specifying storetype with sgadmin.sh

When I run sgadmin I get the following output:

/usr/share/elasticsearch/plugins/search-guard-2/tools/sgadmin.sh -cd /usr/share/elasticsearch/plugins/search-guard-2/sgconfig/ -ks elasticsearch-client-keystore.jks -ts staging-elasticsearch-client-truststore.jks -nhnv
Connect to localhost:9300
Exception in thread "main" ElasticsearchSecurityException[java.io.IOException: DerInputStream.getLength(): lengthTag=109, too big.]; nested: IOException[DerInputStream.getLength(): lengthTag=109, too big.];
  at com.floragunn.searchguard.ssl.SearchGuardKeyStore.initSSLConfig(SearchGuardKeyStore.java:261)
  at com.floragunn.searchguard.ssl.SearchGuardKeyStore.<init>(SearchGuardKeyStore.java:139)
  at com.floragunn.searchguard.ssl.SearchGuardSSLModule.<init>(SearchGuardSSLModule.java:29)
  at com.floragunn.searchguard.ssl.SearchGuardSSLPlugin.nodeModules(SearchGuardSSLPlugin.java:129)
  at org.elasticsearch.plugins.PluginsService.nodeModules(PluginsService.java:263)
  at org.elasticsearch.client.transport.TransportClient$Builder.build(TransportClient.java:139)
  at com.floragunn.searchguard.tools.SearchGuardAdmin.main(SearchGuardAdmin.java:198)
Caused by: java.io.IOException: DerInputStream.getLength(): lengthTag=109, too big.
  at sun.security.util.DerInputStream.getLength(DerInputStream.java:561)
  at sun.security.util.DerValue.init(DerValue.java:365)
  at sun.security.util.DerValue.<init>(DerValue.java:320)
  at sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:1914)
  at java.security.KeyStore.load(KeyStore.java:1445)
  at com.floragunn.searchguard.ssl.SearchGuardKeyStore.initSSLConfig(SearchGuardKeyStore.java:208)
  ... 6 more

The keystore and truststore are of type JKS, but it seems that they are possibly being treated as PKCS12 by Elasticsearch. Is there a way to set the storetype in the sgadmin.sh command?

So, it seems the file names need to end with ‘.jks’ in order to be parsed as JKS type instead of PKCS12.

···

On Tuesday, June 28, 2016 at 2:17:26 PM UTC-7, Max Furman wrote:


···


Yes, you are right. The keystore type is detected by looking at the file extension.
If this is an issue for you, please open a new GitHub issue and we will fix that.

···

On 28.06.2016 at 23:40, Max Furman <mx.furman@gmail.com> wrote:

https://github.com/floragunncom/search-guard/blob/d844f41371eead76cee4c222cf6fee488049fa2f/src/main/java/com/floragunn/searchguard/tools/SearchGuardAdmin.java#L188


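A content-based check for the mismatch discussed in this thread, as an added example that is not Search Guard code and not part of the original posts: it classifies a keystore by its leading bytes rather than its file extension, and shows why JKS bytes handed to a DER (PKCS12) parser report lengthTag=109. The function names and sample file names are assumptions, and the sample files are constructed headers only, not usable keystores.

```shell
#!/bin/sh
# Added example: identify a Java keystore by magic number, not by file name.

# Print the first N bytes of FILE as lowercase hex without separators.
head_hex() {
    od -An -v -tx1 -N "$2" "$1" | tr -d ' \t\n'
}

# JKS starts with FE ED FE ED, JCEKS with CE CE CE CE. PKCS#12 is a DER
# SEQUENCE, so it starts with tag 0x30 (heuristic: other DER data does too).
keystore_type() {
    case "$(head_hex "$1" 4)" in
        feedfeed) echo JKS ;;
        cececece) echo JCEKS ;;
        30*)      echo PKCS12 ;;
        *)        echo unknown ;;
    esac
}

# Interpret the second byte the way a DER parser does: it is the length octet.
# High bit clear -> short form, the value is the length itself.
# High bit set   -> long form, the low 7 bits count the length bytes that
#                   follow; Java's DerInputStream rejects counts above 4
#                   with "lengthTag=<count>, too big."
der_length_tag() {
    second=$(head_hex "$1" 2 | cut -c3-4)
    [ -n "$second" ] || { echo none; return 0; }
    len=$((0x$second))
    if [ $((len & 0x80)) -eq 0 ]; then
        echo "short:$len"
    else
        echo "long:$((len & 0x7f))"
    fi
}

# Constructed sample headers with deliberately misleading extensions.
make_samples() {
    printf '\376\355\376\355' > "$1/client.p12"   # JKS magic, PKCS12-style name
    printf '\060\202\011\261' > "$1/client.jks"   # DER SEQUENCE, JKS-style name
}

tmp=$(mktemp -d)
make_samples "$tmp"
for f in "$tmp"/client.*; do
    echo "$(basename "$f"): type=$(keystore_type "$f") der=$(der_length_tag "$f")"
done
```

The second byte of the JKS magic is 0xED, and 0xED & 0x7F is 109, which matches the value in the stack trace above.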