Client SSL and Server SSL - ES Java Client

Muthukumaran_Kothand · September 7, 2021, 8:40am

Initial excuse - we are still using TransportClient ( PreBuiltXPackTransportClient). Migrating to High Level Rest Client is in progress.
This question would still be relevant for High Level Rest Client

Meta:
Elasticsearch Server Version : 7.10.2
Elasticsearch Java Client Dependencies versions : 7.10.2

On Server-side, we have following settings on elasticsearch.yml :

xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: <cert_path>
xpack.security.transport.ssl.truststore.path: <cert_path>

With above server, can the client - PreBuiltXPackTransportClient WITHOUT SSL params can even communicate with server ?

In effect, Server is enabled with SSL and client just using username + password authentication without client-SSL - is this combination possible ?

I conducted two tests as follows :

Test Case 1 :

Server : Only username and password WITHOUT transport SSL

Client : Tested with PrebuiltXPackTransportClient with only username and password WITHOUT SSL

Observed Behaviour : This combination works as expected with only user and password without SSL

Test Case 2 :

Server : Username + Password + Transport-SSL enabled in elasticsearch.yml

xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: <cert_path>
xpack.security.transport.ssl.truststore.path: <cert_path>

Client : Tested with PrebuiltXPackTransportClient with ONLY username and password WITHOUT SSL

Observed Behavior : This combination fails with NoNodeAvailableException [None of the configured nodes are available] :

Clarifications

Can non-SSL PrebuiltXPackTransportClient communicate with SSL-enabled server - only with username + password based authentication?
Can Elasticsearch throw arbitrary exceptions like NoNodeEvailableException when above combination is tried - as I have mentioned in Test Case 2 above ?
Is it mandatory that PrebuiltXPackTransportClient must use SSL when xpack.transport on Server side is SSL-enabled ?
I did not see any logs on Elasticsearch Server side during this testing

I am referring following Client Documentation for my testing - Java Client and security | Elasticsearch Guide [7.x] | Elastic

Thanks in advance.

Muthu

system · October 5, 2021, 8:41am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Authentication using Java API and TransportClient Elasticsearch	12	6540	July 6, 2017
Connecting to TLS/SSL secured elastic cluster through transport client Elasticsearch elastic-stack-security	11	2453	July 21, 2019
Configuring the Transport Client to work with a Secured Cluster Elasticsearch elastic-stack-security	2	629	March 16, 2022
Add elasticsearch security by x-pack authentificaiton Elasticsearch elastic-stack-security	2	520	April 9, 2019
Client did not trust this server's certificate, closing connection Netty4TcpChannel Elasticsearch elastic-stack-security	19	35853	July 9, 2019

Client SSL and Server SSL - ES Java Client

Related topics