Client SSL and Server SSL - ES Java Client

Muthukumaran_Kothand · September 7, 2021, 8:40am

Initial excuse - we are still using TransportClient ( PreBuiltXPackTransportClient). Migrating to High Level Rest Client is in progress.
This question would still be relevant for High Level Rest Client

Meta:
Elasticsearch Server Version : 7.10.2
Elasticsearch Java Client Dependencies versions : 7.10.2

On Server-side, we have following settings on elasticsearch.yml :

xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: <cert_path>
xpack.security.transport.ssl.truststore.path: <cert_path>

With above server, can the client - PreBuiltXPackTransportClient WITHOUT SSL params can even communicate with server ?

In effect, Server is enabled with SSL and client just using username + password authentication without client-SSL - is this combination possible ?

I conducted two tests as follows :

Test Case 1 :

Server : Only username and password WITHOUT transport SSL

Client : Tested with PrebuiltXPackTransportClient with only username and password WITHOUT SSL

Observed Behaviour : This combination works as expected with only user and password without SSL

Test Case 2 :

Server : Username + Password + Transport-SSL enabled in elasticsearch.yml

xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: <cert_path>
xpack.security.transport.ssl.truststore.path: <cert_path>

Client : Tested with PrebuiltXPackTransportClient with ONLY username and password WITHOUT SSL

Observed Behavior : This combination fails with NoNodeAvailableException [None of the configured nodes are available] :

Clarifications

Can non-SSL PrebuiltXPackTransportClient communicate with SSL-enabled server - only with username + password based authentication?
Can Elasticsearch throw arbitrary exceptions like NoNodeEvailableException when above combination is tried - as I have mentioned in Test Case 2 above ?
Is it mandatory that PrebuiltXPackTransportClient must use SSL when xpack.transport on Server side is SSL-enabled ?
I did not see any logs on Elasticsearch Server side during this testing

I am referring following Client Documentation for my testing - Java Client and security | Elasticsearch Guide [7.x] | Elastic

Thanks in advance.

Muthu

system · October 5, 2021, 8:41am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Connecting to TLS/SSL secured elastic cluster through transport client Elasticsearch elastic-stack-security	11	2450	July 21, 2019
Configuring the Transport Client to work with a Secured Cluster Elasticsearch elastic-stack-security	2	628	March 16, 2022
Exception caught on transport layer (es6.4.2) Elasticsearch elastic-stack-security	46	16851	February 14, 2019
Client did not trust this server's certificate, closing connection Netty4TcpChannel Elasticsearch elastic-stack-security	19	35668	July 9, 2019
Xpack transport client issue ES 5.6.3 Elasticsearch	3	441	August 10, 2018

Client SSL and Server SSL - ES Java Client

Related Topics