Initial excuse - we are still using TransportClient (PreBuiltXPackTransportClient). Migrating to High Level Rest Client is in progress.
This question would still be relevant for High Level Rest Client
Meta:
Elasticsearch Server Version : 7.10.2
Elasticsearch Java Client Dependencies versions : 7.10.2
On the server side, we have the following settings in elasticsearch.yml:
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: <cert_path>
xpack.security.transport.ssl.truststore.path: <cert_path>
With the above server, can the client - PreBuiltXPackTransportClient WITHOUT SSL params - even communicate with the server?
In effect, the server is enabled with SSL and the client is just using username + password authentication without client SSL - is this combination possible?
I conducted two tests as follows :
Test Case 1 :
Server : Only username and password WITHOUT transport SSL
Client : Tested with PreBuiltXPackTransportClient with only username and password WITHOUT SSL
Observed Behaviour : This combination works as expected with only user and password without SSL
Test Case 2 :
Server : Username + Password + Transport-SSL enabled in elasticsearch.yml
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: <cert_path>
xpack.security.transport.ssl.truststore.path: <cert_path>
Client : Tested with PreBuiltXPackTransportClient with ONLY username and password WITHOUT SSL
Observed Behavior : This combination fails with NoNodeAvailableException [None of the configured nodes are available]
Clarifications
- Can a non-SSL PreBuiltXPackTransportClient communicate with an SSL-enabled server - only with username + password based authentication?
- Can Elasticsearch throw arbitrary exceptions like NoNodeAvailableException when the above combination is tried - as I have mentioned in Test Case 2 above?
- Is it mandatory that PreBuiltXPackTransportClient must use SSL when xpack.transport on the server side is SSL-enabled?
- I did not see any logs on Elasticsearch Server side during this testing
I am referring to the following client documentation for my testing - Java Client and security | Elasticsearch Guide [7.x] | Elastic
Thanks in advance.
- Muthu