Hi,
I am trying to communicate with Elasticsearch via SSL by using Search Guard as a plugin.
I modified the elasticsearch.yml file and added the following entries:
```yaml
# Enable or disable the complete Searchguard plugin functionality
searchguard.enabled: true
# Path where to write/read the searchguard master key file
searchguard.key_path: /home/rahul/es/plugins
# When using DLS or FLS and a get or mget is performed then rewrite it as a search request
#searchguard.rewrite_get_as_search: true
# The index name where Searchguard will store its configuration and various other information related to Searchguard itself
# This index can only be accessed from localhost
searchguard.config_index_name: searchguard
# Enable or disable HTTP sessions, which cache the authentication and authorization information in a cookie
searchguard.http.enable_sessions: true
# Enable or disable audit logging
#searchguard.auditlog.enabled: true
# If this is true (default is false) then Searchguard will check if elasticsearch is running as root/windows admin and if so then abort.
#searchguard.check_for_root: false
# If this is true (default is false) then allow all HTTP REST requests from the node's loopback (e.g. localhost)
#searchguard.allow_all_from_loopback: true
# If this is true (default: false) then enable authenticated transport requests (e.g. TransportClient authentication)
# This can be done in that way (for example):
# TransportClient.get(new GetRequest("marketing", "customer", "tp_3").putHeader("searchguard_transport_creds", "c2FseWg6c2VjcmV0"))
# Add a header "searchguard_transport_creds"
# base64(username":"password) is the credentials string
# base64(spock:secret) → c3BvY2s6c2VjcmV0
#searchguard.transport_auth.enabled: false
#############################################################################################
# Transport layer SSL
#############################################################################################
# Enable or disable node-to-node ssl encryption
searchguard.ssl.transport.node.enabled: true
# JKS or PKCS12
searchguard.ssl.transport.node.keystore_type: JKS
# Absolute path to the keystore file (this stores the server certificates)
searchguard.ssl.transport.node.keystore_filepath: /home/rahul/search-guard/example-pki-scripts/node-0-keystore.jks
# Keystore password
searchguard.ssl.transport.node.keystore_password: password
# Do other nodes have to authenticate themselves to the cluster, default is true
searchguard.ssl.transport.node.enforce_clientauth: true
# JKS or PKCS12
searchguard.ssl.transport.node.truststore_type: JKS
# Absolute path to the truststore file (this stores the client certificates)
searchguard.ssl.transport.node.truststore_filepath: /home/rahul/search-guard/example-pki-scripts/truststore.jks
# Truststore password
searchguard.ssl.transport.node.truststore_password: password
# Enforce hostname verification
searchguard.ssl.transport.node.encforce_hostname_verification: true
# If hostname verification is enabled, specify whether the hostname should be resolved
#searchguard.ssl.transport.node.encforce_hostname_verification.resolve_host_name: true
#############################################################################################
# REST layer SSL
#############################################################################################
# Enable or disable rest layer security (https)
searchguard.ssl.transport.http.enabled: true
# JKS or PKCS12
searchguard.ssl.transport.http.keystore_type: JKS
# Absolute path to the keystore file (this stores the server certificates)
searchguard.ssl.transport.http.keystore_filepath: /home/rahul/search-guard/example-pki-scripts/node-0-keystore.jks
# Keystore password
searchguard.ssl.transport.http.keystore_password: password
# Do the clients (typically the browser or the proxy) have to authenticate themselves to the http server, default is false
searchguard.ssl.transport.http.enforce_clientauth: true
# JKS or PKCS12
searchguard.ssl.transport.http.truststore_type: JKS
# Absolute path to the truststore file (this stores the client certificates)
searchguard.ssl.transport.http.truststore_filepath: /home/rahul/search-guard/example-pki-scripts/truststore.jks
# Truststore password
searchguard.ssl.transport.http.truststore_password: password
```
But on starting Elasticsearch I am getting the following errors:
```
[2015-10-05 16:16:47,290][WARN ][com.floragunn.searchguard.transport.SSLNettyTransport] [Fantomex] exception caught on transport layer [[id: 0x1a6a65a2, /192.168.51.30:38037 => /192.168.51.30:9300]], closing connection
javax.net.ssl.SSLException: Received close_notify during handshake
at sun.security.ssl.Alerts.getSSLException(Alerts.java:208)
at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1666)
at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1634)
at sun.security.ssl.SSLEngineImpl.recvAlert(SSLEngineImpl.java:1776)
at sun.security.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:1083)
at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:907)
at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:781)
at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624)
at org.elasticsearch.common.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1220)
at org.elasticsearch.common.netty.handler.ssl.SslHandler.decode(SslHandler.java:852)
at org.elasticsearch.common.netty.handler.codec.frame.FrameDecoder.callDecode(FrameDecoder.java:425)…
[2015-10-05 16:16:48,379][ERROR][com.floragunn.searchguard.service.SearchGuardConfigService] [Fantomex] Try to refresh security configuration but it failed due to org.elasticsearch.action.NoShardAvailableActionException: [searchguard][4] null
org.elasticsearch.action.NoShardAvailableActionException: [searchguard][4] null
at org.elasticsearch.action.support.single.shard.TransportShardSingleOperationAction$AsyncSingleAction.perform(TransportShardSingleOperationAction.java:175)
at org.elasticsearch.action.support.single.shard.TransportShardSingleOperationAction$AsyncSingleAction.start(TransportShardSingleOperationAction.java:155)
at org.elasticsearch.action.support.single.shard.TransportShardSingleOperationAction.doExecute(TransportShardSingleOperationAction.java:89)
at org.elasticsearch.action.support.single.shard.TransportShardSingleOperationAction.doExecute(TransportShardSingleOperationAction.java:55)
at org.elasticsearch.action.support.TransportAction$RequestFilterChain.proceed(TransportAction.java:167)
at com.floragunn.searchguard.filter.SearchGuardActionFilter.apply0(SearchGuardActionFilter.java:141)
at com.floragunn.searchguard.filter.SearchGuardActionFilter.apply(SearchGuardActionFilter.java:89)…
[2015-10-05 16:16:53,538][WARN ][com.floragunn.searchguard.http.netty.SSLNettyHttpServerTransport] [Fantomex] Caught exception while handling client http traffic, closing connection [id: 0xf534d3bc, /127.0.0.1:34261 => /127.0.1.1:9200]
org.elasticsearch.common.netty.handler.ssl.NotSslRecordException: not an SSL/TLS record: 474554202f5f74656d706c6174652f6d617276656c20485454502f312e310d0a43616368652d436f6e74726f6c3a206e6f2d63616368650d0a507261676d613a206e6f2d63616368650d0a557365722d4167656e743a204a6176612f312e382e305f34350d0a486f73743a205b303a303a303a303a303a303a303a305d3a393230300d0a4163636570743a20746578742f68746d6c2c20696d6167652f6769662c20696d6167652f6a7065672c202a3b20713d2e322c202a2f2a3b20713d2e320d0a436f6e6e656374696f6e3a206b6565702d616c6976650d0a0d0a
at org.elasticsearch.common.netty.handler.ssl.SslHandler.decode(SslHandler.java:858)
at org.elasticsearch.common.netty.handler.codec.frame.FrameDecoder.callDecode(FrameDecoder.java:425)
at org.elasticsearch.common.netty.handler.codec.frame.FrameDecoder.messageReceived(FrameDecoder.java:303)
at org.elasticsearch.common.netty.channel.SimpleChannelUpstreamHandler.handleUpstream(SimpleChannelUpstreamHandler.java:70)
at org.elasticsearch.common.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:564)
at org.elasticsearch.common.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:559)
at org.elasticsearch.common.netty.channel.Channels.fireMessageReceived(Channels.java:268)…
```
Is there anything wrong with the configuration?
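The hex string in the NotSslRecordException above is the raw bytes a client sent to port 9200, so decoding it identifies which client is still speaking plain HTTP to the REST port after HTTPS was enabled. An added triage helper (my own code, not from the post or from Search Guard) that pulls the dump out of such a log line and, when it is an HTTP request, reports method, path, User-Agent and Host; the sample log line is constructed from the one quoted above:

```python
import binascii
import re
from typing import Optional

# Constructed sample: the NotSslRecordException line quoted in the post above.
SAMPLE_LOG = (
    "org.elasticsearch.common.netty.handler.ssl.NotSslRecordException: not an "
    "SSL/TLS record: 474554202f5f74656d706c6174652f6d617276656c20485454502f312e310d0a"
    "43616368652d436f6e74726f6c3a206e6f2d63616368650d0a"
    "507261676d613a206e6f2d63616368650d0a"
    "557365722d4167656e743a204a6176612f312e382e305f34350d0a"
    "486f73743a205b303a303a303a303a303a303a303a305d3a393230300d0a"
    "4163636570743a20746578742f68746d6c2c20696d6167652f6769662c20696d6167652f6a7065672c202a3b20713d2e322c202a2f2a3b20713d2e320d0a"
    "436f6e6e656374696f6e3a206b6565702d616c6976650d0a0d0a"
)
HEX_RE = re.compile(r"not an SSL/TLS record: ([0-9a-fA-F]+)")

def extract_plaintext(log_text: str) -> Optional[bytes]:
    """Return the bytes the client actually sent, decoded from the hex dump in the log."""
    m = HEX_RE.search(log_text)
    if not m:
        return None
    digits = m.group(1)
    return binascii.unhexlify(digits[: len(digits) & ~1])  # drop a dangling nibble if truncated

def parse_http_request(raw: bytes) -> Optional[dict]:
    """Interpret the bytes as a plaintext HTTP request; None if they are something else."""
    lines = raw.partition(b"\r\n\r\n")[0].split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep:
            headers[name.decode("latin-1").strip().lower()] = value.decode("latin-1").strip()
    method, path, version = (p.decode("latin-1") for p in parts)
    return {"method": method, "path": path, "version": version, "headers": headers}

def triage(log_text: str) -> str:
    """One-line verdict: which client spoke plaintext to the HTTPS port, and what it asked for."""
    raw = extract_plaintext(log_text)
    if raw is None:
        return "no NotSslRecordException payload found"
    req = parse_http_request(raw)
    if req is None:
        return "non-HTTP plaintext, first bytes %r" % raw[:16]
    h = req["headers"]
    return "plaintext %s %s from User-Agent %r to Host %r" % (
        req["method"], req["path"], h.get("user-agent", "?"), h.get("host", "?"))
```

Run `triage(SAMPLE_LOG)` on the quoted line and it names the plaintext request and the Java User-Agent that sent it, which is the process to point at https:// (or to read the warning as: something on the host still uses http://).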