I am trying to set-up the sgadmin, following this article https://github.com/floragunncom/search-guard-docs/blob/master/sgadmin.md
When running the sgadmin tool I am getting the following. I do have the Java Cryptography Extension installed.
$ ./sgadmin.sh -ts truststore.jks -tspass changeit -ks kirk-keystore.jks -kspass changeit -cd …/sgconfig -icl -nhnv
Will connect to localhost:9300 … done
ERR: An unexpected ElasticsearchSecurityException occured: no valid cipher suites for transport protocol
Trace:
ElasticsearchSecurityException[no valid cipher suites for transport protocol]
at com.floragunn.searchguard.ssl.DefaultSearchGuardKeyStore.<init>(DefaultSearchGuardKeyStore.java:155)
at com.floragunn.searchguard.ssl.SearchGuardSSLModule.<init>(SearchGuardSSLModule.java:40)
at com.floragunn.searchguard.ssl.SearchGuardSSLPlugin.nodeModules(SearchGuardSSLPlugin.java:128)
at org.elasticsearch.plugins.PluginsService.nodeModules(PluginsService.java:263)
at org.elasticsearch.client.transport.TransportClient$Builder.build(TransportClient.java:141)
at com.floragunn.searchguard.tools.SearchGuardAdmin.main0(SearchGuardAdmin.java:315)
at com.floragunn.searchguard.tools.SearchGuardAdmin.main(SearchGuardAdmin.java:101)
Here is system setup:
ls -l /elasticsearch-2.4.3/plugins/search-guard-2/tools
-rw-rw-r–. 1 214 Feb 3 12:50 hash.bat
-rw-rw-r–. 1 197 Feb 3 12:50 hash.sh
-rw-rw-r–. 1 4423 Feb 17 12:56 kirk-keystore.jks
-rw-rw-r–. 1 222 Feb 3 12:50 sgadmin.bat
-rwxrwxrwx. 1 218 Feb 3 12:50 sgadmin.sh
-rw-rw-r–. 1 1096 Feb 17 12:56 truststore.jks
$ java -version
java version “1.8.0”
Java™ SE Runtime Environment (build pxa6480sr4-20170127_01(SR4))
IBM J9 VM (build 2.8, JRE 1.8.0 Linux amd64-64 Compressed References 20170117_333500 (JIT enabled, AOT enabled)
J9VM - R28_20170117_0200_B333500
JIT - tr.r14.java.green_20170115_130932
GC - R28_20170117_0200_B333500_CMPRSS
J9CL - 20170117_333500)
JCL - 20170125_01 based on Oracle jdk8u121-b13
elasticsearch.yml:
searchguard.ssl.transport.keystore_filepath: node-0-keystore.jks
searchguard.ssl.transport.keystore_password: changeit
searchguard.ssl.transport.truststore_filepath: truststore.jks
searchguard.ssl.transport.truststore_password: changeit
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.authcz.admin_dn: CN=kirk,OU=client,O=client,L=test, C=DE
“elasticsearch.yml” 135L, 4552C
Output of ES:
[2017-02-17 19:56:02,420][INFO ][node ] [Nekra] version[2.4.3], pid[1430], build[d38a34e/2016-12-07T16:28:56Z]
[2017-02-17 19:56:02,421][INFO ][node ] [Nekra] initializing …
[2017-02-17 19:56:03,226][INFO ][com.floragunn.searchguard.ssl.SearchGuardSSLPlugin] Search Guard 2 plugin also available
[2017-02-17 19:56:03,245][INFO ][com.floragunn.searchguard.SearchGuardPlugin] Clustername: elasticsearch
[2017-02-17 19:56:03,245][INFO ][com.floragunn.searchguard.SearchGuardPlugin] Node [null] is a transportClient: false/tribeNode: false/tribeNodeClient: false
[2017-02-17 19:56:03,246][INFO ][plugins ] [Nekra] modules [reindex, lang-expression, lang-groovy], plugins [search-guard-ssl, search-guard-2], sites
[2017-02-17 19:56:03,278][INFO ][env ] [Nekra] using [1] data paths, mounts [[/ (rootfs)]], net usable_space [5.6gb], net total_space [9.9gb], spins? [unknown], types [rootfs]
[2017-02-17 19:56:03,278][INFO ][env ] [Nekra] heap size [1.9gb], compressed ordinary object pointers [true]
[2017-02-17 19:56:03,278][WARN ][env ] [Nekra] max file descriptors [4096] for elasticsearch process likely too low, consider increasing to at least [65536]
[2017-02-17 19:56:03,335][INFO ][com.floragunn.searchguard.ssl.DefaultSearchGuardKeyStore] Open SSL not available (this is not an error, we simply fallback to built-in JDK SSL) because of java.lang.ClassNotFoundException: org.apache.tomcat.jni.SSL
[2017-02-17 19:56:03,780][INFO ][com.floragunn.searchguard.ssl.DefaultSearchGuardKeyStore] Config directory is /opt/elastic/ElasticSearch/elasticsearch-2.4.3/config/, from there the key- and truststore files are resolved relatively
[2017-02-17 19:56:03,826][INFO ][com.floragunn.searchguard.ssl.DefaultSearchGuardKeyStore] sslTransportClientProvider:JDK with ciphers [TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256]
[2017-02-17 19:56:03,826][INFO ][com.floragunn.searchguard.ssl.DefaultSearchGuardKeyStore] sslTransportServerProvider:JDK with ciphers [TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256]
[2017-02-17 19:56:03,826][INFO ][com.floragunn.searchguard.ssl.DefaultSearchGuardKeyStore] sslHTTPProvider:null with ciphers
[2017-02-17 19:56:03,826][INFO ][com.floragunn.searchguard.ssl.DefaultSearchGuardKeyStore] sslTransport protocols [TLSv1.2, TLSv1.1]
[2017-02-17 19:56:03,826][INFO ][com.floragunn.searchguard.ssl.DefaultSearchGuardKeyStore] sslHTTP protocols [TLSv1.2, TLSv1.1]
[2017-02-17 19:56:04,137][INFO ][com.floragunn.searchguard.configuration.ConfigurationModule] FLS/DLS valve not bound (noop)
[2017-02-17 19:56:04,139][INFO ][com.floragunn.searchguard.auditlog.AuditLogModule] Auditlog not available
[2017-02-17 19:56:04,304][INFO ][transport ] [Nekra] Using [com.floragunn.searchguard.transport.SearchGuardTransportService] as transport service, overridden by [search-guard2]
[2017-02-17 19:56:04,304][INFO ][transport ] [Nekra] Using [com.floragunn.searchguard.ssl.transport.SearchGuardSSLNettyTransport] as transport, overridden by [search-guard-ssl]
[2017-02-17 19:56:07,110][INFO ][node ] [Nekra] initialized
[2017-02-17 19:56:07,110][INFO ][node ] [Nekra] starting …
[2017-02-17 19:56:07,292][INFO ][com.floragunn.searchguard.transport.SearchGuardTransportService] [Nekra] publish_address {10.240.0.24:9300}, bound_addresses {[::]:9300}
[2017-02-17 19:56:07,296][INFO ][com.floragunn.searchguard.action.configupdate.TransportConfigUpdateAction] [Nekra] Check if searchguard index exists …
[2017-02-17 19:56:07,302][DEBUG][action.admin.indices.exists.indices] [Nekra] no known master node, scheduling a retry
[2017-02-17 19:56:07,308][INFO ][discovery ] [Nekra] elasticsearch/pRteXY99TWyxyGZtUAkBJQ
[2017-02-17 19:56:10,444][INFO ][cluster.service ] [Nekra] new_master {Nekra}{pRteXY99TWyxyGZtUAkBJQ}{10.240.0.24}{10.240.0.24:9300}, reason: zen-disco-join(elected_as_master, [0] joins received)
[2017-02-17 19:56:10,508][INFO ][http ] [Nekra] publish_address {10.240.0.24:9200}, bound_addresses {[::]:9200}
[2017-02-17 19:56:10,508][INFO ][node ] [Nekra] started
[2017-02-17 19:56:10,527][INFO ][gateway ] [Nekra] recovered [0] indices into cluster_state
[2017-02-17 19:56:10,528][INFO ][com.floragunn.searchguard.action.configupdate.TransportConfigUpdateAction] [Nekra] searchguard index does not exist yet, so no need to load config on node startup. Use sgadmin to initialize cluster