Running sgadmin.sh for first time

Search Guard
1

Hi
I am trying to setup searchguard with ES2.3.3. As per the documentation info I am able to create the certificates with provided example.sh script but unable to execute. It gives me error on executing the sgadmin.sh script as follows: (tried with localhost for IP and icl options as well without success).
plugins/search-guard-2/tools/sgadmin.sh -cd plugins/search-guard-2/sgconfig/ -cn ESDBA -h 10.236.133.186 -ks plugins/search-guard-2/sgconfig/node-0-keystore.jks -ts plugins/search-guard-2/sgconfig/truststore.jks -nhnv
Connect to 10.236.133.186:9300
ERR: Cannot connect to elasticsearch. Please refer to elasticsearch logfile for more information
Trace:
NoNodeAvailableException[None of the configured nodes are available: [{#transport#-1}{10.236.133.186}{10.236.133.186:9300}]]
at org.elasticsearch.client.transport.TransportClientNodesService.ensureNodesAreAvailable(TransportClientNodesService.java:290)
at org.elasticsearch.client.transport.TransportClientNodesService.execute(TransportClientNodesService.java:207)

Whereas the cluster is up and running:
root@node-0:/usr/local/elasticsearch# curl -XGET ‘http://localhost:9200/_cluster/health?pretty=true
{
“cluster_name” : “ESTEST-ANS”,
“status” : “green”,
“timed_out” : false,

I had modifled the root-ca.conf and signing-ca.conf with my info as below:
0.domainComponent = “dbplat.altus.bblabs.net
organizationName = “ESDBA.”
organizationalUnitName = “ESDBA. Root CA”
commonName = “ESDBA. Root CA”
executing the script example.sh with these info generated required files and I am using the higlighted files in sgadmin commnd to run . Are these correct files to use for sgadmin ? If not which script generates files for sgadmin use for initial admin user configuration. (Do not have separate certificate to use).
-rw-r–r-- 1 root root 1143 Jul 13 19:07 node-0.csr
-rw-r–r-- 1 root root 4319 Jul 13 19:07 * node-0-keystore.jks*
-rw-r–r-- 1 root root 5076 Jul 13 19:07 node-0-keystore.p12
-rw-r–r-- 1 root root 1436 Jul 13 19:07 node-0-signed.pem

-rw-r–r-- 1 root root 4254 Jul 13 19:07 spock-keystore.jks
-rw-r–r-- 1 root root 5002 Jul 13 19:07 spock-keystore.p12
-rw-r–r-- 1 root root 1346 Jul 13 19:07 spock-signed.pem
-rw-r–r-- 1 root root 1032 Jul 13 19:07 * truststore.jks*Does the following entry in elasticsearch.yml file need to be made before ES startup and running sgadmin or after running sgadmin ?

  searchguard.authcz.admin_dn:
- cn=admin,ou=Test,ou=ou,dc=company,dc=com

With bundled download it executes properly, but from the scripts/files it is using, it is not clear at which step files needed to run sgadmin
were created as the files are already existing in bundled distribution and example.sh contents are not identical between bundled
release and separately downloaded scripts from master.zip from GIT.

Am I missing some step ?

Thanks in advance for clarification.

Ajay
2

plugins/search-guard-2/tools/sgadmin.sh -cd plugins/search-guard-2/sgconfig/ -cn ESDBA -h 10.236.133.186 -ks plugins/search-guard-2/sgconfig/<here the admin client cert needs to be used> -ts plugins/search-guard-2/sgconfig/truststore.jks -nhnv

<here the admin client cert needs to be used>: this needs to be a certificate gernerated with "gen_client_node_cert.sh" and the dn must match the one configured in "searchguard.authcz.admin_dn"

···

Am 13.07.2016 um 22:32 schrieb Ajay B <ajay.bh111@gmail.com>:

Hi

I am trying to setup searchguard with ES2.3.3. As per the documentation info I am able to create the certificates with provided example.sh script but unable to execute. It gives me error on executing the sgadmin.sh script as follows: (tried with localhost for IP and icl options as well without success).

plugins/search-guard-2/tools/sgadmin.sh -cd plugins/search-guard-2/sgconfig/ -cn ESDBA -h 10.236.133.186 -ks plugins/search-guard-2/sgconfig/node-0-keystore.jks -ts plugins/search-guard-2/sgconfig/truststore.jks -nhnv
Connect to 10.236.133.186:9300
ERR: Cannot connect to elasticsearch. Please refer to elasticsearch logfile for more information
Trace:
NoNodeAvailableException[None of the configured nodes are available: [{#transport#-1}{10.236.133.186}{10.236.133.186:9300}]]
        at org.elasticsearch.client.transport.TransportClientNodesService.ensureNodesAreAvailable(TransportClientNodesService.java:290)
        at org.elasticsearch.client.transport.TransportClientNodesService.execute(TransportClientNodesService.java:207)
....

Whereas the cluster is up and running:

root@node-0:/usr/local/elasticsearch# curl -XGET 'http://localhost:9200/_cluster/health?pretty=true&#39;
{
  "cluster_name" : "ESTEST-ANS",
  "status" : "green",
  "timed_out" : false,
...

I had modifled the root-ca.conf and signing-ca.conf with my info as below:

0.domainComponent = "dbplat.altus.bblabs.net"
organizationName = "ESDBA."
organizationalUnitName = "ESDBA. Root CA"
commonName = "ESDBA. Root CA"

executing the script example.sh with these info generated required files and I am using the higlighted files in sgadmin commnd to run . Are these correct files to use for sgadmin ? If not which script generates files for sgadmin use for initial admin user configuration. (Do not have separate certificate to use).

-rw-r--r-- 1 root root 1143 Jul 13 19:07 node-0.csr
-rw-r--r-- 1 root root 4319 Jul 13 19:07 node-0-keystore.jks
-rw-r--r-- 1 root root 5076 Jul 13 19:07 node-0-keystore.p12
-rw-r--r-- 1 root root 1436 Jul 13 19:07 node-0-signed.pem
...
-rw-r--r-- 1 root root 4254 Jul 13 19:07 spock-keystore.jks
-rw-r--r-- 1 root root 5002 Jul 13 19:07 spock-keystore.p12
-rw-r--r-- 1 root root 1346 Jul 13 19:07 spock-signed.pem
-rw-r--r-- 1 root root 1032 Jul 13 19:07 truststore.jks

Does the following entry in elasticsearch.yml file need to be made before ES startup and running sgadmin or after running sgadmin ?

searchguard.authcz.admin_dn:
  - cn=admin,ou=Test,ou=ou,dc=company,dc=com

With bundled download it executes properly, but from the scripts/files it is using, it is not clear at which step files needed to run sgadmin
were created as the files are already existing in bundled distribution and example.sh contents are not identical between bundled
release and separately downloaded scripts from master.zip from GIT.

Am I missing some step ?

Thanks in advance for clarification.

Ajay

--
You received this message because you are subscribed to the Google Groups "Search Guard" group.
To unsubscribe from this group and stop receiving emails from it, send an email to search-guard+unsubscribe@googlegroups.com.
To post to this group, send email to search-guard@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/f6c59c70-9a5b-4d45-b53d-ce7777d0e485%40googlegroups.com\.
For more options, visit https://groups.google.com/d/optout\.

3

Now I get error listed at the end of this mail:
Here are my steps to generate certs:
./gen_root_ca.sh “capass” “changeit”
./gen_node_cert.sh 0 changeit “capass”
./gen_client_node_cert.sh ESDBA changeit capass
Generated files copied to sgconfig directory, contents are:
elasticsearch.yml.example
ESDBA-keystore.jks
sg_action_groups.yml
sg_config.yml
sg_internal_users.yml
sg_roles_mapping.yml
sg_roles.yml
truststore.jksRoot and siging conf file entries as follows :**[ ca_dn ]
0.domainComponent = “dbplat.altus.bblabs.net
organizationName = “ESDBA.”**Elasticsearch.yml has the entry:
**searchguard.authcz.admin_dn:

  • CN=ESDBA**
    Executing command like below produces this error:
    plugins/search-guard-2/tools/sgadmin.sh -cd plugins/search-guard-2/sgconfig/ -cn ESDBA -h 10.236.133.186 -ks plugins/search-guard-2/sgconfig/ESDBA-keystore.jks -ts plugins/search-guard-2/sgconfig/truststore.jks -nhnv
    Connect to 10.236.133.186:9300
    [18:05:53,054][ERROR] org.elasticsearch.com.floragunn.searchguard.ssl.transport.SearchGuardSSLNettyTransport - [Hermes] SSL Problem General SSLEngine problem
    javax.net.ssl.SSLHandshakeException: General SSLEngine problem
    at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1431)
    at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:535)

Any incorrect or incomplete entry ?

Thanks

···

On Thursday, July 14, 2016 at 3:44:07 PM UTC-4, SG wrote:

plugins/search-guard-2/tools/sgadmin.sh -cd plugins/search-guard-2/sgconfig/ -cn ESDBA -h 10.236.133.186 -ks plugins/search-guard-2/sgconfig/ -ts plugins/search-guard-2/sgconfig/truststore.jks -nhnv

: this needs to be a certificate gernerated with “gen_client_node_cert.sh” and the dn must match the one configured in “searchguard.authcz.admin_dn”

Am 13.07.2016 um 22:32 schrieb Ajay B ajay....@gmail.com:

Hi

I am trying to setup searchguard with ES2.3.3. As per the documentation info I am able to create the certificates with provided example.sh script but unable to execute. It gives me error on executing the sgadmin.sh script as follows: (tried with localhost for IP and icl options as well without success).

plugins/search-guard-2/tools/sgadmin.sh -cd plugins/search-guard-2/sgconfig/ -cn ESDBA -h 10.236.133.186 -ks plugins/search-guard-2/sgconfig/node-0-keystore.jks -ts plugins/search-guard-2/sgconfig/truststore.jks -nhnv

Connect to 10.236.133.186:9300

ERR: Cannot connect to elasticsearch. Please refer to elasticsearch logfile for more information

Trace:

NoNodeAvailableException[None of the configured nodes are available: [{#transport#-1}{10.236.133.186}{10.236.133.186:9300}]]

    at org.elasticsearch.client.transport.TransportClientNodesService.ensureNodesAreAvailable(TransportClientNodesService.java:290)

    at org.elasticsearch.client.transport.TransportClientNodesService.execute(TransportClientNodesService.java:207)

Whereas the cluster is up and running:

root@node-0:/usr/local/elasticsearch# curl -XGET ‘http://localhost:9200/_cluster/health?pretty=true

{

“cluster_name” : “ESTEST-ANS”,

“status” : “green”,

“timed_out” : false,

I had modifled the root-ca.conf and signing-ca.conf with my info as below:

0.domainComponent = “dbplat.altus.bblabs.net

organizationName = “ESDBA.”

organizationalUnitName = “ESDBA. Root CA”

commonName = “ESDBA. Root CA”

executing the script example.sh with these info generated required files and I am using the higlighted files in sgadmin commnd to run . Are these correct files to use for sgadmin ? If not which script generates files for sgadmin use for initial admin user configuration. (Do not have separate certificate to use).

-rw-r–r-- 1 root root 1143 Jul 13 19:07 node-0.csr

-rw-r–r-- 1 root root 4319 Jul 13 19:07 node-0-keystore.jks

-rw-r–r-- 1 root root 5076 Jul 13 19:07 node-0-keystore.p12

-rw-r–r-- 1 root root 1436 Jul 13 19:07 node-0-signed.pem

-rw-r–r-- 1 root root 4254 Jul 13 19:07 spock-keystore.jks

-rw-r–r-- 1 root root 5002 Jul 13 19:07 spock-keystore.p12

-rw-r–r-- 1 root root 1346 Jul 13 19:07 spock-signed.pem

-rw-r–r-- 1 root root 1032 Jul 13 19:07 truststore.jks

Does the following entry in elasticsearch.yml file need to be made before ES startup and running sgadmin or after running sgadmin ?

searchguard.authcz.admin_dn:

  • cn=admin,ou=Test,ou=ou,dc=company,dc=com

With bundled download it executes properly, but from the scripts/files it is using, it is not clear at which step files needed to run sgadmin

were created as the files are already existing in bundled distribution and example.sh contents are not identical between bundled
release and separately downloaded scripts from master.zip from GIT.

Am I missing some step ?

Thanks in advance for clarification.

Ajay


You received this message because you are subscribed to the Google Groups “Search Guard” group.

To unsubscribe from this group and stop receiving emails from it, send an email to search-guard...@googlegroups.com.

To post to this group, send email to search...@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/f6c59c70-9a5b-4d45-b53d-ce7777d0e485%40googlegroups.com.

For more options, visit https://groups.google.com/d/optout.

4

i also failed many times. at last i input almost all of the param(Indispensably kspass and tspass), it worked.

在 2016年7月16日星期六 UTC+8上午2:17:34,Ajay B写道:

···

Now I get error listed at the end of this mail:
Here are my steps to generate certs:
./gen_root_ca.sh “capass” “changeit”
./gen_node_cert.sh 0 changeit “capass”
./gen_client_node_cert.sh ESDBA changeit capass
Generated files copied to sgconfig directory, contents are:
elasticsearch.yml.example
ESDBA-keystore.jks
sg_action_groups.yml
sg_config.yml
sg_internal_users.yml
sg_roles_mapping.yml
sg_roles.yml
truststore.jksRoot and siging conf file entries as follows :**[ ca_dn ]
0.domainComponent = “dbplat.altus.bblabs.net
organizationName = “ESDBA.”**Elasticsearch.yml has the entry:
**searchguard.authcz.admin_dn:

  • CN=ESDBA**
    Executing command like below produces this error:
    plugins/search-guard-2/tools/sgadmin.sh -cd plugins/search-guard-2/sgconfig/ -cn ESDBA -h 10.236.133.186 -ks plugins/search-guard-2/sgconfig/ESDBA-keystore.jks -ts plugins/search-guard-2/sgconfig/truststore.jks -nhnv
    Connect to 10.236.133.186:9300
    [18:05:53,054][ERROR] org.elasticsearch.com.floragunn.searchguard.ssl.transport.SearchGuardSSLNettyTransport - [Hermes] SSL Problem General SSLEngine problem
    javax.net.ssl.SSLHandshakeException: General SSLEngine problem
    at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1431)
    at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:535)

Any incorrect or incomplete entry ?

Thanks

On Thursday, July 14, 2016 at 3:44:07 PM UTC-4, SG wrote:

plugins/search-guard-2/tools/sgadmin.sh -cd plugins/search-guard-2/sgconfig/ -cn ESDBA -h 10.236.133.186 -ks plugins/search-guard-2/sgconfig/ -ts plugins/search-guard-2/sgconfig/truststore.jks -nhnv

: this needs to be a certificate gernerated with “gen_client_node_cert.sh” and the dn must match the one configured in “searchguard.authcz.admin_dn”

Am 13.07.2016 um 22:32 schrieb Ajay B ajay....@gmail.com:

Hi

I am trying to setup searchguard with ES2.3.3. As per the documentation info I am able to create the certificates with provided example.sh script but unable to execute. It gives me error on executing the sgadmin.sh script as follows: (tried with localhost for IP and icl options as well without success).

plugins/search-guard-2/tools/sgadmin.sh -cd plugins/search-guard-2/sgconfig/ -cn ESDBA -h 10.236.133.186 -ks plugins/search-guard-2/sgconfig/node-0-keystore.jks -ts plugins/search-guard-2/sgconfig/truststore.jks -nhnv

Connect to 10.236.133.186:9300

ERR: Cannot connect to elasticsearch. Please refer to elasticsearch logfile for more information

Trace:

NoNodeAvailableException[None of the configured nodes are available: [{#transport#-1}{10.236.133.186}{10.236.133.186:9300}]]

    at org.elasticsearch.client.transport.TransportClientNodesService.ensureNodesAreAvailable(TransportClientNodesService.java:290)

    at org.elasticsearch.client.transport.TransportClientNodesService.execute(TransportClientNodesService.java:207)

Whereas the cluster is up and running:

root@node-0:/usr/local/elasticsearch# curl -XGET ‘http://localhost:9200/_cluster/health?pretty=true

{

“cluster_name” : “ESTEST-ANS”,

“status” : “green”,

“timed_out” : false,

I had modifled the root-ca.conf and signing-ca.conf with my info as below:

0.domainComponent = “dbplat.altus.bblabs.net

organizationName = “ESDBA.”

organizationalUnitName = “ESDBA. Root CA”

commonName = “ESDBA. Root CA”

executing the script example.sh with these info generated required files and I am using the higlighted files in sgadmin commnd to run . Are these correct files to use for sgadmin ? If not which script generates files for sgadmin use for initial admin user configuration. (Do not have separate certificate to use).

-rw-r–r-- 1 root root 1143 Jul 13 19:07 node-0.csr

-rw-r–r-- 1 root root 4319 Jul 13 19:07 node-0-keystore.jks

-rw-r–r-- 1 root root 5076 Jul 13 19:07 node-0-keystore.p12

-rw-r–r-- 1 root root 1436 Jul 13 19:07 node-0-signed.pem

-rw-r–r-- 1 root root 4254 Jul 13 19:07 spock-keystore.jks

-rw-r–r-- 1 root root 5002 Jul 13 19:07 spock-keystore.p12

-rw-r–r-- 1 root root 1346 Jul 13 19:07 spock-signed.pem

-rw-r–r-- 1 root root 1032 Jul 13 19:07 truststore.jks

Does the following entry in elasticsearch.yml file need to be made before ES startup and running sgadmin or after running sgadmin ?

searchguard.authcz.admin_dn:

  • cn=admin,ou=Test,ou=ou,dc=company,dc=com

With bundled download it executes properly, but from the scripts/files it is using, it is not clear at which step files needed to run sgadmin

were created as the files are already existing in bundled distribution and example.sh contents are not identical between bundled
release and separately downloaded scripts from master.zip from GIT.

Am I missing some step ?

Thanks in advance for clarification.

Ajay


You received this message because you are subscribed to the Google Groups “Search Guard” group.

To unsubscribe from this group and stop receiving emails from it, send an email to search-guard...@googlegroups.com.

To post to this group, send email to search...@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/f6c59c70-9a5b-4d45-b53d-ce7777d0e485%40googlegroups.com.

For more options, visit https://groups.google.com/d/optout.