Problem with integrating search-guard with elasticsearch

Hi,

I am trying to communicate with elasticsearch via SSL by using search-guard as a plugin.

I modified the elasticsearch.yml file and added the following entries

```yaml
# Enable or disable the complete Searchguard plugin functionality
searchguard.enabled: true

# Path where to write/read the searchguard master key file
searchguard.key_path: /home/rahul/es/plugins

# When using DLS or FLS and a get or mget is performed then rewrite it as search request
#searchguard.rewrite_get_as_search: true

# The index name where Searchguard will store its configuration and various other informations related to Searchguard itself
# This index can only be access from localhost
searchguard.config_index_name: searchguard

# Enable or disable HTTP session which caches the authentication and authorization informations in a cookie
searchguard.http.enable_sessions: true

# Enable or disable audit logging
#searchguard.auditlog.enabled: true

# If this is true (default is false) then Searchguard will check if elasticsearch is running as root/windows admin and if so then abort.
#searchguard.check_for_root: false

# If this is true (default is false) then allow all HTTP REST requests from nodes loopback (e.g. localhost)
#searchguard.allow_all_from_loopback: true

# If this is true (default: false) then enable authenticated transports requests (e.g. TransportClient authentication)
# This can be done in that way (for example):
# TransportClient.get(new GetRequest("marketing", "customer", "tp_3").putHeader("searchguard_transport_creds", "c2FseWg6c2VjcmV0"))
# Add a header "searchguard_transport_creds"
# base64(username":"password) is the credentials string
# base64(spock:secret) → c3BvY2s6c2VjcmV0
#searchguard.transport_auth.enabled: false

#############################################################################################
# Transport layer SSL
#############################################################################################

# Enable or disable node-to-node ssl encryption
searchguard.ssl.transport.node.enabled: true

# JKS or PKCS12
searchguard.ssl.transport.node.keystore_type: JKS

# Absolute path to the keystore file (this stores the server certificates)
searchguard.ssl.transport.node.keystore_filepath: /home/rahul/search-guard/example-pki-scripts/node-0-keystore.jks

# Keystore password
searchguard.ssl.transport.node.keystore_password: password

# Do other nodes have to authenticate themself to the cluster, default is true
searchguard.ssl.transport.node.enforce_clientauth: true

# JKS or PKCS12
searchguard.ssl.transport.node.truststore_type: JKS

# Absolute path to the truststore file (this stores the client certificates)
searchguard.ssl.transport.node.truststore_filepath: /home/rahul/search-guard/example-pki-scripts/truststore.jks

# Truststore password
searchguard.ssl.transport.node.truststore_password: password

# Enforce hostname verification
searchguard.ssl.transport.node.encforce_hostname_verification: true

# If hostname verification specify if hostname should be resolved
#searchguard.ssl.transport.node.encforce_hostname_verification.resolve_host_name: true

#############################################################################################
# REST layer SSL
#############################################################################################

# Enable or disable rest layer security (https)
searchguard.ssl.transport.http.enabled: true

# JKS or PKCS12
searchguard.ssl.transport.http.keystore_type: JKS

# Absolute path to the keystore file (this stores the server certificates)
searchguard.ssl.transport.http.keystore_filepath: /home/rahul/search-guard/example-pki-scripts/node-0-keystore.jks

# Keystore password
searchguard.ssl.transport.http.keystore_password: password

# Do the clients (typically the browser or the proxy) have to authenticate themself to the http server, default is false
searchguard.ssl.transport.http.enforce_clientauth: true

# JKS or PKCS12
searchguard.ssl.transport.http.truststore_type: JKS

# Absolute path to the truststore file (this stores the client certificates)
searchguard.ssl.transport.http.truststore_filepath: /home/rahul/search-guard/example-pki-scripts/truststore.jks

# Truststore password
searchguard.ssl.transport.http.truststore_password: password
```


But on starting elasticsearch I am getting the following error


```
[2015-10-05 16:16:47,290][WARN ][com.floragunn.searchguard.transport.SSLNettyTransport] [Fantomex] exception caught on transport layer [[id: 0x1a6a65a2, /192.168.51.30:38037 => /192.168.51.30:9300]], closing connection
javax.net.ssl.SSLException: Received close_notify during handshake
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:208)
    at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1666)
    at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1634)
    at sun.security.ssl.SSLEngineImpl.recvAlert(SSLEngineImpl.java:1776)
    at sun.security.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:1083)
    at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:907)
    at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:781)
    at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624)
    at org.elasticsearch.common.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1220)
    at org.elasticsearch.common.netty.handler.ssl.SslHandler.decode(SslHandler.java:852)
    at org.elasticsearch.common.netty.handler.codec.frame.FrameDecoder.callDecode(FrameDecoder.java:425)…

[2015-10-05 16:16:48,379][ERROR][com.floragunn.searchguard.service.SearchGuardConfigService] [Fantomex] Try to refresh security configuration but it failed due to org.elasticsearch.action.NoShardAvailableActionException: [searchguard][4] null
org.elasticsearch.action.NoShardAvailableActionException: [searchguard][4] null
    at org.elasticsearch.action.support.single.shard.TransportShardSingleOperationAction$AsyncSingleAction.perform(TransportShardSingleOperationAction.java:175)
    at org.elasticsearch.action.support.single.shard.TransportShardSingleOperationAction$AsyncSingleAction.start(TransportShardSingleOperationAction.java:155)
    at org.elasticsearch.action.support.single.shard.TransportShardSingleOperationAction.doExecute(TransportShardSingleOperationAction.java:89)
    at org.elasticsearch.action.support.single.shard.TransportShardSingleOperationAction.doExecute(TransportShardSingleOperationAction.java:55)
    at org.elasticsearch.action.support.TransportAction$RequestFilterChain.proceed(TransportAction.java:167)
    at com.floragunn.searchguard.filter.SearchGuardActionFilter.apply0(SearchGuardActionFilter.java:141)
    at com.floragunn.searchguard.filter.SearchGuardActionFilter.apply(SearchGuardActionFilter.java:89)…

[2015-10-05 16:16:53,538][WARN ][com.floragunn.searchguard.http.netty.SSLNettyHttpServerTransport] [Fantomex] Caught exception while handling client http traffic, closing connection [id: 0xf534d3bc, /127.0.0.1:34261 => /127.0.1.1:9200]
org.elasticsearch.common.netty.handler.ssl.NotSslRecordException: not an SSL/TLS record: 474554202f5f74656d706c6174652f6d617276656c20485454502f312e310d0a43616368652d436f6e74726f6c3a206e6f2d63616368650d0a507261676d613a206e6f2d63616368650d0a557365722d4167656e743a204a6176612f312e382e305f34350d0a486f73743a205b303a303a303a303a303a303a303a305d3a393230300d0a4163636570743a20746578742f68746d6c2c20696d6167652f6769662c20696d6167652f6a7065672c202a3b20713d2e322c202a2f2a3b20713d2e320d0a436f6e6e656374696f6e3a206b6565702d616c6976650d0a0d0a
    at org.elasticsearch.common.netty.handler.ssl.SslHandler.decode(SslHandler.java:858)
    at org.elasticsearch.common.netty.handler.codec.frame.FrameDecoder.callDecode(FrameDecoder.java:425)
    at org.elasticsearch.common.netty.handler.codec.frame.FrameDecoder.messageReceived(FrameDecoder.java:303)
    at org.elasticsearch.common.netty.channel.SimpleChannelUpstreamHandler.handleUpstream(SimpleChannelUpstreamHandler.java:70)
    at org.elasticsearch.common.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:564)
    at org.elasticsearch.common.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:559)
    at org.elasticsearch.common.netty.channel.Channels.fireMessageReceived(Channels.java:268)…
```


Is there anything wrong with the configuration?
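
An added example, not part of the original post: the hex string Netty prints in a `NotSslRecordException` message is a dump of the bytes it rejected on the TLS port, so decoding it shows what connected without TLS. The names `classify`, `SAMPLE_LINE` and the result fields are choices made for this sketch; the sample is the third log entry above.

```python
import re

# Netty appends a hex dump of the rejected bytes to this exception message.
HEX_RE = re.compile(r"not an SSL/TLS record: ([0-9a-fA-F]+)")
HTTP_METHODS = {"GET", "POST", "PUT", "DELETE", "HEAD", "OPTIONS", "PATCH"}

# Log line from the post above, split for readability (stack trace omitted).
SAMPLE_LINE = (
    "org.elasticsearch.common.netty.handler.ssl.NotSslRecordException: "
    "not an SSL/TLS record: "
    "474554202f5f74656d706c6174652f6d617276656c20485454502f312e310d0a"
    "43616368652d436f6e74726f6c3a206e6f2d63616368650d0a"
    "507261676d613a206e6f2d63616368650d0a"
    "557365722d4167656e743a204a6176612f312e382e305f34350d0a"
    "486f73743a205b303a303a303a303a303a303a303a305d3a393230300d0a"
    "4163636570743a20746578742f68746d6c2c20696d6167652f6769662c20"
    "696d6167652f6a7065672c202a3b20713d2e322c202a2f2a3b20713d2e320d0a"
    "436f6e6e656374696f6e3a206b6565702d616c6976650d0a0d0a"
)


def classify(log_line):
    """Decode the hex dump and report whether it is a plaintext HTTP request."""
    m = HEX_RE.search(log_line)
    if not m:
        return None  # not a NotSslRecordException line
    dump = m.group(1)
    raw = bytes.fromhex(dump[: len(dump) & ~1])  # tolerate a dump cut mid-byte
    head = raw.partition(b"\r\n\r\n")[0].decode("latin-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    is_http = (len(parts) == 3 and parts[0] in HTTP_METHODS
               and parts[2].startswith("HTTP/"))
    if not is_http:
        # Unknown protocol: return the leading bytes for manual inspection.
        return {"kind": "unknown", "first_bytes": raw[:8].hex()}
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return {"kind": "plaintext-http", "method": parts[0], "path": parts[1],
            "user_agent": headers.get("user-agent"), "host": headers.get("host")}


if __name__ == "__main__":
    print(classify(SAMPLE_LINE))
```

The `path` and `user_agent` fields identify which client is still speaking plain HTTP to port 9200 and needs to be switched to HTTPS.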