searchguard support for Rest Api

Hi,

I am working with the Search Guard REST API to manage roles, users, and permissions.

I have tried this

  1. Download search-guard-ssl-5.3.0

  2. Configure Elasticsearch 5.3.2 for the respective Search Guard version

I followed the blog to set up SSL.

Now, when I run this command on the VM:

curl --insecure --cert chain.pem --key kirk.key.pem "https://localhost:9200/_searchguard/api/configuration/config"

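It fails with the error below; the server rejects the client certificate during the TLS handshake because its path does not chain with any of the trust anchors: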

io.netty.handler.codec.DecoderException: javax.net.ssl.SSLHandshakeException: General SSLEngine problem

at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:442) ~[netty-codec-4.1.7.Final.jar:4.1.7.Final]

at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:248) ~[netty-codec-4.1.7.Final.jar:4.1.7.Final]

at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:363) [netty-transport-4.1.7.Final.jar:4.1.7.Final]

at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:349) [netty-transport-4.1.7.Final.jar:4.1.7.Final]

at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:341) [netty-transport-4.1.7.Final.jar:4.1.7.Final]

at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1334) [netty-transport-4.1.7.Final.jar:4.1.7.Final]

at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:363) [netty-transport-4.1.7.Final.jar:4.1.7.Final]

at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:349) [netty-transport-4.1.7.Final.jar:4.1.7.Final]

at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:926) [netty-transport-4.1.7.Final.jar:4.1.7.Final]

at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:129) [netty-transport-4.1.7.Final.jar:4.1.7.Final]

at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:642) [netty-transport-4.1.7.Final.jar:4.1.7.Final]

at io.netty.channel.nio.NioEventLoop.processSelectedKeysPlain(NioEventLoop.java:527) [netty-transport-4.1.7.Final.jar:4.1.7.Final]

at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:481) [netty-transport-4.1.7.Final.jar:4.1.7.Final]

at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:441) [netty-transport-4.1.7.Final.jar:4.1.7.Final]

at io.netty.util.concurrent.SingleThreadEventExecutor$5.run(SingleThreadEventExecutor.java:858) [netty-common-4.1.7.Final.jar:4.1.7.Final]

at java.lang.Thread.run(Thread.java:748) [?:1.8.0_131]

Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem

at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1478) ~[?:?]

at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:535) ~[?:?]

at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:813) ~[?:?]

at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:781) ~[?:?]

at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624) ~[?:1.8.0_131]

at io.netty.handler.ssl.SslHandler$SslEngineType$2.unwrap(SslHandler.java:218) ~[?:?]

at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1028) ~[?:?]

at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:950) ~[?:?]

at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:411) ~[?:?]

… 15 more

Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem

at sun.security.ssl.Alerts.getSSLException(Alerts.java:192) ~[?:?]

at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1728) ~[?:?]

at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:304) ~[?:?]

at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296) ~[?:?]

at sun.security.ssl.ServerHandshaker.clientCertificate(ServerHandshaker.java:1906) ~[?:?]

at sun.security.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:233) ~[?:?]

at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1026) ~[?:?]

at sun.security.ssl.Handshaker$1.run(Handshaker.java:966) ~[?:?]

at sun.security.ssl.Handshaker$1.run(Handshaker.java:963) ~[?:?]

at java.security.AccessController.doPrivileged(Native Method) ~[?:1.8.0_131]

at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1416) ~[?:?]

at io.netty.handler.ssl.SslHandler.runDelegatedTasks(SslHandler.java:1167) ~[?:?]

at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1080) ~[?:?]

at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:950) ~[?:?]

at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:411) ~[?:?]

… 15 more

Caused by: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: Path does not chain with any of the trust anchors

at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:352) ~[?:?]

at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:260) ~[?:?]

at sun.security.validator.Validator.validate(Validator.java:260) ~[?:?]

at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324) ~[?:?]

at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:279) ~[?:?]

at sun.security.ssl.X509TrustManagerImpl.checkClientTrusted(X509TrustManagerImpl.java:130) ~[?:?]

at sun.security.ssl.ServerHandshaker.clientCertificate(ServerHandshaker.java:1893) ~[?:?]

at sun.security.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:233) ~[?:?]

at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1026) ~[?:?]

at sun.security.ssl.Handshaker$1.run(Handshaker.java:966) ~[?:?]

at sun.security.ssl.Handshaker$1.run(Handshaker.java:963) ~[?:?]

at java.security.AccessController.doPrivileged(Native Method) ~[?:1.8.0_131]

at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1416) ~[?:?]

at io.netty.handler.ssl.SslHandler.runDelegatedTasks(SslHandler.java:1167) ~[?:?]

at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1080) ~[?:?]

at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:950) ~[?:?]

at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:411) ~[?:?]

… 15 more

Caused by: java.security.cert.CertPathValidatorException: Path does not chain with any of the trust anchors

at sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:153) ~[?:?]

at sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:79) ~[?:?]

at java.security.cert.CertPathValidator.validate(CertPathValidator.java:292) ~[?:1.8.0_131]

at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:347) ~[?:?]

at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:260) ~[?:?]

at sun.security.validator.Validator.validate(Validator.java:260) ~[?:?]

at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324) ~[?:?]

at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:279) ~[?:?]

at sun.security.ssl.X509TrustManagerImpl.checkClientTrusted(X509TrustManagerImpl.java:130) ~[?:?]

at sun.security.ssl.ServerHandshaker.clientCertificate(ServerHandshaker.java:1893) ~[?:?]

at sun.security.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:233) ~[?:?]

at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1026) ~[?:?]

at sun.security.ssl.Handshaker$1.run(Handshaker.java:966) ~[?:?]

at sun.security.ssl.Handshaker$1.run(Handshaker.java:963) ~[?:?]

at java.security.AccessController.doPrivileged(Native Method) ~[?:1.8.0_131]

at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1416) ~[?:?]

at io.netty.handler.ssl.SslHandler.runDelegatedTasks(SslHandler.java:1167) ~[?:?]

at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1080) ~[?:?]

at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:950) ~[?:?]

at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:411) ~[?:?]

… 15 more

This is the elasticsearch.yml:


######## Start Search Guard Demo Configuration ########

searchguard.ssl.transport.keystore_filepath: keystore.jks

searchguard.ssl.transport.truststore_filepath: truststore.jks

searchguard.ssl.transport.enforce_hostname_verification: false

searchguard.ssl.http.enabled: true

searchguard.ssl.http.keystore_filepath: keystore.jks

searchguard.ssl.http.truststore_filepath: truststore.jks

searchguard.authcz.admin_dn:

  - CN=kirk,OU=client,O=client,L=test, C=de

cluster.name: searchguard_demo

network.host: 0.0.0.0

######## End Search Guard Demo Configuration ########

searchguard.ssl.http.clientauth_mode: OPTIONAL

Did you solve it? I have the same problem…

在 2017年5月4日星期四 UTC+8下午2:06:23,Vikash Singh写道:


Hi,

I am working with the Search Guard REST API to manage roles, users, and permissions.

I have tried this

  1. Download search-guard-ssl-5.3.0
  2. Configure Elasticsearch 5.3.2 for the respective Search Guard version

I followed the blog to set up SSL.

Now, when I run this command on the VM:

curl --insecure --cert chain.pem --key kirk.key.pem "https://localhost:9200/_searchguard/api/configuration/config"

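It fails with the error below; the server rejects the client certificate during the TLS handshake because its path does not chain with any of the trust anchors: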

io.netty.handler.codec.DecoderException: javax.net.ssl.SSLHandshakeException: General SSLEngine problem

at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:442) ~[netty-codec-4.1.7.Final.jar:4.1.7.Final]

at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:248) ~[netty-codec-4.1.7.Final.jar:4.1.7.Final]

at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:363) [netty-transport-4.1.7.Final.jar:4.1.7.Final]

at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:349) [netty-transport-4.1.7.Final.jar:4.1.7.Final]

at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:341) [netty-transport-4.1.7.Final.jar:4.1.7.Final]

at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1334) [netty-transport-4.1.7.Final.jar:4.1.7.Final]

at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:363) [netty-transport-4.1.7.Final.jar:4.1.7.Final]

at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:349) [netty-transport-4.1.7.Final.jar:4.1.7.Final]

at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:926) [netty-transport-4.1.7.Final.jar:4.1.7.Final]

at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:129) [netty-transport-4.1.7.Final.jar:4.1.7.Final]

at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:642) [netty-transport-4.1.7.Final.jar:4.1.7.Final]

at io.netty.channel.nio.NioEventLoop.processSelectedKeysPlain(NioEventLoop.java:527) [netty-transport-4.1.7.Final.jar:4.1.7.Final]

at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:481) [netty-transport-4.1.7.Final.jar:4.1.7.Final]

at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:441) [netty-transport-4.1.7.Final.jar:4.1.7.Final]

at io.netty.util.concurrent.SingleThreadEventExecutor$5.run(SingleThreadEventExecutor.java:858) [netty-common-4.1.7.Final.jar:4.1.7.Final]

at java.lang.Thread.run(Thread.java:748) [?:1.8.0_131]

Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem

at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1478) ~[?:?]

at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:535) ~[?:?]

at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:813) ~[?:?]

at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:781) ~[?:?]

at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624) ~[?:1.8.0_131]

at io.netty.handler.ssl.SslHandler$SslEngineType$2.unwrap(SslHandler.java:218) ~[?:?]

at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1028) ~[?:?]

at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:950) ~[?:?]

at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:411) ~[?:?]

… 15 more

Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem

at sun.security.ssl.Alerts.getSSLException(Alerts.java:192) ~[?:?]

at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1728) ~[?:?]

at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:304) ~[?:?]

at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296) ~[?:?]

at sun.security.ssl.ServerHandshaker.clientCertificate(ServerHandshaker.java:1906) ~[?:?]

at sun.security.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:233) ~[?:?]

at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1026) ~[?:?]

at sun.security.ssl.Handshaker$1.run(Handshaker.java:966) ~[?:?]

at sun.security.ssl.Handshaker$1.run(Handshaker.java:963) ~[?:?]

at java.security.AccessController.doPrivileged(Native Method) ~[?:1.8.0_131]

at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1416) ~[?:?]

at io.netty.handler.ssl.SslHandler.runDelegatedTasks(SslHandler.java:1167) ~[?:?]

at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1080) ~[?:?]

at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:950) ~[?:?]

at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:411) ~[?:?]

… 15 more

Caused by: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: Path does not chain with any of the trust anchors

at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:352) ~[?:?]

at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:260) ~[?:?]

at sun.security.validator.Validator.validate(Validator.java:260) ~[?:?]

at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324) ~[?:?]

at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:279) ~[?:?]

at sun.security.ssl.X509TrustManagerImpl.checkClientTrusted(X509TrustManagerImpl.java:130) ~[?:?]

at sun.security.ssl.ServerHandshaker.clientCertificate(ServerHandshaker.java:1893) ~[?:?]

at sun.security.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:233) ~[?:?]

at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1026) ~[?:?]

at sun.security.ssl.Handshaker$1.run(Handshaker.java:966) ~[?:?]

at sun.security.ssl.Handshaker$1.run(Handshaker.java:963) ~[?:?]

at java.security.AccessController.doPrivileged(Native Method) ~[?:1.8.0_131]

at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1416) ~[?:?]

at io.netty.handler.ssl.SslHandler.runDelegatedTasks(SslHandler.java:1167) ~[?:?]

at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1080) ~[?:?]

at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:950) ~[?:?]

at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:411) ~[?:?]

… 15 more

Caused by: java.security.cert.CertPathValidatorException: Path does not chain with any of the trust anchors

at sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:153) ~[?:?]

at sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:79) ~[?:?]

at java.security.cert.CertPathValidator.validate(CertPathValidator.java:292) ~[?:1.8.0_131]

at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:347) ~[?:?]

at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:260) ~[?:?]

at sun.security.validator.Validator.validate(Validator.java:260) ~[?:?]

at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324) ~[?:?]

at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:279) ~[?:?]

at sun.security.ssl.X509TrustManagerImpl.checkClientTrusted(X509TrustManagerImpl.java:130) ~[?:?]

at sun.security.ssl.ServerHandshaker.clientCertificate(ServerHandshaker.java:1893) ~[?:?]

at sun.security.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:233) ~[?:?]

at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1026) ~[?:?]

at sun.security.ssl.Handshaker$1.run(Handshaker.java:966) ~[?:?]

at sun.security.ssl.Handshaker$1.run(Handshaker.java:963) ~[?:?]

at java.security.AccessController.doPrivileged(Native Method) ~[?:1.8.0_131]

at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1416) ~[?:?]

at io.netty.handler.ssl.SslHandler.runDelegatedTasks(SslHandler.java:1167) ~[?:?]

at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1080) ~[?:?]

at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:950) ~[?:?]

at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:411) ~[?:?]

… 15 more

This is the elasticsearch.yml:


######## Start Search Guard Demo Configuration ########

searchguard.ssl.transport.keystore_filepath: keystore.jks

searchguard.ssl.transport.truststore_filepath: truststore.jks

searchguard.ssl.transport.enforce_hostname_verification: false

searchguard.ssl.http.enabled: true

searchguard.ssl.http.keystore_filepath: keystore.jks

searchguard.ssl.http.truststore_filepath: truststore.jks

searchguard.authcz.admin_dn:

  - CN=kirk,OU=client,O=client,L=test, C=de

cluster.name: searchguard_demo

network.host: 0.0.0.0

######## End Search Guard Demo Configuration ########

searchguard.ssl.http.clientauth_mode: OPTIONAL