Client SSL and Server SSL - ES Java Client

Initial excuse - we are still using TransportClient (PreBuiltXPackTransportClient). Migrating to High Level Rest Client is in progress.
This question would still be relevant for High Level Rest Client.

Meta:
Elasticsearch Server Version : 7.10.2
Elasticsearch Java Client Dependencies versions : 7.10.2

On the server side, we have the following settings in elasticsearch.yml:

xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: <cert_path>
xpack.security.transport.ssl.truststore.path: <cert_path>

With the above server settings, can the client (PreBuiltXPackTransportClient) WITHOUT SSL params even communicate with the server?

In effect, the server is enabled with SSL and the client is just using username + password authentication without client SSL - is this combination possible?

I conducted two tests as follows:

Test Case 1 :

Server : Only username and password WITHOUT transport SSL

Client : Tested with PreBuiltXPackTransportClient with only username and password WITHOUT SSL

Observed Behavior : This combination works as expected with only user and password without SSL

Test Case 2 :

Server : Username + Password + Transport-SSL enabled in elasticsearch.yml

xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: <cert_path>
xpack.security.transport.ssl.truststore.path: <cert_path>

Client : Tested with PreBuiltXPackTransportClient with ONLY username and password WITHOUT SSL

Observed Behavior : This combination fails with NoNodeAvailableException [None of the configured nodes are available] :

Clarifications

  1. Can a non-SSL PreBuiltXPackTransportClient communicate with an SSL-enabled server - only with username + password based authentication?
  2. Can Elasticsearch throw arbitrary exceptions like NoNodeAvailableException when the above combination is tried - as I have mentioned in Test Case 2 above?
  3. Is it mandatory that PreBuiltXPackTransportClient must use SSL when xpack.transport on the server side is SSL-enabled?
  4. I did not see any logs on the Elasticsearch server side during this testing.

I am referring to the following client documentation for my testing - Java Client and security | Elasticsearch Guide [7.x] | Elastic

Thanks in advance.

  • Muthu
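
A client-side counterpart to the Test Case 2 server settings, as an added example that is not part of the original post: it builds the transport client once with credentials only and once with transport SSL settings, and reports how many nodes each one connected to. The cluster name, host, credentials and PEM file paths are placeholders (assumptions); the setting keys are the 7.x X-Pack transport client ones.

```java
import java.net.InetAddress;
import org.elasticsearch.client.transport.TransportClient;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.transport.TransportAddress;
import org.elasticsearch.xpack.client.PreBuiltXPackTransportClient;

public class TransportSslCheck {

    // Placeholders (assumptions): replace with your cluster's values.
    static final String CLUSTER = "my-cluster";
    static final String HOST = "localhost";
    static final String USER_PASS = "transport_user:changeme";

    // Credentials only, as in the Test Case 2 client.
    static Settings plainSettings() {
        return Settings.builder()
            .put("cluster.name", CLUSTER)
            .put("xpack.security.user", USER_PASS)
            .build();
    }

    // Same credentials plus transport SSL, mirroring the server's
    // ssl.enabled and verification_mode values. PEM files are used here
    // in place of the keystore/truststore the server config points at.
    static Settings sslSettings() {
        return Settings.builder()
            .put(plainSettings())
            .put("xpack.security.transport.ssl.enabled", true)
            .put("xpack.security.transport.ssl.verification_mode", "certificate")
            .put("xpack.security.transport.ssl.key", "/path/to/client.key")
            .put("xpack.security.transport.ssl.certificate", "/path/to/client.crt")
            .put("xpack.security.transport.ssl.certificate_authorities", "/path/to/ca.crt")
            .build();
    }

    // Number of nodes the client connected to on the transport port.
    // 0 is the state in which requests fail with NoNodeAvailableException.
    static int connectedNodes(Settings settings) throws Exception {
        try (TransportClient client = new PreBuiltXPackTransportClient(settings)) {
            client.addTransportAddress(new TransportAddress(InetAddress.getByName(HOST), 9300));
            return client.connectedNodes().size();
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("plain client nodes: " + connectedNodes(plainSettings()));
        System.out.println("ssl client nodes:   " + connectedNodes(sslSettings()));
    }
}
```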
