sgadmin error

Search Guard
1

Hey Guys,

I am trying to install search guard with the following setup:

elasticsearch: 6.3.0

searchguard: 6.3.0-22.3

OS: Ubuntu

Java: openjdk version “1.8.0_171”

I have all the TLS files ready and after restarting elastic i get the following error: “Search Guard not initialized (SG11). See http://docs.search-guard.com/v6/sgadmin

So, obviously, i tried to use the sgadmin but it throw the following:

WARNING: JAVA_HOME not set, will use /usr/bin/java

Search Guard Admin v6

Will connect to localhost:9300 … done

Unable to check whether cluster is sane: Cannot authenticate null

Connected as CN=admin.example.com,OU=RnD,O=Example,DC=example

ERR: CN=admin.example.com,OU=RnD,O=Example,DC=example is not an admin user

Seems you use a client certificate but this one is not registered as admin_dn

Make sure elasticsearch.yml on all nodes contains:

searchguard.authcz.admin_dn:

- “CN=admin.example.com,OU=RnD,O=Example,DC=example”

My elasticsearch.yml include the following (and as you can see it include the exact same admin_dn they mention)

bootstrap.memory_lock: true

cluster.name: demo

discovery.ec2.any_group: true

discovery.ec2.endpoint: ec2.us-east-1.amazonaws.com

discovery.ec2.host_type: private_ip

discovery.ec2.tag.es_cluster: demo

discovery.zen.hosts_provider: ec2

discovery.zen.minimum_master_nodes: 2

http.port: 9200

network.bind_host: 0.0.0.0

network.publish_host: some_host_prefix.compute-1.amazonaws.com

node.data: false

node.master: true

searchguard.authcz.admin_dn: “CN=admin.example.com,OU=RnD,O=Example,DC=example”

searchguard.cert.oid: 1.2.3.4.5.5

searchguard.ssl.http.enabled: false

searchguard.ssl.http.pemcert_filepath: esnode_http.pem

searchguard.ssl.http.pemkey_filepath: esnode_http.key

searchguard.ssl.http.pemkey_password: abc123

searchguard.ssl.http.pemtrustedcas_filepath: my-elasticsearch-ca.pem

searchguard.ssl.transport.enforce_hostname_verification: false

searchguard.ssl.transport.pemcert_filepath: esnode.pem

searchguard.ssl.transport.pemkey_filepath: esnode.key

searchguard.ssl.transport.pemkey_password: abc123

searchguard.ssl.transport.pemtrustedcas_filepath: my-elasticsearch-ca.pem

searchguard.ssl.transport.resolve_hostname: false

transport.tcp.port: 9300

Any suggestion / leads where and what to look for?

Thanks.

2

In the environmental variables you have to add JAVA_HOME with the path of your jdk or jre version. Like C:\Program Files\Java\jre1.8.0_181. After a restart it has to work! :slight_smile:

···

2018-07-23 14:20 GMT+02:00 Ohad Ben Porat ohadbp@gmail.com:

Hey Guys,

I am using elastic search 6.3 and trying to install search guard 6.3.0-22.3

I have all the TLS files ready and after restarting elastic i get the following error: “Search Guard not initialized (SG11). See http://docs.search-guard.com/v6/sgadmin

So, obviously, i tried to use the sgadmin but it throw the following:

WARNING: JAVA_HOME not set, will use /usr/bin/java

Search Guard Admin v6

Will connect to localhost:9300 … done

Unable to check whether cluster is sane: Cannot authenticate null

Connected as CN=admin.armis.com,OU=RnD,O=Armis,DC=armis

ERR: CN=admin.armis.com,OU=RnD,O=Armis,DC=armis is not an admin user

Seems you use a client certificate but this one is not registered as admin_dn

Make sure elasticsearch.yml on all nodes contains:

searchguard.authcz.admin_dn:

- “CN=admin.armis.com,OU=RnD,O=Armis,DC=armis”

My elasticsearch.yml include the following (and as you can see it include the exact same admin_dn they mention)

bootstrap.memory_lock: true

cluster.name: demo

discovery.ec2.any_group: true

discovery.ec2.endpoint: ec2.us-east-1.amazonaws.com

discovery.ec2.host_type: private_ip

discovery.ec2.tag.es_cluster: demo

discovery.zen.hosts_provider: ec2

discovery.zen.minimum_master_nodes: 2

http.port: 9200

network.bind_host: 0.0.0.0

network.publish_host: some_host_prefix.compute-1.amazonaws.com

node.data: false

node.master: true

searchguard.authcz.admin_dn: “CN=admin.armis.com,OU=RnD,O=Armis,DC=armis”

searchguard.cert.oid: 1.2.3.4.5.5

searchguard.ssl.http.enabled: false

searchguard.ssl.http.pemcert_filepath: esnode_http.pem

searchguard.ssl.http.pemkey_filepath: esnode_http.key

searchguard.ssl.http.pemkey_password: bDSommE07MYx

searchguard.ssl.http.pemtrustedcas_filepath: armis-elasticsearch-ca.pem

searchguard.ssl.transport.enforce_hostname_verification: false

searchguard.ssl.transport.pemcert_filepath: esnode.pem

searchguard.ssl.transport.pemkey_filepath: esnode.key

searchguard.ssl.transport.pemkey_password: EK3tUOwbVug0

searchguard.ssl.transport.pemtrustedcas_filepath: armis-elasticsearch-ca.pem

searchguard.ssl.transport.resolve_hostname: false

transport.tcp.port: 9300

Any suggestion / leads where and what to look for?

Thanks.

You received this message because you are subscribed to the Google Groups “Search Guard Community Forum” group.

To unsubscribe from this group and stop receiving emails from it, send an email to search-guard+unsubscribe@googlegroups.com.

To post to this group, send email to search-guard@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/183705e4-4473-4f47-9b08-c0c730d59726%40googlegroups.com.

For more options, visit https://groups.google.com/d/optout.

3

The default java chosen when JAVA_HOME isn’t configured is the correct java on my machine, but i tried your suggestion anyway - no different, still getting same error.

Thanks.

···

On Monday, July 23, 2018 at 3:28:16 PM UTC+3, csullogesztee wrote:

In the environmental variables you have to add JAVA_HOME with the path of your jdk or jre version. Like C:\Program Files\Java\jre1.8.0_181. After a restart it has to work! :slight_smile:

2018-07-23 14:20 GMT+02:00 Ohad Ben Porat oha...@gmail.com:

Hey Guys,

I am using elastic search 6.3 and trying to install search guard 6.3.0-22.3

I have all the TLS files ready and after restarting elastic i get the following error: “Search Guard not initialized (SG11). See http://docs.search-guard.com/v6/sgadmin

So, obviously, i tried to use the sgadmin but it throw the following:

WARNING: JAVA_HOME not set, will use /usr/bin/java

Search Guard Admin v6

Will connect to localhost:9300 … done

Unable to check whether cluster is sane: Cannot authenticate null

Connected as CN=admin.armis.com,OU=RnD,O=Armis,DC=armis

ERR: CN=admin.armis.com,OU=RnD,O=Armis,DC=armis is not an admin user

Seems you use a client certificate but this one is not registered as admin_dn

Make sure elasticsearch.yml on all nodes contains:

searchguard.authcz.admin_dn:

- “CN=admin.armis.com,OU=RnD,O=Armis,DC=armis”

My elasticsearch.yml include the following (and as you can see it include the exact same admin_dn they mention)

bootstrap.memory_lock: true

cluster.name: demo

discovery.ec2.any_group: true

discovery.ec2.endpoint: ec2.us-east-1.amazonaws.com

discovery.ec2.host_type: private_ip

discovery.ec2.tag.es_cluster: demo

discovery.zen.hosts_provider: ec2

discovery.zen.minimum_master_nodes: 2

http.port: 9200

network.bind_host: 0.0.0.0

network.publish_host: some_host_prefix.compute-1.amazonaws.com

node.data: false

node.master: true

searchguard.authcz.admin_dn: “CN=admin.armis.com,OU=RnD,O=Armis,DC=armis”

searchguard.cert.oid: 1.2.3.4.5.5

searchguard.ssl.http.enabled: false

searchguard.ssl.http.pemcert_filepath: esnode_http.pem

searchguard.ssl.http.pemkey_filepath: esnode_http.key

searchguard.ssl.http.pemkey_password: bDSommE07MYx

searchguard.ssl.http.pemtrustedcas_filepath: armis-elasticsearch-ca.pem

searchguard.ssl.transport.enforce_hostname_verification: false

searchguard.ssl.transport.pemcert_filepath: esnode.pem

searchguard.ssl.transport.pemkey_filepath: esnode.key

searchguard.ssl.transport.pemkey_password: EK3tUOwbVug0

searchguard.ssl.transport.pemtrustedcas_filepath: armis-elasticsearch-ca.pem

searchguard.ssl.transport.resolve_hostname: false

transport.tcp.port: 9300

Any suggestion / leads where and what to look for?

Thanks.

You received this message because you are subscribed to the Google Groups “Search Guard Community Forum” group.

To unsubscribe from this group and stop receiving emails from it, send an email to search-guard...@googlegroups.com.

To post to this group, send email to search...@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/183705e4-4473-4f47-9b08-c0c730d59726%40googlegroups.com.

For more options, visit https://groups.google.com/d/optout.

4

The searchguard.authcz.admin_dn expects an array, not a single value. So instead of:

searchguard.authcz.admin_dn: “CN=admin.armis.com,OU=RnD,O=Armis,DC=armis”

``

Try as outputted in the error message:

searchguard.authcz.admin_dn:

``

···

On Monday, July 23, 2018 at 2:53:46 PM UTC+2, Ohad Ben Porat wrote:

The default java chosen when JAVA_HOME isn’t configured is the correct java on my machine, but i tried your suggestion anyway - no different, still getting same error.

Thanks.

On Monday, July 23, 2018 at 3:28:16 PM UTC+3, csullogesztee wrote:

In the environmental variables you have to add JAVA_HOME with the path of your jdk or jre version. Like C:\Program Files\Java\jre1.8.0_181. After a restart it has to work! :slight_smile:

2018-07-23 14:20 GMT+02:00 Ohad Ben Porat oha...@gmail.com:

Hey Guys,

I am using elastic search 6.3 and trying to install search guard 6.3.0-22.3

I have all the TLS files ready and after restarting elastic i get the following error: “Search Guard not initialized (SG11). See http://docs.search-guard.com/v6/sgadmin

So, obviously, i tried to use the sgadmin but it throw the following:

WARNING: JAVA_HOME not set, will use /usr/bin/java

Search Guard Admin v6

Will connect to localhost:9300 … done

Unable to check whether cluster is sane: Cannot authenticate null

Connected as CN=admin.armis.com,OU=RnD,O=Armis,DC=armis

ERR: CN=admin.armis.com,OU=RnD,O=Armis,DC=armis is not an admin user

Seems you use a client certificate but this one is not registered as admin_dn

Make sure elasticsearch.yml on all nodes contains:

searchguard.authcz.admin_dn:

- “CN=admin.armis.com,OU=RnD,O=Armis,DC=armis”

My elasticsearch.yml include the following (and as you can see it include the exact same admin_dn they mention)

bootstrap.memory_lock: true

cluster.name: demo

discovery.ec2.any_group: true

discovery.ec2.endpoint: ec2.us-east-1.amazonaws.com

discovery.ec2.host_type: private_ip

discovery.ec2.tag.es_cluster: demo

discovery.zen.hosts_provider: ec2

discovery.zen.minimum_master_nodes: 2

http.port: 9200

network.bind_host: 0.0.0.0

network.publish_host: some_host_prefix.compute-1.amazonaws.com

node.data: false

node.master: true

searchguard.authcz.admin_dn: “CN=admin.armis.com,OU=RnD,O=Armis,DC=armis”

searchguard.cert.oid: 1.2.3.4.5.5

searchguard.ssl.http.enabled: false

searchguard.ssl.http.pemcert_filepath: esnode_http.pem

searchguard.ssl.http.pemkey_filepath: esnode_http.key

searchguard.ssl.http.pemkey_password: bDSommE07MYx

searchguard.ssl.http.pemtrustedcas_filepath: armis-elasticsearch-ca.pem

searchguard.ssl.transport.enforce_hostname_verification: false

searchguard.ssl.transport.pemcert_filepath: esnode.pem

searchguard.ssl.transport.pemkey_filepath: esnode.key

searchguard.ssl.transport.pemkey_password: EK3tUOwbVug0

searchguard.ssl.transport.pemtrustedcas_filepath: armis-elasticsearch-ca.pem

searchguard.ssl.transport.resolve_hostname: false

transport.tcp.port: 9300

Any suggestion / leads where and what to look for?

Thanks.

You received this message because you are subscribed to the Google Groups “Search Guard Community Forum” group.

To unsubscribe from this group and stop receiving emails from it, send an email to search-guard...@googlegroups.com.

To post to this group, send email to search...@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/183705e4-4473-4f47-9b08-c0c730d59726%40googlegroups.com.

For more options, visit https://groups.google.com/d/optout.

5

thanks, stupid mistake on my part.

···

On Monday, July 23, 2018 at 10:49:44 PM UTC+3, Jochen Kressin wrote:

searchguard.authcz.admin_dn: “CN=admin.armis.com,OU=RnD,O=Armis,DC=armis”

``

Try as outputted in the error message:

searchguard.authcz.admin_dn:

``

On Monday, July 23, 2018 at 2:53:46 PM UTC+2, Ohad Ben Porat wrote:

The default java chosen when JAVA_HOME isn’t configured is the correct java on my machine, but i tried your suggestion anyway - no different, still getting same error.

Thanks.

On Monday, July 23, 2018 at 3:28:16 PM UTC+3, csullogesztee wrote:

In the environmental variables you have to add JAVA_HOME with the path of your jdk or jre version. Like C:\Program Files\Java\jre1.8.0_181. After a restart it has to work! :slight_smile:

2018-07-23 14:20 GMT+02:00 Ohad Ben Porat oha...@gmail.com:

Hey Guys,

I am using elastic search 6.3 and trying to install search guard 6.3.0-22.3

I have all the TLS files ready and after restarting elastic i get the following error: “Search Guard not initialized (SG11). See http://docs.search-guard.com/v6/sgadmin

So, obviously, i tried to use the sgadmin but it throw the following:

WARNING: JAVA_HOME not set, will use /usr/bin/java

Search Guard Admin v6

Will connect to localhost:9300 … done

Unable to check whether cluster is sane: Cannot authenticate null

Connected as CN=admin.armis.com,OU=RnD,O=Armis,DC=armis

ERR: CN=admin.armis.com,OU=RnD,O=Armis,DC=armis is not an admin user

Seems you use a client certificate but this one is not registered as admin_dn

Make sure elasticsearch.yml on all nodes contains:

searchguard.authcz.admin_dn:

- “CN=admin.armis.com,OU=RnD,O=Armis,DC=armis”

My elasticsearch.yml include the following (and as you can see it include the exact same admin_dn they mention)

bootstrap.memory_lock: true

cluster.name: demo

discovery.ec2.any_group: true

discovery.ec2.endpoint: ec2.us-east-1.amazonaws.com

discovery.ec2.host_type: private_ip

discovery.ec2.tag.es_cluster: demo

discovery.zen.hosts_provider: ec2

discovery.zen.minimum_master_nodes: 2

http.port: 9200

network.bind_host: 0.0.0.0

network.publish_host: some_host_prefix.compute-1.amazonaws.com

node.data: false

node.master: true

searchguard.authcz.admin_dn: “CN=admin.armis.com,OU=RnD,O=Armis,DC=armis”

searchguard.cert.oid: 1.2.3.4.5.5

searchguard.ssl.http.enabled: false

searchguard.ssl.http.pemcert_filepath: esnode_http.pem

searchguard.ssl.http.pemkey_filepath: esnode_http.key

searchguard.ssl.http.pemkey_password: bDSommE07MYx

searchguard.ssl.http.pemtrustedcas_filepath: armis-elasticsearch-ca.pem

searchguard.ssl.transport.enforce_hostname_verification: false

searchguard.ssl.transport.pemcert_filepath: esnode.pem

searchguard.ssl.transport.pemkey_filepath: esnode.key

searchguard.ssl.transport.pemkey_password: EK3tUOwbVug0

searchguard.ssl.transport.pemtrustedcas_filepath: armis-elasticsearch-ca.pem

searchguard.ssl.transport.resolve_hostname: false

transport.tcp.port: 9300

Any suggestion / leads where and what to look for?

Thanks.

You received this message because you are subscribed to the Google Groups “Search Guard Community Forum” group.

To unsubscribe from this group and stop receiving emails from it, send an email to search-guard...@googlegroups.com.

To post to this group, send email to search...@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/183705e4-4473-4f47-9b08-c0c730d59726%40googlegroups.com.

For more options, visit https://groups.google.com/d/optout.

The searchguard.authcz.admin_dn expects an array, not a single value. So instead of: