Auto authenticate with Elasticsearch shield using PKI

security

(Kev) #1

I am using the shield addon for my elasticsearch. I want to configure Shield to auto authenticate when a user hits the rest endpoint in the browser, looking at the browser's cert. How can I achieve this?

In my elasticsearch.yml I have:

shield.transport.ssl: true
shield.http.ssl: true
shield.ssl.keystore.path : /path/keystore.jks
shield.ssl.keystore.password: password

shield.authc.realms.pki1.type: pki
shield.authc.realms.pki1.truststore.path: path/allTruststore.jks
shield.authc.realms.pki1.truststore.password: changeme

But the authentication window still pops up every time asking for a log in.


(Jay Modi) #2

You also need to enable client authentication for http. Set shield.http.ssl.client.auth: optional in your elasticsearch.yml. This will request the client certificate and if not presented, it will allow fallback to username/password authentication.


(Kev) #3

I set it to Required, and I got a ssl_error_bad_cert_alert. Guess I'm getting somewhere..
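
Added example, not part of the thread and not Elastic's code: a small pre-flight check that reads a flat elasticsearch.yml and reports what would keep the REST endpoint from asking the browser for a certificate, using only the settings quoted in posts #1 and #2. The function names and the two sample configs are constructed for illustration, and the parser assumes flat `dotted.key: value` lines rather than full YAML.

```python
import re

# Constructed sample: the settings from post #1, before the change suggested in post #2.
SAMPLE_BEFORE = """\
shield.transport.ssl: true
shield.http.ssl: true
shield.ssl.keystore.path : /path/keystore.jks
shield.ssl.keystore.password: password

shield.authc.realms.pki1.type: pki
shield.authc.realms.pki1.truststore.path: path/allTruststore.jks
shield.authc.realms.pki1.truststore.password: changeme
"""
# Constructed sample: the same file with the setting from post #2 appended.
SAMPLE_AFTER = SAMPLE_BEFORE + "shield.http.ssl.client.auth: optional\n"

REALM_TYPE = re.compile(r"shield\.authc\.realms\.([^.]+)\.type")


def parse_flat_settings(text):
    """Parse flat 'dotted.key: value' lines; nested YAML maps are not handled."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")  # split on the first colon only
        if sep:
            settings[key.strip()] = value.strip()
    return settings


def check_pki_http_auth(text):
    """Return findings that affect certificate login on the HTTPS REST endpoint."""
    s = parse_flat_settings(text)
    findings = []
    if s.get("shield.http.ssl", "false").lower() != "true":
        findings.append("shield.http.ssl is not true: REST endpoint has no TLS")
    if not any(REALM_TYPE.fullmatch(k) and v == "pki" for k, v in s.items()):
        findings.append("no realm with type pki is configured")
    mode = s.get("shield.http.ssl.client.auth", "").lower()
    if mode not in ("optional", "required"):
        findings.append("shield.http.ssl.client.auth is not optional/required: "
                        "no client certificate is requested")
    elif mode == "required":
        findings.append("note: client.auth is required, so a client without a "
                        "trusted certificate cannot fall back to username/password")
    return findings
```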

