Search Guard Setup

Hello!
I am trying to setup search guard 2.
I have 2 data nodes, 1 master node and 1 search node.
Search guard ssl is already installed and working :slight_smile:
I have install both plugins on every node in the cluster. In the documentation it said: "search-guard-2 needs only a single entry in elasticsearch.yml " Does it mean it is enough if all the configuration it is done in the elasticsearch.yml in the master node?

Also, in the documentation example, we have inside /usr/share/elasticsearch/plugins/search-guard-2/sgconfig many files as:

  • elasticsearch.yml
  • node-0-keystore.jks
  • node-2-keystore.jks
  • sg_config.yml
  • sg_roles_mapping.yml
  • spock-keystore.jks
  • kirk-keystore.jks
  • node-1-keystore.jks
  • sg_action_groups.yml
  • sg_internal_users.yml
  • sg_roles.yml
  • truststore.jks

Do we need all the nodes keystore?
and we have to apply the configuration:

plugins/search-guard-2/tools/sgadmin.sh -cd plugins/search-guard-2/sgconfig/ -ks plugins/search-guard-2/sgconfig/keystore.jks -ts plugins/search-guard-2/sgconfig/truststore.jks -nhnv

Do we need to apply the configuration in every node?
Which keystore and truststore are used? Can we use the same as for search-guard-ssl?

After using the keystore and truststore that we have from search-guard-ssl, running the sgadmin.sh we get the error:
{localhost/127.0.0.1:9300} not part of the cluster Cluster [elasticsearch], ignoring…

Exception in thread “main” NoNodeAvailableException[None of the configured nodes are available: [{#transport#-1}{127.0.0.1}{localhost/127.0.0.1:9300}]]

at org.elasticsearch.client.transport.TransportClientNodesService.ensureNodesAreAvailable(TransportClientNodesService.java:290)

at org.elasticsearch.client.transport.TransportClientNodesService.execute(TransportClientNodesService.java:207)

at org.elasticsearch.client.transport.support.TransportProxyClient.execute(TransportProxyClient.java:55)

at org.elasticsearch.client.transport.TransportClient.doExecute(TransportClient.java:286)

at org.elasticsearch.client.support.AbstractClient.execute(AbstractClient.java:351)

at org.elasticsearch.client.support.AbstractClient.execute(AbstractClient.java:340)

at org.elasticsearch.client.support.AbstractClient$ClusterAdmin.execute(AbstractClient.java:840)

at org.elasticsearch.client.support.AbstractClient$ClusterAdmin.health(AbstractClient.java:860)

at com.floragunn.searchguard.tools.SearchGuardAdmin.main(SearchGuardAdmin.java:144)

The line 144 is when we try to get the cluster_health, and actually we cannot get the health of the cluster:
curl https://myessearchnode:9200/_cluster/health?pretty
Search Guard not initialized (SG11)

Do you have any idea of how to solve these problems?

Thanks in advance!!
Cheers,
Rocio

Hello!
I am trying to setup search guard 2.
I have 2 data nodes, 1 master node and 1 search node.
Search guard ssl is already installed and working :slight_smile:
I have install both plugins on every node in the cluster. In the documentation it said: "search-guard-2 needs only a single entry in elasticsearch.yml " Does it mean it is enough if all the configuration it is done in the elasticsearch.yml in the master node?

  • You have to install both plugins on every node.

  • You have to configure SG and SG SSL in elasticsearch.yml on EVERY node, not only master

Also, in the documentation example, we have inside /usr/share/elasticsearch/plugins/search-guard-2/sgconfig many files as:

  • elasticsearch.yml
  • node-0-keystore.jks
  • node-2-keystore.jks
  • sg_config.yml
  • sg_roles_mapping.yml
  • spock-keystore.jks
  • kirk-keystore.jks
  • node-1-keystore.jks
  • sg_action_groups.yml
  • sg_internal_users.yml
  • sg_roles.yml
  • truststore.jks

Do we need all the nodes keystore?

On every node you need one keystore and one truststore

and we have to apply the configuration:

plugins/search-guard-2/tools/sgadmin.sh -cd plugins/search-guard-2/sgconfig/ -ks plugins/search-guard-2/sgconfig/keystore.jks -ts plugins/search-guard-2/sgconfig/truststore.jks -nhnv

Do we need to apply the configuration in every node?

No, just to one. The configuration will then internally dsitributed to all nodes

Which keystore and truststore are used? Can we use the same as for search-guard-ssl?

There is only search-guard-ssl which is doing ssl stuff. SG itself does not deal with SSL.

After using the keystore and truststore that we have from search-guard-ssl, running the sgadmin.sh we get the error:
{localhost/127.0.0.1:9300} not part of the cluster Cluster [elasticsearch], ignoring…

Exception in thread “main” NoNodeAvailableException[None of the configured nodes are available: [{#transport#-1}{127.0.0.1}{localhost/127.0.0.1:9300}]]

at org.elasticsearch.client.transport.TransportClientNodesService.ensureNodesAreAvailable(TransportClientNodesService.java:290)

at org.elasticsearch.client.transport.TransportClientNodesService.execute(TransportClientNodesService.java:207)

at org.elasticsearch.client.transport.support.TransportProxyClient.execute(TransportProxyClient.java:55)

at org.elasticsearch.client.transport.TransportClient.doExecute(TransportClient.java:286)

at org.elasticsearch.client.support.AbstractClient.execute(AbstractClient.java:351)

at org.elasticsearch.client.support.AbstractClient.execute(AbstractClient.java:340)

at org.elasticsearch.client.support.AbstractClient$ClusterAdmin.execute(AbstractClient.java:840)

at org.elasticsearch.client.support.AbstractClient$ClusterAdmin.health(AbstractClient.java:860)

at com.floragunn.searchguard.tools.SearchGuardAdmin.main(SearchGuardAdmin.java:144)

The line 144 is when we try to get the cluster_health, and actually we cannot get the health of the cluster:
curl https://myessearchnode:9200/_cluster/health?pretty
Search Guard not initialized (SG11)

Do you have any idea of how to solve these problems?

Pls try to get first SG SSL up and running. If that works continue with SG itself.

Good point to start and see how its working is the Vagrant box: https://github.com/floragunncom/search-guard-ssl/wiki/Vagrant-Demo

···

Am Donnerstag, 3. März 2016 17:19:58 UTC+1 schrieb Rocio Rama:

Thanks in advance!!
Cheers,
Rocio

Hello,
Thanks for your explanations!

SG SSL is up and running.

[2016-03-03 17:25:49,454][DEBUG][com.floragunn.searchguard.ssl.SearchGuardKeyStore] Open SSL ALPN supported false

[2016-03-03 17:25:49,454][INFO ][com.floragunn.searchguard.ssl.SearchGuardKeyStore] Open SSL OpenSSL 1.0.1e-fips 11 Feb 2013 available

[2016-03-03 17:25:49,454][DEBUG][com.floragunn.searchguard.ssl.SearchGuardKeyStore] Open SSL available ciphers [ECDHE-RSA-AES256-GCM-SHA384, ECDHE-ECDSA-AES256-GCM-SHA384, ECDHE-RSA-AES256-SHA384, ECDHE-ECDSA-AES256-SHA384, ECDHE-RSA-AES256-SHA, ECDHE-ECDSA-AES256-SHA, DHE-DSS-AES256-GCM-SHA384, DHE-RSA-AES256-GCM-SHA384, DHE-RSA-AES256-SHA256, DHE-DSS-AES256-SHA256, DHE-RSA-AES256-SHA, DHE-DSS-AES256-SHA, DHE-RSA-CAMELLIA256-SHA, DHE-DSS-CAMELLIA256-SHA, AECDH-AES256-SHA, ADH-AES256-GCM-SHA384, ADH-AES256-SHA256, ADH-AES256-SHA, ADH-CAMELLIA256-SHA, ECDH-RSA-AES256-GCM-SHA384, ECDH-ECDSA-AES256-GCM-SHA384, ECDH-RSA-AES256-SHA384, ECDH-ECDSA-AES256-SHA384, ECDH-RSA-AES256-SHA, ECDH-ECDSA-AES256-SHA, AES256-GCM-SHA384, AES256-SHA256, AES256-SHA, CAMELLIA256-SHA, PSK-AES256-CBC-SHA, ECDHE-RSA-AES128-GCM-SHA256, ECDHE-ECDSA-AES128-GCM-SHA256, ECDHE-RSA-AES128-SHA256, ECDHE-ECDSA-AES128-SHA256, ECDHE-RSA-AES128-SHA, ECDHE-ECDSA-AES128-SHA, DHE-DSS-AES128-GCM-SHA256, DHE-RSA-AES128-GCM-SHA256, DHE-RSA-AES128-SHA256, DHE-DSS-AES128-SHA256, DHE-RSA-AES128-SHA, DHE-DSS-AES128-SHA, ECDHE-RSA-DES-CBC3-SHA, ECDHE-ECDSA-DES-CBC3-SHA, DHE-RSA-SEED-SHA, DHE-DSS-SEED-SHA, DHE-RSA-CAMELLIA128-SHA, DHE-DSS-CAMELLIA128-SHA, EDH-RSA-DES-CBC3-SHA, EDH-DSS-DES-CBC3-SHA, AECDH-AES128-SHA, ADH-AES128-GCM-SHA256, ADH-AES128-SHA256, ADH-AES128-SHA, AECDH-DES-CBC3-SHA, ADH-SEED-SHA, ADH-CAMELLIA128-SHA, ADH-DES-CBC3-SHA, ECDH-RSA-AES128-GCM-SHA256, ECDH-ECDSA-AES128-GCM-SHA256, ECDH-RSA-AES128-SHA256, ECDH-ECDSA-AES128-SHA256, ECDH-RSA-AES128-SHA, ECDH-ECDSA-AES128-SHA, ECDH-RSA-DES-CBC3-SHA, ECDH-ECDSA-DES-CBC3-SHA, AES128-GCM-SHA256, AES128-SHA256, AES128-SHA, SEED-SHA, CAMELLIA128-SHA, DES-CBC3-SHA, IDEA-CBC-SHA, PSK-AES128-CBC-SHA, PSK-3DES-EDE-CBC-SHA, KRB5-IDEA-CBC-SHA, KRB5-DES-CBC3-SHA, KRB5-IDEA-CBC-MD5, KRB5-DES-CBC3-MD5, ECDHE-RSA-RC4-SHA, ECDHE-ECDSA-RC4-SHA, AECDH-RC4-SHA, ADH-RC4-MD5, ECDH-RSA-RC4-SHA, ECDH-ECDSA-RC4-SHA, RC4-SHA, RC4-MD5, PSK-RC4-SHA, KRB5-RC4-SHA, KRB5-RC4-MD5, EDH-RSA-DES-CBC-SHA, EDH-DSS-DES-CBC-SHA, ADH-DES-CBC-SHA, DES-CBC-SHA, KRB5-DES-CBC-SHA, KRB5-DES-CBC-MD5, EXP-EDH-RSA-DES-CBC-SHA, EXP-EDH-DSS-DES-CBC-SHA, EXP-ADH-DES-CBC-SHA, EXP-DES-CBC-SHA, EXP-RC2-CBC-MD5, EXP-KRB5-RC2-CBC-SHA, EXP-KRB5-DES-CBC-SHA, EXP-KRB5-RC2-CBC-MD5, EXP-KRB5-DES-CBC-MD5, EXP-ADH-RC4-MD5, EXP-RC4-MD5, EXP-KRB5-RC4-SHA, EXP-KRB5-RC4-MD5]

``

When I don’t have SG running but SG SSL is running, the cluster is green . With SG and SG SSL installed, I am still getting the error.

Maybe I am missing something from the configuration? Some parameters mandatory for the SG configuration?

Thanks again!! :slight_smile:

look here https://github.com/floragunncom/search-guard/blob/2.2/Vagrantfile

···

Am Dienstag, 15. März 2016 14:34:33 UTC+1 schrieb Rocio Rama:

Hello,
Thanks for your explanations!

SG SSL is up and running.

[2016-03-03 17:25:49,454][DEBUG][com.floragunn.searchguard.ssl.SearchGuardKeyStore] Open SSL ALPN supported false

[2016-03-03 17:25:49,454][INFO ][com.floragunn.searchguard.ssl.SearchGuardKeyStore] Open SSL OpenSSL 1.0.1e-fips 11 Feb 2013 available

[2016-03-03 17:25:49,454][DEBUG][com.floragunn.searchguard.ssl.SearchGuardKeyStore] Open SSL available ciphers [ECDHE-RSA-AES256-GCM-SHA384, ECDHE-ECDSA-AES256-GCM-SHA384, ECDHE-RSA-AES256-SHA384, ECDHE-ECDSA-AES256-SHA384, ECDHE-RSA-AES256-SHA, ECDHE-ECDSA-AES256-SHA, DHE-DSS-AES256-GCM-SHA384, DHE-RSA-AES256-GCM-SHA384, DHE-RSA-AES256-SHA256, DHE-DSS-AES256-SHA256, DHE-RSA-AES256-SHA, DHE-DSS-AES256-SHA, DHE-RSA-CAMELLIA256-SHA, DHE-DSS-CAMELLIA256-SHA, AECDH-AES256-SHA, ADH-AES256-GCM-SHA384, ADH-AES256-SHA256, ADH-AES256-SHA, ADH-CAMELLIA256-SHA, ECDH-RSA-AES256-GCM-SHA384, ECDH-ECDSA-AES256-GCM-SHA384, ECDH-RSA-AES256-SHA384, ECDH-ECDSA-AES256-SHA384, ECDH-RSA-AES256-SHA, ECDH-ECDSA-AES256-SHA, AES256-GCM-SHA384, AES256-SHA256, AES256-SHA, CAMELLIA256-SHA, PSK-AES256-CBC-SHA, ECDHE-RSA-AES128-GCM-SHA256, ECDHE-ECDSA-AES128-GCM-SHA256, ECDHE-RSA-AES128-SHA256, ECDHE-ECDSA-AES128-SHA256, ECDHE-RSA-AES128-SHA, ECDHE-ECDSA-AES128-SHA, DHE-DSS-AES128-GCM-SHA256, DHE-RSA-AES128-GCM-SHA256, DHE-RSA-AES128-SHA256, DHE-DSS-AES128-SHA256, DHE-RSA-AES128-SHA, DHE-DSS-AES128-SHA, ECDHE-RSA-DES-CBC3-SHA, ECDHE-ECDSA-DES-CBC3-SHA, DHE-RSA-SEED-SHA, DHE-DSS-SEED-SHA, DHE-RSA-CAMELLIA128-SHA, DHE-DSS-CAMELLIA128-SHA, EDH-RSA-DES-CBC3-SHA, EDH-DSS-DES-CBC3-SHA, AECDH-AES128-SHA, ADH-AES128-GCM-SHA256, ADH-AES128-SHA256, ADH-AES128-SHA, AECDH-DES-CBC3-SHA, ADH-SEED-SHA, ADH-CAMELLIA128-SHA, ADH-DES-CBC3-SHA, ECDH-RSA-AES128-GCM-SHA256, ECDH-ECDSA-AES128-GCM-SHA256, ECDH-RSA-AES128-SHA256, ECDH-ECDSA-AES128-SHA256, ECDH-RSA-AES128-SHA, ECDH-ECDSA-AES128-SHA, ECDH-RSA-DES-CBC3-SHA, ECDH-ECDSA-DES-CBC3-SHA, AES128-GCM-SHA256, AES128-SHA256, AES128-SHA, SEED-SHA, CAMELLIA128-SHA, DES-CBC3-SHA, IDEA-CBC-SHA, PSK-AES128-CBC-SHA, PSK-3DES-EDE-CBC-SHA, KRB5-IDEA-CBC-SHA, KRB5-DES-CBC3-SHA, KRB5-IDEA-CBC-MD5, KRB5-DES-CBC3-MD5, ECDHE-RSA-RC4-SHA, ECDHE-ECDSA-RC4-SHA, AECDH-RC4-SHA, ADH-RC4-MD5, ECDH-RSA-RC4-SHA, ECDH-ECDSA-RC4-SHA, RC4-SHA, RC4-MD5, PSK-RC4-SHA, KRB5-RC4-SHA, KRB5-RC4-MD5, EDH-RSA-DES-CBC-SHA, EDH-DSS-DES-CBC-SHA, ADH-DES-CBC-SHA, DES-CBC-SHA, KRB5-DES-CBC-SHA, KRB5-DES-CBC-MD5, EXP-EDH-RSA-DES-CBC-SHA, EXP-EDH-DSS-DES-CBC-SHA, EXP-ADH-DES-CBC-SHA, EXP-DES-CBC-SHA, EXP-RC2-CBC-MD5, EXP-KRB5-RC2-CBC-SHA, EXP-KRB5-DES-CBC-SHA, EXP-KRB5-RC2-CBC-MD5, EXP-KRB5-DES-CBC-MD5, EXP-ADH-RC4-MD5, EXP-RC4-MD5, EXP-KRB5-RC4-SHA, EXP-KRB5-RC4-MD5]

``

When I don’t have SG running but SG SSL is running, the cluster is green . With SG and SG SSL installed, I am still getting the error.

Maybe I am missing something from the configuration? Some parameters mandatory for the SG configuration?

Thanks again!! :slight_smile: