Hello
it’s my first topic here.
I want too install search_gard
I have configured serach_guard_ssl and it’s work
[2016-04-08 15:46:28,671][INFO ][node ] [iloaes01ig] version[2.2.0], pid[18585], build[8ff36d1/2016-01-27T13:32:39Z]
[2016-04-08 15:46:28,672][INFO ][node ] [iloaes01ig] initializing …
[2016-04-08 15:46:29,524][INFO ][plugins ] [iloaes01ig] modules [lang-groovy, lang-expression], plugins [search-guard-2, search-guard-ssl], sites
[2016-04-08 15:46:29,585][INFO ][env ] [iloaes01ig] using [1] data paths, mounts [[/var/lib/elasticsearch (/dev/mapper/vg_vroot-lv_elasticsearch)]], net usable_space [74.9gb], net total_space [83.5gb], spins? [possibly], types [ext4]
[2016-04-08 15:46:29,586][INFO ][env ] [iloaes01ig] heap size [1.9gb], compressed ordinary object pointers [true]
[2016-04-08 15:46:29,665][INFO ][com.floragunn.searchguard.ssl.SearchGuardKeyStore] Open SSL OpenSSL 1.0.1f 6 Jan 2014 available
[2016-04-08 15:46:29,665][DEBUG][com.floragunn.searchguard.ssl.SearchGuardKeyStore] Open SSL available ciphers [ECDHE-RSA-AES256-GCM-SHA384, ECDHE-ECDSA-AES256-GCM-SHA384, ECDHE-RSA-AES256-SHA384, ECDHE-ECDSA-AES256-SHA384, ECDHE-RSA-AES256-SHA, ECDHE-ECDSA-AES256-SHA, SRP-DSS-AES-256-CBC-SHA, SRP-RSA-AES-256-CBC-SHA, SRP-AES-256-CBC-SHA, DHE-DSS-AES256-GCM-SHA384, DHE-RSA-AES256-GCM-SHA384, DHE-RSA-AES256-SHA256, DHE-DSS-AES256-SHA256, DHE-RSA-AES256-SHA, DHE-DSS-AES256-SHA, DHE-RSA-CAMELLIA256-SHA, DHE-DSS-CAMELLIA256-SHA, AECDH-AES256-SHA, ADH-AES256-GCM-SHA384, ADH-AES256-SHA256, ADH-AES256-SHA, ADH-CAMELLIA256-SHA, ECDH-RSA-AES256-GCM-SHA384, ECDH-ECDSA-AES256-GCM-SHA384, ECDH-RSA-AES256-SHA384, ECDH-ECDSA-AES256-SHA384, ECDH-RSA-AES256-SHA, ECDH-ECDSA-AES256-SHA, AES256-GCM-SHA384, AES256-SHA256, AES256-SHA, CAMELLIA256-SHA, PSK-AES256-CBC-SHA, ECDHE-RSA-DES-CBC3-SHA, ECDHE-ECDSA-DES-CBC3-SHA, SRP-DSS-3DES-EDE-CBC-SHA, SRP-RSA-3DES-EDE-CBC-SHA, SRP-3DES-EDE-CBC-SHA, EDH-RSA-DES-CBC3-SHA, EDH-DSS-DES-CBC3-SHA, AECDH-DES-CBC3-SHA, ADH-DES-CBC3-SHA, ECDH-RSA-DES-CBC3-SHA, ECDH-ECDSA-DES-CBC3-SHA, DES-CBC3-SHA, PSK-3DES-EDE-CBC-SHA, ECDHE-RSA-AES128-GCM-SHA256, ECDHE-ECDSA-AES128-GCM-SHA256, ECDHE-RSA-AES128-SHA256, ECDHE-ECDSA-AES128-SHA256, ECDHE-RSA-AES128-SHA, ECDHE-ECDSA-AES128-SHA, SRP-DSS-AES-128-CBC-SHA, SRP-RSA-AES-128-CBC-SHA, SRP-AES-128-CBC-SHA, DHE-DSS-AES128-GCM-SHA256, DHE-RSA-AES128-GCM-SHA256, DHE-RSA-AES128-SHA256, DHE-DSS-AES128-SHA256, DHE-RSA-AES128-SHA, DHE-DSS-AES128-SHA, DHE-RSA-SEED-SHA, DHE-DSS-SEED-SHA, DHE-RSA-CAMELLIA128-SHA, DHE-DSS-CAMELLIA128-SHA, AECDH-AES128-SHA, ADH-AES128-GCM-SHA256, ADH-AES128-SHA256, ADH-AES128-SHA, ADH-SEED-SHA, ADH-CAMELLIA128-SHA, ECDH-RSA-AES128-GCM-SHA256, ECDH-ECDSA-AES128-GCM-SHA256, ECDH-RSA-AES128-SHA256, ECDH-ECDSA-AES128-SHA256, ECDH-RSA-AES128-SHA, ECDH-ECDSA-AES128-SHA, AES128-GCM-SHA256, AES128-SHA256, AES128-SHA, SEED-SHA, CAMELLIA128-SHA, PSK-AES128-CBC-SHA, ECDHE-RSA-RC4-SHA, ECDHE-ECDSA-RC4-SHA, AECDH-RC4-SHA, ADH-RC4-MD5, ECDH-RSA-RC4-SHA, ECDH-ECDSA-RC4-SHA, RC4-SHA, RC4-MD5, PSK-RC4-SHA, EDH-RSA-DES-CBC-SHA, EDH-DSS-DES-CBC-SHA, ADH-DES-CBC-SHA, DES-CBC-SHA, EXP-EDH-RSA-DES-CBC-SHA, EXP-EDH-DSS-DES-CBC-SHA, EXP-ADH-DES-CBC-SHA, EXP-DES-CBC-SHA, EXP-RC2-CBC-MD5, EXP-ADH-RC4-MD5, EXP-RC4-MD5]
[2016-04-08 15:46:29,665][DEBUG][com.floragunn.searchguard.ssl.SearchGuardKeyStore] Open SSL ALPN supported false
[2016-04-08 15:46:30,125][INFO ][com.floragunn.searchguard.ssl.SearchGuardKeyStore] sslTransportClientProvider:OPENSSL with ciphers [TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_256_GCM_SHA384]
[2016-04-08 15:46:30,125][INFO ][com.floragunn.searchguard.ssl.SearchGuardKeyStore] sslTransportServerProvider:OPENSSL with ciphers [TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_256_GCM_SHA384]
[2016-04-08 15:46:30,125][INFO ][com.floragunn.searchguard.ssl.SearchGuardKeyStore] sslHTTPProvider:null with ciphers
[2016-04-08 15:46:30,719][INFO ][transport ] [iloaes01ig] Using [com.floragunn.searchguard.transport.SearchGuardTransportService] as transport service, overridden by [search-guard2]
[2016-04-08 15:46:30,719][INFO ][transport ] [iloaes01ig] Using [com.floragunn.searchguard.ssl.transport.SearchGuardSSLNettyTransport] as transport, overridden by [search-guard-ssl]
``
I have create keystore and trustore on my single node (yes it’s a small ES)
The problème is when i want to apply the configuration.
My files are in /etc/elasticsearch.
I copied the files in plugins/search-guard-2/sgconfig/ to be sure he did not miss.
And i execute the sgadmin.sh
the first tests I have done is without use the -kspass and -tspass.
And i have this result:
root@iloaes01ig:/opt/elasticsearch# plugins/search-guard-2/tools/sgadmin.sh -cd plugins/search-guard-2/sgconfig/ -ks plugins/search-guard-2/sgconfig/keystore.jks -ts plugins/search-guard-2/sgconfig/truststore.jks -nhnv
Connect to localhost:9300
Exception in thread “main” ElasticsearchException[Keystore was tampered with, or password was incorrect]; nested: IOException[Keystore was tampered with, or password was incorrect]; nested: UnrecoverableKeyException[Password verification failed];
at org.elasticsearch.ExceptionsHelper.convertToElastic(ExceptionsHelper.java:57)
at com.floragunn.searchguard.ssl.SearchGuardKeyStore.initSSLConfig(SearchGuardKeyStore.java:193)
at com.floragunn.searchguard.ssl.SearchGuardKeyStore.<init>(SearchGuardKeyStore.java:130)
at com.floragunn.searchguard.ssl.SearchGuardSSLModule.<init>(SearchGuardSSLModule.java:29)
at com.floragunn.searchguard.ssl.SearchGuardSSLPlugin.nodeModules(SearchGuardSSLPlugin.java:116)
at org.elasticsearch.plugins.PluginsService.nodeModules(PluginsService.java:263)
at org.elasticsearch.client.transport.TransportClient$Builder.build(TransportClient.java:140)
at com.floragunn.searchguard.tools.SearchGuardAdmin.main(SearchGuardAdmin.java:141)
Caused by: java.io.IOException: Keystore was tampered with, or password was incorrect
at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:772)
at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:55)
at java.security.KeyStore.load(KeyStore.java:1214)
at com.floragunn.searchguard.ssl.SearchGuardKeyStore.initSSLConfig(SearchGuardKeyStore.java:182)
... 6 more
Caused by: java.security.UnrecoverableKeyException: Password verification failed
at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:770)
... 9 more
``
Secondly i put the password parameters:
plugins/search-guard-2/tools/sgadmin.sh -cd plugins/search-guard-2/sgconfig/ -ks plugins/search-guard-2/sgconfig/keystore.jks -kspass ***** -ts plugins/search-guard-2/sgconfig/truststore.jks -tspass ***** -nhnv
Connect to localhost:9300
Exception in thread “main” ElasticsearchException[no key alias named root-ca]; nested: KeyStoreException[no key alias named root-ca];
at org.elasticsearch.ExceptionsHelper.convertToElastic(ExceptionsHelper.java:57)
at com.floragunn.searchguard.ssl.SearchGuardKeyStore.initSSLConfig(SearchGuardKeyStore.java:193)
at com.floragunn.searchguard.ssl.SearchGuardKeyStore.<init>(SearchGuardKeyStore.java:130)
at com.floragunn.searchguard.ssl.SearchGuardSSLModule.<init>(SearchGuardSSLModule.java:29)
at com.floragunn.searchguard.ssl.SearchGuardSSLPlugin.nodeModules(SearchGuardSSLPlugin.java:116)
at org.elasticsearch.plugins.PluginsService.nodeModules(PluginsService.java:263)
at org.elasticsearch.client.transport.TransportClient$Builder.build(TransportClient.java:140)
at com.floragunn.searchguard.tools.SearchGuardAdmin.main(SearchGuardAdmin.java:141)
Caused by: java.security.KeyStoreException: no key alias named root-ca
at com.floragunn.searchguard.ssl.util.SSLCertificateHelper.exportDecryptedKey(SSLCertificateHelper.java:87)
at com.floragunn.searchguard.ssl.SearchGuardKeyStore.initSSLConfig(SearchGuardKeyStore.java:185)
... 6 more
``
I don’t uderstand why.
Someone can help me please?
I checked the alias in the truststore.jks with keytools and it’s ok
keytool -v -list -keystore truststore.jks
Enter keystore password:
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 2 entries
Alias name: root-ca
Creation date: Mar 18, 2016
Entry type: trustedCertEntry
``
Thx for help, i have no idea of the problème