We cant initialize SeaarchGuard

installed ver. 2.2.0

when i start the elastic, the elastic start normally
but Search guard not inicialize

curl -XGET localhost:9200

Search Guard not initialized (SG11)

then i execute sgadmin and get this:

./sgadmin.sh -cd /usr/share/elasticsearch/plugins/search-guard-2/sgconfig -ks /usr/share/elasticsearch/plugins/search-guard-ssl/example-pki-scripts/kirk-keystore.jks -ts /usr/share/elasticsearch/plugins/search-guard-ssl/example-pki-scripts/truststore.jks -nhnv -tspass tspass -kspass kspass

Connect to localhost:9300
[09:54:40,345][WARN ] org.elasticsearch.com.floragunn.searchguard.ssl.SearchGuardKeyStore - AES 256 not supported, max key length for AES is 128. To enable AES 256 install ‘Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files’
Exception in thread “main” NoNodeAvailableException[None of the configured nodes are available: [{#transport#-1}{127.0.0.1}{localhost/127.0.0.1:9300}]]
at org.elasticsearch.client.transport.TransportClientNodesService.ensureNodesAreAvailable(TransportClientNodesService.java:290)
at org.elasticsearch.client.transport.TransportClientNodesService.execute(TransportClientNodesService.java:207)
at org.elasticsearch.client.transport.support.TransportProxyClient.execute(TransportProxyClient.java:55)
at org.elasticsearch.client.transport.TransportClient.doExecute(TransportClient.java:286)
at org.elasticsearch.client.support.AbstractClient.execute(AbstractClient.java:351)
at org.elasticsearch.client.support.AbstractClient.execute(AbstractClient.java:340)
at org.elasticsearch.client.support.AbstractClient$ClusterAdmin.execute(AbstractClient.java:840)
at org.elasticsearch.client.support.AbstractClient$ClusterAdmin.health(AbstractClient.java:860)
at com.floragunn.searchguard.tools.SearchGuardAdmin.main(SearchGuardAdmin.java:144)

any ideas?
what happened?

Here the log of Elastic:
[2016-05-18 09:54:09,487][INFO ][node ] [Hildegarde] stopping …
[2016-05-18 09:54:09,505][INFO ][node ] [Hildegarde] stopped
[2016-05-18 09:54:09,506][INFO ][node ] [Hildegarde] closing …
[2016-05-18 09:54:09,511][INFO ][node ] [Hildegarde] closed
[2016-05-18 09:54:10,270][WARN ][bootstrap ] unable to install syscall filter: seccomp unavailable: requires kernel 3.5+ with CONFIG_SECCOMP and CONFIG_SECCOMP_FILTER compiled in
[2016-05-18 09:54:10,596][INFO ][node ] [Mad Jim Jaspers] version[2.2.0], pid[20043], build[8ff36d1/2016-01-27T13:32:39Z]
[2016-05-18 09:54:10,596][INFO ][node ] [Mad Jim Jaspers] initializing …
[2016-05-18 09:54:11,523][INFO ][plugins ] [Mad Jim Jaspers] modules [lang-expression, lang-groovy], plugins [search-guard-ssl, search-guard-2], sites
[2016-05-18 09:54:11,553][INFO ][env ] [Mad Jim Jaspers] using [1] data paths, mounts [[/ (/dev/md1)]], net usable_space [1.2tb], net total_space [1.7tb], spins? [possibly], types [ext4]
[2016-05-18 09:54:11,553][INFO ][env ] [Mad Jim Jaspers] heap size [989.8mb], compressed ordinary object pointers [true]
[2016-05-18 09:54:11,618][INFO ][com.floragunn.searchguard.ssl.SearchGuardKeyStore] Open SSL not available because of java.lang.UnsatisfiedLinkError: /tmp/libnetty-tcnative3908967867615620475.so: libssl.so.1.0.0: cannot open shared object file: No such file or directory
[2016-05-18 09:54:11,947][WARN ][com.floragunn.searchguard.ssl.SearchGuardKeyStore] AES 256 not supported, max key length for AES is 128. To enable AES 256 install ‘Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files’
[2016-05-18 09:54:11,948][INFO ][com.floragunn.searchguard.ssl.SearchGuardKeyStore] sslTransportClientProvider:JDK with ciphers [TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256]
[2016-05-18 09:54:11,948][INFO ][com.floragunn.searchguard.ssl.SearchGuardKeyStore] sslTransportServerProvider:JDK with ciphers [TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256]
[2016-05-18 09:54:11,948][INFO ][com.floragunn.searchguard.ssl.SearchGuardKeyStore] sslHTTPProvider:null with ciphers
[2016-05-18 09:54:12,373][INFO ][transport ] [Mad Jim Jaspers] Using [com.floragunn.searchguard.transport.SearchGuardTransportService] as transport service, overridden by [search-guard2]
[2016-05-18 09:54:12,373][INFO ][transport ] [Mad Jim Jaspers] Using [com.floragunn.searchguard.ssl.transport.SearchGuardSSLNettyTransport] as transport, overridden by [search-guard-ssl]
[2016-05-18 09:54:14,175][INFO ][node ] [Mad Jim Jaspers] initialized
[2016-05-18 09:54:14,176][INFO ][node ] [Mad Jim Jaspers] starting …
[2016-05-18 09:54:14,262][INFO ][com.floragunn.searchguard.transport.SearchGuardTransportService] [Mad Jim Jaspers] publish_address {127.0.0.1:9300}, bound_addresses {127.0.0.1:9300}
[2016-05-18 09:54:14,275][INFO ][discovery ] [Mad Jim Jaspers] elasticsearch/v1JRbYwESGuxU2o-r9eMhg
[2016-05-18 09:54:14,277][DEBUG][action.admin.cluster.health] [Mad Jim Jaspers] no known master node, scheduling a retry
[2016-05-18 09:54:18,317][INFO ][cluster.service ] [Mad Jim Jaspers] new_master {Mad Jim Jaspers}{v1JRbYwESGuxU2o-r9eMhg}{127.0.0.1}{127.0.0.1:9300}, reason: zen-disco-join(elected_as_master, [0] joins received)
[2016-05-18 09:54:18,335][INFO ][http ] [Mad Jim Jaspers] publish_address {127.0.0.1:9200}, bound_addresses {127.0.0.1:9200}
[2016-05-18 09:54:18,335][INFO ][node ] [Mad Jim Jaspers] started
[2016-05-18 09:54:18,504][INFO ][gateway ] [Mad Jim Jaspers] recovered [0] indices into cluster_state

Thanks for all!
Regards!

Hi,

I think this is your answer: “AES 256 not supported, max key length for AES is 128”

Regards

Hi thanks for reply, i solved the AES 256 problem, but i have still same error:

/usr/share/elasticsearch/

plugins/search-guard-2/tools/sgadmin.sh -cd /usr/share/elasticsearch/plugins/search-guard-2/sgconfig -ks /usr/share/elasticsearch/plugins/search-guard-ssl/example-pki-scripts/kirk-keystore.jks -ts /usr/share/elasticsearch/plugins/search-guard-ssl/example-pki-scripts/truststore.jks -nhnv -tspass tspass -kspass kspass
Connect to localhost:9300
Exception in thread “main” NoNodeAvailableException[None of the configured nodes are available: [{#transport#-1}{127.0.0.1}{localhost/127.0.0.1:9300}]]
at org.elasticsearch.client.transport.TransportClientNodesService.ensureNodesAreAvailable(TransportClientNodesService.java:290)
at org.elasticsearch.client.transport.TransportClientNodesService.execute(TransportClientNodesService.java:207)
at org.elasticsearch.client.transport.support.TransportProxyClient.execute(TransportProxyClient.java:55)
at org.elasticsearch.client.transport.TransportClient.doExecute(TransportClient.java:286)
at org.elasticsearch.client.support.AbstractClient.execute(AbstractClient.java:351)
at org.elasticsearch.client.support.AbstractClient.execute(AbstractClient.java:340)
at org.elasticsearch.client.support.AbstractClient$ClusterAdmin.execute(AbstractClient.java:840)
at org.elasticsearch.client.support.AbstractClient$ClusterAdmin.health(AbstractClient.java:860)
at com.floragunn.searchguard.tools.SearchGuardAdmin.main(SearchGuardAdmin.java:144)

any idea?

Log:
[2016-05-18 11:14:39,676][INFO ][node ] [Lightmaster] stopping …
[2016-05-18 11:14:39,703][INFO ][node ] [Lightmaster] stopped
[2016-05-18 11:14:39,704][INFO ][node ] [Lightmaster] closing …
[2016-05-18 11:14:39,715][INFO ][node ] [Lightmaster] closed
[2016-05-18 11:14:40,472][WARN ][bootstrap ] unable to install syscall filter: seccomp unavailable: requires kernel 3.5+ with CONFIG_SECCOMP and CONFIG_SECCOMP_FILTER compiled in
[2016-05-18 11:14:40,769][INFO ][node ] [Remy LeBeau] version[2.2.0], pid[25089], build[8ff36d1/2016-01-27T13:32:39Z]
[2016-05-18 11:14:40,769][INFO ][node ] [Remy LeBeau] initializing …
[2016-05-18 11:14:41,673][INFO ][plugins ] [Remy LeBeau] modules [lang-expression, lang-groovy], plugins [search-guard-ssl, search-guard-2], sites
[2016-05-18 11:14:41,699][INFO ][env ] [Remy LeBeau] using [1] data paths, mounts [[/ (/dev/md1)]], net usable_space [1.2tb], net total_space [1.7tb], spins? [possibly], types [ext4]
[2016-05-18 11:14:41,699][INFO ][env ] [Remy LeBeau] heap size [989.8mb], compressed ordinary object pointers [true]
[2016-05-18 11:14:41,756][INFO ][com.floragunn.searchguard.ssl.SearchGuardKeyStore] Open SSL not available because of java.lang.UnsatisfiedLinkError: /tmp/libnetty-tcnative1777480401129028067.so: libssl.so.1.0.0: cannot open shared object file: No such file or directory
[2016-05-18 11:14:42,067][INFO ][com.floragunn.searchguard.ssl.SearchGuardKeyStore] sslTransportClientProvider:JDK with ciphers [TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256]
[2016-05-18 11:14:42,067][INFO ][com.floragunn.searchguard.ssl.SearchGuardKeyStore] sslTransportServerProvider:JDK with ciphers [TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256]
[2016-05-18 11:14:42,068][INFO ][com.floragunn.searchguard.ssl.SearchGuardKeyStore] sslHTTPProvider:null with ciphers
[2016-05-18 11:14:42,478][INFO ][transport ] [Remy LeBeau] Using [com.floragunn.searchguard.transport.SearchGuardTransportService] as transport service, overridden by [search-guard2]
[2016-05-18 11:14:42,479][INFO ][transport ] [Remy LeBeau] Using [com.floragunn.searchguard.ssl.transport.SearchGuardSSLNettyTransport] as transport, overridden by [search-guard-ssl]
[2016-05-18 11:14:43,901][DEBUG][com.floragunn.searchguard.configuration.AdminDNs] CN=kirk,OU=client,O=client,l=Test, C=De
[2016-05-18 11:14:43,902][DEBUG][com.floragunn.searchguard.configuration.AdminDNs] Loaded 1 admin DN’s [CN=kirk,OU=client,O=client,l=Test, C=De]
[2016-05-18 11:14:43,904][DEBUG][com.floragunn.searchguard.configuration.AdminDNs] Loaded 1 impersonation DN’s {CN=l2,OU=SSL,O=Test,L=Test,C=DE=[deal]}
[2016-05-18 11:14:44,072][DEBUG][com.floragunn.searchguard.configuration.AdminDNs] CN=kirk,OU=client,O=client,l=Test, C=De
[2016-05-18 11:14:44,072][DEBUG][com.floragunn.searchguard.configuration.AdminDNs] Loaded 1 admin DN’s [CN=kirk,OU=client,O=client,l=Test, C=De]
[2016-05-18 11:14:44,073][DEBUG][com.floragunn.searchguard.configuration.AdminDNs] Loaded 1 impersonation DN’s {CN=l2,OU=SSL,O=Test,L=Test,C=DE=[deal]}
[2016-05-18 11:14:44,076][DEBUG][com.floragunn.searchguard.configuration.AdminDNs] CN=kirk,OU=client,O=client,l=Test, C=De
[2016-05-18 11:14:44,076][DEBUG][com.floragunn.searchguard.configuration.AdminDNs] Loaded 1 admin DN’s [CN=kirk,OU=client,O=client,l=Test, C=De]
[2016-05-18 11:14:44,076][DEBUG][com.floragunn.searchguard.configuration.AdminDNs] Loaded 1 impersonation DN’s {CN=l2,OU=SSL,O=Test,L=Test,C=DE=[deal]}
[2016-05-18 11:14:44,163][DEBUG][com.floragunn.searchguard.configuration.AdminDNs] CN=kirk,OU=client,O=client,l=Test, C=De
[2016-05-18 11:14:44,163][DEBUG][com.floragunn.searchguard.configuration.AdminDNs] Loaded 1 admin DN’s [CN=kirk,OU=client,O=client,l=Test, C=De]
[2016-05-18 11:14:44,164][DEBUG][com.floragunn.searchguard.configuration.AdminDNs] Loaded 1 impersonation DN’s {CN=l2,OU=SSL,O=Test,L=Test,C=DE=[deal]}
[2016-05-18 11:14:44,167][DEBUG][com.floragunn.searchguard.configuration.AdminDNs] CN=kirk,OU=client,O=client,l=Test, C=De
[2016-05-18 11:14:44,168][DEBUG][com.floragunn.searchguard.configuration.AdminDNs] Loaded 1 admin DN’s [CN=kirk,OU=client,O=client,l=Test, C=De]
[2016-05-18 11:14:44,168][DEBUG][com.floragunn.searchguard.configuration.AdminDNs] Loaded 1 impersonation DN’s {CN=l2,OU=SSL,O=Test,L=Test,C=DE=[deal]}
[2016-05-18 11:14:44,168][DEBUG][com.floragunn.searchguard.configuration.AdminDNs] CN=kirk,OU=client,O=client,l=Test, C=De
[2016-05-18 11:14:44,168][DEBUG][com.floragunn.searchguard.configuration.AdminDNs] Loaded 1 admin DN’s [CN=kirk,OU=client,O=client,l=Test, C=De]
[2016-05-18 11:14:44,168][DEBUG][com.floragunn.searchguard.configuration.AdminDNs] Loaded 1 impersonation DN’s {CN=l2,OU=SSL,O=Test,L=Test,C=DE=[deal]}
[2016-05-18 11:14:44,172][INFO ][node ] [Remy LeBeau] initialized
[2016-05-18 11:14:44,172][INFO ][node ] [Remy LeBeau] starting …
[2016-05-18 11:14:44,801][DEBUG][com.floragunn.searchguard.ssl.transport.SearchGuardSSLNettyTransport] [Remy LeBeau] Node client configured for SSL
[2016-05-18 11:14:44,803][DEBUG][com.floragunn.searchguard.ssl.transport.SearchGuardSSLNettyTransport] [Remy LeBeau] using profile[default], worker_count[16], port[9300-9400], bind_host[null], publish_host[null], compress[false], connect_timeout[30s], connections_per_node[2/3/6/1/1], receive_predictor[512kb->512kb]
[2016-05-18 11:14:44,831][DEBUG][com.floragunn.searchguard.ssl.transport.SearchGuardSSLNettyTransport] [Remy LeBeau] Node server configured for SSL
[2016-05-18 11:14:44,832][DEBUG][com.floragunn.searchguard.ssl.transport.SearchGuardSSLNettyTransport] [Remy LeBeau] binding server bootstrap to: 127.0.0.1
[2016-05-18 11:14:44,854][DEBUG][com.floragunn.searchguard.ssl.transport.SearchGuardSSLNettyTransport] [Remy LeBeau] Bound profile [default] to address {127.0.0.1:9300}
[2016-05-18 11:14:44,855][INFO ][com.floragunn.searchguard.transport.SearchGuardTransportService] [Remy LeBeau] publish_address {127.0.0.1:9300}, bound_addresses {127.0.0.1:9300}
[2016-05-18 11:14:44,875][INFO ][discovery ] [Remy LeBeau] elasticsearch/ovb6xGwfQ8yhAuQjE93_jA
[2016-05-18 11:14:44,876][DEBUG][action.admin.cluster.health] [Remy LeBeau] no known master node, scheduling a retry
[2016-05-18 11:14:48,912][INFO ][cluster.service ] [Remy LeBeau] new_master {Remy LeBeau}{ovb6xGwfQ8yhAuQjE93_jA}{127.0.0.1}{127.0.0.1:9300}, reason: zen-disco-join(elected_as_master, [0] joins received)
[2016-05-18 11:14:48,927][INFO ][http ] [Remy LeBeau] publish_address {127.0.0.1:9200}, bound_addresses {127.0.0.1:9200}
[2016-05-18 11:14:48,928][INFO ][node ] [Remy LeBeau] started
[2016-05-18 11:14:49,101][INFO ][gateway ] [Remy LeBeau] recovered [0] indices into cluster_state
[2016-05-18 11:15:18,929][DEBUG][com.floragunn.searchguard.configuration.ConfigurationLoader] Cannot retrieve failure config no such index
[2016-05-18 11:15:18,930][DEBUG][com.floragunn.searchguard.configuration.ConfigurationLoader] Cannot retrieve failure roles no such index
[2016-05-18 11:15:18,930][DEBUG][com.floragunn.searchguard.configuration.ConfigurationLoader] Cannot retrieve failure rolesmapping no such index
[2016-05-18 11:15:18,930][DEBUG][com.floragunn.searchguard.configuration.ConfigurationLoader] Cannot retrieve failure internalusers no such index
[2016-05-18 11:15:18,930][DEBUG][com.floragunn.searchguard.configuration.ConfigurationLoader] Cannot retrieve failure actiongroups no such index

Regards

Try to look at my thread : https://groups.google.com/forum/#!topic/search-guard/rOTqyyPk4KI

I had the same error, the sg support helped me to solve my problem.

Regards

Mmm i trying to connect to 9300 and i get this.

openssl s_client -connect localhost:9300

socket: Connection refused
connect:errno=111

it’s Ok?

Regards

Well… my bad, the ip tables blocked the 9300…
now the sgadmin run sussefully.

now… this is ok?:

curl -XGET localhost:9200

{“error”:{“root_cause”:[{“type”:“security_exception”,“reason”:“no remote ip”}],“type”:“security_exception”,“reason”:“no remote ip”},“status”:400}

Regards

can you provide your configuration (sg_config.yml)? Seems like the xff config is wrong or you have no X-Fowarded-For header in your request.

try something like this:
curl --header "X-Forwarded-For: 192.168.0.1" localhost:9200

Set

searchguard:
  dynamic:
    http:
      xff:
        enabled: false

if you dont need it

···

Am 18.05.2016 um 17:43 schrieb soportecanopus@gmail.com:

Well.. my bad, the ip tables blocked the 9300...
now the sgadmin run sussefully.

now.. this is ok?:

# curl -XGET localhost:9200
{"error":{"root_cause":[{"type":"security_exception","reason":"no remote ip"}],"type":"security_exception","reason":"no remote ip"},"status":400}

Regards

--
You received this message because you are subscribed to the Google Groups "Search Guard" group.
To unsubscribe from this group and stop receiving emails from it, send an email to search-guard+unsubscribe@googlegroups.com.
To post to this group, send email to search-guard@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/34aed0b3-7b00-4a52-80f2-c15e809c5775%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.