Mi Marco,
thanks for your feedback. Regarding TLS being mandatory - well, we’re a “security first” company and have strong opinions on that topic of course.
Search Guard always required TLS on transport level, and even though we got a lot of requests to make it optional, we always stuck to our initial decision. Reason: You will never be able to implement proper security without encrypting the data in transit. It seems that with the release of X-Pack 6 Elastic (finally!) follows our path, since TLS on transport will be mandatory also in X-Pack Security. Better late than never!
A private network alone definitely will not help here, since according to various security studies (e.g. from IBM), more than 50% of the attacks come from the inside, not the outside. That’s why all compliance standards like GDRP, HIPAA, PCI etc. require encryption for data in transit, and sometimes also at rest. The future of Enterprise Security will definitely be “zero trust networks” (e.g. https://cloud.google.com/beyondcorp/) and the least you can do is to encrypt traffic. In my opinion, the days where you could rely on private networks, VPNs, firewalls etc. are definitely over. See for example the OneLogin breaches.
Security in general and TLS in particular is definitely not an easy topic, and if someone tells you his or her security solution just works out of the box - don’t trust them. It just doesn’t. One needs to familiarize with the concepts behind any security solution to make sure it does what it’s supposed to do. We think there is no shortcut to that. For example, in order to execute sgadmin you need to provide a client certificate. This was a deliberate decision because the other option would be to provide a default password or generate a random password upon installation. Default passwords are a no-go, and randomly generated passwords are also insecure. That’s why we took the certificate based approach, even if it is a bit harder to understand than just typing admin/admin
But having said all that …
I’m curious about the hurdles you faced when creating the certificates. I always thought that creating certificates for Search Guard is not harder than, say, generating a certificate for a web server. You need to generate a CSR in both cases and submit it to a CA (be it external or your internal PKI). You get back certificates, e.g. in PEM format, and need to configure the cert and the key on the server, which is ES/SG in this case. Also with a web server certificate, you need to make sure to provide the correct information in the CSR, for example, the correct hostname.
We can definitely extend the example scripts, but they surely require Java and OpenSSL installed on the machine where you execute them. For users that cannot use them, we provide the TLS certificate generator service on our website. For companies that have a PKI infrastructure in place, TLS is usually not a problem, and we see more and more companies moving away from traditional user/password based approaches, towards certificates only infrastructure.
So I really like to learn more about the specific issues you faced and the infrastructure you’re working with, so we can improve the whole TLS topic further. You can also take this conversation private if you like by dropping me an email: jkressin@floragunn.com
Thanks for your feedback!
···
On Friday, September 29, 2017 at 2:29:13 PM UTC+2, mcostantini@np6.com wrote:
For my case, I just needed to make sure the SAN in the node certs was accurate. So, solved.
I still recommend a small education on TLS. I know it’s not your product but it is SO closely tied to it.
In lieu of that, I recommend wrapping up the ‘example’ script bundle into something more practical and non example-like. That’s what I ended up doing in the end: dropping my node info straight into the example scripts.
Thanks,
Marco.
On Thursday, September 28, 2017 at 6:17:46 PM UTC+2, mcost...@np6.com wrote:
We don’t want transport TLS. Our whole cluster exists in a private network. Regardless, we try to get it working as its required. Today, I am getting this
Caused by: java.security.cert.CertificateException: No subject alternative DNS name matching poc-profiles-es-01 found.
``
It’s not a sudden error. I’m deploying to a new cluster. After some reading, I put these properties in elasticsearch.yml
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.transport.resolve_hostname: false
``
The error remains. I think many people face this same issue. Whether they need TLS or not, I think many people will want to test SG with TLS not being a variable, at some stage.
Question: Without resorting to using the demo scripts, what would be the minimal path to setting up TLS with the goal of not having to think about it.
I fully expect a wave of security concerns coming back, but my question remains.
Please and thank you.