Hi all,
I am using search-guard 0.5 with ElasticSearch 1.6. I have been able to get internode communication with SSL going, thanks to the cert-generation sample scripts, which makes things amply clear.
However, with REST SSL I am seeing some issues. Here is my configuration. I am using jre cacerts for keystore, since I will be accessing this api from the browser. So, the cacerts from jre should be able to match ones in the browser. For the truststore, I took a cert that is assigned to my machine and created a truststore2.jks from that.
I am wondering if that is correct. It does not seem to work.
# Enable or disable the complete Searchguard plugin functionality
searchguard.enabled: true
# Path where to write/read the searchguard master key file
searchguard.key_path: /usr/share/elasticsearch/plugins
# When using DLS or FLS and a get or mget is performed then rewrite it as search request
#searchguard.rewrite_get_as_search: true
searchguard.check_for_root: false
searchguard.allow_all_from_loopback: true
# ...
#############################################################################################
# Transport layer SSL
#############################################################################################
# Enable or disable node-to-node ssl encryption
searchguard.ssl.transport.node.enabled: true
# JKS or PKCS12
searchguard.ssl.transport.node.keystore_type: JKS
# Absolute path to the keystore file (this stores the server certificates)
searchguard.ssl.transport.node.keystore_filepath: /usr/java/latest/lib/security/node-0-keystore.jks
# Keystore password
searchguard.ssl.transport.node.keystore_password: kspass
# Do other nodes have to authenticate themselves to the cluster, default is true
searchguard.ssl.transport.node.enforce_clientauth: true
# JKS or PKCS12
searchguard.ssl.transport.node.truststore_type: JKS
# Absolute path to the truststore file (this stores the client certificates)
searchguard.ssl.transport.node.truststore_filepath: /usr/java/latest/lib/security/truststore.jks
# Truststore password
searchguard.ssl.transport.node.truststore_password: tspass
# Enforce hostname verification
searchguard.ssl.transport.node.enforce_hostname_verification: true
# If hostname verification is enabled, specify whether the hostname should be resolved
searchguard.ssl.transport.node.enforce_hostname_verification.resolve_host_name: true
#############################################################################################
# REST layer SSL
#############################################################################################
# Enable or disable rest layer security (https)
searchguard.ssl.transport.http.enabled: true
# JKS or PKCS12
searchguard.ssl.transport.http.keystore_type: JKS
# Absolute path to the keystore file (this stores the server certificates)
searchguard.ssl.transport.http.keystore_filepath: /usr/java/latest/lib/security/cacerts
# Keystore password
searchguard.ssl.transport.http.keystore_password: changeit
# Do the clients (typically the browser or the proxy) have to authenticate themselves to the http server, default is false
searchguard.ssl.transport.http.enforce_clientauth: true
# JKS or PKCS12
searchguard.ssl.transport.http.truststore_type: JKS
# Absolute path to the truststore file (this stores the client certificates)
searchguard.ssl.transport.http.truststore_filepath: /usr/java/latest/lib/security/truststore2.jks
# Truststore password
searchguard.ssl.transport.http.truststore_password: foobar
#############################################################################################
# Authentication backend
#############################################################################################
# Validates the username and credentials
searchguard.authentication.authentication_backend.impl: com.floragunn.searchguard.authentication.backend.simple.SettingsBasedAuthenticationBackend
# If caching is enabled then authentication succeeds for 24 h after the first successful login without hitting the backend again and again
searchguard.authentication.authentication_backend.cache.enable: true
#####################################################
# Settings based authentication (define users and password directly here in the settings. Note: this is per node)
#searchguard.authentication.settingsdb.user.: password
#searchguard.authentication.settingsdb.user.user1: password
searchguard.authentication.settingsdb.user.pshah: foobar
# If plain text password should be hashed use this. Supported digests are: SHA1 SHA256 SHA384 SHA512 MD5
searchguard.authentication.settingsdb.digest: SHA1
searchguard.authentication.settingsdb.user.pshah: f741cc7d1aaaa5fc112607b46a765ab7df014dd2
#####################################################
I am seeing the following issue:
[2015-08-16 14:49:59,221][WARN ][com.floragunn.searchguard.http.netty.SSLNettyHttpServerTransport] [Scarlet Centurion] Caught exception while handling client http traffic, closing connection [id: 0x65dce709, /10.21.50.36:53330 => /10.21.44.117:9200]
javax.net.ssl.SSLHandshakeException: no cipher suites in common
at sun.security.ssl.Handshaker.checkThrown(Unknown Source)
at sun.security.ssl.SSLEngineImpl.checkTaskThrown(Unknown Source)
at sun.security.ssl.SSLEngineImpl.readNetRecord(Unknown Source)
at sun.security.ssl.SSLEngineImpl.unwrap(Unknown Source)
at javax.net.ssl.SSLEngine.unwrap(Unknown Source)
at org.elasticsearch.common.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1218)
at org.elasticsearch.common.netty.handler.ssl.SslHandler.decode(SslHandler.java:852)
at org.elasticsearch.common.netty.handler.codec.frame.FrameDecoder.callDecode(FrameDecoder.java:425)
at org.elasticsearch.common.netty.handler.codec.frame.FrameDecoder.messageReceived(FrameDecoder.java:303)
at org.elasticsearch.common.netty.channel.SimpleChannelUpstreamHandler.handleUpstream(SimpleChannelUpstreamHandler.java:70)
at org.elasticsearch.common.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:564)
at org.elasticsearch.common.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:559)
at org.elasticsearch.common.netty.channel.Channels.fireMessageReceived(Channels.java:268)
at org.elasticsearch.common.netty.channel.Channels.fireMessageReceived(Channels.java:255)
at org.elasticsearch.common.netty.channel.socket.nio.NioWorker.read(NioWorker.java:88)
at org.elasticsearch.common.netty.channel.socket.nio.AbstractNioWorker.process(AbstractNioWorker.java:108)
at org.elasticsearch.common.netty.channel.socket.nio.AbstractNioSelector.run(AbstractNioSelector.java:337)
at org.elasticsearch.common.netty.channel.socket.nio.AbstractNioWorker.run(AbstractNioWorker.java:89)
at org.elasticsearch.common.netty.channel.socket.nio.NioWorker.run(NioWorker.java:178)
at org.elasticsearch.common.netty.util.ThreadRenamingRunnable.run(ThreadRenamingRunnable.java:108)
at org.elasticsearch.common.netty.util.internal.DeadLockProofWorker$1.run(DeadLockProofWorker.java:42)
at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
Caused by: javax.net.ssl.SSLHandshakeException: no cipher suites in common
at sun.security.ssl.Alerts.getSSLException(Unknown Source)
at sun.security.ssl.SSLEngineImpl.fatal(Unknown Source)
at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
at sun.security.ssl.ServerHandshaker.chooseCipherSuite(Unknown Source)
at sun.security.ssl.ServerHandshaker.clientHello(Unknown Source)
at sun.security.ssl.ServerHandshaker.processMessage(Unknown Source)
at sun.security.ssl.Handshaker.processLoop(Unknown Source)
at sun.security.ssl.Handshaker$1.run(Unknown Source)
at sun.security.ssl.Handshaker$1.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at sun.security.ssl.Handshaker$DelegatedTask.run(Unknown Source)
at org.elasticsearch.common.netty.handler.ssl.SslHandler.runDelegatedTasks(SslHandler.java:1392)
at org.elasticsearch.common.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1255)
... 18 more
[2015-08-16 14:49:59,273][WARN ][com.floragunn.searchguard.http.netty.SSLNettyHttpServerTransport] [Scarlet Centurion] Caught exception while handling client http traffic, closing connection [id: 0x3b47e432, /10.21.50.36:53331 => /10.21.44.117:9200]
javax.net.ssl.SSLHandshakeException: no cipher suites in common
(stack trace identical to the first one)
[2015-08-16 14:49:59,317][WARN ][com.floragunn.searchguard.http.netty.SSLNettyHttpServerTransport] [Scarlet Centurion] Caught exception while handling client http traffic, closing connection [id: 0xb18da9a8, /10.21.50.36:53332 => /10.21.44.117:9200]
javax.net.ssl.SSLHandshakeException: no cipher suites in common
(stack trace identical to the first one)
[2015-08-16 14:49:59,354][WARN ][com.floragunn.searchguard.http.netty.SSLNettyHttpServerTransport] [Scarlet Centurion] Caught exception while handling client http traffic, closing connection [id: 0x28f41e0b, /10.21.50.36:53333 => /10.21.44.117:9200]
javax.net.ssl.SSLHandshakeException: no cipher suites in common
(stack trace identical to the first one)
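A check worth running before opening a thread like this, added here as an example and not part of the original post or of the Search Guard project: a `keystore_filepath` must point at a store that holds the node's own private key (a `PrivateKeyEntry` in `keytool -list` output), while a `truststore_filepath` only needs trusted certificates (`trustedCertEntry`). The JRE `cacerts` file contains only trusted CA certificates and no private key, so a JSSE server configured with it has no certificate to offer and rejects every handshake with "no cipher suites in common". The script below classifies `keytool -list` output and applies that rule to one SSL layer; the two listings are constructed samples with placeholder fingerprints, and the paths and store passwords in the usage comment are the ones from the post.

```shell
#!/bin/sh
# Added example, not from the original post or from Search Guard.
# Classifies `keytool -list` output to tell a TLS server keystore (holds a
# PrivateKeyEntry) from a truststore (holds only trustedCertEntry items).
#
# Usage against the files named in the post (paths and passwords from it):
#   keytool -list -keystore /usr/java/latest/lib/security/cacerts -storepass changeit | keystore_role
#   keytool -list -keystore /usr/java/latest/lib/security/node-0-keystore.jks -storepass kspass | keystore_role

# Constructed sample: what `keytool -list` prints for a cacerts-style file
# (aliases and fingerprints are placeholders, not real certificate hashes).
SAMPLE_CACERTS='Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

exampleroot1, Jan 1, 2010, trustedCertEntry,
Certificate fingerprint (SHA1): 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33
exampleroot2, Jan 1, 2010, trustedCertEntry,
Certificate fingerprint (SHA1): FF:EE:DD:CC:BB:AA:99:88:77:66:55:44:33:22:11:00:FF:EE:DD:CC'

# Constructed sample: a node keystore as the Search Guard cert scripts produce
# (one PrivateKeyEntry for the node plus the issuing CA as trustedCertEntry).
SAMPLE_NODE_KEYSTORE='Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

node-0, Aug 16, 2015, PrivateKeyEntry,
Certificate fingerprint (SHA1): 01:23:45:67:89:AB:CD:EF:01:23:45:67:89:AB:CD:EF:01:23:45:67
root-ca-chain, Aug 16, 2015, trustedCertEntry,
Certificate fingerprint (SHA1): 76:54:32:10:FE:DC:BA:98:76:54:32:10:FE:DC:BA:98:76:54:32:10'

# Reads keytool -list output on stdin and prints the role the file can play:
#   keystore   - has a PrivateKeyEntry, usable for *.keystore_filepath
#   truststore - only trustedCertEntry items, usable for *.truststore_filepath
#   empty      - no certificate entries at all
keystore_role() {
    pk=0; tc=0
    while IFS= read -r line; do
        case "$line" in
            *PrivateKeyEntry*)  pk=$((pk + 1)) ;;
            *trustedCertEntry*) tc=$((tc + 1)) ;;
        esac
    done
    if [ "$pk" -gt 0 ]; then echo keystore
    elif [ "$tc" -gt 0 ]; then echo truststore
    else echo empty
    fi
}

# Checks one SSL layer (transport or http): $1 is the keytool listing of the
# configured keystore, $2 that of the configured truststore. Returns 0 when the
# pair can complete a handshake, 1 with a diagnostic otherwise.
check_layer() {
    ks_role=$(printf '%s\n' "$1" | keystore_role)
    ts_role=$(printf '%s\n' "$2" | keystore_role)
    if [ "$ks_role" != keystore ]; then
        echo "FAIL: keystore_filepath has no PrivateKeyEntry (looks like a $ks_role);" \
             "the server cannot offer a certificate and JSSE reports 'no cipher suites in common'"
        return 1
    fi
    if [ "$ts_role" = empty ]; then
        echo "FAIL: truststore_filepath holds no trusted certificates; enforce_clientauth cannot succeed"
        return 1
    fi
    echo "OK: keystore has a private key, truststore has trusted certificates"
    return 0
}

# Stand-alone demo on the constructed samples: the post's http layer (cacerts
# used as keystore) fails; a node keystore plus a CA truststore passes.
echo "http layer as configured in the post:"
check_layer "$SAMPLE_CACERTS" "$SAMPLE_CACERTS" || true
echo "node keystore + CA truststore:"
check_layer "$SAMPLE_NODE_KEYSTORE" "$SAMPLE_CACERTS"
```

On a live node, pipe the real `keytool -list` output of each configured file into `keystore_role`; whichever `*.keystore_filepath` does not come back as `keystore` is the one that will produce the handshake failure shown in the log above.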