Peter
December 20, 2018, 8:11pm
1
Search Guard 6.4.0-32.0 and Elasticsearch Version: 6.4.0
Installed and used enterprise modules, LDAP authentication backend, LDAP authorization backend
Used Online TLS certificate generator
I have Elasticsearch & Search Guard working, with LDAP authentication & authorization, but for port 389 only.
When I try to enable port 636 I get the following error: “Empty file path for searchguard.ssl.transport.truststore_filepath”
I have a public pem certificate & intermediate to use, but am unsure of where to include them in Search Guard.
Currently my certificate configuration is this:
```yaml
searchguard.ssl.transport.pemcert_filepath: searchguard/CN=o-siem01-ptp.domain.org.crtfull.pem
searchguard.ssl.transport.pemkey_filepath: searchguard/CN=o-siem01-ptp.domain.org.key.pem
searchguard.ssl.transport.pemtrustedcas_filepath: searchguard/chain-ca.pem
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.http.enabled: true
searchguard.ssl.http.pemcert_filepath: searchguard/CN=o-siem01-ptp.domain.org.crtfull.pem
searchguard.ssl.http.pemkey_filepath: searchguard/CN=o-siem01-ptp.domain.org.key.pem
searchguard.ssl.http.pemtrustedcas_filepath: searchguard/chain-ca.pem
```
Do I append the LDAP certificates to one of the existing pem files (searchguard/chain-ca.pem)? Or is there a directive I should be adding to my sg_config.yml file for certificates?
Thanks!
Please post your sg_config.yml
You have not enabled SSL for LDAP in sg_config.yml so far:

```yaml
enable_ssl: false
enable_start_tls: false
```

and the port is still 389.
Easiest way is to include the certificate(s) directly as text in sg_config.yml
You can also refer to a pem file in the config/ dir.
Do you need client authentication or is it just the CA?
···
On Thursday, 20 December 2018 22:02:15 UTC+1, Peter wrote:
```yaml
ldap:
  http_enabled: true
  transport_enabled: true
  order: 5
  http_authenticator:
    type: "basic"
    challenge: true
  authentication_backend:
    type: "ldap"
    config:
      enable_ssl: false
      enable_start_tls: false
      enable_ssl_client_auth: false
      verify_hostnames: false
      hosts:
      bind_dn: "CN=LDAPSync_Svc,OU=Service,OU=Users,DC=domain,DC=org"
      password: ""
      userbase: "CN=affiliated_person,dc=domain,dc=org"
      usersearch: "(cn={0})"
      username_attribute: "cn"
authz:
  roles_from_myldap:
    http_enabled: true
    transport_enabled: true
    authorization_backend:
      type: "ldap"
      config:
        enable_ssl: false
        enable_start_tls: false
        enable_ssl_client_auth: false
        verify_hostnames: false
        hosts:
        bind_dn: "CN=LDAPSync_Svc,OU=Service,OU=Users,DC=domain,DC=org"
        password: ""
        rolebase: "DC=domain,DC=org"
        rolesearch: "(member={0})"
        userroleattribute: null
        userrolename: "disabled"
        rolename: "cn"
        resolve_nested_roles: true
        userbase: "CN=affiliated_person,dc=domain,dc=org"
        usersearch: "(cn={0})"
        username_attribute: "cn"
  roles_from_another_ldap:
    enabled: false
    authorization_backend:
      type: "ldap"
```
Peter
December 20, 2018, 9:33pm
5
Sorry, that was the working config (port 389). Here it is.
```yaml
ldap:
  http_enabled: true
  transport_enabled: true
  order: 5
  http_authenticator:
    type: "basic"
    challenge: true
  authentication_backend:
    type: "ldap"
    config:
      enable_ssl: true
      enable_start_tls: false
      enable_ssl_client_auth: false
      verify_hostnames: false
      hosts:
      bind_dn: "CN=LDAPSync_Svc,OU=Service,OU=Users,DC=domain,DC=org"
      password: ""
      userbase: "CN=affiliated_person,dc=domain,dc=org"
      usersearch: "(cn={0})"
      username_attribute: "cn"
authz:
  roles_from_myldap:
    http_enabled: true
    transport_enabled: true
    authorization_backend:
      type: "ldap"
      config:
        enable_ssl: true
        enable_start_tls: false
        enable_ssl_client_auth: false
        verify_hostnames: false
        hosts:
        bind_dn: "CN=LDAPSync_Svc,OU=Service,OU=Users,DC=domain,DC=org"
        password: ""
        rolebase: "DC=domain,DC=org"
        rolesearch: "(member={0})"
        userroleattribute: null
        userrolename: "disabled"
        rolename: "cn"
        resolve_nested_roles: true
        userbase: "CN=affiliated_person,dc=domain,dc=org"
        usersearch: "(cn={0})"
        username_attribute: "cn"
  roles_from_another_ldap:
    enabled: false
    authorization_backend:
      type: "ldap"
```
brian
December 20, 2018, 10:49pm
6
This worked for me. Adjust the file path and name to the cert location and name and put the following in the config in both authc and authz, at the same level as `hosts`.

```yaml
pemtrustedcas_filepath: /etc/elasticsearch/root.pem
```
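Brian's answer puts the trust anchor beside `hosts` in each ldap backend config, in both authc and authz. As an added example (not code from this thread or from Search Guard), here is a small Python lint that walks the `authc`/`authz` subtree of sg_config.yml and reports every enabled ldap backend that has TLS on without a `pemtrustedcas_filepath`/`pemtrustedcas_content`, binds in plaintext, or leaves `verify_hostnames` off. The dict layout and the host value are constructed assumptions mirroring the config posted above; with PyYAML installed, `yaml.safe_load` on the real file yields the same nested dicts.

```python
# Added example, not Search Guard's own code: a lint for the ldap backends in
# sg_config.yml (the `searchguard.dynamic` subtree). With PyYAML installed,
# yaml.safe_load(open("sg_config.yml"))["searchguard"]["dynamic"] gives the
# same nested dicts that the constructed sample below mirrors.
BACKEND_KEYS = ("authentication_backend", "authorization_backend")
TRUST_KEYS = ("pemtrustedcas_filepath", "pemtrustedcas_content")


def lint_ldap_backends(dynamic):
    """Return (domain.entry, message) findings for every enabled ldap backend."""
    findings = []
    for domain in ("authc", "authz"):
        for name, entry in (dynamic.get(domain) or {}).items():
            if entry.get("enabled") is False:
                continue  # a disabled entry never opens a connection
            for key in BACKEND_KEYS:
                backend = entry.get(key) or {}
                if backend.get("type") != "ldap":
                    continue
                cfg, where = backend.get("config") or {}, f"{domain}.{name}"
                if not (cfg.get("enable_ssl") or cfg.get("enable_start_tls")):
                    findings.append((where, "plaintext bind: enable_ssl and enable_start_tls are both false"))
                    continue
                # The thread's fix: the CA must sit beside `hosts` in each backend config.
                if not any(cfg.get(k) for k in TRUST_KEYS):
                    findings.append((where, "TLS enabled but no pemtrustedcas_filepath/pemtrustedcas_content"))
                if cfg.get("verify_hostnames") is False:
                    findings.append((where, "verify_hostnames false: server cert not matched to the LDAP hostname"))
    return findings


def ldap_entry(backend_key, enable_ssl, ca_path=None):
    """One authc/authz entry shaped like the thread's config (constructed sample)."""
    cfg = {"enable_ssl": enable_ssl, "enable_start_tls": False,
           "enable_ssl_client_auth": False, "verify_hostnames": False,
           "hosts": ["ldap.example.org:636"],  # placeholder; redacted in the thread
           "bind_dn": "CN=LDAPSync_Svc,OU=Service,OU=Users,DC=domain,DC=org",
           "password": ""}
    if ca_path:
        cfg["pemtrustedcas_filepath"] = ca_path  # same level as hosts, per Brian
    return {"http_enabled": True, "transport_enabled": True,
            backend_key: {"type": "ldap", "config": cfg}}


def sample_dynamic(enable_ssl, ca_path=None):
    """authc + authz subtree mirroring the second config posted in the thread."""
    return {"authc": {"ldap": ldap_entry("authentication_backend", enable_ssl, ca_path)},
            "authz": {"roles_from_myldap": ldap_entry("authorization_backend", enable_ssl, ca_path),
                      "roles_from_another_ldap": {"enabled": False,
                                                  "authorization_backend": {"type": "ldap"}}}}
```

Running `lint_ldap_backends(sample_dynamic(True, "/etc/elasticsearch/root.pem"))` on the fixed config still reports `verify_hostnames: false` for both backends, which is the remaining gap a reviewer would raise once port 636 works.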
Peter
December 20, 2018, 11:33pm
7
Thank you! That worked perfectly.
Peter