Search Guard client configuration issue

  • Search Guard and Elasticsearch version : Elasticsearch 6.6.1 & SearchGuard : 6:6.1.1-22.4

  • Installed and used enterprise modules, if any : No

  • JVM version and operating system version : java version “1.8.0_171” & Linux

I successfully installed Search Guard on my Elasticsearch cluster and am able to connect via the transport client (Elasticsearch Java Transport client) using the admin certificate. I am having a problem using a client certificate.

Transport authentication finally failed for CN=cn-abc7c-vm92.acme.com,OU=IT,O=Acme Com, Inc.,DC=acme,DC=com

[2019-03-11T23:03:50,559][ERROR][c.f.s.t.SearchGuardRequestHandler] Cannot authenticate null for cluster:monitor/state

Referring to this documentation, https://docs.search-guard.com/latest/client-certificate-auth (TLS authentication | Security for Elasticsearch | Search Guard), I configured:

In elasticsearch.yml (along with other properties):

  searchguard.ssl.http.clientauth_mode: OPTIONAL

In sg_roles_mapping.yml:

  sg_all_access:
    readonly: true
    users:
    backendroles:
      - admin

In sg_config.yml:

  clientcert_auth_domain:
    http_enabled: true #false
    transport_enabled: true #false
    order: 1
    http_authenticator:
      type: clientcert
      config:
        username_attribute: cn #optional, if omitted DN becomes username
      challenge: false
    authentication_backend:
      type: noop

Again, if I use the cert mentioned in searchguard.authcz.admin_dn, then it works just fine.

Please help in resolving the issue. Thanks
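An added example for this thread (not Search Guard's own code): it derives the username that the posted `username_attribute: cn` setting would yield from a certificate subject, and shows why a DN whose O value contains a comma, like the one in the log line above, has to be written in escaped RFC 4514 form ("Acme Com\, Inc.") wherever Search Guard compares DNs. The parser is an assumption standing in for Search Guard's own DN handling, and the sample DN is constructed from the log line.

```python
from typing import List, Optional, Tuple

# Constructed from the DN in the log line, with the comma inside O escaped
# as RFC 4514 requires; the unescaped form printed in the log is ambiguous.
SAMPLE_DN = r"CN=cn-abc7c-vm92.acme.com,OU=IT,O=Acme Com\, Inc.,DC=acme,DC=com"


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split an RFC 4514 DN string into (type, value) pairs.

    Unescaped ',' separates RDNs; a backslash makes the next character
    literal. Multi-valued RDNs ('+') are not handled by this stand-in.
    """
    rdns: List[Tuple[str, str]] = []
    key: Optional[str] = None
    buf: List[str] = []
    escaped = False
    for ch in dn:
        if escaped:                        # character after '\' is literal
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == "=" and key is None:    # first '=' ends the attribute type
            key = "".join(buf).strip()
            buf = []
        elif ch == ",":                    # unescaped ',' ends the RDN
            if not key:
                raise ValueError(f"malformed DN (unescaped ',' or missing '='): {dn!r}")
            rdns.append((key, "".join(buf).strip()))
            key, buf = None, []
        else:
            buf.append(ch)
    if escaped or not key:
        raise ValueError(f"malformed DN: {dn!r}")
    rdns.append((key, "".join(buf).strip()))
    return rdns


def clientcert_username(dn: str, username_attribute: Optional[str] = "cn") -> str:
    """Username as the posted config derives it: the named attribute's value
    (type compared case-insensitively, first match wins), or the whole DN
    when username_attribute is omitted."""
    if username_attribute is None:
        return dn
    for attr_type, value in parse_dn(dn):
        if attr_type.lower() == username_attribute.lower():
            return value
    raise ValueError(f"attribute {username_attribute!r} not present in {dn!r}")


if __name__ == "__main__":
    print(clientcert_username(SAMPLE_DN))        # cn-abc7c-vm92.acme.com
    print(clientcert_username(SAMPLE_DN, None))  # the full DN string
```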

Never mind, I got it resolved. Thanks to the documentation, which mentions running sgadmin after changes are made to sg_config.yml.

On Monday, March 11, 2019 at 4:33:11 PM UTC-7, SEARES wrote: