Search Guard - Node Error in Logs

Hi

I was able to install search guard and run elastic search succesfully by following the steps mentioned in https://github.com/floragunncom/search-guard

I am running the below versions

Elastic Search 5.5.0

Spring-data-elasticsearch 3.0.0.RC2

Search Guard 5.5.0-15

Using the below code I was able to successfully connect to Elastic Search and insert records into elastic search

`Settings esSettings = Settings.builder()

                            .put("path.home", ".")

                            .put("[cluster.name](http://cluster.name/)", "searchguard_demo")

                            .put("searchguard.ssl.transport.enabled", true)

                            .put("searchguard.ssl.transport.keystore_filepath", "/Users/temp/Desktop/applications/mycert/kirk.jks")

                            .put("searchguard.ssl.transport.truststore_filepath", "/Users/temp/Desktop/applications/mycert/truststore.jks")

         .put("searchguard.ssl.transport.enforce_hostname_verification", false)

         .put("searchguard.ssl.transport.resolve_hostname", false)

         .put(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_KEYSTORE_PASSWORD, "changeit")

         .put(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_TRUSTSTORE_PASSWORD, "changeit")

         .putArray("searchguard.authcz.admin_dn", "CN=kirk,OU=client,O=client,l=Est,C=De")

         .build();

TransportClient client = new PreBuiltTransportClient(esSettings,SearchGuardPlugin.class);

try {

client.addTransportAddress(new InetSocketTransportAddress(InetAddress.getByName(“127.0.0.1”), Integer.valueOf(“9300”)));

} catch (NumberFormatException e) {

// TODO Auto-generated catch block

e.printStackTrace();

} catch (UnknownHostException e) {

// TODO Auto-generated catch block

e.printStackTrace();

}

`

Now , I am trying to create certificates using the TLS generator provided by Search Guard.

https://floragunn.com/tls-certificate-generator/

I got two client certificates : sgadmin and demouser apart from the node cerificate CN=127.0.0.1-keystore.jks

After generating the certificates , the copied the below files to searchgaurd/config/generate-certificates folder

CN=demouser-keystore.jks

CN=sgadmin-keystore.jks

truststore.jks

I am trying to use the CN=demouser-keystore.jks to connect to Elastic Search

Below is my configuration in elasticsearch.yml

`

######## Start Search Guard Demo Configuration ########
searchguard.ssl.transport.keystore_filepath: generated-certificates/CN=demouser-keystore.jks
searchguard.ssl.transport.keystore_password: afd02cecb11578f80c78
searchguard.ssl.transport.truststore_filepath: generated-certificates/truststore.jks
searchguard.ssl.transport.truststore_password: 8533bf07a673a9af95b9
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.http.enabled: true
searchguard.ssl.http.keystore_filepath: generated-certificates/CN=demouser-keystore.jks
searchguard.ssl.http.keystore_password: afd02cecb11578f80c78
searchguard.ssl.http.truststore_filepath: generated-certificates/truststore.jks
searchguard.ssl.http.truststore_password: 8533bf07a673a9af95b9

searchguard.authcz.admin_dn:

  • CN=sgadmin
  • CN=demouser

cluster.name: searchguard_demo

network.host: 0.0.0.0

######## End Search Guard Demo Configuration ########

`

When I start elastic search , I get the following error. I have only one node in my cluster .

I have still not run sgadmin.sh . Am I doing any mistake here ? Should I add the node certificate also to elasticsearch.yml file ?

Caused by: org.elasticsearch.transport.RemoteTransportException: [TR6U48o][127.0.0.1:9300][internal:transport/handshake]

Caused by: org.elasticsearch.ElasticsearchException: bad header found. This means typically that one node try to connect to another with a non-node certificate (no OID or searchguard.nodes_dn incorrect configured) or that someoneis spoofing requests. See https://github.com/floragunncom/search-guard-docs/blob/master/tls_node_certificates.md

at com.floragunn.searchguard.ssl.util.ExceptionUtils.createBadHeaderException(ExceptionUtils.java:56) ~[?:?]

at com.floragunn.searchguard.transport.SearchGuardRequestHandler.messageReceivedDecorate(SearchGuardRequestHandler.java:159) ~[?:?]

at com.floragunn.searchguard.ssl.transport.SearchGuardSSLRequestHandler.messageReceived(SearchGuardSSLRequestHandler.java:140) ~[?:?]

at com.floragunn.searchguard.SearchGuardPlugin$3$1.messageReceived(SearchGuardPlugin.java:376) ~[?:?]

at org.elasticsearch.transport.RequestHandlerRegistry.processMessageReceived(RequestHandlerRegistry.java:69) ~[elasticsearch-5.5.0.jar:5.5.0]

at org.elasticsearch.transport.TcpTransport$RequestHandler.doRun(TcpTransport.java:1544) ~[elasticsearch-5.5.0.jar:5.5.0]

at org.elasticsearch.common.util.concurrent.AbstractRunnable.run(AbstractRunnable.java:37) ~[elasticsearch-5.5.0.jar:5.5.0]

at org.elasticsearch.common.util.concurrent.EsExecutors$1.execute(EsExecutors.java:110) ~[elasticsearch-5.5.0.jar:5.5.0]

at org.elasticsearch.transport.TcpTransport.handleRequest(TcpTransport.java:1501) ~[elasticsearch-5.5.0.jar:5.5.0]

at org.elasticsearch.transport.TcpTransport.messageReceived(TcpTransport.java:1385) ~[elasticsearch-5.5.0.jar:5.5.0]

at org.elasticsearch.transport.netty4.Netty4MessageChannelHandler.channelRead(Netty4MessageChannelHandler.java:74) ~[?:?]

at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) ~[?:?]

at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348) ~[?:?]

at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340) ~[?:?]

at io.netty.handler.codec.ByteToMessageDecoder.fireChannelRead(ByteToMessageDecoder.java:310) ~[?:?]

at io.netty.handler.codec.ByteToMessageDecoder.fireChannelRead(ByteToMessageDecoder.java:297) ~[?:?]

at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:413) ~[?:?]

at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:265) ~[?:?]

at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) ~[?:?]

at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348) ~[?:?]

at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340) ~[?:?]

at io.netty.channel.ChannelInboundHandlerAdapter.channelRead(ChannelInboundHandlerAdapter.java:86) ~[?:?]

at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) ~[?:?]

at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348) ~[?:?]

at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340) ~[?:?]

at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1267) ~[?:?]

at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1078) ~[?:?]

at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:489) ~[?:?]

at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:428) ~[?:?]

at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:265) ~[?:?]

at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) ~[?:?]

at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348) ~[?:?]

at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340) ~[?:?]

at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1334) ~[?:?]

at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) ~[?:?]

at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348) ~[?:?]

at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:926) ~[?:?]

at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:134) ~[?:?]

at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:644) ~[?:?]

at io.netty.channel.nio.NioEventLoop.processSelectedKeysPlain(NioEventLoop.java:544) ~[?:?]

at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:498) ~[?:?]

at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:458) ~[?:?]

at io.netty.util.concurrent.SingleThreadEventExecutor$5.run(SingleThreadEventExecutor.java:858) ~[?:?]

… 1 more

I was able to run the below command successfully

./sgadmin.sh -ks /Users/myname/Desktop/applications/elasticsearch-5.5.0-demouser/config/generated-certificates/CN=demouser-keystore.jks -kspass afd02cecb11578f80c78 -ts /Users/myname/Desktop/applications/elasticsearch-5.5.0-demouser/config/generated-certificates/truststore.jks -tspass 8533bf07a673a9af95b9 -cd …/sgconfig -icl -nhnv

I was also able to insert records into elastic search finally …

`

Settings esSettings = Settings.builder()

         .put("path.home", ".")

         .put("[cluster.name](http://cluster.name/)", "searchguard_demo")

         .put("searchguard.ssl.transport.enabled", true)

         .put("searchguard.ssl.transport.keystore_filepath", "/Users/myname/Desktop/applications/elasticsearch-5.5.0-demouser/config/generated-certificates/CN=demouser-keystore.jks")

         .put("searchguard.ssl.transport.truststore_filepath", "/Users/myname/Desktop/applications/elasticsearch-5.5.0-demouser/config/generated-certificates/truststore.jks")

         .put("searchguard.ssl.transport.enforce_hostname_verification", false)

         .put("searchguard.ssl.transport.resolve_hostname", false)

         //.put("[request.headers.sg.impersonate.as](http://request.headers.sg.impersonate.as/)", "admin")

         .put(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_KEYSTORE_PASSWORD, "afd02cecb11578f80c78")

         .put(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_TRUSTSTORE_PASSWORD, "8533bf07a673a9af95b9")

         .putArray("searchguard.authcz.admin_dn", "CN=demouser")

         .build();

TransportClient client = new PreBuiltTransportClient(esSettings,SearchGuardPlugin.class);

try {

client.addTransportAddress(new InetSocketTransportAddress(InetAddress.getByName(“127.0.0.1”), Integer.valueOf(“9300”)));

} catch (NumberFormatException e) {

// TODO Auto-generated catch block

e.printStackTrace();

} catch (UnknownHostException e) {

// TODO Auto-generated catch block

e.printStackTrace();

`

I still get this error in elastic search server logs though I was able to insert and select data from elastic search .

I could not find out what I had missed. Kindly revert if you find any issue in my configurations

Caused by: org.elasticsearch.transport.RemoteTransportException: [TR6U48o][[::1]:9300][internal:transport/handshake]

Caused by: org.elasticsearch.ElasticsearchException: bad header found. This means typically that one node try to connect to another with a non-node certificate (no OID or searchguard.nodes_dn incorrect configured) or that someoneis spoofing requests. See https://github.com/floragunncom/search-guard-docs/blob/master/tls_node_certificates.md

at com.floragunn.searchguard.ssl.util.ExceptionUtils.createBadHeaderException(ExceptionUtils.java:56) ~[?:?]

at com.floragunn.searchguard.transport.SearchGuardRequestHandler.messageReceivedDecorate(SearchGuardRequestHandler.java:159) ~[?:?]

at com.floragunn.searchguard.ssl.transport.SearchGuardSSLRequestHandler.messageReceived(SearchGuardSSLRequestHandler.java:140) ~[?:?]

at com.floragunn.searchguard.SearchGuardPlugin$3$1.messageReceived(SearchGuardPlugin.java:376) ~[?:?]

at org.elasticsearch.transport.RequestHandlerRegistry.processMessageReceived(RequestHandlerRegistry.java:69) ~[elasticsearch-5.5.0.jar:5.5.0]

at org.elasticsearch.transport.TcpTransport$RequestHandler.doRun(TcpTransport.java:1544) ~[elasticsearch-5.5.0.jar:5.5.0]

at org.elasticsearch.common.util.concurrent.AbstractRunnable.run(AbstractRunnable.java:37) ~[elasticsearch-5.5.0.jar:5.5.0]

``

The network_host was incorrect
I changed it to 127.0.0.1 and the below error is not happening now

Caused by: org.elasticsearch.ElasticsearchException: bad header found. This means typically that one node try to connect to another with a non-node certificate (no OID or searchguard.nodes_dn incorrect configured) or that someoneis spoofing requests. See https://github.com/floragunncom/search-guard-docs/blob/master/tls_node_certificates.md
at com.floragunn.searchguard.ssl.util.ExceptionUtils.createBadHeaderException(ExceptionUtils.java:56) ~[?:?]

``

···

On Monday, August 21, 2017 at 5:23:03 PM UTC+3, md md wrote:

Hi

I was able to install search guard and run elastic search succesfully by following the steps mentioned in https://github.com/floragunncom/search-guard

I am running the below versions

Elastic Search 5.5.0

Spring-data-elasticsearch 3.0.0.RC2

Search Guard 5.5.0-15

Using the below code I was able to successfully connect to Elastic Search and insert records into elastic search

`Settings esSettings = Settings.builder()

                            .put("path.home", ".")


                            .put("[cluster.name](http://cluster.name/)", "searchguard_demo")


                            .put("searchguard.ssl.transport.enabled", true)


                            .put("searchguard.ssl.transport.keystore_filepath", "/Users/temp/Desktop/applications/mycert/kirk.jks")


                            .put("searchguard.ssl.transport.truststore_filepath", "/Users/temp/Desktop/applications/mycert/truststore.jks")


         .put("searchguard.ssl.transport.enforce_hostname_verification", false)


         .put("searchguard.ssl.transport.resolve_hostname", false)


         .put(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_KEYSTORE_PASSWORD, "changeit")


         .put(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_TRUSTSTORE_PASSWORD, "changeit")


         .putArray("searchguard.authcz.admin_dn", "CN=kirk,OU=client,O=client,l=Est,C=De")


         .build();

TransportClient client = new PreBuiltTransportClient(esSettings,SearchGuardPlugin.class);

try {

client.addTransportAddress(new InetSocketTransportAddress(InetAddress.getByName(“127.0.0.1”), Integer.valueOf(“9300”)));

} catch (NumberFormatException e) {

// TODO Auto-generated catch block

e.printStackTrace();

} catch (UnknownHostException e) {

// TODO Auto-generated catch block

e.printStackTrace();

}

`

Now , I am trying to create certificates using the TLS generator provided by Search Guard.

https://floragunn.com/tls-certificate-generator/

I got two client certificates : sgadmin and demouser apart from the node cerificate CN=127.0.0.1-keystore.jks

After generating the certificates , the copied the below files to searchgaurd/config/generate-certificates folder

CN=demouser-keystore.jks

CN=sgadmin-keystore.jks

truststore.jks

I am trying to use the CN=demouser-keystore.jks to connect to Elastic Search

Below is my configuration in elasticsearch.yml

`

######## Start Search Guard Demo Configuration ########
searchguard.ssl.transport.keystore_filepath: generated-certificates/CN=demouser-keystore.jks
searchguard.ssl.transport.keystore_password: afd02cecb11578f80c78
searchguard.ssl.transport.truststore_filepath: generated-certificates/truststore.jks
searchguard.ssl.transport.truststore_password: 8533bf07a673a9af95b9
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.http.enabled: true
searchguard.ssl.http.keystore_filepath: generated-certificates/CN=demouser-keystore.jks
searchguard.ssl.http.keystore_password: afd02cecb11578f80c78
searchguard.ssl.http.truststore_filepath: generated-certificates/truststore.jks
searchguard.ssl.http.truststore_password: 8533bf07a673a9af95b9

searchguard.authcz.admin_dn:

  • CN=sgadmin
  • CN=demouser

cluster.name: searchguard_demo

network.host: 0.0.0.0

######## End Search Guard Demo Configuration ########

`

When I start elastic search , I get the following error. I have only one node in my cluster .

I have still not run sgadmin.sh . Am I doing any mistake here ? Should I add the node certificate also to elasticsearch.yml file ?

Caused by: org.elasticsearch.transport.RemoteTransportException: [TR6U48o][127.0.0.1:9300][internal:transport/handshake]

Caused by: org.elasticsearch.ElasticsearchException: bad header found. This means typically that one node try to connect to another with a non-node certificate (no OID or searchguard.nodes_dn incorrect configured) or that someoneis spoofing requests. See https://github.com/floragunncom/search-guard-docs/blob/master/tls_node_certificates.md

at com.floragunn.searchguard.ssl.util.ExceptionUtils.createBadHeaderException(ExceptionUtils.java:56) ~[?:?]

at com.floragunn.searchguard.transport.SearchGuardRequestHandler.messageReceivedDecorate(SearchGuardRequestHandler.java:159) ~[?:?]

at com.floragunn.searchguard.ssl.transport.SearchGuardSSLRequestHandler.messageReceived(SearchGuardSSLRequestHandler.java:140) ~[?:?]

at com.floragunn.searchguard.SearchGuardPlugin$3$1.messageReceived(SearchGuardPlugin.java:376) ~[?:?]

at org.elasticsearch.transport.RequestHandlerRegistry.processMessageReceived(RequestHandlerRegistry.java:69) ~[elasticsearch-5.5.0.jar:5.5.0]

at org.elasticsearch.transport.TcpTransport$RequestHandler.doRun(TcpTransport.java:1544) ~[elasticsearch-5.5.0.jar:5.5.0]

at org.elasticsearch.common.util.concurrent.AbstractRunnable.run(AbstractRunnable.java:37) ~[elasticsearch-5.5.0.jar:5.5.0]

at org.elasticsearch.common.util.concurrent.EsExecutors$1.execute(EsExecutors.java:110) ~[elasticsearch-5.5.0.jar:5.5.0]

at org.elasticsearch.transport.TcpTransport.handleRequest(TcpTransport.java:1501) ~[elasticsearch-5.5.0.jar:5.5.0]

at org.elasticsearch.transport.TcpTransport.messageReceived(TcpTransport.java:1385) ~[elasticsearch-5.5.0.jar:5.5.0]

at org.elasticsearch.transport.netty4.Netty4MessageChannelHandler.channelRead(Netty4MessageChannelHandler.java:74) ~[?:?]

at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) ~[?:?]

at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348) ~[?:?]

at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340) ~[?:?]

at io.netty.handler.codec.ByteToMessageDecoder.fireChannelRead(ByteToMessageDecoder.java:310) ~[?:?]

at io.netty.handler.codec.ByteToMessageDecoder.fireChannelRead(ByteToMessageDecoder.java:297) ~[?:?]

at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:413) ~[?:?]

at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:265) ~[?:?]

at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) ~[?:?]

at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348) ~[?:?]

at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340) ~[?:?]

at io.netty.channel.ChannelInboundHandlerAdapter.channelRead(ChannelInboundHandlerAdapter.java:86) ~[?:?]

at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) ~[?:?]

at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348) ~[?:?]

at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340) ~[?:?]

at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1267) ~[?:?]

at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1078) ~[?:?]

at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:489) ~[?:?]

at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:428) ~[?:?]

at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:265) ~[?:?]

at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) ~[?:?]

at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348) ~[?:?]

at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340) ~[?:?]

at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1334) ~[?:?]

at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) ~[?:?]

at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348) ~[?:?]

at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:926) ~[?:?]

at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:134) ~[?:?]

at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:644) ~[?:?]

at io.netty.channel.nio.NioEventLoop.processSelectedKeysPlain(NioEventLoop.java:544) ~[?:?]

at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:498) ~[?:?]

at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:458) ~[?:?]

at io.netty.util.concurrent.SingleThreadEventExecutor$5.run(SingleThreadEventExecutor.java:858) ~[?:?]

… 1 more

I was able to run the below command successfully

./sgadmin.sh -ks /Users/myname/Desktop/applications/elasticsearch-5.5.0-demouser/config/generated-certificates/CN=demouser-keystore.jks -kspass afd02cecb11578f80c78 -ts /Users/myname/Desktop/applications/elasticsearch-5.5.0-demouser/config/generated-certificates/truststore.jks -tspass 8533bf07a673a9af95b9 -cd …/sgconfig -icl -nhnv

I was also able to insert records into elastic search finally …

`

Settings esSettings = Settings.builder()

         .put("path.home", ".")

         .put("[cluster.name](http://cluster.name/)", "searchguard_demo")

         .put("searchguard.ssl.transport.enabled", true)

         .put("searchguard.ssl.transport.keystore_filepath", "/Users/myname/Desktop/applications/elasticsearch-5.5.0-demouser/config/generated-certificates/CN=demouser-keystore.jks")

         .put("searchguard.ssl.transport.truststore_filepath", "/Users/myname/Desktop/applications/elasticsearch-5.5.0-demouser/config/generated-certificates/truststore.jks")

         .put("searchguard.ssl.transport.enforce_hostname_verification", false)

         .put("searchguard.ssl.transport.resolve_hostname", false)

         //.put("[request.headers.sg.impersonate.as](http://request.headers.sg.impersonate.as/)", "admin")

         .put(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_KEYSTORE_PASSWORD, "afd02cecb11578f80c78")

         .put(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_TRUSTSTORE_PASSWORD, "8533bf07a673a9af95b9")

         .putArray("searchguard.authcz.admin_dn", "CN=demouser")

         .build();

TransportClient client = new PreBuiltTransportClient(esSettings,SearchGuardPlugin.class);

try {

client.addTransportAddress(new InetSocketTransportAddress(InetAddress.getByName(“127.0.0.1”), Integer.valueOf(“9300”)));

} catch (NumberFormatException e) {

// TODO Auto-generated catch block

e.printStackTrace();

} catch (UnknownHostException e) {

// TODO Auto-generated catch block

e.printStackTrace();

`

I still get this error in elastic search server logs though I was able to insert and select data from elastic search .

I could not find out what I had missed. Kindly revert if you find any issue in my configurations

Caused by: org.elasticsearch.transport.RemoteTransportException: [TR6U48o][[::1]:9300][internal:transport/handshake]

Caused by: org.elasticsearch.ElasticsearchException: bad header found. This means typically that one node try to connect to another with a non-node certificate (no OID or searchguard.nodes_dn incorrect configured) or that someoneis spoofing requests. See https://github.com/floragunncom/search-guard-docs/blob/master/tls_node_certificates.md

at com.floragunn.searchguard.ssl.util.ExceptionUtils.createBadHeaderException(ExceptionUtils.java:56) ~[?:?]

at com.floragunn.searchguard.transport.SearchGuardRequestHandler.messageReceivedDecorate(SearchGuardRequestHandler.java:159) ~[?:?]

at com.floragunn.searchguard.ssl.transport.SearchGuardSSLRequestHandler.messageReceived(SearchGuardSSLRequestHandler.java:140) ~[?:?]

at com.floragunn.searchguard.SearchGuardPlugin$3$1.messageReceived(SearchGuardPlugin.java:376) ~[?:?]

at org.elasticsearch.transport.RequestHandlerRegistry.processMessageReceived(RequestHandlerRegistry.java:69) ~[elasticsearch-5.5.0.jar:5.5.0]

at org.elasticsearch.transport.TcpTransport$RequestHandler.doRun(TcpTransport.java:1544) ~[elasticsearch-5.5.0.jar:5.5.0]

at org.elasticsearch.common.util.concurrent.AbstractRunnable.run(AbstractRunnable.java:37) ~[elasticsearch-5.5.0.jar:5.5.0]

``

Hi,

first of all you need to know that your successful requests did work because by adding the demouser client certificate to the configuration of searchguard.authcz.admin_dn you have permitted admin access for the demouser certificate. (see screenshot):

This way all auth checks will be ‘bypassed’ so to say.

Furthermore your configuration of this elasticsearch.yml does not provide any node certificate. As you have already mentioned yourself:
‘‘Should I add the node certificate also to elasticsearch.yml file ?’’ - correct, in order to ensure node to node communication, a node certificate needs to be provided.

The log file gives some helpful information here:

Caused by: org.elasticsearch.ElasticsearchException: bad header found. This means typically that one node try to connect to another with a non-node certificate (no OID or searchguard.nodes_dn incorrect configured) or that someoneis spoofing requests. See https://github.com/floragunncom/search-guard-docs/blob/master/tls_node_certificates.md

So, you need to add a node certificate to your elasticsearch.yml. It has been provided as well with using our TLS certificate generator, you will find it in the folder node-certificates shipped within the search-guard-certificates archive.
In the end your elasticsearch.yml has to look something like this: !Please do not forget to fill out with your own path and .jks file name!

######## Start Search Guard Demo Configuration ########
searchguard.ssl.transport.keystore_filepath: generated-certificates/CN=localhost-keystore.jks
searchguard.ssl.transport.keystore_password: afd02cecb11578f80c78
searchguard.ssl.transport.truststore_filepath: generated-certificates/truststore.jks
searchguard.ssl.transport.truststore_password: 8533bf07a673a9af95b9
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.http.enabled: true
searchguard.ssl.http.keystore_filepath: generated-certificates/CN=localhost-keystore.jks
searchguard.ssl.http.keystore_password: afd02cecb11578f80c78
searchguard.ssl.http.truststore_filepath: generated-certificates/truststore.jks
searchguard.ssl.http.truststore_password: 8533bf07a673a9af95b9

Thanks for your question, I hope this answer helps,

regards, Urs.

···

Urs Armbruster

Community Manager

floragunn GmbH

Tempelhofer Ufer 16

10963 Berlin

Amtsgericht Charlottenburg HRB 147010

USt-IdNr.: DE287373363

+++ like us on facebook: https://www.facebook.com/searchguard

+++ follow us on twitter: https://twitter.com/searchguard

On Monday, August 21, 2017 at 4:23:03 PM UTC+2, md md wrote:

Hi

I was able to install search guard and run elastic search succesfully by following the steps mentioned in https://github.com/floragunncom/search-guard

I am running the below versions

Elastic Search 5.5.0

Spring-data-elasticsearch 3.0.0.RC2

Search Guard 5.5.0-15

Using the below code I was able to successfully connect to Elastic Search and insert records into elastic search

`Settings esSettings = Settings.builder()

                            .put("path.home", ".")


                            .put("[cluster.name](http://cluster.name/)", "searchguard_demo")


                            .put("searchguard.ssl.transport.enabled", true)


                            .put("searchguard.ssl.transport.keystore_filepath", "/Users/temp/Desktop/applications/mycert/kirk.jks")


                            .put("searchguard.ssl.transport.truststore_filepath", "/Users/temp/Desktop/applications/mycert/truststore.jks")


         .put("searchguard.ssl.transport.enforce_hostname_verification", false)


         .put("searchguard.ssl.transport.resolve_hostname", false)


         .put(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_KEYSTORE_PASSWORD, "changeit")


         .put(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_TRUSTSTORE_PASSWORD, "changeit")


         .putArray("searchguard.authcz.admin_dn", "CN=kirk,OU=client,O=client,l=Est,C=De")


         .build();

TransportClient client = new PreBuiltTransportClient(esSettings,SearchGuardPlugin.class);

try {

client.addTransportAddress(new InetSocketTransportAddress(InetAddress.getByName(“127.0.0.1”), Integer.valueOf(“9300”)));

} catch (NumberFormatException e) {

// TODO Auto-generated catch block

e.printStackTrace();

} catch (UnknownHostException e) {

// TODO Auto-generated catch block

e.printStackTrace();

}

`

Now , I am trying to create certificates using the TLS generator provided by Search Guard.

https://floragunn.com/tls-certificate-generator/

I got two client certificates : sgadmin and demouser apart from the node cerificate CN=127.0.0.1-keystore.jks

After generating the certificates , the copied the below files to searchgaurd/config/generate-certificates folder

CN=demouser-keystore.jks

CN=sgadmin-keystore.jks

truststore.jks

I am trying to use the CN=demouser-keystore.jks to connect to Elastic Search

Below is my configuration in elasticsearch.yml

`

######## Start Search Guard Demo Configuration ########
searchguard.ssl.transport.keystore_filepath: generated-certificates/CN=demouser-keystore.jks
searchguard.ssl.transport.keystore_password: afd02cecb11578f80c78
searchguard.ssl.transport.truststore_filepath: generated-certificates/truststore.jks
searchguard.ssl.transport.truststore_password: 8533bf07a673a9af95b9
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.http.enabled: true
searchguard.ssl.http.keystore_filepath: generated-certificates/CN=demouser-keystore.jks
searchguard.ssl.http.keystore_password: afd02cecb11578f80c78
searchguard.ssl.http.truststore_filepath: generated-certificates/truststore.jks
searchguard.ssl.http.truststore_password: 8533bf07a673a9af95b9

searchguard.authcz.admin_dn:

  • CN=sgadmin
  • CN=demouser

cluster.name: searchguard_demo

network.host: 0.0.0.0

######## End Search Guard Demo Configuration ########

`

When I start elastic search , I get the following error. I have only one node in my cluster .

I have still not run sgadmin.sh . Am I doing any mistake here ? Should I add the node certificate also to elasticsearch.yml file ?

Caused by: org.elasticsearch.transport.RemoteTransportException: [TR6U48o][127.0.0.1:9300][internal:transport/handshake]

Caused by: org.elasticsearch.ElasticsearchException: bad header found. This means typically that one node try to connect to another with a non-node certificate (no OID or searchguard.nodes_dn incorrect configured) or that someoneis spoofing requests. See https://github.com/floragunncom/search-guard-docs/blob/master/tls_node_certificates.md

at com.floragunn.searchguard.ssl.util.ExceptionUtils.createBadHeaderException(ExceptionUtils.java:56) ~[?:?]

at com.floragunn.searchguard.transport.SearchGuardRequestHandler.messageReceivedDecorate(SearchGuardRequestHandler.java:159) ~[?:?]

at com.floragunn.searchguard.ssl.transport.SearchGuardSSLRequestHandler.messageReceived(SearchGuardSSLRequestHandler.java:140) ~[?:?]

at com.floragunn.searchguard.SearchGuardPlugin$3$1.messageReceived(SearchGuardPlugin.java:376) ~[?:?]

at org.elasticsearch.transport.RequestHandlerRegistry.processMessageReceived(RequestHandlerRegistry.java:69) ~[elasticsearch-5.5.0.jar:5.5.0]

at org.elasticsearch.transport.TcpTransport$RequestHandler.doRun(TcpTransport.java:1544) ~[elasticsearch-5.5.0.jar:5.5.0]

at org.elasticsearch.common.util.concurrent.AbstractRunnable.run(AbstractRunnable.java:37) ~[elasticsearch-5.5.0.jar:5.5.0]

at org.elasticsearch.common.util.concurrent.EsExecutors$1.execute(EsExecutors.java:110) ~[elasticsearch-5.5.0.jar:5.5.0]

at org.elasticsearch.transport.TcpTransport.handleRequest(TcpTransport.java:1501) ~[elasticsearch-5.5.0.jar:5.5.0]

at org.elasticsearch.transport.TcpTransport.messageReceived(TcpTransport.java:1385) ~[elasticsearch-5.5.0.jar:5.5.0]

at org.elasticsearch.transport.netty4.Netty4MessageChannelHandler.channelRead(Netty4MessageChannelHandler.java:74) ~[?:?]

at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) ~[?:?]

at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348) ~[?:?]

at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340) ~[?:?]

at io.netty.handler.codec.ByteToMessageDecoder.fireChannelRead(ByteToMessageDecoder.java:310) ~[?:?]

at io.netty.handler.codec.ByteToMessageDecoder.fireChannelRead(ByteToMessageDecoder.java:297) ~[?:?]

at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:413) ~[?:?]

at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:265) ~[?:?]

at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) ~[?:?]

at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348) ~[?:?]

at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340) ~[?:?]

at io.netty.channel.ChannelInboundHandlerAdapter.channelRead(ChannelInboundHandlerAdapter.java:86) ~[?:?]

at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) ~[?:?]

at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348) ~[?:?]

at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340) ~[?:?]

at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1267) ~[?:?]

at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1078) ~[?:?]

at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:489) ~[?:?]

at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:428) ~[?:?]

at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:265) ~[?:?]

at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) ~[?:?]

at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348) ~[?:?]

at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340) ~[?:?]

at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1334) ~[?:?]

at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) ~[?:?]

at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348) ~[?:?]

at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:926) ~[?:?]

at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:134) ~[?:?]

at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:644) ~[?:?]

at io.netty.channel.nio.NioEventLoop.processSelectedKeysPlain(NioEventLoop.java:544) ~[?:?]

at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:498) ~[?:?]

at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:458) ~[?:?]

at io.netty.util.concurrent.SingleThreadEventExecutor$5.run(SingleThreadEventExecutor.java:858) ~[?:?]

… 1 more

I was able to run the below command successfully

./sgadmin.sh -ks /Users/myname/Desktop/applications/elasticsearch-5.5.0-demouser/config/generated-certificates/CN=demouser-keystore.jks -kspass afd02cecb11578f80c78 -ts /Users/myname/Desktop/applications/elasticsearch-5.5.0-demouser/config/generated-certificates/truststore.jks -tspass 8533bf07a673a9af95b9 -cd …/sgconfig -icl -nhnv

I was also able to insert records into elastic search finally …

`

Settings esSettings = Settings.builder()

         .put("path.home", ".")

         .put("[cluster.name](http://cluster.name/)", "searchguard_demo")

         .put("searchguard.ssl.transport.enabled", true)

         .put("searchguard.ssl.transport.keystore_filepath", "/Users/myname/Desktop/applications/elasticsearch-5.5.0-demouser/config/generated-certificates/CN=demouser-keystore.jks")

         .put("searchguard.ssl.transport.truststore_filepath", "/Users/myname/Desktop/applications/elasticsearch-5.5.0-demouser/config/generated-certificates/truststore.jks")

         .put("searchguard.ssl.transport.enforce_hostname_verification", false)

         .put("searchguard.ssl.transport.resolve_hostname", false)

         //.put("[request.headers.sg.impersonate.as](http://request.headers.sg.impersonate.as/)", "admin")

         .put(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_KEYSTORE_PASSWORD, "afd02cecb11578f80c78")

         .put(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_TRUSTSTORE_PASSWORD, "8533bf07a673a9af95b9")

         .putArray("searchguard.authcz.admin_dn", "CN=demouser")

         .build();

TransportClient client = new PreBuiltTransportClient(esSettings,SearchGuardPlugin.class);

try {

client.addTransportAddress(new InetSocketTransportAddress(InetAddress.getByName(“127.0.0.1”), Integer.valueOf(“9300”)));

} catch (NumberFormatException e) {

// TODO Auto-generated catch block

e.printStackTrace();

} catch (UnknownHostException e) {

// TODO Auto-generated catch block

e.printStackTrace();

`

I still get this error in elastic search server logs though I was able to insert and select data from elastic search .

I could not find out what I had missed. Kindly revert if you find any issue in my configurations

Caused by: org.elasticsearch.transport.RemoteTransportException: [TR6U48o][[::1]:9300][internal:transport/handshake]

Caused by: org.elasticsearch.ElasticsearchException: bad header found. This means typically that one node try to connect to another with a non-node certificate (no OID or searchguard.nodes_dn incorrect configured) or that someoneis spoofing requests. See https://github.com/floragunncom/search-guard-docs/blob/master/tls_node_certificates.md

at com.floragunn.searchguard.ssl.util.ExceptionUtils.createBadHeaderException(ExceptionUtils.java:56) ~[?:?]

at com.floragunn.searchguard.transport.SearchGuardRequestHandler.messageReceivedDecorate(SearchGuardRequestHandler.java:159) ~[?:?]

at com.floragunn.searchguard.ssl.transport.SearchGuardSSLRequestHandler.messageReceived(SearchGuardSSLRequestHandler.java:140) ~[?:?]

at com.floragunn.searchguard.SearchGuardPlugin$3$1.messageReceived(SearchGuardPlugin.java:376) ~[?:?]

at org.elasticsearch.transport.RequestHandlerRegistry.processMessageReceived(RequestHandlerRegistry.java:69) ~[elasticsearch-5.5.0.jar:5.5.0]

at org.elasticsearch.transport.TcpTransport$RequestHandler.doRun(TcpTransport.java:1544) ~[elasticsearch-5.5.0.jar:5.5.0]

at org.elasticsearch.common.util.concurrent.AbstractRunnable.run(AbstractRunnable.java:37) ~[elasticsearch-5.5.0.jar:5.5.0]

``

Thanks for the detailed clarification

It would be very helpful if you can clarify my below doubts as well.

When I used the TLS certificate generator ( https://floragunn.com/tls-certificate-generator/ ) , I got the below certicates

  • CN=demouser-keystore.jks
  • CN=sgadmin-keystore.jks
  • CN=127.0.0.1-keystore.jks ( In the TLS generator , I specified only one node - 127.0.0.1 )
  • truststore.jks

I am running the elastic search in Red hat linux and the cluster has only one node.

My client program is connecting from windows using Transport Client and Spring Data Elastic Search

I am confused between the client certificate and node certificate configruations

Since there is only one node in the cluster , I have added the below setting in elasticsearch.yml

searchguard.nodes_dn:

  • “CN=127.0.0.1”

``

and placed CN=127.0.0.-keystore.jks under config folder

For the key store filepath “searchguard.ssl.transport.keystore_filepath” , should I mention “CN=127.0.0.1-keystore.jks” or should I mention “CN=demouser-keystore.jks” ?

Since I want to connect via transport client , my understanding is that key store should be of the client ( in this case the demouser )

This is my final configuration and now everything works fine .

######## Start Search Guard Demo Configuration ########
searchguard.ssl.transport.enable_openssl_if_available: false
searchguard.ssl.http.enable_openssl_if_available: false

searchguard.ssl.transport.keystore_filepath: generated-certificates/CN=demouser-keystore.jks
searchguard.ssl.transport.keystore_password: afd02cecb11578f80c78
searchguard.ssl.transport.truststore_filepath: generated-certificates/truststore.jks
searchguard.ssl.transport.truststore_password: 8533bf07a673a9af95b9
searchguard.ssl.transport.enforce_hostname_verification: false

searchguard.ssl.http.enabled: true
searchguard.ssl.http.keystore_filepath: generated-certificates/CN=demouser-keystore.jks
searchguard.ssl.http.keystore_password: afd02cecb11578f80c78
searchguard.ssl.http.truststore_filepath: generated-certificates/truststore.jks
searchguard.ssl.http.truststore_password: 8533bf07a673a9af95b9

searchguard.authcz.admin_dn:

  • CN=sgadmin
  • CN=demouser

searchguard.nodes_dn:

  • “CN=127.0.0.1”

cluster.name: searchguard_demo
network.host: 127.0.0.1
######## End Search Guard Demo Configuration ########

``

But I understand that making demouser as admin is wrong - I would like to fix that.

If you can guide me , it would be helpful

···

On Tuesday, August 22, 2017 at 7:58:48 PM UTC+3, Urs wrote:

Hi,

first of all you need to know that your successful requests did work because by adding the demouser client certificate to the configuration of searchguard.authcz.admin_dn you have permitted admin access for the demouser certificate. (see screenshot):

This way all auth checks will be ‘bypassed’ so to say.

Furthermore your configuration of this elasticsearch.yml does not provide any node certificate. As you have already mentioned yourself:
‘‘Should I add the node certificate also to elasticsearch.yml file ?’’ - correct, in order to ensure node to node communication, a node certificate needs to be provided.

The log file gives some helpful information here:

Caused by: org.elasticsearch.ElasticsearchException: bad header found. This means typically that one node try to connect to another with a non-node certificate (no OID or searchguard.nodes_dn incorrect configured) or that someoneis spoofing requests. See https://github.com/floragunncom/search-guard-docs/blob/master/tls_node_certificates.md

So, you need to add a node certificate to your elasticsearch.yml. It has been provided as well with using our TLS certificate generator, you will find it in the folder node-certificates shipped within the search-guard-certificates archive.
In the end your elasticsearch.yml has to look something like this: !Please do not forget to fill out with your own path and .jks file name!

######## Start Search Guard Demo Configuration ########
searchguard.ssl.transport.keystore_filepath: generated-certificates/CN=localhost-keystore.jks
searchguard.ssl.transport.keystore_password: afd02cecb11578f80c78
searchguard.ssl.transport.truststore_filepath: generated-certificates/truststore.jks
searchguard.ssl.transport.truststore_password: 8533bf07a673a9af95b9
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.http.enabled: true
searchguard.ssl.http.keystore_filepath: generated-certificates/CN=localhost-keystore.jks
searchguard.ssl.http.keystore_password: afd02cecb11578f80c78
searchguard.ssl.http.truststore_filepath: generated-certificates/truststore.jks
searchguard.ssl.http.truststore_password: 8533bf07a673a9af95b9

Thanks for your question, I hope this answer helps,

regards, Urs.

Urs Armbruster

Community Manager

floragunn GmbH

Tempelhofer Ufer 16

10963 Berlin

Amtsgericht Charlottenburg HRB 147010

USt-IdNr.: DE287373363

+++ like us on facebook: https://www.facebook.com/searchguard

+++ follow us on twitter: https://twitter.com/searchguard

On Monday, August 21, 2017 at 4:23:03 PM UTC+2, md md wrote:

Hi

I was able to install search guard and run elastic search succesfully by following the steps mentioned in https://github.com/floragunncom/search-guard

I am running the below versions

Elastic Search 5.5.0

Spring-data-elasticsearch 3.0.0.RC2

Search Guard 5.5.0-15

Using the below code I was able to successfully connect to Elastic Search and insert records into elastic search

`Settings esSettings = Settings.builder()

                            .put("path.home", ".")


                            .put("[cluster.name](http://cluster.name/)", "searchguard_demo")


                            .put("searchguard.ssl.transport.enabled", true)


                            .put("searchguard.ssl.transport.keystore_filepath", "/Users/temp/Desktop/applications/mycert/kirk.jks")


                            .put("searchguard.ssl.transport.truststore_filepath", "/Users/temp/Desktop/applications/mycert/truststore.jks")


         .put("searchguard.ssl.transport.enforce_hostname_verification", false)


         .put("searchguard.ssl.transport.resolve_hostname", false)


         .put(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_KEYSTORE_PASSWORD, "changeit")


         .put(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_TRUSTSTORE_PASSWORD, "changeit")


         .putArray("searchguard.authcz.admin_dn", "CN=kirk,OU=client,O=client,l=Est,C=De")


         .build();

TransportClient client = new PreBuiltTransportClient(esSettings,SearchGuardPlugin.class);

try {

client.addTransportAddress(new InetSocketTransportAddress(InetAddress.getByName(“127.0.0.1”), Integer.valueOf(“9300”)));

} catch (NumberFormatException e) {

// TODO Auto-generated catch block

e.printStackTrace();

} catch (UnknownHostException e) {

// TODO Auto-generated catch block

e.printStackTrace();

}

`

Now , I am trying to create certificates using the TLS generator provided by Search Guard.

https://floragunn.com/tls-certificate-generator/

I got two client certificates : sgadmin and demouser apart from the node cerificate CN=127.0.0.1-keystore.jks

After generating the certificates , the copied the below files to searchgaurd/config/generate-certificates folder

CN=demouser-keystore.jks

CN=sgadmin-keystore.jks

truststore.jks

I am trying to use the CN=demouser-keystore.jks to connect to Elastic Search

Below is my configuration in elasticsearch.yml

`

######## Start Search Guard Demo Configuration ########
searchguard.ssl.transport.keystore_filepath: generated-certificates/CN=demouser-keystore.jks
searchguard.ssl.transport.keystore_password: afd02cecb11578f80c78
searchguard.ssl.transport.truststore_filepath: generated-certificates/truststore.jks
searchguard.ssl.transport.truststore_password: 8533bf07a673a9af95b9
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.http.enabled: true
searchguard.ssl.http.keystore_filepath: generated-certificates/CN=demouser-keystore.jks
searchguard.ssl.http.keystore_password: afd02cecb11578f80c78
searchguard.ssl.http.truststore_filepath: generated-certificates/truststore.jks
searchguard.ssl.http.truststore_password: 8533bf07a673a9af95b9

searchguard.authcz.admin_dn:

  • CN=sgadmin
  • CN=demouser

cluster.name: searchguard_demo

network.host: 0.0.0.0

######## End Search Guard Demo Configuration ########

`

When I start elastic search , I get the following error. I have only one node in my cluster .

I have still not run sgadmin.sh . Am I doing any mistake here ? Should I add the node certificate also to elasticsearch.yml file ?

Caused by: org.elasticsearch.transport.RemoteTransportException: [TR6U48o][127.0.0.1:9300][internal:transport/handshake]

Caused by: org.elasticsearch.ElasticsearchException: bad header found. This means typically that one node try to connect to another with a non-node certificate (no OID or searchguard.nodes_dn incorrect configured) or that someoneis spoofing requests. See https://github.com/floragunncom/search-guard-docs/blob/master/tls_node_certificates.md

at com.floragunn.searchguard.ssl.util.ExceptionUtils.createBadHeaderException(ExceptionUtils.java:56) ~[?:?]
at com.floragunn.searchguard.transport.SearchGuardRequestHandler.messageReceivedDecorate(SearchGuardRequestHandler.java:159) ~[?:?]
at com.floragunn.searchguard.ssl.transport.SearchGuardSSLRequestHandler.messageReceived(SearchGuardSSLRequestHandler.java:140) ~[?:?]
at com.floragunn.searchguard.SearchGuardPlugin$3$1.messageReceived(SearchGuardPlugin.java:376) ~[?:?]
at org.elasticsearch.transport.RequestHandlerRegistry.processMessageReceived(RequestHandlerRegistry.java:69) ~[elasticsearch-5.5.0.jar:5.5.0]
at org.elasticsearch.transport.TcpTransport$RequestHandler.doRun(TcpTransport.java:1544) ~[elasticsearch-5.5.0.jar:5.5.0]
at org.elasticsearch.common.util.concurrent.AbstractRunnable.run(AbstractRunnable.java:37) ~[elasticsearch-5.5.0.jar:5.5.0]
at org.elasticsearch.common.util.concurrent.EsExecutors$1.execute(EsExecutors.java:110) ~[elasticsearch-5.5.0.jar:5.5.0]
at org.elasticsearch.transport.TcpTransport.handleRequest(TcpTransport.java:1501) ~[elasticsearch-5.5.0.jar:5.5.0]
at org.elasticsearch.transport.TcpTransport.messageReceived(TcpTransport.java:1385) ~[elasticsearch-5.5.0.jar:5.5.0]
at org.elasticsearch.transport.netty4.Netty4MessageChannelHandler.channelRead(Netty4MessageChannelHandler.java:74) ~[?:?]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) ~[?:?]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348) ~[?:?]
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340) ~[?:?]
at io.netty.handler.codec.ByteToMessageDecoder.fireChannelRead(ByteToMessageDecoder.java:310) ~[?:?]
at io.netty.handler.codec.ByteToMessageDecoder.fireChannelRead(ByteToMessageDecoder.java:297) ~[?:?]
at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:413) ~[?:?]
at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:265) ~[?:?]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) ~[?:?]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348) ~[?:?]
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340) ~[?:?]
at io.netty.channel.ChannelInboundHandlerAdapter.channelRead(ChannelInboundHandlerAdapter.java:86) ~[?:?]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) ~[?:?]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348) ~[?:?]
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340) ~[?:?]
at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1267) ~[?:?]
at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1078) ~[?:?]
at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:489) ~[?:?]
at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:428) ~[?:?]
at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:265) ~[?:?]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) ~[?:?]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348) ~[?:?]
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340) ~[?:?]
at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1334) ~[?:?]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) ~[?:?]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348) ~[?:?]
at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:926) ~[?:?]
at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:134) ~[?:?]
at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:644) ~[?:?]
at io.netty.channel.nio.NioEventLoop.processSelectedKeysPlain(NioEventLoop.java:544) ~[?:?]
at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:498) ~[?:?]
at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:458) ~[?:?]
at io.netty.util.concurrent.SingleThreadEventExecutor$5.run(SingleThreadEventExecutor.java:858) ~[?:?]

… 1 more

I was able to run the below command successfully

./sgadmin.sh -ks /Users/myname/Desktop/applications/elasticsearch-5.5.0-demouser/config/generated-certificates/CN=demouser-keystore.jks -kspass afd02cecb11578f80c78 -ts /Users/myname/Desktop/applications/elasticsearch-5.5.0-demouser/config/generated-certificates/truststore.jks -tspass 8533bf07a673a9af95b9 -cd …/sgconfig -icl -nhnv

I was also able to insert records into elastic search finally …

`

Settings esSettings = Settings.builder()

         .put("path.home", ".")

         .put("[cluster.name](http://cluster.name/)", "searchguard_demo")

         .put("searchguard.ssl.transport.enabled", true)

         .put("searchguard.ssl.transport.keystore_filepath", "/Users/myname/Desktop/applications/elasticsearch-5.5.0-demouser/config/generated-certificates/CN=demouser-keystore.jks")

         .put("searchguard.ssl.transport.truststore_filepath", "/Users/myname/Desktop/applications/elasticsearch-5.5.0-demouser/config/generated-certificates/truststore.jks")

         .put("searchguard.ssl.transport.enforce_hostname_verification", false)

         .put("searchguard.ssl.transport.resolve_hostname", false)

         //.put("[request.headers.sg.impersonate.as](http://request.headers.sg.impersonate.as/)", "admin")

         .put(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_KEYSTORE_PASSWORD, "afd02cecb11578f80c78")

         .put(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_TRUSTSTORE_PASSWORD, "8533bf07a673a9af95b9")

         .putArray("searchguard.authcz.admin_dn", "CN=demouser")

         .build();

TransportClient client = new PreBuiltTransportClient(esSettings,SearchGuardPlugin.class);

try {

client.addTransportAddress(new InetSocketTransportAddress(InetAddress.getByName(“127.0.0.1”), Integer.valueOf(“9300”)));

} catch (NumberFormatException e) {

// TODO Auto-generated catch block

e.printStackTrace();

} catch (UnknownHostException e) {

// TODO Auto-generated catch block

e.printStackTrace();

`

I still get this error in elastic search server logs though I was able to insert and select data from elastic search .

I could not find out what I had missed. Kindly revert if you find any issue in my configurations

Caused by: org.elasticsearch.transport.RemoteTransportException: [TR6U48o][[::1]:9300][internal:transport/handshake]

Caused by: org.elasticsearch.ElasticsearchException: bad header found. This means typically that one node try to connect to another with a non-node certificate (no OID or searchguard.nodes_dn incorrect configured) or that someoneis spoofing requests. See https://github.com/floragunncom/search-guard-docs/blob/master/tls_node_certificates.md

at com.floragunn.searchguard.ssl.util.ExceptionUtils.createBadHeaderException(ExceptionUtils.java:56) ~[?:?]

at com.floragunn.searchguard.transport.SearchGuardRequestHandler.messageReceivedDecorate(SearchGuardRequestHandler.java:159) ~[?:?]

at com.floragunn.searchguard.ssl.transport.SearchGuardSSLRequestHandler.messageReceived(SearchGuardSSLRequestHandler.java:140) ~[?:?]

at com.floragunn.searchguard.SearchGuardPlugin$3$1.messageReceived(SearchGuardPlugin.java:376) ~[?:?]

at org.elasticsearch.transport.RequestHandlerRegistry.processMessageReceived(RequestHandlerRegistry.java:69) ~[elasticsearch-5.5.0.jar:5.5.0]

at org.elasticsearch.transport.TcpTransport$RequestHandler.doRun(TcpTransport.java:1544) ~[elasticsearch-5.5.0.jar:5.5.0]

at org.elasticsearch.common.util.concurrent.AbstractRunnable.run(AbstractRunnable.java:37) ~[elasticsearch-5.5.0.jar:5.5.0]

``

The generated package from the certificates generator contains these folders:

From the README:

node-certificates

│ Contains the certificates in jks, p12 and pem format to be used

│ on your Elasticsearch nodes. You will find certificates for all

│ hostnames you specified when submitting the form.

The certificates in this folder are to be used on your elasticsearch nodes, means, these are the node certificates. You can use them for both the transport and the http configuration, and they have to be configured in elasticsearch.yml like:

searchguard.ssl.transport.keystore_filepath: generated-certificates/CN=127.0.0.1-keystore.jks

searchguard.ssl.http.keystore_filepath: generated-certificates/CN=127.0.0.1-keystore.jks

(This configuration has nothing to do with your Transport Client.)

Node certificates, as the name implies, have to be used on your Elasticsearch nodes only, means, they are not to be used with your Transport Client. Since the certificates have been generated by our service, they are recognized as node certificates automatically, so actuall you don’t need to list them in searchguard.nodes_dn. But this entry here is correct nonethless:

searchguard.nodes_dn:

  • “CN=127.0.0.1”

The folder client-certificates contains certificates you can use to connect to the SG secured cluster “from the outside”, for example, by a Transport Client, or via TLS client authentication.

From the README:

└─── client-certificates

│ Contains two client certificates named ‘admin’ and ‘demouser’

│ The admin certificate can be used with sgadmin and the REST API.

│ The CN of this certificate is ‘sgadmin’. The demouser certificate can be used

│ for HTTPS client authentication.

To make one of the two certificates an admin certificate, you need to specify it in elasticsearch.yml.

From the README:

searchguard.authcz.admin_dn:

  • CN=sgadmin

(no demouser here!)

Now the certificate contained in the sgadmin-keystore is an admin certificate, and you can use it for example with sgadmin to change configuration. An admin certificate has elevated permissions, and is basically allowed to do anything on the cluster.

The different types of certificates are described in the docs here:

For your Transport Client, you should use the demouser certificate / keystore and configure the permissions you would like to assign to. This is described in this article:

https://floragunn.com/searchguard-elasicsearch-transport-clients/

···

On Thursday, August 24, 2017 at 12:37:52 PM UTC+2, md md wrote:

Thanks for the detailed clarification

It would be very helpful if you can clarify my below doubts as well.

When I used the TLS certificate generator ( https://floragunn.com/tls-certificate-generator/ ) , I got the below certicates

  • CN=demouser-keystore.jks
  • CN=sgadmin-keystore.jks
  • CN=127.0.0.1-keystore.jks ( In the TLS generator , I specified only one node - 127.0.0.1 )
  • truststore.jks

I am running the elastic search in Red hat linux and the cluster has only one node.

My client program is connecting from windows using Transport Client and Spring Data Elastic Search

I am confused between the client certificate and node certificate configruations

Since there is only one node in the cluster , I have added the below setting in elasticsearch.yml

searchguard.nodes_dn:

  • “CN=127.0.0.1”

``

and placed CN=127.0.0.-keystore.jks under config folder

For the key store filepath “searchguard.ssl.transport.keystore_filepath” , should I mention “CN=127.0.0.1-keystore.jks” or should I mention “CN=demouser-keystore.jks” ?

Since I want to connect via transport client , my understanding is that key store should be of the client ( in this case the demouser )

This is my final configuration and now everything works fine .

######## Start Search Guard Demo Configuration ########
searchguard.ssl.transport.enable_openssl_if_available: false
searchguard.ssl.http.enable_openssl_if_available: false

searchguard.ssl.transport.keystore_filepath: generated-certificates/CN=demouser-keystore.jks
searchguard.ssl.transport.keystore_password: afd02cecb11578f80c78
searchguard.ssl.transport.truststore_filepath: generated-certificates/truststore.jks
searchguard.ssl.transport.truststore_password: 8533bf07a673a9af95b9
searchguard.ssl.transport.enforce_hostname_verification: false

searchguard.ssl.http.enabled: true
searchguard.ssl.http.keystore_filepath: generated-certificates/CN=demouser-keystore.jks
searchguard.ssl.http.keystore_password: afd02cecb11578f80c78
searchguard.ssl.http.truststore_filepath: generated-certificates/truststore.jks
searchguard.ssl.http.truststore_password: 8533bf07a673a9af95b9

searchguard.authcz.admin_dn:

  • CN=sgadmin
  • CN=demouser

searchguard.nodes_dn:

  • “CN=127.0.0.1”

cluster.name: searchguard_demo
network.host: 127.0.0.1
######## End Search Guard Demo Configuration ########

``

But I understand that making demouser as admin is wrong - I would like to fix that.

If you can guide me , it would be helpful

On Tuesday, August 22, 2017 at 7:58:48 PM UTC+3, Urs wrote:

Hi,

first of all you need to know that your successful requests did work because by adding the demouser client certificate to the configuration of searchguard.authcz.admin_dn you have permitted admin access for the demouser certificate. (see screenshot):

This way all auth checks will be ‘bypassed’ so to say.

Furthermore your configuration of this elasticsearch.yml does not provide any node certificate. As you have already mentioned yourself:
‘‘Should I add the node certificate also to elasticsearch.yml file ?’’ - correct, in order to ensure node to node communication, a node certificate needs to be provided.

The log file gives some helpful information here:

Caused by: org.elasticsearch.ElasticsearchException: bad header found. This means typically that one node try to connect to another with a non-node certificate (no OID or searchguard.nodes_dn incorrect configured) or that someoneis spoofing requests. See https://github.com/floragunncom/search-guard-docs/blob/master/tls_node_certificates.md

So, you need to add a node certificate to your elasticsearch.yml. It has been provided as well with using our TLS certificate generator, you will find it in the folder node-certificates shipped within the search-guard-certificates archive.
In the end your elasticsearch.yml has to look something like this: !Please do not forget to fill out with your own path and .jks file name!

######## Start Search Guard Demo Configuration ########
searchguard.ssl.transport.keystore_filepath: generated-certificates/CN=localhost-keystore.jks
searchguard.ssl.transport.keystore_password: afd02cecb11578f80c78
searchguard.ssl.transport.truststore_filepath: generated-certificates/truststore.jks
searchguard.ssl.transport.truststore_password: 8533bf07a673a9af95b9
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.http.enabled: true
searchguard.ssl.http.keystore_filepath: generated-certificates/CN=localhost-keystore.jks
searchguard.ssl.http.keystore_password: afd02cecb11578f80c78
searchguard.ssl.http.truststore_filepath: generated-certificates/truststore.jks
searchguard.ssl.http.truststore_password: 8533bf07a673a9af95b9

Thanks for your question, I hope this answer helps,

regards, Urs.

Urs Armbruster

Community Manager

floragunn GmbH

Tempelhofer Ufer 16

10963 Berlin

Amtsgericht Charlottenburg HRB 147010

USt-IdNr.: DE287373363

+++ like us on facebook: https://www.facebook.com/searchguard

+++ follow us on twitter: https://twitter.com/searchguard

On Monday, August 21, 2017 at 4:23:03 PM UTC+2, md md wrote:

Hi

I was able to install search guard and run elastic search succesfully by following the steps mentioned in https://github.com/floragunncom/search-guard

I am running the below versions

Elastic Search 5.5.0

Spring-data-elasticsearch 3.0.0.RC2

Search Guard 5.5.0-15

Using the below code I was able to successfully connect to Elastic Search and insert records into elastic search

`Settings esSettings = Settings.builder()

                            .put("path.home", ".")


                            .put("[cluster.name](http://cluster.name/)", "searchguard_demo")


                            .put("searchguard.ssl.transport.enabled", true)


                            .put("searchguard.ssl.transport.keystore_filepath", "/Users/temp/Desktop/applications/mycert/kirk.jks")


                            .put("searchguard.ssl.transport.truststore_filepath", "/Users/temp/Desktop/applications/mycert/truststore.jks")


         .put("searchguard.ssl.transport.enforce_hostname_verification", false)


         .put("searchguard.ssl.transport.resolve_hostname", false)


         .put(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_KEYSTORE_PASSWORD, "changeit")


         .put(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_TRUSTSTORE_PASSWORD, "changeit")


         .putArray("searchguard.authcz.admin_dn", "CN=kirk,OU=client,O=client,l=Est,C=De")


         .build();

TransportClient client = new PreBuiltTransportClient(esSettings,SearchGuardPlugin.class);

try {

client.addTransportAddress(new InetSocketTransportAddress(InetAddress.getByName(“127.0.0.1”), Integer.valueOf(“9300”)));

} catch (NumberFormatException e) {

// TODO Auto-generated catch block

e.printStackTrace();

} catch (UnknownHostException e) {

// TODO Auto-generated catch block

e.printStackTrace();

}

`

Now , I am trying to create certificates using the TLS generator provided by Search Guard.

https://floragunn.com/tls-certificate-generator/

I got two client certificates : sgadmin and demouser apart from the node cerificate CN=127.0.0.1-keystore.jks

After generating the certificates , the copied the below files to searchgaurd/config/generate-certificates folder

CN=demouser-keystore.jks

CN=sgadmin-keystore.jks

truststore.jks

I am trying to use the CN=demouser-keystore.jks to connect to Elastic Search

Below is my configuration in elasticsearch.yml

`

######## Start Search Guard Demo Configuration ########
searchguard.ssl.transport.keystore_filepath: generated-certificates/CN=demouser-keystore.jks
searchguard.ssl.transport.keystore_password: afd02cecb11578f80c78
searchguard.ssl.transport.truststore_filepath: generated-certificates/truststore.jks
searchguard.ssl.transport.truststore_password: 8533bf07a673a9af95b9
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.http.enabled: true
searchguard.ssl.http.keystore_filepath: generated-certificates/CN=demouser-keystore.jks
searchguard.ssl.http.keystore_password: afd02cecb11578f80c78
searchguard.ssl.http.truststore_filepath: generated-certificates/truststore.jks
searchguard.ssl.http.truststore_password: 8533bf07a673a9af95b9

searchguard.authcz.admin_dn:

  • CN=sgadmin
  • CN=demouser

cluster.name: searchguard_demo

network.host: 0.0.0.0

######## End Search Guard Demo Configuration ########

`

When I start elastic search , I get the following error. I have only one node in my cluster .

I have still not run sgadmin.sh . Am I doing any mistake here ? Should I add the node certificate also to elasticsearch.yml file ?

Caused by: org.elasticsearch.transport.RemoteTransportException: [TR6U48o][127.0.0.1:9300][internal:transport/handshake]

Caused by: org.elasticsearch.ElasticsearchException: bad header found. This means typically that one node try to connect to another with a non-node certificate (no OID or searchguard.nodes_dn incorrect configured) or that someoneis spoofing requests. See https://github.com/floragunncom/search-guard-docs/blob/master/tls_node_certificates.md

at com.floragunn.searchguard.ssl.util.ExceptionUtils.createBadHeaderException(ExceptionUtils.java:56) ~[?:?]
at com.floragunn.searchguard.transport.SearchGuardRequestHandler.messageReceivedDecorate(SearchGuardRequestHandler.java:159) ~[?:?]
at com.floragunn.searchguard.ssl.transport.SearchGuardSSLRequestHandler.messageReceived(SearchGuardSSLRequestHandler.java:140) ~[?:?]
at com.floragunn.searchguard.SearchGuardPlugin$3$1.messageReceived(SearchGuardPlugin.java:376) ~[?:?]
at org.elasticsearch.transport.RequestHandlerRegistry.processMessageReceived(RequestHandlerRegistry.java:69) ~[elasticsearch-5.5.0.jar:5.5.0]
at org.elasticsearch.transport.TcpTransport$RequestHandler.doRun(TcpTransport.java:1544) ~[elasticsearch-5.5.0.jar:5.5.0]
at org.elasticsearch.common.util.concurrent.AbstractRunnable.run(AbstractRunnable.java:37) ~[elasticsearch-5.5.0.jar:5.5.0]
at org.elasticsearch.common.util.concurrent.EsExecutors$1.execute(EsExecutors.java:110) ~[elasticsearch-5.5.0.jar:5.5.0]
at org.elasticsearch.transport.TcpTransport.handleRequest(TcpTransport.java:1501) ~[elasticsearch-5.5.0.jar:5.5.0]
at org.elasticsearch.transport.TcpTransport.messageReceived(TcpTransport.java:1385) ~[elasticsearch-5.5.0.jar:5.5.0]
at org.elasticsearch.transport.netty4.Netty4MessageChannelHandler.channelRead(Netty4MessageChannelHandler.java:74) ~[?:?]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) ~[?:?]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348) ~[?:?]
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340) ~[?:?]
at io.netty.handler.codec.ByteToMessageDecoder.fireChannelRead(ByteToMessageDecoder.java:310) ~[?:?]
at io.netty.handler.codec.ByteToMessageDecoder.fireChannelRead(ByteToMessageDecoder.java:297) ~[?:?]
at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:413) ~[?:?]
at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:265) ~[?:?]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) ~[?:?]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348) ~[?:?]
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340) ~[?:?]
at io.netty.channel.ChannelInboundHandlerAdapter.channelRead(ChannelInboundHandlerAdapter.java:86) ~[?:?]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) ~[?:?]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348) ~[?:?]
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340) ~[?:?]
at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1267) ~[?:?]
at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1078) ~[?:?]
at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:489) ~[?:?]
at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:428) ~[?:?]
at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:265) ~[?:?]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) ~[?:?]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348) ~[?:?]
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340) ~[?:?]
at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1334) ~[?:?]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) ~[?:?]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348) ~[?:?]
at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:926) ~[?:?]
at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:134) ~[?:?]
at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:644) ~[?:?]
at io.netty.channel.nio.NioEventLoop.processSelectedKeysPlain(NioEventLoop.java:544) ~[?:?]
at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:498) ~[?:?]
at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:458) ~[?:?]
at io.netty.util.concurrent.SingleThreadEventExecutor$5.run(SingleThreadEventExecutor.java:858) ~[?:?]

… 1 more

I was able to run the below command successfully

./sgadmin.sh -ks /Users/myname/Desktop/applications/elasticsearch-5.5.0-demouser/config/generated-certificates/CN=demouser-keystore.jks -kspass afd02cecb11578f80c78 -ts /Users/myname/Desktop/applications/elasticsearch-5.5.0-demouser/config/generated-certificates/truststore.jks -tspass 8533bf07a673a9af95b9 -cd …/sgconfig -icl -nhnv

I was also able to insert records into elastic search finally …

`

Settings esSettings = Settings.builder()

         .put("path.home", ".")

         .put("[cluster.name](http://cluster.name/)", "searchguard_demo")

         .put("searchguard.ssl.transport.enabled", true)

         .put("searchguard.ssl.transport.keystore_filepath", "/Users/myname/Desktop/applications/elasticsearch-5.5.0-demouser/config/generated-certificates/CN=demouser-keystore.jks")

         .put("searchguard.ssl.transport.truststore_filepath", "/Users/myname/Desktop/applications/elasticsearch-5.5.0-demouser/config/generated-certificates/truststore.jks")

         .put("searchguard.ssl.transport.enforce_hostname_verification", false)

         .put("searchguard.ssl.transport.resolve_hostname", false)

         //.put("[request.headers.sg.impersonate.as](http://request.headers.sg.impersonate.as/)", "admin")

         .put(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_KEYSTORE_PASSWORD, "afd02cecb11578f80c78")

         .put(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_TRUSTSTORE_PASSWORD, "8533bf07a673a9af95b9")

         .putArray("searchguard.authcz.admin_dn", "CN=demouser")

         .build();

TransportClient client = new PreBuiltTransportClient(esSettings,SearchGuardPlugin.class);

try {

client.addTransportAddress(new InetSocketTransportAddress(InetAddress.getByName(“127.0.0.1”), Integer.valueOf(“9300”)));

} catch (NumberFormatException e) {

// TODO Auto-generated catch block

e.printStackTrace();

} catch (UnknownHostException e) {

// TODO Auto-generated catch block

e.printStackTrace();

`

I still get this error in elastic search server logs though I was able to insert and select data from elastic search .

I could not find out what I had missed. Kindly revert if you find any issue in my configurations

Caused by: org.elasticsearch.transport.RemoteTransportException: [TR6U48o][[::1]:9300][internal:transport/handshake]

Caused by: org.elasticsearch.ElasticsearchException: bad header found. This means typically that one node try to connect to another with a non-node certificate (no OID or searchguard.nodes_dn incorrect configured) or that someoneis spoofing requests. See https://github.com/floragunncom/search-guard-docs/blob/master/tls_node_certificates.md

at com.floragunn.searchguard.ssl.util.ExceptionUtils.createBadHeaderException(ExceptionUtils.java:56) ~[?:?]

at com.floragunn.searchguard.transport.SearchGuardRequestHandler.messageReceivedDecorate(SearchGuardRequestHandler.java:159) ~[?:?]

at com.floragunn.searchguard.ssl.transport.SearchGuardSSLRequestHandler.messageReceived(SearchGuardSSLRequestHandler.java:140) ~[?:?]

at com.floragunn.searchguard.SearchGuardPlugin$3$1.messageReceived(SearchGuardPlugin.java:376) ~[?:?]

at org.elasticsearch.transport.RequestHandlerRegistry.processMessageReceived(RequestHandlerRegistry.java:69) ~[elasticsearch-5.5.0.jar:5.5.0]

at org.elasticsearch.transport.TcpTransport$RequestHandler.doRun(TcpTransport.java:1544) ~[elasticsearch-5.5.0.jar:5.5.0]

at org.elasticsearch.common.util.concurrent.AbstractRunnable.run(AbstractRunnable.java:37) ~[elasticsearch-5.5.0.jar:5.5.0]

``

Thanks a lot for your time in clarifying my doubts .
I will try as suggested in your reply.

···

On Thursday, August 31, 2017 at 1:36:42 PM UTC+3, Jochen Kressin wrote:

The generated package from the certificates generator contains these folders:

From the README:

node-certificates

│ Contains the certificates in jks, p12 and pem format to be used

│ on your Elasticsearch nodes. You will find certificates for all

│ hostnames you specified when submitting the form.

The certificates in this folder are to be used on your elasticsearch nodes, means, these are the node certificates. You can use them for both the transport and the http configuration, and they have to be configured in elasticsearch.yml like:

searchguard.ssl.transport.keystore_filepath: generated-certificates/CN=127.0.0.1-keystore.jks

searchguard.ssl.http.keystore_filepath: generated-certificates/CN=127.0.0.1-keystore.jks

(This configuration has nothing to do with your Transport Client.)

Node certificates, as the name implies, have to be used on your Elasticsearch nodes only, means, they are not to be used with your Transport Client. Since the certificates have been generated by our service, they are recognized as node certificates automatically, so actuall you don’t need to list them in searchguard.nodes_dn. But this entry here is correct nonethless:

searchguard.nodes_dn:

  • “CN=127.0.0.1”

The folder client-certificates contains certificates you can use to connect to the SG secured cluster “from the outside”, for example, by a Transport Client, or via TLS client authentication.

From the README:

└─── client-certificates

│ Contains two client certificates named ‘admin’ and ‘demouser’

│ The admin certificate can be used with sgadmin and the REST API.

│ The CN of this certificate is ‘sgadmin’. The demouser certificate can be used

│ for HTTPS client authentication.

To make one of the two certificates an admin certificate, you need to specify it in elasticsearch.yml.

From the README:

searchguard.authcz.admin_dn:

  • CN=sgadmin

(no demouser here!)

Now the certificate contained in the sgadmin-keystore is an admin certificate, and you can use it for example with sgadmin to change configuration. An admin certificate has elevated permissions, and is basically allowed to do anything on the cluster.

The different types of certificates are described in the docs here:

http://floragunncom.github.io/search-guard-docs/tls_certificates_production.html

For your Transport Client, you should use the demouser certificate / keystore and configure the permissions you would like to assign to. This is described in this article:

https://floragunn.com/searchguard-elasicsearch-transport-clients/

On Thursday, August 24, 2017 at 12:37:52 PM UTC+2, md md wrote:

Thanks for the detailed clarification

It would be very helpful if you can clarify my below doubts as well.

When I used the TLS certificate generator ( https://floragunn.com/tls-certificate-generator/ ) , I got the below certicates

  • CN=demouser-keystore.jks
  • CN=sgadmin-keystore.jks
  • CN=127.0.0.1-keystore.jks ( In the TLS generator , I specified only one node - 127.0.0.1 )
  • truststore.jks

I am running the elastic search in Red hat linux and the cluster has only one node.

My client program is connecting from windows using Transport Client and Spring Data Elastic Search

I am confused between the client certificate and node certificate configruations

Since there is only one node in the cluster , I have added the below setting in elasticsearch.yml

searchguard.nodes_dn:

  • “CN=127.0.0.1”

``

and placed CN=127.0.0.-keystore.jks under config folder

For the key store filepath “searchguard.ssl.transport.keystore_filepath” , should I mention “CN=127.0.0.1-keystore.jks” or should I mention “CN=demouser-keystore.jks” ?

Since I want to connect via transport client , my understanding is that key store should be of the client ( in this case the demouser )

This is my final configuration and now everything works fine .

######## Start Search Guard Demo Configuration ########
searchguard.ssl.transport.enable_openssl_if_available: false
searchguard.ssl.http.enable_openssl_if_available: false

searchguard.ssl.transport.keystore_filepath: generated-certificates/CN=demouser-keystore.jks
searchguard.ssl.transport.keystore_password: afd02cecb11578f80c78
searchguard.ssl.transport.truststore_filepath: generated-certificates/truststore.jks
searchguard.ssl.transport.truststore_password: 8533bf07a673a9af95b9
searchguard.ssl.transport.enforce_hostname_verification: false

searchguard.ssl.http.enabled: true
searchguard.ssl.http.keystore_filepath: generated-certificates/CN=demouser-keystore.jks
searchguard.ssl.http.keystore_password: afd02cecb11578f80c78
searchguard.ssl.http.truststore_filepath: generated-certificates/truststore.jks
searchguard.ssl.http.truststore_password: 8533bf07a673a9af95b9

searchguard.authcz.admin_dn:

  • CN=sgadmin
  • CN=demouser

searchguard.nodes_dn:

  • “CN=127.0.0.1”

cluster.name: searchguard_demo
network.host: 127.0.0.1
######## End Search Guard Demo Configuration ########

``

But I understand that making demouser as admin is wrong - I would like to fix that.

If you can guide me , it would be helpful

On Tuesday, August 22, 2017 at 7:58:48 PM UTC+3, Urs wrote:

Hi,

first of all you need to know that your successful requests did work because by adding the demouser client certificate to the configuration of searchguard.authcz.admin_dn you have permitted admin access for the demouser certificate. (see screenshot):

This way all auth checks will be ‘bypassed’ so to say.

Furthermore your configuration of this elasticsearch.yml does not provide any node certificate. As you have already mentioned yourself:
‘‘Should I add the node certificate also to elasticsearch.yml file ?’’ - correct, in order to ensure node to node communication, a node certificate needs to be provided.

The log file gives some helpful information here:

Caused by: org.elasticsearch.ElasticsearchException: bad header found. This means typically that one node try to connect to another with a non-node certificate (no OID or searchguard.nodes_dn incorrect configured) or that someoneis spoofing requests. See https://github.com/floragunncom/search-guard-docs/blob/master/tls_node_certificates.md

So, you need to add a node certificate to your elasticsearch.yml. It has been provided as well with using our TLS certificate generator, you will find it in the folder node-certificates shipped within the search-guard-certificates archive.
In the end your elasticsearch.yml has to look something like this: !Please do not forget to fill out with your own path and .jks file name!

######## Start Search Guard Demo Configuration ########
searchguard.ssl.transport.keystore_filepath: generated-certificates/CN=localhost-keystore.jks
searchguard.ssl.transport.keystore_password: afd02cecb11578f80c78
searchguard.ssl.transport.truststore_filepath: generated-certificates/truststore.jks
searchguard.ssl.transport.truststore_password: 8533bf07a673a9af95b9
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.http.enabled: true
searchguard.ssl.http.keystore_filepath: generated-certificates/CN=localhost-keystore.jks
searchguard.ssl.http.keystore_password: afd02cecb11578f80c78
searchguard.ssl.http.truststore_filepath: generated-certificates/truststore.jks
searchguard.ssl.http.truststore_password: 8533bf07a673a9af95b9

Thanks for your question, I hope this answer helps,

regards, Urs.

Urs Armbruster

Community Manager

floragunn GmbH

Tempelhofer Ufer 16

10963 Berlin

Amtsgericht Charlottenburg HRB 147010

USt-IdNr.: DE287373363

+++ like us on facebook: https://www.facebook.com/searchguard

+++ follow us on twitter: https://twitter.com/searchguard

On Monday, August 21, 2017 at 4:23:03 PM UTC+2, md md wrote:

Hi

I was able to install search guard and run elastic search succesfully by following the steps mentioned in https://github.com/floragunncom/search-guard

I am running the below versions

Elastic Search 5.5.0

Spring-data-elasticsearch 3.0.0.RC2

Search Guard 5.5.0-15

Using the below code I was able to successfully connect to Elastic Search and insert records into elastic search

`Settings esSettings = Settings.builder()

                            .put("path.home", ".")


                            .put("[cluster.name](http://cluster.name/)", "searchguard_demo")


                            .put("searchguard.ssl.transport.enabled", true)


                            .put("searchguard.ssl.transport.keystore_filepath", "/Users/temp/Desktop/applications/mycert/kirk.jks")


                            .put("searchguard.ssl.transport.truststore_filepath", "/Users/temp/Desktop/applications/mycert/truststore.jks")


         .put("searchguard.ssl.transport.enforce_hostname_verification", false)


         .put("searchguard.ssl.transport.resolve_hostname", false)


         .put(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_KEYSTORE_PASSWORD, "changeit")


         .put(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_TRUSTSTORE_PASSWORD, "changeit")


         .putArray("searchguard.authcz.admin_dn", "CN=kirk,OU=client,O=client,l=Est,C=De")


         .build();

TransportClient client = new PreBuiltTransportClient(esSettings,SearchGuardPlugin.class);

try {

client.addTransportAddress(new InetSocketTransportAddress(InetAddress.getByName(“127.0.0.1”), Integer.valueOf(“9300”)));

} catch (NumberFormatException e) {

// TODO Auto-generated catch block

e.printStackTrace();

} catch (UnknownHostException e) {

// TODO Auto-generated catch block

e.printStackTrace();

}

`

Now , I am trying to create certificates using the TLS generator provided by Search Guard.

https://floragunn.com/tls-certificate-generator/

I got two client certificates : sgadmin and demouser apart from the node cerificate CN=127.0.0.1-keystore.jks

After generating the certificates , the copied the below files to searchgaurd/config/generate-certificates folder

CN=demouser-keystore.jks

CN=sgadmin-keystore.jks

truststore.jks

I am trying to use the CN=demouser-keystore.jks to connect to Elastic Search

Below is my configuration in elasticsearch.yml

`

######## Start Search Guard Demo Configuration ########
searchguard.ssl.transport.keystore_filepath: generated-certificates/CN=demouser-keystore.jks
searchguard.ssl.transport.keystore_password: afd02cecb11578f80c78
searchguard.ssl.transport.truststore_filepath: generated-certificates/truststore.jks
searchguard.ssl.transport.truststore_password: 8533bf07a673a9af95b9
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.http.enabled: true
searchguard.ssl.http.keystore_filepath: generated-certificates/CN=demouser-keystore.jks
searchguard.ssl.http.keystore_password: afd02cecb11578f80c78
searchguard.ssl.http.truststore_filepath: generated-certificates/truststore.jks
searchguard.ssl.http.truststore_password: 8533bf07a673a9af95b9

searchguard.authcz.admin_dn:

  • CN=sgadmin
  • CN=demouser

cluster.name: searchguard_demo

network.host: 0.0.0.0

######## End Search Guard Demo Configuration ########

`

When I start elastic search , I get the following error. I have only one node in my cluster .

I have still not run sgadmin.sh . Am I doing any mistake here ? Should I add the node certificate also to elasticsearch.yml file ?

Caused by: org.elasticsearch.transport.RemoteTransportException: [TR6U48o][127.0.0.1:9300][internal:transport/handshake]

Caused by: org.elasticsearch.ElasticsearchException: bad header found. This means typically that one node try to connect to another with a non-node certificate (no OID or searchguard.nodes_dn incorrect configured) or that someoneis spoofing requests. See https://github.com/floragunncom/search-guard-docs/blob/master/tls_node_certificates.md

at com.floragunn.searchguard.ssl.util.ExceptionUtils.createBadHeaderException(ExceptionUtils.java:56) ~[?:?]
at com.floragunn.searchguard.transport.SearchGuardRequestHandler.messageReceivedDecorate(SearchGuardRequestHandler.java:159) ~[?:?]
at com.floragunn.searchguard.ssl.transport.SearchGuardSSLRequestHandler.messageReceived(SearchGuardSSLRequestHandler.java:140) ~[?:?]
at com.floragunn.searchguard.SearchGuardPlugin$3$1.messageReceived(SearchGuardPlugin.java:376) ~[?:?]
at org.elasticsearch.transport.RequestHandlerRegistry.processMessageReceived(RequestHandlerRegistry.java:69) ~[elasticsearch-5.5.0.jar:5.5.0]
at org.elasticsearch.transport.TcpTransport$RequestHandler.doRun(TcpTransport.java:1544) ~[elasticsearch-5.5.0.jar:5.5.0]
at org.elasticsearch.common.util.concurrent.AbstractRunnable.run(AbstractRunnable.java:37) ~[elasticsearch-5.5.0.jar:5.5.0]
at org.elasticsearch.common.util.concurrent.EsExecutors$1.execute(EsExecutors.java:110) ~[elasticsearch-5.5.0.jar:5.5.0]
at org.elasticsearch.transport.TcpTransport.handleRequest(TcpTransport.java:1501) ~[elasticsearch-5.5.0.jar:5.5.0]
at org.elasticsearch.transport.TcpTransport.messageReceived(TcpTransport.java:1385) ~[elasticsearch-5.5.0.jar:5.5.0]
at org.elasticsearch.transport.netty4.Netty4MessageChannelHandler.channelRead(Netty4MessageChannelHandler.java:74) ~[?:?]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) ~[?:?]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348) ~[?:?]
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340) ~[?:?]
at io.netty.handler.codec.ByteToMessageDecoder.fireChannelRead(ByteToMessageDecoder.java:310) ~[?:?]
at io.netty.handler.codec.ByteToMessageDecoder.fireChannelRead(ByteToMessageDecoder.java:297) ~[?:?]
at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:413) ~[?:?]
at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:265) ~[?:?]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) ~[?:?]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348) ~[?:?]
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340) ~[?:?]
at io.netty.channel.ChannelInboundHandlerAdapter.channelRead(ChannelInboundHandlerAdapter.java:86) ~[?:?]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) ~[?:?]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348) ~[?:?]
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340) ~[?:?]
at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1267) ~[?:?]
at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1078) ~[?:?]
at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:489) ~[?:?]
at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:428) ~[?:?]
at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:265) ~[?:?]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) ~[?:?]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348) ~[?:?]
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340) ~[?:?]
at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1334) ~[?:?]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) ~[?:?]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348) ~[?:?]
at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:926) ~[?:?]
at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:134) ~[?:?]
at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:644) ~[?:?]
at io.netty.channel.nio.NioEventLoop.processSelectedKeysPlain(NioEventLoop.java:544) ~[?:?]
at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:498) ~[?:?]
at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:458) ~[?:?]
at io.netty.util.concurrent.SingleThreadEventExecutor$5.run(SingleThreadEventExecutor.java:858) ~[?:?]

… 1 more

I was able to run the below command successfully

./sgadmin.sh -ks /Users/myname/Desktop/applications/elasticsearch-5.5.0-demouser/config/generated-certificates/CN=demouser-keystore.jks -kspass afd02cecb11578f80c78 -ts /Users/myname/Desktop/applications/elasticsearch-5.5.0-demouser/config/generated-certificates/truststore.jks -tspass 8533bf07a673a9af95b9 -cd …/sgconfig -icl -nhnv

I was also able to insert records into elastic search finally …

`

Settings esSettings = Settings.builder()

         .put("path.home", ".")

         .put("[cluster.name](http://cluster.name/)", "searchguard_demo")

         .put("searchguard.ssl.transport.enabled", true)

         .put("searchguard.ssl.transport.keystore_filepath", "/Users/myname/Desktop/applications/elasticsearch-5.5.0-demouser/config/generated-certificates/CN=demouser-keystore.jks")

         .put("searchguard.ssl.transport.truststore_filepath", "/Users/myname/Desktop/applications/elasticsearch-5.5.0-demouser/config/generated-certificates/truststore.jks")

         .put("searchguard.ssl.transport.enforce_hostname_verification", false)

         .put("searchguard.ssl.transport.resolve_hostname", false)

         //.put("[request.headers.sg.impersonate.as](http://request.headers.sg.impersonate.as/)", "admin")

         .put(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_KEYSTORE_PASSWORD, "afd02cecb11578f80c78")

         .put(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_TRUSTSTORE_PASSWORD, "8533bf07a673a9af95b9")

         .putArray("searchguard.authcz.admin_dn", "CN=demouser")

         .build();

TransportClient client = new PreBuiltTransportClient(esSettings,SearchGuardPlugin.class);

try {

client.addTransportAddress(new InetSocketTransportAddress(InetAddress.getByName(“127.0.0.1”), Integer.valueOf(“9300”)));

} catch (NumberFormatException e) {

// TODO Auto-generated catch block

e.printStackTrace();

} catch (UnknownHostException e) {

// TODO Auto-generated catch block

e.printStackTrace();

`

I still get this error in elastic search server logs though I was able to insert and select data from elastic search .

I could not find out what I had missed. Kindly revert if you find any issue in my configurations

Caused by: org.elasticsearch.transport.RemoteTransportException: [TR6U48o][[::1]:9300][internal:transport/handshake]

Caused by: org.elasticsearch.ElasticsearchException: bad header found. This means typically that one node try to connect to another with a non-node certificate (no OID or searchguard.nodes_dn incorrect configured) or that someoneis spoofing requests. See https://github.com/floragunncom/search-guard-docs/blob/master/tls_node_certificates.md

at com.floragunn.searchguard.ssl.util.ExceptionUtils.createBadHeaderException(ExceptionUtils.java:56) ~[?:?]

at com.floragunn.searchguard.transport.SearchGuardRequestHandler.messageReceivedDecorate(SearchGuardRequestHandler.java:159) ~[?:?]

at com.floragunn.searchguard.ssl.transport.SearchGuardSSLRequestHandler.messageReceived(SearchGuardSSLRequestHandler.java:140) ~[?:?]

at com.floragunn.searchguard.SearchGuardPlugin$3$1.messageReceived(SearchGuardPlugin.java:376) ~[?:?]

at org.elasticsearch.transport.RequestHandlerRegistry.processMessageReceived(RequestHandlerRegistry.java:69) ~[elasticsearch-5.5.0.jar:5.5.0]

at org.elasticsearch.transport.TcpTransport$RequestHandler.doRun(TcpTransport.java:1544) ~[elasticsearch-5.5.0.jar:5.5.0]

at org.elasticsearch.common.util.concurrent.AbstractRunnable.run(AbstractRunnable.java:37) ~[elasticsearch-5.5.0.jar:5.5.0]

``

Thanks. The steps you suggested worked fine.

Below is my current configuration

######## Start Search Guard Demo Configuration ########
searchguard.ssl.transport.enable_openssl_if_available: false
searchguard.ssl.http.enable_openssl_if_available: false

searchguard.ssl.transport.keystore_filepath: generated-certificates/CN=127.0.0.1-keystore.jks
searchguard.ssl.transport.keystore_password: 612aedcac5f2719e6b68
searchguard.ssl.transport.truststore_filepath: generated-certificates/truststore.jks
searchguard.ssl.transport.truststore_password: 8533bf07a673a9af95b9
searchguard.ssl.transport.enforce_hostname_verification: false

searchguard.ssl.http.enabled: true
searchguard.ssl.http.keystore_filepath: generated-certificates/CN=127.0.0.1-keystore.jks
searchguard.ssl.http.keystore_password: 612aedcac5f2719e6b68
searchguard.ssl.http.truststore_filepath: generated-certificates/truststore.jks
searchguard.ssl.http.truststore_password: 8533bf07a673a9af95b9

searchguard.authcz.admin_dn:

  • CN=sgadmin

searchguard.nodes_dn:

  • “CN=127.0.0.1”

cluster.name: searchguard_demo
network.host: 127.0.0.1

######## End Search Guard Demo Configuration ########

``

I added CN=demouser to sg_internal_users.yml

CN=demouser:
hash: $2a$12$91jD0vozYMOvZTkoXvxJw.vWjA1WWxZrKqsTfgKDioSafWht8X3wO

``

Mapped the role to sg_all_access in sg_roles_mapping.yml ( I want the demo user to read and write to Elastic Search

sg_all_access:
users:
- admin
- ‘CN=demouser’

``

I have used CN=sgadmin-keystore.jks for running the sgadmin.sh command like below

./sgadmin.sh -ks /Users/mohamedmuhad/Desktop/applications/elasticsearch-5.5.0-SearchGuard_1/config/generated-certificates/CN=sgadmin-keystore.jks -kspass b914dbd18884686dd868 -ts /Users/mohamedmuhad/Desktop/applications/elasticsearch-5.5.0-SearchGuard_1/config/generated-certificates/truststore.jks -tspass 8533bf07a673a9af95b9 -cd …/sgconfig -icl -nhnv

``

I am able to connect from my java program using the below code

Settings esSettings = Settings.builder()
.put(“path.home”, “.”)
.put(“cluster.name”, “searchguard_demo”)
.put(“searchguard.ssl.transport.enabled”, true)
.put(“searchguard.ssl.transport.keystore_filepath”, “/Users/mohamedmuhad/Documents/workspace-sts-3.7.3.RELEASE/springDataElasticsearch3/src/main/resources/CN=demouser-keystore.jks”)
.put(“searchguard.ssl.transport.truststore_filepath”, “/Users/mohamedmuhad/Desktop/applications/elasticsearch-5.5.0-demouser/config/generated-certificates/truststore.jks”)
.put(“searchguard.ssl.transport.enforce_hostname_verification”, false)
.put(“searchguard.ssl.transport.resolve_hostname”, false)
//.put(“request.headers.sg.impersonate.as”, “admin”)
.put(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_KEYSTORE_PASSWORD, “afd02cecb11578f80c78”)
.put(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_TRUSTSTORE_PASSWORD, “8533bf07a673a9af95b9”)
.putArray(“searchguard.authcz.admin_dn”, “CN=demouser”)
.build();

TransportClient client = new PreBuiltTransportClient(esSettings,SearchGuardPlugin.class);

try {
client.addTransportAddress(new InetSocketTransportAddress(InetAddress.getByName(“127.0.0.1”), Integer.valueOf(“9300”)));
} catch (NumberFormatException e) {
// TODO Auto-generated catch block
e.printStackTrace();
} catch (UnknownHostException e) {
// TODO Auto-generated catch block
e.printStackTrace();
}

``

Everything works fine now.

For my understanding , if you can clarify the below as well , it would be great. Highly appreciate your detailed response for all my queries so far.

  1. While creating the user , i created a hash password using hash.sh under tools.

The hash generated for admin in the sg_internal_users.yml seems to be different . Was that hash generated using different hashing tool ?

I was able to change the default password for admin successfully using the hash.sh

2.I presume the password we mention in “sg_internal_users.yml” will be used for authentication ( https://floragunn.com/transport-client-authentication-authorization/ )

In this article , it is mentioned to remove the role mapping . In that case what role will the user get assigned to ?

The authorization header that is being password - is it the hashed password ?

  1. If i want to change the demouser.jks to myname.jks - would TLS generator help in doing that ?
···

On Thursday, August 31, 2017 at 1:36:42 PM UTC+3, Jochen Kressin wrote:

The generated package from the certificates generator contains these folders:

From the README:

node-certificates

│ Contains the certificates in jks, p12 and pem format to be used

│ on your Elasticsearch nodes. You will find certificates for all

│ hostnames you specified when submitting the form.

The certificates in this folder are to be used on your elasticsearch nodes, means, these are the node certificates. You can use them for both the transport and the http configuration, and they have to be configured in elasticsearch.yml like:

searchguard.ssl.transport.keystore_filepath: generated-certificates/CN=127.0.0.1-keystore.jks

searchguard.ssl.http.keystore_filepath: generated-certificates/CN=127.0.0.1-keystore.jks

(This configuration has nothing to do with your Transport Client.)

Node certificates, as the name implies, have to be used on your Elasticsearch nodes only, means, they are not to be used with your Transport Client. Since the certificates have been generated by our service, they are recognized as node certificates automatically, so actuall you don’t need to list them in searchguard.nodes_dn. But this entry here is correct nonethless:

searchguard.nodes_dn:

  • “CN=127.0.0.1”

The folder client-certificates contains certificates you can use to connect to the SG secured cluster “from the outside”, for example, by a Transport Client, or via TLS client authentication.

From the README:

└─── client-certificates

│ Contains two client certificates named ‘admin’ and ‘demouser’

│ The admin certificate can be used with sgadmin and the REST API.

│ The CN of this certificate is ‘sgadmin’. The demouser certificate can be used

│ for HTTPS client authentication.

To make one of the two certificates an admin certificate, you need to specify it in elasticsearch.yml.

From the README:

searchguard.authcz.admin_dn:

  • CN=sgadmin

(no demouser here!)

Now the certificate contained in the sgadmin-keystore is an admin certificate, and you can use it for example with sgadmin to change configuration. An admin certificate has elevated permissions, and is basically allowed to do anything on the cluster.

The different types of certificates are described in the docs here:

http://floragunncom.github.io/search-guard-docs/tls_certificates_production.html

For your Transport Client, you should use the demouser certificate / keystore and configure the permissions you would like to assign to. This is described in this article:

https://floragunn.com/searchguard-elasicsearch-transport-clients/

On Thursday, August 24, 2017 at 12:37:52 PM UTC+2, md md wrote:

Thanks for the detailed clarification

It would be very helpful if you can clarify my below doubts as well.

When I used the TLS certificate generator ( https://floragunn.com/tls-certificate-generator/ ) , I got the below certicates

  • CN=demouser-keystore.jks
  • CN=sgadmin-keystore.jks
  • CN=127.0.0.1-keystore.jks ( In the TLS generator , I specified only one node - 127.0.0.1 )
  • truststore.jks

I am running the elastic search in Red hat linux and the cluster has only one node.

My client program is connecting from windows using Transport Client and Spring Data Elastic Search

I am confused between the client certificate and node certificate configruations

Since there is only one node in the cluster , I have added the below setting in elasticsearch.yml

searchguard.nodes_dn:

  • “CN=127.0.0.1”

``

and placed CN=127.0.0.-keystore.jks under config folder

For the key store filepath “searchguard.ssl.transport.keystore_filepath” , should I mention “CN=127.0.0.1-keystore.jks” or should I mention “CN=demouser-keystore.jks” ?

Since I want to connect via transport client , my understanding is that key store should be of the client ( in this case the demouser )

This is my final configuration and now everything works fine .

######## Start Search Guard Demo Configuration ########
searchguard.ssl.transport.enable_openssl_if_available: false
searchguard.ssl.http.enable_openssl_if_available: false

searchguard.ssl.transport.keystore_filepath: generated-certificates/CN=demouser-keystore.jks
searchguard.ssl.transport.keystore_password: afd02cecb11578f80c78
searchguard.ssl.transport.truststore_filepath: generated-certificates/truststore.jks
searchguard.ssl.transport.truststore_password: 8533bf07a673a9af95b9
searchguard.ssl.transport.enforce_hostname_verification: false

searchguard.ssl.http.enabled: true
searchguard.ssl.http.keystore_filepath: generated-certificates/CN=demouser-keystore.jks
searchguard.ssl.http.keystore_password: afd02cecb11578f80c78
searchguard.ssl.http.truststore_filepath: generated-certificates/truststore.jks
searchguard.ssl.http.truststore_password: 8533bf07a673a9af95b9

searchguard.authcz.admin_dn:

  • CN=sgadmin
  • CN=demouser

searchguard.nodes_dn:

  • “CN=127.0.0.1”

cluster.name: searchguard_demo
network.host: 127.0.0.1
######## End Search Guard Demo Configuration ########

``

But I understand that making demouser as admin is wrong - I would like to fix that.

If you can guide me , it would be helpful

On Tuesday, August 22, 2017 at 7:58:48 PM UTC+3, Urs wrote:

Hi,

first of all you need to know that your successful requests did work because by adding the demouser client certificate to the configuration of searchguard.authcz.admin_dn you have permitted admin access for the demouser certificate. (see screenshot):

This way all auth checks will be ‘bypassed’ so to say.

Furthermore your configuration of this elasticsearch.yml does not provide any node certificate. As you have already mentioned yourself:
‘‘Should I add the node certificate also to elasticsearch.yml file ?’’ - correct, in order to ensure node to node communication, a node certificate needs to be provided.

The log file gives some helpful information here:

Caused by: org.elasticsearch.ElasticsearchException: bad header found. This means typically that one node try to connect to another with a non-node certificate (no OID or searchguard.nodes_dn incorrect configured) or that someoneis spoofing requests. See https://github.com/floragunncom/search-guard-docs/blob/master/tls_node_certificates.md

So, you need to add a node certificate to your elasticsearch.yml. It has been provided as well with using our TLS certificate generator, you will find it in the folder node-certificates shipped within the search-guard-certificates archive.
In the end your elasticsearch.yml has to look something like this: !Please do not forget to fill out with your own path and .jks file name!

######## Start Search Guard Demo Configuration ########
searchguard.ssl.transport.keystore_filepath: generated-certificates/CN=localhost-keystore.jks
searchguard.ssl.transport.keystore_password: afd02cecb11578f80c78
searchguard.ssl.transport.truststore_filepath: generated-certificates/truststore.jks
searchguard.ssl.transport.truststore_password: 8533bf07a673a9af95b9
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.http.enabled: true
searchguard.ssl.http.keystore_filepath: generated-certificates/CN=localhost-keystore.jks
searchguard.ssl.http.keystore_password: afd02cecb11578f80c78
searchguard.ssl.http.truststore_filepath: generated-certificates/truststore.jks
searchguard.ssl.http.truststore_password: 8533bf07a673a9af95b9

Thanks for your question, I hope this answer helps,

regards, Urs.

Urs Armbruster

Community Manager

floragunn GmbH

Tempelhofer Ufer 16

10963 Berlin

Amtsgericht Charlottenburg HRB 147010

USt-IdNr.: DE287373363

+++ like us on facebook: https://www.facebook.com/searchguard

+++ follow us on twitter: https://twitter.com/searchguard

On Monday, August 21, 2017 at 4:23:03 PM UTC+2, md md wrote:

Hi

I was able to install search guard and run elastic search succesfully by following the steps mentioned in https://github.com/floragunncom/search-guard

I am running the below versions

Elastic Search 5.5.0

Spring-data-elasticsearch 3.0.0.RC2

Search Guard 5.5.0-15

Using the below code I was able to successfully connect to Elastic Search and insert records into elastic search

`Settings esSettings = Settings.builder()

                            .put("path.home", ".")


                            .put("[cluster.name](http://cluster.name/)", "searchguard_demo")


                            .put("searchguard.ssl.transport.enabled", true)


                            .put("searchguard.ssl.transport.keystore_filepath", "/Users/temp/Desktop/applications/mycert/kirk.jks")


                            .put("searchguard.ssl.transport.truststore_filepath", "/Users/temp/Desktop/applications/mycert/truststore.jks")


         .put("searchguard.ssl.transport.enforce_hostname_verification", false)


         .put("searchguard.ssl.transport.resolve_hostname", false)


         .put(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_KEYSTORE_PASSWORD, "changeit")


         .put(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_TRUSTSTORE_PASSWORD, "changeit")


         .putArray("searchguard.authcz.admin_dn", "CN=kirk,OU=client,O=client,l=Est,C=De")


         .build();

TransportClient client = new PreBuiltTransportClient(esSettings,SearchGuardPlugin.class);

try {

client.addTransportAddress(new InetSocketTransportAddress(InetAddress.getByName(“127.0.0.1”), Integer.valueOf(“9300”)));

} catch (NumberFormatException e) {

// TODO Auto-generated catch block

e.printStackTrace();

} catch (UnknownHostException e) {

// TODO Auto-generated catch block

e.printStackTrace();

}

`

Now , I am trying to create certificates using the TLS generator provided by Search Guard.

https://floragunn.com/tls-certificate-generator/

I got two client certificates : sgadmin and demouser apart from the node cerificate CN=127.0.0.1-keystore.jks

After generating the certificates , the copied the below files to searchgaurd/config/generate-certificates folder

CN=demouser-keystore.jks

CN=sgadmin-keystore.jks

truststore.jks

I am trying to use the CN=demouser-keystore.jks to connect to Elastic Search

Below is my configuration in elasticsearch.yml

`

######## Start Search Guard Demo Configuration ########
searchguard.ssl.transport.keystore_filepath: generated-certificates/CN=demouser-keystore.jks
searchguard.ssl.transport.keystore_password: afd02cecb11578f80c78
searchguard.ssl.transport.truststore_filepath: generated-certificates/truststore.jks
searchguard.ssl.transport.truststore_password: 8533bf07a673a9af95b9
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.http.enabled: true
searchguard.ssl.http.keystore_filepath: generated-certificates/CN=demouser-keystore.jks
searchguard.ssl.http.keystore_password: afd02cecb11578f80c78
searchguard.ssl.http.truststore_filepath: generated-certificates/truststore.jks
searchguard.ssl.http.truststore_password: 8533bf07a673a9af95b9

searchguard.authcz.admin_dn:

  • CN=sgadmin
  • CN=demouser

cluster.name: searchguard_demo

network.host: 0.0.0.0

######## End Search Guard Demo Configuration ########

`

When I start elastic search , I get the following error. I have only one node in my cluster .

I have still not run sgadmin.sh . Am I doing any mistake here ? Should I add the node certificate also to elasticsearch.yml file ?

Caused by: org.elasticsearch.transport.RemoteTransportException: [TR6U48o][127.0.0.1:9300][internal:transport/handshake]

Caused by: org.elasticsearch.ElasticsearchException: bad header found. This means typically that one node try to connect to another with a non-node certificate (no OID or searchguard.nodes_dn incorrect configured) or that someoneis spoofing requests. See https://github.com/floragunncom/search-guard-docs/blob/master/tls_node_certificates.md

at com.floragunn.searchguard.ssl.util.ExceptionUtils.createBadHeaderException(ExceptionUtils.java:56) ~[?:?]
at com.floragunn.searchguard.transport.SearchGuardRequestHandler.messageReceivedDecorate(SearchGuardRequestHandler.java:159) ~[?:?]
at com.floragunn.searchguard.ssl.transport.SearchGuardSSLRequestHandler.messageReceived(SearchGuardSSLRequestHandler.java:140) ~[?:?]
at com.floragunn.searchguard.SearchGuardPlugin$3$1.messageReceived(SearchGuardPlugin.java:376) ~[?:?]
at org.elasticsearch.transport.RequestHandlerRegistry.processMessageReceived(RequestHandlerRegistry.java:69) ~[elasticsearch-5.5.0.jar:5.5.0]
at org.elasticsearch.transport.TcpTransport$RequestHandler.doRun(TcpTransport.java:1544) ~[elasticsearch-5.5.0.jar:5.5.0]
at org.elasticsearch.common.util.concurrent.AbstractRunnable.run(AbstractRunnable.java:37) ~[elasticsearch-5.5.0.jar:5.5.0]
at org.elasticsearch.common.util.concurrent.EsExecutors$1.execute(EsExecutors.java:110) ~[elasticsearch-5.5.0.jar:5.5.0]
at org.elasticsearch.transport.TcpTransport.handleRequest(TcpTransport.java:1501) ~[elasticsearch-5.5.0.jar:5.5.0]
at org.elasticsearch.transport.TcpTransport.messageReceived(TcpTransport.java:1385) ~[elasticsearch-5.5.0.jar:5.5.0]
at org.elasticsearch.transport.netty4.Netty4MessageChannelHandler.channelRead(Netty4MessageChannelHandler.java:74) ~[?:?]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) ~[?:?]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348) ~[?:?]
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340) ~[?:?]
at io.netty.handler.codec.ByteToMessageDecoder.fireChannelRead(ByteToMessageDecoder.java:310) ~[?:?]
at io.netty.handler.codec.ByteToMessageDecoder.fireChannelRead(ByteToMessageDecoder.java:297) ~[?:?]
at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:413) ~[?:?]
at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:265) ~[?:?]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) ~[?:?]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348) ~[?:?]
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340) ~[?:?]
at io.netty.channel.ChannelInboundHandlerAdapter.channelRead(ChannelInboundHandlerAdapter.java:86) ~[?:?]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) ~[?:?]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348) ~[?:?]
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340) ~[?:?]
at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1267) ~[?:?]
at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1078) ~[?:?]
at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:489) ~[?:?]
at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:428) ~[?:?]
at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:265) ~[?:?]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) ~[?:?]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348) ~[?:?]
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340) ~[?:?]
at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1334) ~[?:?]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) ~[?:?]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348) ~[?:?]
at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:926) ~[?:?]
at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:134) ~[?:?]
at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:644) ~[?:?]
at io.netty.channel.nio.NioEventLoop.processSelectedKeysPlain(NioEventLoop.java:544) ~[?:?]
at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:498) ~[?:?]
at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:458) ~[?:?]
at io.netty.util.concurrent.SingleThreadEventExecutor$5.run(SingleThreadEventExecutor.java:858) ~[?:?]

… 1 more

I was able to run the below command successfully

./sgadmin.sh -ks /Users/myname/Desktop/applications/elasticsearch-5.5.0-demouser/config/generated-certificates/CN=demouser-keystore.jks -kspass afd02cecb11578f80c78 -ts /Users/myname/Desktop/applications/elasticsearch-5.5.0-demouser/config/generated-certificates/truststore.jks -tspass 8533bf07a673a9af95b9 -cd …/sgconfig -icl -nhnv

I was also able to insert records into elastic search finally …

`

Settings esSettings = Settings.builder()

         .put("path.home", ".")

         .put("[cluster.name](http://cluster.name/)", "searchguard_demo")

         .put("searchguard.ssl.transport.enabled", true)

         .put("searchguard.ssl.transport.keystore_filepath", "/Users/myname/Desktop/applications/elasticsearch-5.5.0-demouser/config/generated-certificates/CN=demouser-keystore.jks")

         .put("searchguard.ssl.transport.truststore_filepath", "/Users/myname/Desktop/applications/elasticsearch-5.5.0-demouser/config/generated-certificates/truststore.jks")

         .put("searchguard.ssl.transport.enforce_hostname_verification", false)

         .put("searchguard.ssl.transport.resolve_hostname", false)

         //.put("[request.headers.sg.impersonate.as](http://request.headers.sg.impersonate.as/)", "admin")

         .put(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_KEYSTORE_PASSWORD, "afd02cecb11578f80c78")

         .put(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_TRUSTSTORE_PASSWORD, "8533bf07a673a9af95b9")

         .putArray("searchguard.authcz.admin_dn", "CN=demouser")

         .build();

TransportClient client = new PreBuiltTransportClient(esSettings,SearchGuardPlugin.class);

try {

client.addTransportAddress(new InetSocketTransportAddress(InetAddress.getByName(“127.0.0.1”), Integer.valueOf(“9300”)));

} catch (NumberFormatException e) {

// TODO Auto-generated catch block

e.printStackTrace();

} catch (UnknownHostException e) {

// TODO Auto-generated catch block

e.printStackTrace();

`

I still get this error in elastic search server logs though I was able to insert and select data from elastic search .

I could not find out what I had missed. Kindly revert if you find any issue in my configurations

Caused by: org.elasticsearch.transport.RemoteTransportException: [TR6U48o][[::1]:9300][internal:transport/handshake]

Caused by: org.elasticsearch.ElasticsearchException: bad header found. This means typically that one node try to connect to another with a non-node certificate (no OID or searchguard.nodes_dn incorrect configured) or that someoneis spoofing requests. See https://github.com/floragunncom/search-guard-docs/blob/master/tls_node_certificates.md

at com.floragunn.searchguard.ssl.util.ExceptionUtils.createBadHeaderException(ExceptionUtils.java:56) ~[?:?]

at com.floragunn.searchguard.transport.SearchGuardRequestHandler.messageReceivedDecorate(SearchGuardRequestHandler.java:159) ~[?:?]

at com.floragunn.searchguard.ssl.transport.SearchGuardSSLRequestHandler.messageReceived(SearchGuardSSLRequestHandler.java:140) ~[?:?]

at com.floragunn.searchguard.SearchGuardPlugin$3$1.messageReceived(SearchGuardPlugin.java:376) ~[?:?]

at org.elasticsearch.transport.RequestHandlerRegistry.processMessageReceived(RequestHandlerRegistry.java:69) ~[elasticsearch-5.5.0.jar:5.5.0]

at org.elasticsearch.transport.TcpTransport$RequestHandler.doRun(TcpTransport.java:1544) ~[elasticsearch-5.5.0.jar:5.5.0]

at org.elasticsearch.common.util.concurrent.AbstractRunnable.run(AbstractRunnable.java:37) ~[elasticsearch-5.5.0.jar:5.5.0]

``