Problem with IdentityServer4

On Monday, February 18, 2019 at 9:59:31 AM UTC+1, Behzad Rezaie wrote:

Hi pals,
I am going to add IdentityServer4 to make the authentication for the Kibana (version 6.5.4) server (http://localhost:5601). I have set the following configuration for in kibana.yml:

searchguard.auth.type: “openid”
searchguard.openid.connect_url: “http://someserver.com/.well-known/openid-configuration”
searchguard.openid.client_id: “elastic-clinetid”
searchguard.openid.client_secret: “elk-secret”
searchguard.openid.scope: “profile openid”

With such configuration, I can login through the identityserver, but the problem is that I receive the error “Authentication failed. Please provide a new token.” in Kibana. How can I solve this? It seems the users and roles are not yet inserted into elastic. Could you please help me with the problem?

Best,
Behzad

On Monday, February 18, 2019 at 1:14:52 PM UTC+3:30, Jochen Kressin wrote:

You also need to configure OpenID on Elasticsearch, not just on Kibana. Kibana is responsible for the OpenID request flow, but the identity token that your IdP issues is ultimately validated on the Elasticsearch side. Please have a look at the docs and make sure OpenID is configured correctly on ES:

https://docs.search-guard.com/latest/openid-json-web-keys

On Monday, February 18, 2019 at 9:59:31 AM UTC+1, Behzad Rezaie wrote:

Hi pals,
I am going to add IdentityServer4 to make the authentication for the Kibana (version 6.5.4) server (http://localhost:5601). I have set the following configuration for in kibana.yml:

searchguard.auth.type: “openid”
searchguard.openid.connect_url: “http://someserver.com/.well-known/openid-configuration”
searchguard.openid.client_id: “elastic-clinetid”
searchguard.openid.client_secret: “elk-secret”
searchguard.openid.scope: “profile openid”

With such configuration, I can login through the identityserver, but the problem is that I receive the error “Authentication failed. Please provide a new token.” in Kibana. How can I solve this? It seems the users and roles are not yet inserted into elastic. Could you please help me with the problem?

Best,
Behzad

On Monday, February 18, 2019 at 11:47:39 AM UTC+1, Behzad Rezaie wrote:

Dear Jochen,

Thanks for your reply. We setting the config in the elasticsearch.yml, I receive an error saying that “unknown setting [searchguard.dynamic.authc.basic_internal_auth_domain.authentication_backend.type] please check that any required plugins are installed, or check the breaking changes documentation for removed settings”!

My setting is as follows:

xpack.security.audit.enabled: true

xpack.security.enabled: false

searchguard:

dynamic:

authc:

basic_internal_auth_domain:

enabled: true

order: 0

http_authenticator:

type: basic

challenge: false

authentication_backend:

type: internal

openid_auth_domain:

enabled: true

order: 1

http_authenticator:

type: openid

challenge: false

config:

subject_key: preferred_username

roles_key: roles

openid_connect_url: http://someserver.com/.well-known/openid-configuration

authentication_backend:

type: noop

On Monday, February 18, 2019 at 1:14:52 PM UTC+3:30, Jochen Kressin wrote:

You also need to configure OpenID on Elasticsearch, not just on Kibana. Kibana is responsible for the OpenID request flow, but the identity token that your IdP issues is ultimately validated on the Elasticsearch side. Please have a look at the docs and make sure OpenID is configured correctly on ES:

https://docs.search-guard.com/latest/openid-json-web-keys

On Monday, February 18, 2019 at 9:59:31 AM UTC+1, Behzad Rezaie wrote:

Hi pals,
I am going to add IdentityServer4 to make the authentication for the Kibana (version 6.5.4) server (http://localhost:5601). I have set the following configuration for in kibana.yml:

searchguard.auth.type: “openid”
searchguard.openid.connect_url: “http://someserver.com/.well-known/openid-configuration”
searchguard.openid.client_id: “elastic-clinetid”
searchguard.openid.client_secret: “elk-secret”
searchguard.openid.scope: “profile openid”

With such configuration, I can login through the identityserver, but the problem is that I receive the error “Authentication failed. Please provide a new token.” in Kibana. How can I solve this? It seems the users and roles are not yet inserted into elastic. Could you please help me with the problem?

Best,
Behzad

On Monday, February 18, 2019 at 2:26:48 PM UTC+3:30, Jochen Kressin wrote:

Authentication and authorization is configured in sg_config.yml, not elasticsearch.yml:

https://docs.search-guard.com/latest/authentication-authorization

After changing the configuration you need to apply the changed settings via sgadmin:

https://docs.search-guard.com/latest/sgadmin

If you have used the demo installer to install Search Guard:

https://docs.search-guard.com/latest/demo-installer

You will find an sgadmin_demo.sh script in the plugins/search-guard-6/tools folder which you can use as-is.

On Monday, February 18, 2019 at 11:47:39 AM UTC+1, Behzad Rezaie wrote:

Dear Jochen,

Thanks for your reply. We setting the config in the elasticsearch.yml, I receive an error saying that “unknown setting [searchguard.dynamic.authc.basic_internal_auth_domain.authentication_backend.type] please check that any required plugins are installed, or check the breaking changes documentation for removed settings”!

My setting is as follows:

xpack.security.audit.enabled: true

xpack.security.enabled: false

searchguard:

dynamic:

authc:

basic_internal_auth_domain:

enabled: true

order: 0

http_authenticator:

type: basic

challenge: false

authentication_backend:

type: internal

openid_auth_domain:

enabled: true

order: 1

http_authenticator:

type: openid

challenge: false

config:

subject_key: preferred_username

roles_key: roles

openid_connect_url: http://someserver.com/.well-known/openid-configuration

authentication_backend:

type: noop

On Monday, February 18, 2019 at 1:14:52 PM UTC+3:30, Jochen Kressin wrote:

You also need to configure OpenID on Elasticsearch, not just on Kibana. Kibana is responsible for the OpenID request flow, but the identity token that your IdP issues is ultimately validated on the Elasticsearch side. Please have a look at the docs and make sure OpenID is configured correctly on ES:

https://docs.search-guard.com/latest/openid-json-web-keys

On Monday, February 18, 2019 at 9:59:31 AM UTC+1, Behzad Rezaie wrote:

Hi pals,
I am going to add IdentityServer4 to make the authentication for the Kibana (version 6.5.4) server (http://localhost:5601). I have set the following configuration for in kibana.yml:

searchguard.auth.type: “openid”
searchguard.openid.connect_url: “http://someserver.com/.well-known/openid-configuration”
searchguard.openid.client_id: “elastic-clinetid”
searchguard.openid.client_secret: “elk-secret”
searchguard.openid.scope: “profile openid”

With such configuration, I can login through the identityserver, but the problem is that I receive the error “Authentication failed. Please provide a new token.” in Kibana. How can I solve this? It seems the users and roles are not yet inserted into elastic. Could you please help me with the problem?

Best,
Behzad

On Monday, February 18, 2019 at 12:10:04 PM UTC+1, Behzad Rezaie wrote:

Dear Jochen,

Where the sg_config.yml is placed? I can see the folder named “searchguard” in the plugins folder, under the Kibana directory. But cannot find any sg_config.yml file. Should I create it myself?

On Monday, February 18, 2019 at 2:26:48 PM UTC+3:30, Jochen Kressin wrote:

Authentication and authorization is configured in sg_config.yml, not elasticsearch.yml:

https://docs.search-guard.com/latest/authentication-authorization

After changing the configuration you need to apply the changed settings via sgadmin:

https://docs.search-guard.com/latest/sgadmin

If you have used the demo installer to install Search Guard:

https://docs.search-guard.com/latest/demo-installer

You will find an sgadmin_demo.sh script in the plugins/search-guard-6/tools folder which you can use as-is.

On Monday, February 18, 2019 at 11:47:39 AM UTC+1, Behzad Rezaie wrote:

Dear Jochen,

Thanks for your reply. We setting the config in the elasticsearch.yml, I receive an error saying that “unknown setting [searchguard.dynamic.authc.basic_internal_auth_domain.authentication_backend.type] please check that any required plugins are installed, or check the breaking changes documentation for removed settings”!

My setting is as follows:

xpack.security.audit.enabled: true

xpack.security.enabled: false

searchguard:

dynamic:

authc:

basic_internal_auth_domain:

enabled: true

order: 0

http_authenticator:

type: basic

challenge: false

authentication_backend:

type: internal

openid_auth_domain:

enabled: true

order: 1

http_authenticator:

type: openid

challenge: false

config:

subject_key: preferred_username

roles_key: roles

openid_connect_url: http://someserver.com/.well-known/openid-configuration

authentication_backend:

type: noop

On Monday, February 18, 2019 at 1:14:52 PM UTC+3:30, Jochen Kressin wrote:

You also need to configure OpenID on Elasticsearch, not just on Kibana. Kibana is responsible for the OpenID request flow, but the identity token that your IdP issues is ultimately validated on the Elasticsearch side. Please have a look at the docs and make sure OpenID is configured correctly on ES:

https://docs.search-guard.com/latest/openid-json-web-keys

On Monday, February 18, 2019 at 9:59:31 AM UTC+1, Behzad Rezaie wrote:

Hi pals,
I am going to add IdentityServer4 to make the authentication for the Kibana (version 6.5.4) server (http://localhost:5601). I have set the following configuration for in kibana.yml:

searchguard.auth.type: “openid”
searchguard.openid.connect_url: “http://someserver.com/.well-known/openid-configuration”
searchguard.openid.client_id: “elastic-clinetid”
searchguard.openid.client_secret: “elk-secret”
searchguard.openid.scope: “profile openid”

With such configuration, I can login through the identityserver, but the problem is that I receive the error “Authentication failed. Please provide a new token.” in Kibana. How can I solve this? It seems the users and roles are not yet inserted into elastic. Could you please help me with the problem?

Best,
Behzad

On Monday, February 18, 2019 at 8:24:02 PM UTC+3:30, Jochen Kressin wrote:

You need to install the Search Guard plugin for Elasticsearch as well. The Kibana plugin alone does very little regarding authentication and authorization. The Search Guard plugin for Elasticsearch is where the access control is implemented:

https://docs.search-guard.com/latest/demo-installer

On Monday, February 18, 2019 at 12:10:04 PM UTC+1, Behzad Rezaie wrote:

Dear Jochen,

Where the sg_config.yml is placed? I can see the folder named “searchguard” in the plugins folder, under the Kibana directory. But cannot find any sg_config.yml file. Should I create it myself?

On Monday, February 18, 2019 at 2:26:48 PM UTC+3:30, Jochen Kressin wrote:

Authentication and authorization is configured in sg_config.yml, not elasticsearch.yml:

https://docs.search-guard.com/latest/authentication-authorization

After changing the configuration you need to apply the changed settings via sgadmin:

https://docs.search-guard.com/latest/sgadmin

If you have used the demo installer to install Search Guard:

https://docs.search-guard.com/latest/demo-installer

You will find an sgadmin_demo.sh script in the plugins/search-guard-6/tools folder which you can use as-is.

On Monday, February 18, 2019 at 11:47:39 AM UTC+1, Behzad Rezaie wrote:

Dear Jochen,

Thanks for your reply. We setting the config in the elasticsearch.yml, I receive an error saying that “unknown setting [searchguard.dynamic.authc.basic_internal_auth_domain.authentication_backend.type] please check that any required plugins are installed, or check the breaking changes documentation for removed settings”!

My setting is as follows:

xpack.security.audit.enabled: true

xpack.security.enabled: false

searchguard:

dynamic:

authc:

basic_internal_auth_domain:

enabled: true

order: 0

http_authenticator:

type: basic

challenge: false

authentication_backend:

type: internal

openid_auth_domain:

enabled: true

order: 1

http_authenticator:

type: openid

challenge: false

config:

subject_key: preferred_username

roles_key: roles

openid_connect_url: http://someserver.com/.well-known/openid-configuration

authentication_backend:

type: noop

On Monday, February 18, 2019 at 1:14:52 PM UTC+3:30, Jochen Kressin wrote:

You also need to configure OpenID on Elasticsearch, not just on Kibana. Kibana is responsible for the OpenID request flow, but the identity token that your IdP issues is ultimately validated on the Elasticsearch side. Please have a look at the docs and make sure OpenID is configured correctly on ES:

https://docs.search-guard.com/latest/openid-json-web-keys

On Monday, February 18, 2019 at 9:59:31 AM UTC+1, Behzad Rezaie wrote:

Hi pals,
I am going to add IdentityServer4 to make the authentication for the Kibana (version 6.5.4) server (http://localhost:5601). I have set the following configuration for in kibana.yml:

searchguard.auth.type: “openid”
searchguard.openid.connect_url: “http://someserver.com/.well-known/openid-configuration”
searchguard.openid.client_id: “elastic-clinetid”
searchguard.openid.client_secret: “elk-secret”
searchguard.openid.scope: “profile openid”

With such configuration, I can login through the identityserver, but the problem is that I receive the error “Authentication failed. Please provide a new token.” in Kibana. How can I solve this? It seems the users and roles are not yet inserted into elastic. Could you please help me with the problem?

Best,
Behzad

On Tuesday, February 19, 2019 at 12:05:17 PM UTC+1, Behzad Rezaie wrote:

Dear Jochen,

Thanks for your help. I installed the SG on elastic. and configured it as mentioned in here. In addition, I added the following lines to code to the elasticsearch.yml:

searchguard.ssl.transport.keystore_filepath: certs/elastic-certificates.p12

searchguard.ssl.transport.keystore_password: somepass

searchguard.ssl.transport.truststore_filepath: certs/elastic-certificates.p12

searchguard.ssl.transport.truststore_password: somepass

Also I added the following lines of code to the sg_config.yml:

authc:

openid_auth_domain:

http_enabled: true

transport_enabled: true

order: 0

http_authenticator:

type: openid

challenge: false

config:

subject_key: preferred_username

roles_key: roles

openid_connect_url: http://devpub-srv:1080/.well-known/openid-configuration

authentication_backend:

type: noop

Then, I ran the following command

./sgadmin.sh -cd …/sgconfig -icl -nhnv -ts …/…/…/…/config/certs/elastic-certificates.p12 -tspass somepass -ks …/…/…/…/config/certs/elastic-certificates.p12 -kspass somepass

A console window appeared and vanished quickly. Then I browsed through the elastic server (http://localhost:9200/), but received the following message:

Search Guard not initialized (SG11). See http://docs.search-guard.com/v6/sgadmin

Could you please let me know if I have made any mistakes on my way to configure the elastic and SG?

Best,

Behzad

On Monday, February 18, 2019 at 8:24:02 PM UTC+3:30, Jochen Kressin wrote:

You need to install the Search Guard plugin for Elasticsearch as well. The Kibana plugin alone does very little regarding authentication and authorization. The Search Guard plugin for Elasticsearch is where the access control is implemented:

https://docs.search-guard.com/latest/demo-installer

On Monday, February 18, 2019 at 12:10:04 PM UTC+1, Behzad Rezaie wrote:

Dear Jochen,

Where the sg_config.yml is placed? I can see the folder named “searchguard” in the plugins folder, under the Kibana directory. But cannot find any sg_config.yml file. Should I create it myself?

On Monday, February 18, 2019 at 2:26:48 PM UTC+3:30, Jochen Kressin wrote:

Authentication and authorization is configured in sg_config.yml, not elasticsearch.yml:

https://docs.search-guard.com/latest/authentication-authorization

After changing the configuration you need to apply the changed settings via sgadmin:

https://docs.search-guard.com/latest/sgadmin

If you have used the demo installer to install Search Guard:

https://docs.search-guard.com/latest/demo-installer

You will find an sgadmin_demo.sh script in the plugins/search-guard-6/tools folder which you can use as-is.

On Monday, February 18, 2019 at 11:47:39 AM UTC+1, Behzad Rezaie wrote:

Dear Jochen,

Thanks for your reply. We setting the config in the elasticsearch.yml, I receive an error saying that “unknown setting [searchguard.dynamic.authc.basic_internal_auth_domain.authentication_backend.type] please check that any required plugins are installed, or check the breaking changes documentation for removed settings”!

My setting is as follows:

xpack.security.audit.enabled: true

xpack.security.enabled: false

searchguard:

dynamic:

authc:

basic_internal_auth_domain:

enabled: true

order: 0

http_authenticator:

type: basic

challenge: false

authentication_backend:

type: internal

openid_auth_domain:

enabled: true

order: 1

http_authenticator:

type: openid

challenge: false

config:

subject_key: preferred_username

roles_key: roles

openid_connect_url: http://someserver.com/.well-known/openid-configuration

authentication_backend:

type: noop

On Monday, February 18, 2019 at 1:14:52 PM UTC+3:30, Jochen Kressin wrote:

You also need to configure OpenID on Elasticsearch, not just on Kibana. Kibana is responsible for the OpenID request flow, but the identity token that your IdP issues is ultimately validated on the Elasticsearch side. Please have a look at the docs and make sure OpenID is configured correctly on ES:

https://docs.search-guard.com/latest/openid-json-web-keys

On Monday, February 18, 2019 at 9:59:31 AM UTC+1, Behzad Rezaie wrote:

Hi pals,
I am going to add IdentityServer4 to make the authentication for the Kibana (version 6.5.4) server (http://localhost:5601). I have set the following configuration for in kibana.yml:

searchguard.auth.type: “openid”
searchguard.openid.connect_url: “http://someserver.com/.well-known/openid-configuration”
searchguard.openid.client_id: “elastic-clinetid”
searchguard.openid.client_secret: “elk-secret”
searchguard.openid.scope: “profile openid”

With such configuration, I can login through the identityserver, but the problem is that I receive the error “Authentication failed. Please provide a new token.” in Kibana. How can I solve this? It seems the users and roles are not yet inserted into elastic. Could you please help me with the problem?

Best,
Behzad

On Tuesday, February 19, 2019 at 9:15:58 PM UTC+3:30, Jochen Kressin wrote:

In order to run sgadmin you need ro configure and use an admin TLS certificate:

https://docs.search-guard.com/latest/sgadmin#configuring-the-admin-certificate

This must be different from your node certificates (the ones you already configured) for security reasons.

If you say a console window appeared, may I ask which system you are on? Is it Linux, Mac or Windows? Depending on your operating system I can hint you in the right directions.

On Tuesday, February 19, 2019 at 12:05:17 PM UTC+1, Behzad Rezaie wrote:

Dear Jochen,

Thanks for your help. I installed the SG on elastic. and configured it as mentioned in here. In addition, I added the following lines to code to the elasticsearch.yml:

searchguard.ssl.transport.keystore_filepath: certs/elastic-certificates.p12

searchguard.ssl.transport.keystore_password: somepass

searchguard.ssl.transport.truststore_filepath: certs/elastic-certificates.p12

searchguard.ssl.transport.truststore_password: somepass

Also I added the following lines of code to the sg_config.yml:

authc:

openid_auth_domain:

http_enabled: true

transport_enabled: true

order: 0

http_authenticator:

type: openid

challenge: false

config:

subject_key: preferred_username

roles_key: roles

openid_connect_url: http://devpub-srv:1080/.well-known/openid-configuration

authentication_backend:

type: noop

Then, I ran the following command

./sgadmin.sh -cd …/sgconfig -icl -nhnv -ts …/…/…/…/config/certs/elastic-certificates.p12 -tspass somepass -ks …/…/…/…/config/certs/elastic-certificates.p12 -kspass somepass

A console window appeared and vanished quickly. Then I browsed through the elastic server (http://localhost:9200/), but received the following message:

Search Guard not initialized (SG11). See http://docs.search-guard.com/v6/sgadmin

Could you please let me know if I have made any mistakes on my way to configure the elastic and SG?

Best,

Behzad

On Monday, February 18, 2019 at 8:24:02 PM UTC+3:30, Jochen Kressin wrote:

You need to install the Search Guard plugin for Elasticsearch as well. The Kibana plugin alone does very little regarding authentication and authorization. The Search Guard plugin for Elasticsearch is where the access control is implemented:

https://docs.search-guard.com/latest/demo-installer

On Monday, February 18, 2019 at 12:10:04 PM UTC+1, Behzad Rezaie wrote:

Dear Jochen,

Where the sg_config.yml is placed? I can see the folder named “searchguard” in the plugins folder, under the Kibana directory. But cannot find any sg_config.yml file. Should I create it myself?

On Monday, February 18, 2019 at 2:26:48 PM UTC+3:30, Jochen Kressin wrote:

Authentication and authorization is configured in sg_config.yml, not elasticsearch.yml:

https://docs.search-guard.com/latest/authentication-authorization

After changing the configuration you need to apply the changed settings via sgadmin:

https://docs.search-guard.com/latest/sgadmin

If you have used the demo installer to install Search Guard:

https://docs.search-guard.com/latest/demo-installer

You will find an sgadmin_demo.sh script in the plugins/search-guard-6/tools folder which you can use as-is.

On Monday, February 18, 2019 at 11:47:39 AM UTC+1, Behzad Rezaie wrote:

Dear Jochen,

Thanks for your reply. We setting the config in the elasticsearch.yml, I receive an error saying that “unknown setting [searchguard.dynamic.authc.basic_internal_auth_domain.authentication_backend.type] please check that any required plugins are installed, or check the breaking changes documentation for removed settings”!

My setting is as follows:

xpack.security.audit.enabled: true

xpack.security.enabled: false

searchguard:

dynamic:

authc:

basic_internal_auth_domain:

enabled: true

order: 0

http_authenticator:

type: basic

challenge: false

authentication_backend:

type: internal

openid_auth_domain:

enabled: true

order: 1

http_authenticator:

type: openid

challenge: false

config:

subject_key: preferred_username

roles_key: roles

openid_connect_url: http://someserver.com/.well-known/openid-configuration

authentication_backend:

type: noop

On Monday, February 18, 2019 at 1:14:52 PM UTC+3:30, Jochen Kressin wrote:

You also need to configure OpenID on Elasticsearch, not just on Kibana. Kibana is responsible for the OpenID request flow, but the identity token that your IdP issues is ultimately validated on the Elasticsearch side. Please have a look at the docs and make sure OpenID is configured correctly on ES:

https://docs.search-guard.com/latest/openid-json-web-keys

On Monday, February 18, 2019 at 9:59:31 AM UTC+1, Behzad Rezaie wrote:

Hi pals,
I am going to add IdentityServer4 to make the authentication for the Kibana (version 6.5.4) server (http://localhost:5601). I have set the following configuration for in kibana.yml:

searchguard.auth.type: “openid”
searchguard.openid.connect_url: “http://someserver.com/.well-known/openid-configuration”
searchguard.openid.client_id: “elastic-clinetid”
searchguard.openid.client_secret: “elk-secret”
searchguard.openid.scope: “profile openid”

With such configuration, I can login through the identityserver, but the problem is that I receive the error “Authentication failed. Please provide a new token.” in Kibana. How can I solve this? It seems the users and roles are not yet inserted into elastic. Could you please help me with the problem?

Best,
Behzad

On Wednesday, February 20, 2019 at 8:57:20 AM UTC+3:30, Behzad Rezaie wrote:

Dear Jochen,

I have set the configuration as mentioned in my previous comment. As far as I searched, I must run the install_demo_configuration.sh. I am running the command on Windows. Since there is no “sudo” command in windows, I get the following error

bash: sudo: command not found

I am going through the right way? Please let me know your idea.

Best,

Behzad

On Tuesday, February 19, 2019 at 9:15:58 PM UTC+3:30, Jochen Kressin wrote:

In order to run sgadmin you need ro configure and use an admin TLS certificate:

https://docs.search-guard.com/latest/sgadmin#configuring-the-admin-certificate

This must be different from your node certificates (the ones you already configured) for security reasons.

If you say a console window appeared, may I ask which system you are on? Is it Linux, Mac or Windows? Depending on your operating system I can hint you in the right directions.

On Tuesday, February 19, 2019 at 12:05:17 PM UTC+1, Behzad Rezaie wrote:

Dear Jochen,

Thanks for your help. I installed the SG on elastic. and configured it as mentioned in here. In addition, I added the following lines to code to the elasticsearch.yml:

searchguard.ssl.transport.keystore_filepath: certs/elastic-certificates.p12

searchguard.ssl.transport.keystore_password: somepass

searchguard.ssl.transport.truststore_filepath: certs/elastic-certificates.p12

searchguard.ssl.transport.truststore_password: somepass

Also I added the following lines of code to the sg_config.yml:

authc:

openid_auth_domain:

http_enabled: true

transport_enabled: true

order: 0

http_authenticator:

type: openid

challenge: false

config:

subject_key: preferred_username

roles_key: roles

openid_connect_url: http://devpub-srv:1080/.well-known/openid-configuration

authentication_backend:

type: noop

Then, I ran the following command

./sgadmin.sh -cd …/sgconfig -icl -nhnv -ts …/…/…/…/config/certs/elastic-certificates.p12 -tspass somepass -ks …/…/…/…/config/certs/elastic-certificates.p12 -kspass somepass

A console window appeared and vanished quickly. Then I browsed through the elastic server (http://localhost:9200/), but received the following message:

Search Guard not initialized (SG11). See http://docs.search-guard.com/v6/sgadmin

Could you please let me know if I have made any mistakes on my way to configure the elastic and SG?

Best,

Behzad

On Monday, February 18, 2019 at 8:24:02 PM UTC+3:30, Jochen Kressin wrote:

You need to install the Search Guard plugin for Elasticsearch as well. The Kibana plugin alone does very little regarding authentication and authorization. The Search Guard plugin for Elasticsearch is where the access control is implemented:

https://docs.search-guard.com/latest/demo-installer

On Monday, February 18, 2019 at 12:10:04 PM UTC+1, Behzad Rezaie wrote:

Dear Jochen,

Where the sg_config.yml is placed? I can see the folder named “searchguard” in the plugins folder, under the Kibana directory. But cannot find any sg_config.yml file. Should I create it myself?

On Monday, February 18, 2019 at 2:26:48 PM UTC+3:30, Jochen Kressin wrote:

Authentication and authorization is configured in sg_config.yml, not elasticsearch.yml:

https://docs.search-guard.com/latest/authentication-authorization

After changing the configuration you need to apply the changed settings via sgadmin:

https://docs.search-guard.com/latest/sgadmin

If you have used the demo installer to install Search Guard:

https://docs.search-guard.com/latest/demo-installer

You will find an sgadmin_demo.sh script in the plugins/search-guard-6/tools folder which you can use as-is.

On Monday, February 18, 2019 at 11:47:39 AM UTC+1, Behzad Rezaie wrote:

Dear Jochen,

Thanks for your reply. We setting the config in the elasticsearch.yml, I receive an error saying that “unknown setting [searchguard.dynamic.authc.basic_internal_auth_domain.authentication_backend.type] please check that any required plugins are installed, or check the breaking changes documentation for removed settings”!

My setting is as follows:

xpack.security.audit.enabled: true

xpack.security.enabled: false

searchguard:

dynamic:

authc:

basic_internal_auth_domain:

enabled: true

order: 0

http_authenticator:

type: basic

challenge: false

authentication_backend:

type: internal

openid_auth_domain:

enabled: true

order: 1

http_authenticator:

type: openid

challenge: false

config:

subject_key: preferred_username

roles_key: roles

openid_connect_url: http://someserver.com/.well-known/openid-configuration

authentication_backend:

type: noop

On Monday, February 18, 2019 at 1:14:52 PM UTC+3:30, Jochen Kressin wrote:

You also need to configure OpenID on Elasticsearch, not just on Kibana. Kibana is responsible for the OpenID request flow, but the identity token that your IdP issues is ultimately validated on the Elasticsearch side. Please have a look at the docs and make sure OpenID is configured correctly on ES:

https://docs.search-guard.com/latest/openid-json-web-keys

On Monday, February 18, 2019 at 9:59:31 AM UTC+1, Behzad Rezaie wrote:

Hi pals,
I am going to add IdentityServer4 to make the authentication for the Kibana (version 6.5.4) server (http://localhost:5601). I have set the following configuration for in kibana.yml:

searchguard.auth.type: “openid”
searchguard.openid.connect_url: “http://someserver.com/.well-known/openid-configuration”
searchguard.openid.client_id: “elastic-clinetid”
searchguard.openid.client_secret: “elk-secret”
searchguard.openid.scope: “profile openid”

With such configuration, I can login through the identityserver, but the problem is that I receive the error “Authentication failed. Please provide a new token.” in Kibana. How can I solve this? It seems the users and roles are not yet inserted into elastic. Could you please help me with the problem?

Best,
Behzad

On Wednesday, February 20, 2019 at 6:39:43 AM UTC+1, Behzad Rezaie wrote:

By the way, when I run the following command, it works correctly with no errors, but the elastic says that the SG is not initialized yet!
./sgadmin.sh -cd …/sgconfig -icl -nhnv -ts …/…/…/…/config/certs/elastic-certificates.p12 -tspass somepass -ks …/…/…/…/config/certs/elastic-certificates.p12 -kspass somepass

On Wednesday, February 20, 2019 at 8:57:20 AM UTC+3:30, Behzad Rezaie wrote:

Dear Jochen,

I have set the configuration as mentioned in my previous comment. As far as I searched, I must run the install_demo_configuration.sh. I am running the command on Windows. Since there is no “sudo” command in windows, I get the following error

bash: sudo: command not found

I am going through the right way? Please let me know your idea.

Best,

Behzad

On Tuesday, February 19, 2019 at 9:15:58 PM UTC+3:30, Jochen Kressin wrote:

In order to run sgadmin you need ro configure and use an admin TLS certificate:

https://docs.search-guard.com/latest/sgadmin#configuring-the-admin-certificate

This must be different from your node certificates (the ones you already configured) for security reasons.

If you say a console window appeared, may I ask which system you are on? Is it Linux, Mac or Windows? Depending on your operating system I can hint you in the right directions.

On Tuesday, February 19, 2019 at 12:05:17 PM UTC+1, Behzad Rezaie wrote:

Dear Jochen,

Thanks for your help. I installed the SG on elastic. and configured it as mentioned in here. In addition, I added the following lines to code to the elasticsearch.yml:

searchguard.ssl.transport.keystore_filepath: certs/elastic-certificates.p12

searchguard.ssl.transport.keystore_password: somepass

searchguard.ssl.transport.truststore_filepath: certs/elastic-certificates.p12

searchguard.ssl.transport.truststore_password: somepass

Also I added the following lines of code to the sg_config.yml:

authc:

openid_auth_domain:

http_enabled: true

transport_enabled: true

order: 0

http_authenticator:

type: openid

challenge: false

config:

subject_key: preferred_username

roles_key: roles

openid_connect_url: http://devpub-srv:1080/.well-known/openid-configuration

authentication_backend:

type: noop

Then, I ran the following command

./sgadmin.sh -cd …/sgconfig -icl -nhnv -ts …/…/…/…/config/certs/elastic-certificates.p12 -tspass somepass -ks …/…/…/…/config/certs/elastic-certificates.p12 -kspass somepass

A console window appeared and vanished quickly. Then I browsed through the elastic server (http://localhost:9200/), but received the following message:

Search Guard not initialized (SG11). See http://docs.search-guard.com/v6/sgadmin

Could you please let me know if I have made any mistakes on my way to configure the elastic and SG?

Best,

Behzad

On Monday, February 18, 2019 at 8:24:02 PM UTC+3:30, Jochen Kressin wrote:

You need to install the Search Guard plugin for Elasticsearch as well. The Kibana plugin alone does very little regarding authentication and authorization. The Search Guard plugin for Elasticsearch is where the access control is implemented:

https://docs.search-guard.com/latest/demo-installer

On Monday, February 18, 2019 at 12:10:04 PM UTC+1, Behzad Rezaie wrote:

Dear Jochen,

Where the sg_config.yml is placed? I can see the folder named “searchguard” in the plugins folder, under the Kibana directory. But cannot find any sg_config.yml file. Should I create it myself?

On Monday, February 18, 2019 at 2:26:48 PM UTC+3:30, Jochen Kressin wrote:

Authentication and authorization is configured in sg_config.yml, not elasticsearch.yml:

https://docs.search-guard.com/latest/authentication-authorization

After changing the configuration you need to apply the changed settings via sgadmin:

https://docs.search-guard.com/latest/sgadmin

If you have used the demo installer to install Search Guard:

https://docs.search-guard.com/latest/demo-installer

You will find an sgadmin_demo.sh script in the plugins/search-guard-6/tools folder which you can use as-is.

On Monday, February 18, 2019 at 11:47:39 AM UTC+1, Behzad Rezaie wrote:

Dear Jochen,

Thanks for your reply. We setting the config in the elasticsearch.yml, I receive an error saying that “unknown setting [searchguard.dynamic.authc.basic_internal_auth_domain.authentication_backend.type] please check that any required plugins are installed, or check the breaking changes documentation for removed settings”!

My setting is as follows:

xpack.security.audit.enabled: true

xpack.security.enabled: false

searchguard:

dynamic:

authc:

basic_internal_auth_domain:

enabled: true

order: 0

http_authenticator:

type: basic

challenge: false

authentication_backend:

type: internal

openid_auth_domain:

enabled: true

order: 1

http_authenticator:

type: openid

challenge: false

config:

subject_key: preferred_username

roles_key: roles

openid_connect_url: http://someserver.com/.well-known/openid-configuration

authentication_backend:

type: noop

On Monday, February 18, 2019 at 1:14:52 PM UTC+3:30, Jochen Kressin wrote:

You also need to configure OpenID on Elasticsearch, not just on Kibana. Kibana is responsible for the OpenID request flow, but the identity token that your IdP issues is ultimately validated on the Elasticsearch side. Please have a look at the docs and make sure OpenID is configured correctly on ES:

https://docs.search-guard.com/latest/openid-json-web-keys

On Monday, February 18, 2019 at 9:59:31 AM UTC+1, Behzad Rezaie wrote:

Hi pals,
I am going to add IdentityServer4 to make the authentication for the Kibana (version 6.5.4) server (http://localhost:5601). I have set the following configuration for in kibana.yml:

searchguard.auth.type: “openid”
searchguard.openid.connect_url: “http://someserver.com/.well-known/openid-configuration”
searchguard.openid.client_id: “elastic-clinetid”
searchguard.openid.client_secret: “elk-secret”
searchguard.openid.scope: “profile openid”

With such configuration, I can login through the identityserver, but the problem is that I receive the error “Authentication failed. Please provide a new token.” in Kibana. How can I solve this? It seems the users and roles are not yet inserted into elastic. Could you please help me with the problem?

Best,
Behzad

On Wednesday, February 20, 2019 at 5:57:31 PM UTC+3:30, Jochen Kressin wrote:

Ok, I did not know you are on Windows. All the installer scripts that we provide are for Linux and Mac, and will not work on Windows. A bash script (.sh) will not work on Windows.

However, there is a step-by-step instruction for Windows which shows you exactly what you need to configure and install:

https://docs.search-guard.com/latest/installation-windows

On Wednesday, February 20, 2019 at 6:39:43 AM UTC+1, Behzad Rezaie wrote:

By the way, when I run the following command, it works correctly with no errors, but the elastic says that the SG is not initialized yet!
./sgadmin.sh -cd …/sgconfig -icl -nhnv -ts …/…/…/…/config/certs/elastic-certificates.p12 -tspass somepass -ks …/…/…/…/config/certs/elastic-certificates.p12 -kspass somepass

On Wednesday, February 20, 2019 at 8:57:20 AM UTC+3:30, Behzad Rezaie wrote:

Dear Jochen,

I have set the configuration as mentioned in my previous comment. As far as I searched, I must run the install_demo_configuration.sh. I am running the command on Windows. Since there is no “sudo” command in windows, I get the following error

bash: sudo: command not found

I am going through the right way? Please let me know your idea.

Best,

Behzad

On Tuesday, February 19, 2019 at 9:15:58 PM UTC+3:30, Jochen Kressin wrote:

In order to run sgadmin you need ro configure and use an admin TLS certificate:

https://docs.search-guard.com/latest/sgadmin#configuring-the-admin-certificate

This must be different from your node certificates (the ones you already configured) for security reasons.

If you say a console window appeared, may I ask which system you are on? Is it Linux, Mac or Windows? Depending on your operating system I can hint you in the right directions.

On Tuesday, February 19, 2019 at 12:05:17 PM UTC+1, Behzad Rezaie wrote:

Dear Jochen,

Thanks for your help. I installed the SG on elastic. and configured it as mentioned in here. In addition, I added the following lines to code to the elasticsearch.yml:

searchguard.ssl.transport.keystore_filepath: certs/elastic-certificates.p12

searchguard.ssl.transport.keystore_password: somepass

searchguard.ssl.transport.truststore_filepath: certs/elastic-certificates.p12

searchguard.ssl.transport.truststore_password: somepass

Also I added the following lines of code to the sg_config.yml:

authc:

openid_auth_domain:

http_enabled: true

transport_enabled: true

order: 0

http_authenticator:

type: openid

challenge: false

config:

subject_key: preferred_username

roles_key: roles

openid_connect_url: http://devpub-srv:1080/.well-known/openid-configuration

authentication_backend:

type: noop

Then, I ran the following command

./sgadmin.sh -cd …/sgconfig -icl -nhnv -ts …/…/…/…/config/certs/elastic-certificates.p12 -tspass somepass -ks …/…/…/…/config/certs/elastic-certificates.p12 -kspass somepass

A console window appeared and vanished quickly. Then I browsed through the elastic server (http://localhost:9200/), but received the following message:

Search Guard not initialized (SG11). See http://docs.search-guard.com/v6/sgadmin

Could you please let me know if I have made any mistakes on my way to configure the elastic and SG?

Best,

Behzad

On Monday, February 18, 2019 at 8:24:02 PM UTC+3:30, Jochen Kressin wrote:

You need to install the Search Guard plugin for Elasticsearch as well. The Kibana plugin alone does very little regarding authentication and authorization. The Search Guard plugin for Elasticsearch is where the access control is implemented:

https://docs.search-guard.com/latest/demo-installer

On Monday, February 18, 2019 at 12:10:04 PM UTC+1, Behzad Rezaie wrote:

Dear Jochen,

Where the sg_config.yml is placed? I can see the folder named “searchguard” in the plugins folder, under the Kibana directory. But cannot find any sg_config.yml file. Should I create it myself?

On Monday, February 18, 2019 at 2:26:48 PM UTC+3:30, Jochen Kressin wrote:

Authentication and authorization is configured in sg_config.yml, not elasticsearch.yml:

https://docs.search-guard.com/latest/authentication-authorization

After changing the configuration you need to apply the changed settings via sgadmin:

https://docs.search-guard.com/latest/sgadmin

If you have used the demo installer to install Search Guard:

https://docs.search-guard.com/latest/demo-installer

You will find an sgadmin_demo.sh script in the plugins/search-guard-6/tools folder which you can use as-is.

On Monday, February 18, 2019 at 11:47:39 AM UTC+1, Behzad Rezaie wrote:

Dear Jochen,

Thanks for your reply. We setting the config in the elasticsearch.yml, I receive an error saying that “unknown setting [searchguard.dynamic.authc.basic_internal_auth_domain.authentication_backend.type] please check that any required plugins are installed, or check the breaking changes documentation for removed settings”!

My setting is as follows:

xpack.security.audit.enabled: true

xpack.security.enabled: false

searchguard:

dynamic:

authc:

basic_internal_auth_domain:

enabled: true

order: 0

http_authenticator:

type: basic

challenge: false

authentication_backend:

type: internal

openid_auth_domain:

enabled: true

order: 1

http_authenticator:

type: openid

challenge: false

config:

subject_key: preferred_username

roles_key: roles

openid_connect_url: http://someserver.com/.well-known/openid-configuration

authentication_backend:

type: noop

On Monday, February 18, 2019 at 1:14:52 PM UTC+3:30, Jochen Kressin wrote:

You also need to configure OpenID on Elasticsearch, not just on Kibana. Kibana is responsible for the OpenID request flow, but the identity token that your IdP issues is ultimately validated on the Elasticsearch side. Please have a look at the docs and make sure OpenID is configured correctly on ES:

https://docs.search-guard.com/latest/openid-json-web-keys

On Monday, February 18, 2019 at 9:59:31 AM UTC+1, Behzad Rezaie wrote:

Hi pals,
I am going to add IdentityServer4 to make the authentication for the Kibana (version 6.5.4) server (http://localhost:5601). I have set the following configuration for in kibana.yml:

searchguard.auth.type: “openid”
searchguard.openid.connect_url: “http://someserver.com/.well-known/openid-configuration”
searchguard.openid.client_id: “elastic-clinetid”
searchguard.openid.client_secret: “elk-secret”
searchguard.openid.scope: “profile openid”

With such configuration, I can login through the identityserver, but the problem is that I receive the error “Authentication failed. Please provide a new token.” in Kibana. How can I solve this? It seems the users and roles are not yet inserted into elastic. Could you please help me with the problem?

Best,
Behzad

On Wednesday, February 20, 2019 at 3:37:07 PM UTC+1, Behzad Rezaie wrote:

Thanks so much. Regarding the tutorial, I must download and install the certificates. When clicking the link, there is NO certificate file.

Where can I download them from?

On Wednesday, February 20, 2019 at 5:57:31 PM UTC+3:30, Jochen Kressin wrote:

Ok, I did not know you are on Windows. All the installer scripts that we provide are for Linux and Mac, and will not work on Windows. A bash script (.sh) will not work on Windows.

However, there is a step-by-step instruction for Windows which shows you exactly what you need to configure and install:

https://docs.search-guard.com/latest/installation-windows

On Wednesday, February 20, 2019 at 6:39:43 AM UTC+1, Behzad Rezaie wrote:

By the way, when I run the following command, it works correctly with no errors, but the elastic says that the SG is not initialized yet!
./sgadmin.sh -cd …/sgconfig -icl -nhnv -ts …/…/…/…/config/certs/elastic-certificates.p12 -tspass somepass -ks …/…/…/…/config/certs/elastic-certificates.p12 -kspass somepass

On Wednesday, February 20, 2019 at 8:57:20 AM UTC+3:30, Behzad Rezaie wrote:

Dear Jochen,

I have set the configuration as mentioned in my previous comment. As far as I searched, I must run the install_demo_configuration.sh. I am running the command on Windows. Since there is no “sudo” command in windows, I get the following error

bash: sudo: command not found

I am going through the right way? Please let me know your idea.

Best,

Behzad

On Tuesday, February 19, 2019 at 9:15:58 PM UTC+3:30, Jochen Kressin wrote:

In order to run sgadmin you need ro configure and use an admin TLS certificate:

https://docs.search-guard.com/latest/sgadmin#configuring-the-admin-certificate

This must be different from your node certificates (the ones you already configured) for security reasons.

If you say a console window appeared, may I ask which system you are on? Is it Linux, Mac or Windows? Depending on your operating system I can hint you in the right directions.

On Tuesday, February 19, 2019 at 12:05:17 PM UTC+1, Behzad Rezaie wrote:

Dear Jochen,

Thanks for your help. I installed the SG on elastic. and configured it as mentioned in here. In addition, I added the following lines to code to the elasticsearch.yml:

searchguard.ssl.transport.keystore_filepath: certs/elastic-certificates.p12

searchguard.ssl.transport.keystore_password: somepass

searchguard.ssl.transport.truststore_filepath: certs/elastic-certificates.p12

searchguard.ssl.transport.truststore_password: somepass

Also I added the following lines of code to the sg_config.yml:

authc:

openid_auth_domain:

http_enabled: true

transport_enabled: true

order: 0

http_authenticator:

type: openid

challenge: false

config:

subject_key: preferred_username

roles_key: roles

openid_connect_url: http://devpub-srv:1080/.well-known/openid-configuration

authentication_backend:

type: noop

Then, I ran the following command

./sgadmin.sh -cd …/sgconfig -icl -nhnv -ts …/…/…/…/config/certs/elastic-certificates.p12 -tspass somepass -ks …/…/…/…/config/certs/elastic-certificates.p12 -kspass somepass

A console window appeared and vanished quickly. Then I browsed through the elastic server (http://localhost:9200/), but received the following message:

Search Guard not initialized (SG11). See http://docs.search-guard.com/v6/sgadmin

Could you please let me know if I have made any mistakes on my way to configure the elastic and SG?

Best,

Behzad

On Monday, February 18, 2019 at 8:24:02 PM UTC+3:30, Jochen Kressin wrote:

You need to install the Search Guard plugin for Elasticsearch as well. The Kibana plugin alone does very little regarding authentication and authorization. The Search Guard plugin for Elasticsearch is where the access control is implemented:

https://docs.search-guard.com/latest/demo-installer

On Monday, February 18, 2019 at 12:10:04 PM UTC+1, Behzad Rezaie wrote:

Dear Jochen,

Where the sg_config.yml is placed? I can see the folder named “searchguard” in the plugins folder, under the Kibana directory. But cannot find any sg_config.yml file. Should I create it myself?

On Monday, February 18, 2019 at 2:26:48 PM UTC+3:30, Jochen Kressin wrote:

Authentication and authorization is configured in sg_config.yml, not elasticsearch.yml:

https://docs.search-guard.com/latest/authentication-authorization

After changing the configuration you need to apply the changed settings via sgadmin:

https://docs.search-guard.com/latest/sgadmin

If you have used the demo installer to install Search Guard:

https://docs.search-guard.com/latest/demo-installer

You will find an sgadmin_demo.sh script in the plugins/search-guard-6/tools folder which you can use as-is.

On Monday, February 18, 2019 at 11:47:39 AM UTC+1, Behzad Rezaie wrote:

Dear Jochen,

Thanks for your reply. We setting the config in the elasticsearch.yml, I receive an error saying that “unknown setting [searchguard.dynamic.authc.basic_internal_auth_domain.authentication_backend.type] please check that any required plugins are installed, or check the breaking changes documentation for removed settings”!

My setting is as follows:

xpack.security.audit.enabled: true

xpack.security.enabled: false

searchguard:

dynamic:

authc:

basic_internal_auth_domain:

enabled: true

order: 0

http_authenticator:

type: basic

challenge: false

authentication_backend:

type: internal

openid_auth_domain:

enabled: true

order: 1

http_authenticator:

type: openid

challenge: false

config:

subject_key: preferred_username

roles_key: roles

openid_connect_url: http://someserver.com/.well-known/openid-configuration

authentication_backend:

type: noop

On Monday, February 18, 2019 at 1:14:52 PM UTC+3:30, Jochen Kressin wrote:

You also need to configure OpenID on Elasticsearch, not just on Kibana. Kibana is responsible for the OpenID request flow, but the identity token that your IdP issues is ultimately validated on the Elasticsearch side. Please have a look at the docs and make sure OpenID is configured correctly on ES:

https://docs.search-guard.com/latest/openid-json-web-keys

On Monday, February 18, 2019 at 9:59:31 AM UTC+1, Behzad Rezaie wrote:

Hi pals,
I am going to add IdentityServer4 to make the authentication for the Kibana (version 6.5.4) server (http://localhost:5601). I have set the following configuration for in kibana.yml:

searchguard.auth.type: “openid”
searchguard.openid.connect_url: “http://someserver.com/.well-known/openid-configuration”
searchguard.openid.client_id: “elastic-clinetid”
searchguard.openid.client_secret: “elk-secret”
searchguard.openid.scope: “profile openid”

With such configuration, I can login through the identityserver, but the problem is that I receive the error “Authentication failed. Please provide a new token.” in Kibana. How can I solve this? It seems the users and roles are not yet inserted into elastic. Could you please help me with the problem?

Best,
Behzad

On Wednesday, February 20, 2019 at 6:09:52 PM UTC+3:30, Jochen Kressin wrote:

Oh, sorry, there seems to be a broken link in the docs. Here’s the working one, we’ll update the docs soon:

https://downloads.search-guard.com/resources/certificates/certificates.zip

On Wednesday, February 20, 2019 at 3:37:07 PM UTC+1, Behzad Rezaie wrote:

Thanks so much. Regarding the tutorial, I must download and install the certificates. When clicking the link, there is NO certificate file.

Where can I download them from?

On Wednesday, February 20, 2019 at 5:57:31 PM UTC+3:30, Jochen Kressin wrote:

Ok, I did not know you are on Windows. All the installer scripts that we provide are for Linux and Mac, and will not work on Windows. A bash script (.sh) will not work on Windows.

However, there is a step-by-step instruction for Windows which shows you exactly what you need to configure and install:

https://docs.search-guard.com/latest/installation-windows

On Wednesday, February 20, 2019 at 6:39:43 AM UTC+1, Behzad Rezaie wrote:

By the way, when I run the following command, it works correctly with no errors, but the elastic says that the SG is not initialized yet!
./sgadmin.sh -cd …/sgconfig -icl -nhnv -ts …/…/…/…/config/certs/elastic-certificates.p12 -tspass somepass -ks …/…/…/…/config/certs/elastic-certificates.p12 -kspass somepass

On Wednesday, February 20, 2019 at 8:57:20 AM UTC+3:30, Behzad Rezaie wrote:

Dear Jochen,

I have set the configuration as mentioned in my previous comment. As far as I searched, I must run the install_demo_configuration.sh. I am running the command on Windows. Since there is no “sudo” command in windows, I get the following error

bash: sudo: command not found

I am going through the right way? Please let me know your idea.

Best,

Behzad

On Tuesday, February 19, 2019 at 9:15:58 PM UTC+3:30, Jochen Kressin wrote:

In order to run sgadmin you need ro configure and use an admin TLS certificate:

https://docs.search-guard.com/latest/sgadmin#configuring-the-admin-certificate

This must be different from your node certificates (the ones you already configured) for security reasons.

If you say a console window appeared, may I ask which system you are on? Is it Linux, Mac or Windows? Depending on your operating system I can hint you in the right directions.

On Tuesday, February 19, 2019 at 12:05:17 PM UTC+1, Behzad Rezaie wrote:

Dear Jochen,

Thanks for your help. I installed the SG on elastic. and configured it as mentioned in here. In addition, I added the following lines to code to the elasticsearch.yml:

searchguard.ssl.transport.keystore_filepath: certs/elastic-certificates.p12

searchguard.ssl.transport.keystore_password: somepass

searchguard.ssl.transport.truststore_filepath: certs/elastic-certificates.p12

searchguard.ssl.transport.truststore_password: somepass

Also I added the following lines of code to the sg_config.yml:

authc:

openid_auth_domain:

http_enabled: true

transport_enabled: true

order: 0

http_authenticator:

type: openid

challenge: false

config:

subject_key: preferred_username

roles_key: roles

openid_connect_url: http://devpub-srv:1080/.well-known/openid-configuration

authentication_backend:

type: noop

Then, I ran the following command

./sgadmin.sh -cd …/sgconfig -icl -nhnv -ts …/…/…/…/config/certs/elastic-certificates.p12 -tspass somepass -ks …/…/…/…/config/certs/elastic-certificates.p12 -kspass somepass

A console window appeared and vanished quickly. Then I browsed through the elastic server (http://localhost:9200/), but received the following message:

Search Guard not initialized (SG11). See http://docs.search-guard.com/v6/sgadmin

Could you please let me know if I have made any mistakes on my way to configure the elastic and SG?

Best,

Behzad

On Monday, February 18, 2019 at 8:24:02 PM UTC+3:30, Jochen Kressin wrote:

You need to install the Search Guard plugin for Elasticsearch as well. The Kibana plugin alone does very little regarding authentication and authorization. The Search Guard plugin for Elasticsearch is where the access control is implemented:

https://docs.search-guard.com/latest/demo-installer

On Monday, February 18, 2019 at 12:10:04 PM UTC+1, Behzad Rezaie wrote:

Dear Jochen,

Where the sg_config.yml is placed? I can see the folder named “searchguard” in the plugins folder, under the Kibana directory. But cannot find any sg_config.yml file. Should I create it myself?

On Monday, February 18, 2019 at 2:26:48 PM UTC+3:30, Jochen Kressin wrote:

Authentication and authorization is configured in sg_config.yml, not elasticsearch.yml:

https://docs.search-guard.com/latest/authentication-authorization

After changing the configuration you need to apply the changed settings via sgadmin:

https://docs.search-guard.com/latest/sgadmin

If you have used the demo installer to install Search Guard:

https://docs.search-guard.com/latest/demo-installer

You will find an sgadmin_demo.sh script in the plugins/search-guard-6/tools folder which you can use as-is.

On Monday, February 18, 2019 at 11:47:39 AM UTC+1, Behzad Rezaie wrote:

Dear Jochen,

Thanks for your reply. We setting the config in the elasticsearch.yml, I receive an error saying that “unknown setting [searchguard.dynamic.authc.basic_internal_auth_domain.authentication_backend.type] please check that any required plugins are installed, or check the breaking changes documentation for removed settings”!

My setting is as follows:

xpack.security.audit.enabled: true

xpack.security.enabled: false

searchguard:

dynamic:

authc:

basic_internal_auth_domain:

enabled: true

order: 0

http_authenticator:

type: basic

challenge: false

authentication_backend:

type: internal

openid_auth_domain:

enabled: true

order: 1

http_authenticator:

type: openid

challenge: false

config:

subject_key: preferred_username

roles_key: roles

openid_connect_url: http://someserver.com/.well-known/openid-configuration

authentication_backend:

type: noop

On Monday, February 18, 2019 at 1:14:52 PM UTC+3:30, Jochen Kressin wrote:

You also need to configure OpenID on Elasticsearch, not just on Kibana. Kibana is responsible for the OpenID request flow, but the identity token that your IdP issues is ultimately validated on the Elasticsearch side. Please have a look at the docs and make sure OpenID is configured correctly on ES:

https://docs.search-guard.com/latest/openid-json-web-keys

On Monday, February 18, 2019 at 9:59:31 AM UTC+1, Behzad Rezaie wrote:

Hi pals,
I am going to add IdentityServer4 to make the authentication for the Kibana (version 6.5.4) server (http://localhost:5601). I have set the following configuration for in kibana.yml:

searchguard.auth.type: “openid”
searchguard.openid.connect_url: “http://someserver.com/.well-known/openid-configuration”
searchguard.openid.client_id: “elastic-clinetid”
searchguard.openid.client_secret: “elk-secret”
searchguard.openid.scope: “profile openid”

With such configuration, I can login through the identityserver, but the problem is that I receive the error “Authentication failed. Please provide a new token.” in Kibana. How can I solve this? It seems the users and roles are not yet inserted into elastic. Could you please help me with the problem?

Best,
Behzad

On Wednesday, February 20, 2019 at 3:46:24 PM UTC+1, Behzad Rezaie wrote:

When browsing the https://localhost:9200/_searchguard/authinfo, I accepted the certificate, and then I received again the following message after restarting the node:

Search Guard not initialized (SG11). See http://docs.search-guard.com/v6/sgadmin

On Wednesday, February 20, 2019 at 6:09:52 PM UTC+3:30, Jochen Kressin wrote:

Oh, sorry, there seems to be a broken link in the docs. Here’s the working one, we’ll update the docs soon:

https://downloads.search-guard.com/resources/certificates/certificates.zip

On Wednesday, February 20, 2019 at 3:37:07 PM UTC+1, Behzad Rezaie wrote:

Thanks so much. Regarding the tutorial, I must download and install the certificates. When clicking the link, there is NO certificate file.

Where can I download them from?

On Wednesday, February 20, 2019 at 5:57:31 PM UTC+3:30, Jochen Kressin wrote:

Ok, I did not know you are on Windows. All the installer scripts that we provide are for Linux and Mac, and will not work on Windows. A bash script (.sh) will not work on Windows.

However, there is a step-by-step instruction for Windows which shows you exactly what you need to configure and install:

https://docs.search-guard.com/latest/installation-windows

On Wednesday, February 20, 2019 at 6:39:43 AM UTC+1, Behzad Rezaie wrote:

By the way, when I run the following command, it works correctly with no errors, but the elastic says that the SG is not initialized yet!
./sgadmin.sh -cd …/sgconfig -icl -nhnv -ts …/…/…/…/config/certs/elastic-certificates.p12 -tspass somepass -ks …/…/…/…/config/certs/elastic-certificates.p12 -kspass somepass

On Wednesday, February 20, 2019 at 8:57:20 AM UTC+3:30, Behzad Rezaie wrote:

Dear Jochen,

I have set the configuration as mentioned in my previous comment. As far as I searched, I must run the install_demo_configuration.sh. I am running the command on Windows. Since there is no “sudo” command in windows, I get the following error

bash: sudo: command not found

I am going through the right way? Please let me know your idea.

Best,

Behzad

On Tuesday, February 19, 2019 at 9:15:58 PM UTC+3:30, Jochen Kressin wrote:

In order to run sgadmin you need ro configure and use an admin TLS certificate:

https://docs.search-guard.com/latest/sgadmin#configuring-the-admin-certificate

This must be different from your node certificates (the ones you already configured) for security reasons.

If you say a console window appeared, may I ask which system you are on? Is it Linux, Mac or Windows? Depending on your operating system I can hint you in the right directions.

On Tuesday, February 19, 2019 at 12:05:17 PM UTC+1, Behzad Rezaie wrote:

Dear Jochen,

Thanks for your help. I installed the SG on elastic. and configured it as mentioned in here. In addition, I added the following lines to code to the elasticsearch.yml:

searchguard.ssl.transport.keystore_filepath: certs/elastic-certificates.p12

searchguard.ssl.transport.keystore_password: somepass

searchguard.ssl.transport.truststore_filepath: certs/elastic-certificates.p12

searchguard.ssl.transport.truststore_password: somepass

Also I added the following lines of code to the sg_config.yml:

authc:

openid_auth_domain:

http_enabled: true

transport_enabled: true

order: 0

http_authenticator:

type: openid

challenge: false

config:

subject_key: preferred_username

roles_key: roles

openid_connect_url: http://devpub-srv:1080/.well-known/openid-configuration

authentication_backend:

type: noop

Then, I ran the following command

./sgadmin.sh -cd …/sgconfig -icl -nhnv -ts …/…/…/…/config/certs/elastic-certificates.p12 -tspass somepass -ks …/…/…/…/config/certs/elastic-certificates.p12 -kspass somepass

A console window appeared and vanished quickly. Then I browsed through the elastic server (http://localhost:9200/), but received the following message:

Search Guard not initialized (SG11). See http://docs.search-guard.com/v6/sgadmin

Could you please let me know if I have made any mistakes on my way to configure the elastic and SG?

Best,

Behzad

On Monday, February 18, 2019 at 8:24:02 PM UTC+3:30, Jochen Kressin wrote:

You need to install the Search Guard plugin for Elasticsearch as well. The Kibana plugin alone does very little regarding authentication and authorization. The Search Guard plugin for Elasticsearch is where the access control is implemented:

https://docs.search-guard.com/latest/demo-installer

On Monday, February 18, 2019 at 12:10:04 PM UTC+1, Behzad Rezaie wrote:

Dear Jochen,

Where the sg_config.yml is placed? I can see the folder named “searchguard” in the plugins folder, under the Kibana directory. But cannot find any sg_config.yml file. Should I create it myself?

On Monday, February 18, 2019 at 2:26:48 PM UTC+3:30, Jochen Kressin wrote:

Authentication and authorization is configured in sg_config.yml, not elasticsearch.yml:

https://docs.search-guard.com/latest/authentication-authorization

After changing the configuration you need to apply the changed settings via sgadmin:

https://docs.search-guard.com/latest/sgadmin

If you have used the demo installer to install Search Guard:

https://docs.search-guard.com/latest/demo-installer

You will find an sgadmin_demo.sh script in the plugins/search-guard-6/tools folder which you can use as-is.

On Monday, February 18, 2019 at 11:47:39 AM UTC+1, Behzad Rezaie wrote:

Dear Jochen,

Thanks for your reply. We setting the config in the elasticsearch.yml, I receive an error saying that “unknown setting [searchguard.dynamic.authc.basic_internal_auth_domain.authentication_backend.type] please check that any required plugins are installed, or check the breaking changes documentation for removed settings”!

My setting is as follows:

xpack.security.audit.enabled: true

xpack.security.enabled: false

searchguard:

dynamic:

authc:

basic_internal_auth_domain:

enabled: true

order: 0

http_authenticator:

type: basic

challenge: false

authentication_backend:

type: internal

openid_auth_domain:

enabled: true

order: 1

http_authenticator:

type: openid

challenge: false

config:

subject_key: preferred_username

roles_key: roles

openid_connect_url: http://someserver.com/.well-known/openid-configuration

authentication_backend:

type: noop

On Monday, February 18, 2019 at 1:14:52 PM UTC+3:30, Jochen Kressin wrote:

You also need to configure OpenID on Elasticsearch, not just on Kibana. Kibana is responsible for the OpenID request flow, but the identity token that your IdP issues is ultimately validated on the Elasticsearch side. Please have a look at the docs and make sure OpenID is configured correctly on ES:

https://docs.search-guard.com/latest/openid-json-web-keys

On Monday, February 18, 2019 at 9:59:31 AM UTC+1, Behzad Rezaie wrote:

Hi pals,
I am going to add IdentityServer4 to make the authentication for the Kibana (version 6.5.4) server (http://localhost:5601). I have set the following configuration for in kibana.yml:

searchguard.auth.type: “openid”
searchguard.openid.connect_url: “http://someserver.com/.well-known/openid-configuration”
searchguard.openid.client_id: “elastic-clinetid”
searchguard.openid.client_secret: “elk-secret”
searchguard.openid.scope: “profile openid”

With such configuration, I can login through the identityserver, but the problem is that I receive the error “Authentication failed. Please provide a new token.” in Kibana. How can I solve this? It seems the users and roles are not yet inserted into elastic. Could you please help me with the problem?

Best,
Behzad

On Wednesday, February 20, 2019 at 6:19:22 PM UTC+3:30, Jochen Kressin wrote:

Did you enable the auto init feature in elasticsearch.yml as per installation instructions?

searchguard.allow_default_init_sgindex: true

``

Have you tried to initialize SG manually?

https://docs.search-guard.com/latest/installation-windows#applying-configuration-changes

On Wednesday, February 20, 2019 at 3:46:24 PM UTC+1, Behzad Rezaie wrote:

When browsing the https://localhost:9200/_searchguard/authinfo, I accepted the certificate, and then I received again the following message after restarting the node:

Search Guard not initialized (SG11). See http://docs.search-guard.com/v6/sgadmin

On Wednesday, February 20, 2019 at 6:09:52 PM UTC+3:30, Jochen Kressin wrote:

Oh, sorry, there seems to be a broken link in the docs. Here’s the working one, we’ll update the docs soon:

https://downloads.search-guard.com/resources/certificates/certificates.zip

On Wednesday, February 20, 2019 at 3:37:07 PM UTC+1, Behzad Rezaie wrote:

Thanks so much. Regarding the tutorial, I must download and install the certificates. When clicking the link, there is NO certificate file.

Where can I download them from?

On Wednesday, February 20, 2019 at 5:57:31 PM UTC+3:30, Jochen Kressin wrote:

Ok, I did not know you are on Windows. All the installer scripts that we provide are for Linux and Mac, and will not work on Windows. A bash script (.sh) will not work on Windows.

However, there is a step-by-step instruction for Windows which shows you exactly what you need to configure and install:

https://docs.search-guard.com/latest/installation-windows

On Wednesday, February 20, 2019 at 6:39:43 AM UTC+1, Behzad Rezaie wrote:

By the way, when I run the following command, it works correctly with no errors, but the elastic says that the SG is not initialized yet!
./sgadmin.sh -cd …/sgconfig -icl -nhnv -ts …/…/…/…/config/certs/elastic-certificates.p12 -tspass somepass -ks …/…/…/…/config/certs/elastic-certificates.p12 -kspass somepass

On Wednesday, February 20, 2019 at 8:57:20 AM UTC+3:30, Behzad Rezaie wrote:

Dear Jochen,

I have set the configuration as mentioned in my previous comment. As far as I searched, I must run the install_demo_configuration.sh. I am running the command on Windows. Since there is no “sudo” command in windows, I get the following error

bash: sudo: command not found

I am going through the right way? Please let me know your idea.

Best,

Behzad

On Tuesday, February 19, 2019 at 9:15:58 PM UTC+3:30, Jochen Kressin wrote:

In order to run sgadmin you need ro configure and use an admin TLS certificate:

https://docs.search-guard.com/latest/sgadmin#configuring-the-admin-certificate

This must be different from your node certificates (the ones you already configured) for security reasons.

If you say a console window appeared, may I ask which system you are on? Is it Linux, Mac or Windows? Depending on your operating system I can hint you in the right directions.

On Tuesday, February 19, 2019 at 12:05:17 PM UTC+1, Behzad Rezaie wrote:

Dear Jochen,

Thanks for your help. I installed the SG on elastic. and configured it as mentioned in here. In addition, I added the following lines to code to the elasticsearch.yml:

searchguard.ssl.transport.keystore_filepath: certs/elastic-certificates.p12

searchguard.ssl.transport.keystore_password: somepass

searchguard.ssl.transport.truststore_filepath: certs/elastic-certificates.p12

searchguard.ssl.transport.truststore_password: somepass

Also I added the following lines of code to the sg_config.yml:

authc:

openid_auth_domain:

http_enabled: true

transport_enabled: true

order: 0

http_authenticator:

type: openid

challenge: false