Problem with IdentityServer4

Dear Jochen,

Thanks for your kind help.

Aside from the problem that occurred in Kibana, when I run the Elastic, I receive the following error:

Authentication finally failed

When looking at the log file, I get the following:

[WARN ][c.f.s.a.BackendRegistry ] [BREZAEI-PC] Authentication finally failed for null from [::1]:4048

[c.f.s.h.SearchGuardHttpServerTransport] [BREZAEI-PC] Someone (/127.0.0.1:4050) speaks http plaintext instead of ssl, will close the channel

···

On Thursday, February 21, 2019 at 1:35:03 PM UTC+3:30, Jochen Kressin wrote:

This is an error/warning from X-Pack, not Search Guard. I stumbled upon this, does not seem to affect any Kibana functionality. If it does please open an issue on the Kibana / X-Pack forum.

On Wednesday, February 20, 2019 at 5:11:57 PM UTC+1, Behzad Rezaie wrote:

I did solve the problem by modifying the paths. Thanks so much, dear Jochen.

I set the Kibana configuration according to the tutorial. When running the kibana.bat, I get the following error:

[BABEL] Note: The code generator has deoptimised the styling of “[JibanaDirectory]/node_modules/x-pack/plugins/canvas/canvas_plugin/types/all.js” as it exceeds the max of “500KB”.

On Wednesday, February 20, 2019 at 6:31:38 PM UTC+3:30, Behzad Rezaie wrote:

I just got the point!
The problem is that my [ElasticSearch]/config folder is placed in “…......\config”, while the sgadmin.bat searches for “…....\config”. How can I set it to my config folder?

On Wednesday, February 20, 2019 at 6:24:20 PM UTC+3:30, Behzad Rezaie wrote:

The PowerShell is run as administrator and the folder of [Elastic]/config is NOT read-only

On Wednesday, February 20, 2019 at 6:22:55 PM UTC+3:30, Behzad Rezaie wrote:

Yes, I have set the config. When running the command, I get the following error:

On Wednesday, February 20, 2019 at 6:19:22 PM UTC+3:30, Jochen Kressin wrote:

Did you enable the auto init feature in elasticsearch.yml as per installation instructions?

searchguard.allow_default_init_sgindex: true

Have you tried to initialize SG manually?

https://docs.search-guard.com/latest/installation-windows#applying-configuration-changes

On Wednesday, February 20, 2019 at 3:46:24 PM UTC+1, Behzad Rezaie wrote:

When browsing the https://localhost:9200/_searchguard/authinfo, I accepted the certificate, and then I received again the following message after restarting the node:

Search Guard not initialized (SG11). See http://docs.search-guard.com/v6/sgadmin

On Wednesday, February 20, 2019 at 6:09:52 PM UTC+3:30, Jochen Kressin wrote:

Oh, sorry, there seems to be a broken link in the docs. Here’s the working one, we’ll update the docs soon:

https://downloads.search-guard.com/resources/certificates/certificates.zip

On Wednesday, February 20, 2019 at 3:37:07 PM UTC+1, Behzad Rezaie wrote:

Thanks so much. Regarding the tutorial, I must download and install the certificates. When clicking the link, there is NO certificate file.

Where can I download them from?

On Wednesday, February 20, 2019 at 5:57:31 PM UTC+3:30, Jochen Kressin wrote:

Ok, I did not know you are on Windows. All the installer scripts that we provide are for Linux and Mac, and will not work on Windows. A bash script (.sh) will not work on Windows.

However, there is a step-by-step instruction for Windows which shows you exactly what you need to configure and install:

https://docs.search-guard.com/latest/installation-windows

On Wednesday, February 20, 2019 at 6:39:43 AM UTC+1, Behzad Rezaie wrote:

By the way, when I run the following command, it works correctly with no errors, but the elastic says that the SG is not initialized yet!
./sgadmin.sh -cd …/sgconfig -icl -nhnv -ts …/…/…/…/config/certs/elastic-certificates.p12 -tspass somepass -ks …/…/…/…/config/certs/elastic-certificates.p12 -kspass somepass

On Wednesday, February 20, 2019 at 8:57:20 AM UTC+3:30, Behzad Rezaie wrote:

Dear Jochen,

I have set the configuration as mentioned in my previous comment. As far as I searched, I must run the install_demo_configuration.sh. I am running the command on Windows. Since there is no “sudo” command in Windows, I get the following error:

bash: sudo: command not found

Am I going the right way? Please let me know your idea.

Best,

Behzad

On Tuesday, February 19, 2019 at 9:15:58 PM UTC+3:30, Jochen Kressin wrote:

In order to run sgadmin you need to configure and use an admin TLS certificate:

https://docs.search-guard.com/latest/sgadmin#configuring-the-admin-certificate

This must be different from your node certificates (the ones you already configured) for security reasons.

If you say a console window appeared, may I ask which system you are on? Is it Linux, Mac or Windows? Depending on your operating system I can hint you in the right directions.

On Tuesday, February 19, 2019 at 12:05:17 PM UTC+1, Behzad Rezaie wrote:

Dear Jochen,

Thanks for your help. I installed the SG on elastic and configured it as mentioned in here. In addition, I added the following lines of code to the elasticsearch.yml:

searchguard.ssl.transport.keystore_filepath: certs/elastic-certificates.p12
searchguard.ssl.transport.keystore_password: somepass
searchguard.ssl.transport.truststore_filepath: certs/elastic-certificates.p12
searchguard.ssl.transport.truststore_password: somepass

Also I added the following lines of code to the sg_config.yml:

authc:
  openid_auth_domain:
    http_enabled: true
    transport_enabled: true
    order: 0
    http_authenticator:
      type: openid
      challenge: false
      config:
        subject_key: preferred_username
        roles_key: roles
        openid_connect_url: http://devpub-srv:1080/.well-known/openid-configuration
    authentication_backend:
      type: noop

Then, I ran the following command

./sgadmin.sh -cd …/sgconfig -icl -nhnv -ts …/…/…/…/config/certs/elastic-certificates.p12 -tspass somepass -ks …/…/…/…/config/certs/elastic-certificates.p12 -kspass somepass

A console window appeared and vanished quickly. Then I browsed through the elastic server (http://localhost:9200/), but received the following message:

Search Guard not initialized (SG11). See http://docs.search-guard.com/v6/sgadmin

Could you please let me know if I have made any mistakes on my way to configure the elastic and SG?

Best,

Behzad

On Monday, February 18, 2019 at 8:24:02 PM UTC+3:30, Jochen Kressin wrote:

You need to install the Search Guard plugin for Elasticsearch as well. The Kibana plugin alone does very little regarding authentication and authorization. The Search Guard plugin for Elasticsearch is where the access control is implemented:

https://docs.search-guard.com/latest/demo-installer

On Monday, February 18, 2019 at 12:10:04 PM UTC+1, Behzad Rezaie wrote:

Dear Jochen,

Where is the sg_config.yml placed? I can see the folder named “searchguard” in the plugins folder, under the Kibana directory, but cannot find any sg_config.yml file. Should I create it myself?

On Monday, February 18, 2019 at 2:26:48 PM UTC+3:30, Jochen Kressin wrote:

Authentication and authorization is configured in sg_config.yml, not elasticsearch.yml:

https://docs.search-guard.com/latest/authentication-authorization

After changing the configuration you need to apply the changed settings via sgadmin:

https://docs.search-guard.com/latest/sgadmin

If you have used the demo installer to install Search Guard:

https://docs.search-guard.com/latest/demo-installer

You will find an sgadmin_demo.sh script in the plugins/search-guard-6/tools folder which you can use as-is.

On Monday, February 18, 2019 at 11:47:39 AM UTC+1, Behzad Rezaie wrote:

Dear Jochen,

Thanks for your reply. When setting the config in the elasticsearch.yml, I receive an error saying that “unknown setting [searchguard.dynamic.authc.basic_internal_auth_domain.authentication_backend.type] please check that any required plugins are installed, or check the breaking changes documentation for removed settings”!

My setting is as follows:

xpack.security.audit.enabled: true
xpack.security.enabled: false
searchguard:
  dynamic:
    authc:
      basic_internal_auth_domain:
        enabled: true
        order: 0
        http_authenticator:
          type: basic
          challenge: false
        authentication_backend:
          type: internal
      openid_auth_domain:
        enabled: true
        order: 1
        http_authenticator:
          type: openid
          challenge: false
          config:
            subject_key: preferred_username
            roles_key: roles
            openid_connect_url: http://someserver.com/.well-known/openid-configuration
        authentication_backend:
          type: noop

On Monday, February 18, 2019 at 1:14:52 PM UTC+3:30, Jochen Kressin wrote:

You also need to configure OpenID on Elasticsearch, not just on Kibana. Kibana is responsible for the OpenID request flow, but the identity token that your IdP issues is ultimately validated on the Elasticsearch side. Please have a look at the docs and make sure OpenID is configured correctly on ES:

https://docs.search-guard.com/latest/openid-json-web-keys

On Monday, February 18, 2019 at 9:59:31 AM UTC+1, Behzad Rezaie wrote:

Hi pals,
I am going to add IdentityServer4 to make the authentication for the Kibana (version 6.5.4) server (http://localhost:5601). I have set the following configuration in kibana.yml:

searchguard.auth.type: "openid"
searchguard.openid.connect_url: "http://someserver.com/.well-known/openid-configuration"
searchguard.openid.client_id: "elastic-clinetid"
searchguard.openid.client_secret: "elk-secret"
searchguard.openid.scope: "profile openid"

With such configuration, I can login through the identityserver, but the problem is that I receive the error “Authentication failed. Please provide a new token.” in Kibana. How can I solve this? It seems the users and roles are not yet inserted into elastic. Could you please help me with the problem?

Best,
Behzad

Searching on the Net, I found the problem is that some plugins are running on http, instead of https! Looking for the ports logged on the elastic log file, I found the following result (I ran the command “netstat -a -b -o” in cmd):

Proto  Local Address    Foreign Address   State      PID
TCP    127.0.0.1:9200   BRezaei-PC:6614   TIME_WAIT  0
TCP    127.0.0.1:9200   BRezaei-PC:6762   TIME_WAIT  0
TCP    127.0.0.1:9200   BRezaei-PC:6813   TIME_WAIT  0
TCP    127.0.0.1:9300   BRezaei-PC:0      LISTENING  2680
 [java.exe]

The ports 6614, 6762, and 6813 are of the ports speaking http plaintext instead of ssl, will close the channel!

How can I set them to use the https?!

···

On Saturday, February 23, 2019 at 10:39:49 AM UTC+3:30, Behzad Rezaie wrote:

Dear Jochen,

Thanks for your kind help.

Aside from the problem that occurred in Kibana, when I run the Elastic, I receive the following error:

Authentication finally failed

When looking at the log file, I get the following:


[WARN ][c.f.s.a.BackendRegistry ] [BREZAEI-PC] Authentication finally failed for null from [::1]:4048

[c.f.s.h.SearchGuardHttpServerTransport] [BREZAEI-PC] Someone (/127.0.0.1:4050) speaks http plaintext instead of ssl, will close the channel

See Configuring TLS | Security for Elasticsearch | Search Guard

To enable HTTPS for Search Guard set searchguard.ssl.http.enabled: true in elasticsearch.yml
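The two log messages quoted in this thread can be counted per client address to see which clients still talk plain HTTP to port 9200 once searchguard.ssl.http.enabled: true is set. The following Python script is an added example, not part of the original posts or of Search Guard; the first two sample lines are the ones quoted in the thread, the rest are constructed, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# "Someone (/127.0.0.1:4050) speaks http plaintext instead of ssl, ..."
PLAINTEXT_RE = re.compile(
    r"Someone \(/?(?P<host>[^)]+?):(?P<port>\d+)\) speaks http plaintext instead of ssl"
)
# "Authentication finally failed for null from [::1]:4048"
AUTH_FAILED_RE = re.compile(
    r"Authentication finally failed for (?P<user>.+?) from "
    r"(?P<host>\[[^\]]+\]|[^:\s]+):(?P<port>\d+)"
)

# Constructed sample: lines 1-2 are quoted in the thread, lines 3-5 are made up.
SAMPLE_LOG = """\
[WARN ][c.f.s.a.BackendRegistry ] [BREZAEI-PC] Authentication finally failed for null from [::1]:4048
[c.f.s.h.SearchGuardHttpServerTransport] [BREZAEI-PC] Someone (/127.0.0.1:4050) speaks http plaintext instead of ssl, will close the channel
[c.f.s.h.SearchGuardHttpServerTransport] [BREZAEI-PC] Someone (/127.0.0.1:4051) speaks http plaintext instead of ssl, will close the channel
[WARN ][c.f.s.a.BackendRegistry ] [BREZAEI-PC] Authentication finally failed for kibanaserver from 192.0.2.10:50122
[INFO ][o.e.n.Node ] [BREZAEI-PC] started
"""


def triage(lines):
    """Count plaintext-HTTP and failed-authentication events per client address.

    The port in these messages is the client's ephemeral source port (the same
    kind of port netstat lists as the foreign address). It changes with every
    connection, so events are grouped by address only.
    """
    report = defaultdict(lambda: {"plaintext": 0, "auth_failed": 0, "users": set()})
    for line in lines:
        match = PLAINTEXT_RE.search(line)
        if match:
            report[match["host"]]["plaintext"] += 1
            continue
        match = AUTH_FAILED_RE.search(line)
        if match:
            entry = report[match["host"].strip("[]")]
            entry["auth_failed"] += 1
            entry["users"].add(match["user"])  # "null" = no user name was identified
    return dict(report)


def plaintext_clients(report):
    """Addresses whose client must be switched from http:// to https://."""
    return sorted(host for host, entry in report.items() if entry["plaintext"])


if __name__ == "__main__":
    result = triage(SAMPLE_LOG.splitlines())
    for host, entry in sorted(result.items()):
        print(host, entry["plaintext"], entry["auth_failed"], sorted(entry["users"]))
    print("still using plain HTTP:", plaintext_clients(result))
```
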

Dear madam/sir,

Due to the problems that occurred, I decided to reinstall the elastic and kibana from scratch. Then I followed the instructions provided in here, here, here, and here. When running the kibana, I get the following error:

Authentication failed. Please provide a new token.

Here are my configuration files:

sg_config.yml:

searchguard:
  dynamic:
    authc:
      basic_internal_auth_domain:
        enabled: true
        order: 0
        http_authenticator:
          type: "basic"
          challenge: false
        authentication_backend:
          type: "internal"
      openid_auth_domain:
        enabled: true
        order: 1
        http_authenticator:
          type: openid
          challenge: false
          config:
            openid_connect_url: http://someserver/.well-known/openid-configuration
            subject_key: preferred_username
            roles_key: roles
        authentication_backend:
          type: noop

kibana.yml:

elasticsearch.url: "https://localhost:9200"
elasticsearch.username: "kibanaserver"
elasticsearch.password: "kibanaserver"
elasticsearch.ssl.verificationMode: none
elasticsearch.requestHeadersWhitelist: [ "Authorization", "sgtenant" ]
searchguard.auth.type: "openid"
searchguard.openid.connect_url: " http://someserver/.well-known/openid-configuration"
searchguard.openid.client_id: "elastic-mvc"
searchguard.openid.client_secret: "elk-secret"
xpack.security.enabled: false

////////////////////////////////////////////////////////////////////////////

elasticsearch.yml:

bootstrap.memory_lock: false
cluster.name: elasticsearch
http.port: 9200
node.data: true
node.ingest: true
node.master: true
node.max_local_storage_nodes: 1
node.name: Some-PC
path.data: F:\Program\ELK\data
path.logs: F:\Program\ELK\logs
transport.tcp.port: 9300
xpack.license.self_generated.type: basic
xpack.security.enabled: false
searchguard.ssl.transport.pemcert_filepath: esnode.pem
searchguard.ssl.transport.pemkey_filepath: esnode-key.pem
searchguard.ssl.transport.pemtrustedcas_filepath: root-ca.pem
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.http.enabled: true
searchguard.ssl.http.pemcert_filepath: esnode.pem
searchguard.ssl.http.pemkey_filepath: esnode-key.pem
searchguard.ssl.http.pemtrustedcas_filepath: root-ca.pem
searchguard.allow_unsafe_democertificates: true

////////////////////////////////////////////////////////////////////////////

sg_roles.yml:

.
.
.
sg_human_resources:
  cluster:
    - CLUSTER_COMPOSITE_OPS
  indices:
    'humanresources':
      '*':
        - INDICES_ALL
.
.
.

////////////////////////////////////////////////////////////////////////////

sg_roles_mapping.yml:

.
.
.
sg_human_resources:
  backendroles:
    - hr
.
.
.

My IdentityServer4 config:

I have also added two roles in the IdentityServer4 named hr and kibanauser and assigned my account to these two roles.

Could you please let me know about any mistakes I have made in my configuration?

Thanks in advance

On Tuesday, February 26, 2019 at 11:17:33 AM UTC+3:30, Search Guard wrote:

See https://docs.search-guard.com/latest/configuring-tls#rest-layer-tls-1

To enable HTTPS for Search Guard set searchguard.ssl.http.enabled: true in elasticsearch.yml

On Saturday, 23 February 2019 13:17:22 UTC+1, Behzad Rezaie wrote:

Searching on the Net, I found the problem is that some plugins are running on http, instead of https! Looking for the ports logged on the elastic log file, I found the following result (I ran the command “netstat -a -b -o” in cmd):

Proto  Local Address    Foreign Address   State      PID
TCP    127.0.0.1:9200   BRezaei-PC:6614   TIME_WAIT  0
TCP    127.0.0.1:9200   BRezaei-PC:6762   TIME_WAIT  0
TCP    127.0.0.1:9200   BRezaei-PC:6813   TIME_WAIT  0
TCP    127.0.0.1:9300   BRezaei-PC:0      LISTENING  2680
[java.exe]

The ports 6614, 6762, and 6813 are of the ports speaking http plaintext instead of ssl, will close the channel!

How can I set them to use the https?!

On Saturday, February 23, 2019 at 10:39:49 AM UTC+3:30, Behzad Rezaie wrote:

Dear Jochen,

Thanks for your kind help.

Aside from the problem that occurred in Kibana, when I run the Elastic, I receive the following error:

Authentication finally failed

When looking at the log file, I get the following:


[WARN ][c.f.s.a.BackendRegistry ] [BREZAEI-PC] Authentication finally failed for null from [::1]:4048

[c.f.s.h.SearchGuardHttpServerTransport] [BREZAEI-PC] Someone (/127.0.0.1:4050) speaks http plaintext instead of ssl, will close the channel

On Thursday, February 21, 2019 at 1:35:03 PM UTC+3:30, Jochen Kressin wrote:

This is an error/warning from X-Pack, not Search Guard. I stumbled upon this, does not seem to affect any Kibana functionality. If it does please open an issue on the Kibana / X-Pack forum.

On Wednesday, February 20, 2019 at 5:11:57 PM UTC+1, Behzad Rezaie wrote:

I did solve the problem by modifying the paths. Thanks so much, dear Jochen.

I set the Kibana configuration according to the tutorial. When running the kibana.bat, I get the following error:

[BABEL] Note: The code generator has deoptimised the styling of “[JibanaDirectory]/node_modules/x-pack/plugins/canvas/canvas_plugin/types/all.js” as it exceeds the max of “500KB”.

On Wednesday, February 20, 2019 at 6:31:38 PM UTC+3:30, Behzad Rezaie wrote:

I just got the point!
The problem is that my [ElasticSearch]/config folder is placed in “…......\config”, while the sgadmin.bat searches for “…....\config”. How can I set it to my config folder?

On Wednesday, February 20, 2019 at 6:24:20 PM UTC+3:30, Behzad Rezaie wrote:

The PowerShell is run as administrator and the folder of [Elastic]/config is NOT read-only

On Wednesday, February 20, 2019 at 6:22:55 PM UTC+3:30, Behzad Rezaie wrote:

Yes, I have set the config. When running the command, I get the following error:

On Wednesday, February 20, 2019 at 6:19:22 PM UTC+3:30, Jochen Kressin wrote:

Did you enable the auto init feature in elasticsearch.yml as per installation instructions?

searchguard.allow_default_init_sgindex: true

Have you tried to initialize SG manually?

https://docs.search-guard.com/latest/installation-windows#applying-configuration-changes

On Wednesday, February 20, 2019 at 3:46:24 PM UTC+1, Behzad Rezaie wrote:

When browsing the https://localhost:9200/_searchguard/authinfo, I accepted the certificate, and then I received again the following message after restarting the node:

Search Guard not initialized (SG11). See http://docs.search-guard.com/v6/sgadmin

On Wednesday, February 20, 2019 at 6:09:52 PM UTC+3:30, Jochen Kressin wrote:

Oh, sorry, there seems to be a broken link in the docs. Here’s the working one, we’ll update the docs soon:

https://downloads.search-guard.com/resources/certificates/certificates.zip

On Wednesday, February 20, 2019 at 3:37:07 PM UTC+1, Behzad Rezaie wrote:

Thanks so much. Regarding the tutorial, I must download and install the certificates. When clicking the link, there is NO certificate file.

Where can I download them from?

On Wednesday, February 20, 2019 at 5:57:31 PM UTC+3:30, Jochen Kressin wrote:

Ok, I did not know you are on Windows. All the installer scripts that we provide are for Linux and Mac, and will not work on Windows. A bash script (.sh) will not work on Windows.

However, there is a step-by-step instruction for Windows which shows you exactly what you need to configure and install:

https://docs.search-guard.com/latest/installation-windows

On Wednesday, February 20, 2019 at 6:39:43 AM UTC+1, Behzad Rezaie wrote:

By the way, when I run the following command, it works correctly with no errors, but the elastic says that the SG is not initialized yet!
./sgadmin.sh -cd …/sgconfig -icl -nhnv -ts …/…/…/…/config/certs/elastic-certificates.p12 -tspass somepass -ks …/…/…/…/config/certs/elastic-certificates.p12 -kspass somepass

On Wednesday, February 20, 2019 at 8:57:20 AM UTC+3:30, Behzad Rezaie wrote:

Dear Jochen,

I have set the configuration as mentioned in my previous comment. As far as I searched, I must run the install_demo_configuration.sh. I am running the command on Windows. Since there is no “sudo” command in windows, I get the following error

bash: sudo: command not found

Am I going the right way? Please let me know your idea.

Best,

Behzad

On Tuesday, February 19, 2019 at 9:15:58 PM UTC+3:30, Jochen Kressin wrote:

In order to run sgadmin you need to configure and use an admin TLS certificate:

https://docs.search-guard.com/latest/sgadmin#configuring-the-admin-certificate

This must be different from your node certificates (the ones you already configured) for security reasons.

If you say a console window appeared, may I ask which system you are on? Is it Linux, Mac or Windows? Depending on your operating system I can hint you in the right directions.

On Tuesday, February 19, 2019 at 12:05:17 PM UTC+1, Behzad Rezaie wrote:

Dear Jochen,

Thanks for your help. I installed the SG on elastic and configured it as mentioned in here. In addition, I added the following lines of code to the elasticsearch.yml:

searchguard.ssl.transport.keystore_filepath: certs/elastic-certificates.p12
searchguard.ssl.transport.keystore_password: somepass
searchguard.ssl.transport.truststore_filepath: certs/elastic-certificates.p12
searchguard.ssl.transport.truststore_password: somepass

Also I added the following lines of code to the sg_config.yml:

authc:
  openid_auth_domain:
    http_enabled: true
    transport_enabled: true
    order: 0
    http_authenticator:
      type: openid
      challenge: false
      config:
        subject_key: preferred_username
        roles_key: roles
        openid_connect_url: http://devpub-srv:1080/.well-known/openid-configuration
    authentication_backend:
      type: noop

Then, I ran the following command

./sgadmin.sh -cd …/sgconfig -icl -nhnv -ts …/…/…/…/config/certs/elastic-certificates.p12 -tspass somepass -ks …/…/…/…/config/certs/elastic-certificates.p12 -kspass somepass

A console window appeared and vanished quickly. Then I browsed through the elastic server (http://localhost:9200/), but received the following message:

Search Guard not initialized (SG11). See http://docs.search-guard.com/v6/sgadmin

Could you please let me know if I have made any mistakes on my way to configure the elastic and SG?

Best,

Behzad

On Monday, February 18, 2019 at 8:24:02 PM UTC+3:30, Jochen Kressin wrote:

You need to install the Search Guard plugin for Elasticsearch as well. The Kibana plugin alone does very little regarding authentication and authorization. The Search Guard plugin for Elasticsearch is where the access control is implemented:

https://docs.search-guard.com/latest/demo-installer

On Monday, February 18, 2019 at 12:10:04 PM UTC+1, Behzad Rezaie wrote:

Dear Jochen,

Where is the sg_config.yml placed? I can see the folder named "searchguard" in the plugins folder, under the Kibana directory, but I cannot find any sg_config.yml file. Should I create it myself?

On Monday, February 18, 2019 at 2:26:48 PM UTC+3:30, Jochen Kressin wrote:

Authentication and authorization is configured in sg_config.yml, not elasticsearch.yml:

https://docs.search-guard.com/latest/authentication-authorization

After changing the configuration you need to apply the changed settings via sgadmin:

https://docs.search-guard.com/latest/sgadmin

If you have used the demo installer to install Search Guard:

https://docs.search-guard.com/latest/demo-installer

You will find an sgadmin_demo.sh script in the plugins/search-guard-6/tools folder which you can use as-is.

On Monday, February 18, 2019 at 11:47:39 AM UTC+1, Behzad Rezaie wrote:

Dear Jochen,

Thanks for your reply. When setting the config in the elasticsearch.yml, I receive an error saying that "unknown setting [searchguard.dynamic.authc.basic_internal_auth_domain.authentication_backend.type] please check that any required plugins are installed, or check the breaking changes documentation for removed settings"!

My setting is as follows:

xpack.security.audit.enabled: true
xpack.security.enabled: false
searchguard:
  dynamic:
    authc:
      basic_internal_auth_domain:
        enabled: true
        order: 0
        http_authenticator:
          type: basic
          challenge: false
        authentication_backend:
          type: internal
      openid_auth_domain:
        enabled: true
        order: 1
        http_authenticator:
          type: openid
          challenge: false
          config:
            subject_key: preferred_username
            roles_key: roles
            openid_connect_url: http://someserver.com/.well-known/openid-configuration
        authentication_backend:
          type: noop

On Monday, February 18, 2019 at 1:14:52 PM UTC+3:30, Jochen Kressin wrote:

You also need to configure OpenID on Elasticsearch, not just on Kibana. Kibana is responsible for the OpenID request flow, but the identity token that your IdP issues is ultimately validated on the Elasticsearch side. Please have a look at the docs and make sure OpenID is configured correctly on ES:

https://docs.search-guard.com/latest/openid-json-web-keys

On Monday, February 18, 2019 at 9:59:31 AM UTC+1, Behzad Rezaie wrote:

Hi pals,
I am going to add IdentityServer4 to make the authentication for the Kibana (version 6.5.4) server (http://localhost:5601). I have set the following configuration in kibana.yml:

searchguard.auth.type: "openid"
searchguard.openid.connect_url: "http://someserver.com/.well-known/openid-configuration"
searchguard.openid.client_id: "elastic-clinetid"
searchguard.openid.client_secret: "elk-secret"
searchguard.openid.scope: "profile openid"

With such configuration, I can login through the identityserver, but the problem is that I receive the error “Authentication failed. Please provide a new token.” in Kibana. How can I solve this? It seems the users and roles are not yet inserted into elastic. Could you please help me with the problem?

Best,
Behzad

The problem got resolved.

The issue was with the "roles_key: roles" in the sg_config.yml file! I had to set the parameter to "role" instead of "roles". This is because the claim in our identity server is set to "role".

Thanks everybody :wink:
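
The mismatch described in the resolution above can be checked before touching sg_config.yml. This is an added example, not part of the original posts and not Search Guard or IdentityServer4 code: it decodes a token's payload for inspection and reports whether the configured subject_key and roles_key are actually claims in it. The function names, the constructed sample token and the handling of a role claim as a single string, comma-separated string or array are assumptions; only the claim names come from the thread.

```python
import base64
import json


def _b64url_decode(segment):
    # JWT segments are unpadded base64url; restore padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def jwt_claims(token):
    """Decode the payload of a compact JWT for inspection only.

    The signature is NOT verified, so the result must never be used
    for an access decision; it only shows which claims the IdP emits.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    claims = json.loads(_b64url_decode(parts[1]))
    if not isinstance(claims, dict):
        raise ValueError("JWT payload is not a JSON object")
    return claims


def normalize_roles(value):
    # Assumption: a role claim may be absent, one string, a
    # comma-separated string, or a JSON array of strings.
    if value is None:
        return []
    if isinstance(value, str):
        return [r.strip() for r in value.split(",") if r.strip()]
    if isinstance(value, list):
        return [str(r) for r in value]
    raise ValueError("unsupported role claim type: %s" % type(value).__name__)


def check_claim_keys(token, subject_key, roles_key):
    """Compare the subject_key / roles_key settings with the token's claims."""
    claims = jwt_claims(token)
    findings = []
    if subject_key not in claims:
        findings.append("subject_key %r is not a claim in the token" % subject_key)
    if roles_key not in claims:
        # Point at claims that look like the intended one (e.g. role vs roles).
        near = sorted(k for k in claims if "role" in k.lower() or "group" in k.lower())
        hint = " (token carries: %s)" % ", ".join(near) if near else ""
        findings.append("roles_key %r is not a claim in the token%s" % (roles_key, hint))
    return {
        "subject": claims.get(subject_key),
        "roles": normalize_roles(claims.get(roles_key)),
        "findings": findings,
    }


def sample_token(claims):
    # Constructed sample: real header shape, placeholder signature segment.
    header = {"alg": "RS256", "typ": "JWT"}
    return ".".join([
        _b64url_encode(json.dumps(header).encode()),
        _b64url_encode(json.dumps(claims).encode()),
        "c2ln",
    ])


# Constructed claims modelled on the thread: the IdP emits "role", not "roles".
SAMPLE = sample_token({
    "sub": "1001",
    "preferred_username": "sample-user",
    "role": ["hr", "kibanauser"],
})

if __name__ == "__main__":
    for key in ("roles", "role"):
        print(key, check_claim_keys(SAMPLE, "preferred_username", key))
```

With roles_key set to a claim the token does not carry, the role list comes back empty, so no backend role such as hr can match an entry in sg_roles_mapping.yml.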
