Missing documentation for Client Certificate Validation

Hi,
I would like to validate the requests via client certificate. Following the documentation, I understood that I need to specify the “http_authenticator.type” as “clientcert”. There it is mentioned to click on TLS Client Certification for further details. However I could see, it is redirecting to HTTP Basic Authentication page.

Please provide the configuration details I need to follow in order to validate the client certificates.

Thanks

Abhinay.

see https://github.com/floragunncom/search-guard/blob/master/sgconfig/sg_config.yml

clientcert_auth_domain:
enabled: true
order: 2
http_authenticator:
  type: clientcert
  config:
  username_attribute: cn #optional, if omitted DN becomes username
  challenge: false
authentication_backend:
  type: noop

(order matters if you like to combine it with other authenticators)

···

Am 26.02.2017 um 04:28 schrieb Abhinay Thurlapati <abhinaythurlapati@gmail.com>:

Hi,
I would like to validate the requests via client certificate. Following the documentation, I understood that I need to specify the "http_authenticator.type" as "clientcert". There it is mentioned to click on TLS Client Certification for further details. However I could see, it is redirecting to HTTP Basic Authentication page.

Please provide the configuration details I need to follow in order to validate the client certificates.

Thanks
Abhinay.

--
You received this message because you are subscribed to the Google Groups "Search Guard" group.
To unsubscribe from this group and stop receiving emails from it, send an email to search-guard+unsubscribe@googlegroups.com.
To post to this group, send email to search-guard@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/4d226de6-b524-42cd-95bb-fbb85238a2ee%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Thanks for the early response.

I followed this approach. I am trying to connect to elastic search using python requests module. I am sending clients signed certificate and the corresponding key generated using example scripts provided by the elastic search.

However, iam receiving the response “Authentication finally failed”. Going through the source code, I think it’s not matching with any of authentication mechanism.

How do I fix this issue. Also I would like define roles for the client certificate. In that case, in internal users yaml file, what could be the password of the hash.

Thanks

Abhinay

···

On 26-Feb-2017 4:13 PM, “SG” info@search-guard.com wrote:

see https://github.com/floragunncom/search-guard/blob/master/sgconfig/sg_config.yml

clientcert_auth_domain:

enabled: true

order: 2

http_authenticator:

type: clientcert

config:

    username_attribute: cn #optional, if omitted DN becomes username

challenge: false

authentication_backend:

type: noop

(order matters if you like to combine it with other authenticators)

Am 26.02.2017 um 04:28 schrieb Abhinay Thurlapati abhinaythurlapati@gmail.com:

Hi,

I would like to validate the requests via client certificate. Following the documentation, I understood that I need to specify the “http_authenticator.type” as “clientcert”. There it is mentioned to click on TLS Client Certification for further details. However I could see, it is redirecting to HTTP Basic Authentication page.

Please provide the configuration details I need to follow in order to validate the client certificates.

Thanks

Abhinay.

You received this message because you are subscribed to the Google Groups “Search Guard” group.

To unsubscribe from this group and stop receiving emails from it, send an email to search-guard+unsubscribe@googlegroups.com.

To post to this group, send email to search-guard@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/4d226de6-b524-42cd-95bb-fbb85238a2ee%40googlegroups.com.

For more options, visit https://groups.google.com/d/optout.

You received this message because you are subscribed to the Google Groups “Search Guard” group.

To unsubscribe from this group and stop receiving emails from it, send an email to search-guard+unsubscribe@googlegroups.com.

To post to this group, send email to search-guard@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/DCA5DF08-365B-4C41-92A3-A0EBB1AFA068%40search-guard.com.

For more options, visit https://groups.google.com/d/optout.

Hi Abhinay,

I ran into the same problem. Not sure if my findings will help you since I am struggling at an other point right now.

When trying to setup es with searchguard all from scratch without using bundle and example scripts, I stumbled over something interesting in elasticsearch.yml.example

This is optional

Only needed when impersonation is used

Allow DNs (distinguished names) to impersonate as other users

#searchguard.authcz.impersonation_dn:
“CN=spock,OU=client,O=client,L=Test,C=DE”:

- worf

“cn=webuser,ou=IT,ou=IT,dc=company,dc=com”:

- user2

- user1

Auditlog configuration:

``

On first glance I was no able to find any lines like the above in the yml files provided with the bundles I used.

best,
Meike

···

On Sunday, February 26, 2017 at 4:28:04 AM UTC+1, Abhinay Thurlapati wrote:

Hi,
I would like to validate the requests via client certificate. Following the documentation, I understood that I need to specify the “http_authenticator.type” as “clientcert”. There it is mentioned to click on TLS Client Certification for further details. However I could see, it is redirecting to HTTP Basic Authentication page.

Please provide the configuration details I need to follow in order to validate the client certificates.

Thanks

Abhinay.

ah… impersonation is something else…

but it seems searchguard is not able to validate the certificates

Forgot to add one point. This search guard is behind apache. Could it be the case that Apache is not forwarding client certificate to search guard.

Thanks

Abhinay

···

On 02-Mar-2017 8:13 PM, “Me He” google-work@kampfschnuffel.de wrote:

ah… impersonation is something else…

but it seems searchguard is not able to validate the certificates

You received this message because you are subscribed to the Google Groups “Search Guard” group.

To unsubscribe from this group and stop receiving emails from it, send an email to search-guard+unsubscribe@googlegroups.com.

To post to this group, send email to search-guard@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/7d1a8edc-eae2-487a-8265-d24c0ee4fb56%40googlegroups.com.

For more options, visit https://groups.google.com/d/optout.

Hi,

if it is behind apache the client certificate may not be forwarded that is true. I have no idea how to check/fix that.

I got mine test instance with the bundle finally working.
I tried the wrong certificate as it seems, or did not copy truststore.jks properly around.

best,
Meike

···

On Thursday, March 2, 2017 at 4:02:56 PM UTC+1, Abhinay Thurlapati wrote:

Forgot to add one point. This search guard is behind apache. Could it be the case that Apache is not forwarding client certificate to search guard.

Thanks

Abhinay

ah… impersonation is something else…

but it seems searchguard is not able to validate the certificates

You received this message because you are subscribed to the Google Groups “Search Guard” group.

To unsubscribe from this group and stop receiving emails from it, send an email to search-guard...@googlegroups.com.

To post to this group, send email to search...@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/7d1a8edc-eae2-487a-8265-d24c0ee4fb56%40googlegroups.com.

For more options, visit https://groups.google.com/d/optout.
On 02-Mar-2017 8:13 PM, “Me He” googl...@kampfschnuffel.de wrote: