Using TransportClient with Search guard

Sameer_Pokarna · May 15, 2018, 5:46am

Hi,

I have managed to get the node-to-node encryption between ElasticSearch nodes using the standard instructions given in the documentation.

Is it possible to use same certificates to get a TransportClient to connect to ElasticSearch? I continue to get an error about “unknown_certificate”. Does anyone have a good pointer to a set of instructions to get TransportClient to work?

Thanks and regards,

Sameer

···

======

Search Guard 6.2.2-22
Elasticsearch version 6.2.2
JVM version and operating system version - RHEL 7.4
Search Guard configuration

Fabien_Wernli · May 15, 2018, 11:20am

You could look at the code I wrote implementing the SG client mode in elasticsearch destination for syslog-ng:

github.com/syslog-ng/syslog-ng

F/searchguard

syslog-ng:master ← ccin2p3:f/searchguard

opened 02:03PM - 04 Oct 16 UTC

faxm0dem

+56 -1

WIP: implements an additional `client-mode(searchguard)` this was tested agains…t searchguard 2.4.0.6 and searchguard-ssl 2.4.0.16 ``` destination d_elastic { elasticsearch2( client-lib-dir("/usr/share/elasticsearch/lib/*.jar:/tmp/all-sg-jars/") resource("/etc/syslog-ng/elasticsearch/elasticsearch.yml") client-mode("searchguard") port("9300") concurrent_requests("1") flush_limit("1") index("syslog-$YEAR.$MONTH") type("syslog") skip-cluster-health-check("yes") template("$(format-json -s all-nv-pairs -x __* -x tmp.* -x SOURCE -x PROGRAM -x MESSAGE -x PID -x HOST_FROM -x HOST -x LEGACY_MSGHDR -p uniqid=$UNIQID --rekey timestamp --add-prefix @ --rekey .classifier.* --add-prefix pdb --rekey .SDATA.auto.* --shift 12 --rekey .SDATA.* --shift 7 --rekey .* --shift 1)") ); }; ``` ``` yaml --- cluster: name: elasticsearch node: client: true name: syslog_ng path: data: /tmp home: /tmp http: enabled: false searchguard: ssl: transport: enabled: true keystore_filepath: "/etc/syslog-ng/elasticsearch/node-1-keystore.jks" keystore_password: changeit truststore_filepath: "/etc/syslog-ng/elasticsearch/truststore.jks" truststore_password: changeit enforce_hostname_verification: false http: enabled: false audit: type: internal_elasticsearch authcz: admin_dn: - CN=sgadmin - "CN=node-0.example.com, OU=SSL, L=Test, C=DE" ``` This fixes #1221

Sameer_Pokarna · May 17, 2018, 3:28am

Thanks Fabien for your pointer, I will look at ESTransportSearchGuardClient in this project and let you know.

Thanks and regards,

Sameer

···

On Tue, May 15, 2018 at 4:50 PM, Fabien Wernli swissunix@gmail.com wrote:

You could look at the code I wrote implementing the SG client mode in elasticsearch destination for syslog-ng:

https://github.com/balabit/syslog-ng/pull/1223/files

–

You received this message because you are subscribed to the Google Groups “Search Guard Community Forum” group.

To unsubscribe from this group and stop receiving emails from it, send an email to search-guard+unsubscribe@googlegroups.com.

To post to this group, send email to search-guard@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/d80c9c2a-6a6b-4105-b7da-2d7d87e00a8a%40googlegroups.com.

For more options, visit https://groups.google.com/d/optout.

Sameer_Pokarna · May 17, 2018, 7:11am

Hi Fabien,

Looks like these are the options you are using to access ElasticSearch enabled using SG. Does this work with PEM formats as well, or only PKCS12?

Also, have you tried with native protocol, or with HTTP only? Is HTTP authentication required for TransportClient to work with SG, or can I have certificate based encryption only? If possible, I would like to avoid using authentication for now.

java_keystore_filepath(“”)
java_keystore_password(“”)
java_truststore_filepath(“”)
java_truststore_password(“”)
java_ssl_insecure(“false”)
http_auth_type(“none”)
http_auth_type_basic_username(“”)
http_auth_type_basic_password(“”)

Thanks and regards,

Sameer

···

On Tue, May 15, 2018 at 4:50 PM, Fabien Wernli swissunix@gmail.com wrote:

You could look at the code I wrote implementing the SG client mode in elasticsearch destination for syslog-ng:

https://github.com/balabit/syslog-ng/pull/1223/files

–

You received this message because you are subscribed to the Google Groups “Search Guard Community Forum” group.

To unsubscribe from this group and stop receiving emails from it, send an email to search-guard+unsubscribe@googlegroups.com.

To post to this group, send email to search-guard@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/d80c9c2a-6a6b-4105-b7da-2d7d87e00a8a%40googlegroups.com.

For more options, visit https://groups.google.com/d/optout.

Fabien_Wernli · May 24, 2018, 10:43am

I think you’re misunderstanding the transport mode.
ES used to offer 3 different communication means for a client to communicate with a cluster.
These are node, transport and http.

The first two are more or less the same, and mean that your client will be part of the cluster to some extent. They are both deprecated, as far as clients are
concerned. I’d strongly advise you to use HTTP!

Sameer_Pokarna · May 24, 2018, 2:25pm

For now, I have to try out with Transport, since changing that in my current project is not an option. Eventually, we will move, but not for now.

Regards,

Sameer

···

On Thu, May 24, 2018 at 4:13 PM, Fabien Wernli swissunix@gmail.com wrote:

I think you’re misunderstanding the transport mode.
ES used to offer 3 different communication means for a client to communicate with a cluster.
These are node, transport and http.

The first two are more or less the same, and mean that your client will be part of the cluster to some extent. They are both deprecated, as far as clients are
concerned. I’d strongly advise you to use HTTP!

–

You received this message because you are subscribed to the Google Groups “Search Guard Community Forum” group.

To unsubscribe from this group and stop receiving emails from it, send an email to search-guard+unsubscribe@googlegroups.com.

To post to this group, send email to search-guard@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/0d9a8231-c405-445d-a6b8-cca62ccade9d%40googlegroups.com.

For more options, visit https://groups.google.com/d/optout.

Fabien_Wernli · May 24, 2018, 3:16pm

I think java 8 supports pem format to answer your earlier question.

Topic		Replies	Views
client using node transport Search Guard	5	349	May 12, 2016
Search Guard client configuration issue Search Guard	1	613	March 12, 2019
use elasticsearch client rest API(for connection) Search Guard	0	430	October 22, 2018
How to authenticate via a transport client certificate? Search Guard	2	336	May 27, 2017
ERR: You try to connect with a ssl node certificate instead of an admin client certificate Search Guard	7	485	April 4, 2018

Using TransportClient with Search guard

Related Topics