Centralized Pipelines referencing logstash-keystore for passwords

Hello:

So we're implementing SAML on our cluster which has led to the implementation of SSL communications instead of http. That journey is completed and functioning properly including logstash monitoring and management, but now I've hit the logstash pipelines.

Of course, I've had to change all the outputs so that the .p12 keystore and truststore are referenced. For example:

    keystore => "/etc/logstash/<path to file>.p12"
    keystore_password => "<password>"
    truststore => "/etc/logstash/<path to file>.p12"
    truststore_password => "password"

So that's working fine and all the pipelines are up and running.

What I want though is to reference the logstash-keystore for the truststore and keystore_password. Right now they're out in the clear and I don't want that.

When I added the passwords to the logstash keystore and then referenced the variable in the pipeline (truststore_password => "${this_pwd}") I get an error for each pipeline in the log indicating something like could not find the path to the certification. The pipeline can't communicate with Elasticsearch and it just repeats that error.

I know for sure the certs are fine because it works if the password is in the clear, and the logstash ssl monitoring and management settings are all fine because even though I was getting the pipeline communication error, logstash itself was still connecting to Elasticsearch and the license was verified.

I also know that the logstash keystore is fine and the password for the cert is fine because I have the keystore referenced in the monitoring and management settings (both for the user ID and password and the cert and password) in logstash.yml, and again logstash is starting and the license is being verified.

So my question is, is it possible to reference the logstash keystore in the keystore_password and truststore_password section of the output? Am I doing something wrong with the syntax mentioned above? The documentation would suggest you can do it but there's no indication of any examples.

Thanks in advance for reading!

I assume you have read this: Secrets keystore for secure settings | Logstash Reference [8.11] | Elastic

I get an error for each pipeline in the log indicating something like could not find the path to the certification.

It's always better if you copy paste the exact error message rather than an approximation of it. Also please share the relevant parts of your configuration.

Here are the relevant parts (from the output section of the pipeline):

    keystore => "/etc/logstash/<path to file>.p12"
    keystore_password => "${this_pwd}"
    truststore => "/etc/logstash/<path to file>.p12"
    truststore_password => "${this_pwd}"

Here's the exact error message:

"unable to find valid certification path to requested target".

Again that error goes away and the pipeline starts if I enter the password in plain text rather than "${this_pwd}" which references the value in the logstash keystore.

Yes I have read the document in the link you posted which is where I came up with the idea of the syntax.

In configuration files, use: output { elasticsearch {...password => "${ES_PWD}" } } }
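A check for the concern raised in the first post (passwords left in the clear in pipeline outputs), written as an added example that is not part of the original thread or of Elastic's code: it scans pipeline text for password settings whose value is a literal, or a `${VAR:default}` reference that embeds a fallback, instead of a plain `${VAR}` reference. The sample config, the `example.p12` path and the secret values are constructed, and treating every option whose name ends in `password` as a secret is an assumption of this sketch.

```python
import re

# Settings from the thread plus the generic `password` option; matching any
# option name that ends in "password" is an assumption of this sketch.
SETTING = re.compile(r'\b(\w*password)\s*=>\s*(["\'])(.*?)\2', re.IGNORECASE)
# ${VAR} is a keystore/environment reference; ${VAR:default} embeds a fallback.
REFERENCE = re.compile(r'^\$\{(\w+)(?::(.*))?\}$')

def strip_comment(line):
    """Drop a trailing # comment unless the # sits inside a quoted string."""
    quote = None
    for i, ch in enumerate(line):
        if quote:
            if ch == quote:
                quote = None
        elif ch in "\"'":
            quote = ch
        elif ch == "#":
            return line[:i]
    return line

def audit(config_text):
    """Return (line_no, setting, finding) for each secret not read from a bare reference."""
    findings = []
    for no, line in enumerate(config_text.splitlines(), 1):
        for m in SETTING.finditer(strip_comment(line)):
            name, value = m.group(1), m.group(3)
            ref = REFERENCE.match(value)
            if ref is None:
                findings.append((no, name, "literal value"))
            elif ref.group(2) is not None:
                findings.append((no, name, "default embedded in reference"))
    return findings

# Constructed sample modelled on the output settings quoted in the thread.
SAMPLE = '''output {
  elasticsearch {
    keystore => "/etc/logstash/example.p12"
    keystore_password => "${this_pwd}"
    truststore => "/etc/logstash/example.p12"
    truststore_password => "changeme"   # literal
    password => "${ES_PWD:fallback}"
    # keystore_password => "old-secret"
  }
}'''

if __name__ == "__main__":
    for no, name, finding in audit(SAMPLE):
        print(f"line {no}: {name}: {finding}")
```

The findings report only the line number and setting name, never the secret value, so the output is safe to keep in CI logs.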
