Configuration of OpenID Connect for Elasticsearch 7.14.1 fails with trial version

I have installed latest elasticsearch and kibana (7.14.1) version using docker images. My setup is single-node elasticsearch.
Initiated trial version for 30 days and enabled https for elasticsearch using ssl certificates.
Configured native realm and active_directory realm. Authentication works fine.

I have keycloak running with http protocol running remotely.
Following the document on the official site for single sign-on configuration, I provided the oidc realm settings in elasticsearch.yml.

Reference Link:

On restarting elasticsearch node I found the error which says to use https instead of http.

Find configuration files below:

elasticsearch.yml:

cluster.name: "docker-cluster"
network.host: 0.0.0.0

xpack.license.self_generated.type: trial
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.http.ssl.certificate_authorities: "ca.crt"
xpack.security.http.ssl.certificate: "elasticsearch-trial.crt"
xpack.security.http.ssl.key: "elasticsearch-trial.key"
xpack.security.transport.ssl.certificate_authorities: "ca.crt"
xpack.security.transport.ssl.certificate: "elasticsearch-trial.crt"
xpack.security.transport.ssl.key: "elasticsearch-trial.key"
logger.org.elasticsearch.discovery: DEBUG
xpack.security.authc.token.enabled: true
xpack.security.authc.realms:
    native.native1:
      enabled: true
      order: 0
    active_directory.my_ad:
      enabled: true
      order: 1
      domain_name: "example.coml"
      url: "ldap://example.com:389"
      user_search:
        base_dn: "cn=users,dc=examplei,dc=com"
      group_search:
        base_dn: "cn=users,dc=examplei,dc=com"
    oidc.oidc1:
      enabled: true
      order: 2
      rp.client_id: "elk-trial"
      rp.response_type: code
      rp.requested_scopes: "openid"
      rp.redirect_uri: "http://my-kibana:5601/api/security/oidc/callback"
      op.issuer: "http://my-openid:8080/auth/realms/my-realm"
      op.authorization_endpoint: "http://my-openid:8080/auth/realms/my-realm/protocol/openid-connect/auth"
      op.token_endpoint: "http://my-openid:8080/auth/realms/my-realm/protocol/openid-connect/token"
      op.jwkset_path: "http://my-openid:8080/auth/realms/my-realm/protocol/openid-connect/certs"
      op.userinfo_endpoint: "http://my-openid:8080/auth/realms/my-realm/protocol/openid-connect/userinfo"
      op.endsession_endpoint: "http://my-openid:8080/auth/realms/my-realm/protocol/openid-connect/logout"
      rp.post_logout_redirect_uri: "http://my-kibana:5601/security/logged_out"
      claims.principal: preferred_username

Elasticsearch container logs:

uncaught exception in thread [main]
java.lang.IllegalStateException: security initialization failed
Likely root cause: java.lang.IllegalArgumentException: The [http] protocol is not supported as it is insecure. Use [https] instead
        at org.elasticsearch.xpack.security.authc.oidc.OpenIdConnectAuthenticator.createIdTokenValidator(OpenIdConnectAuthenticator.java:637)
        at org.elasticsearch.xpack.security.authc.oidc.OpenIdConnectAuthenticator.<init>(OpenIdConnectAuthenticator.java:149)
        at org.elasticsearch.xpack.security.authc.oidc.OpenIdConnectRealm.<init>(OpenIdConnectRealm.java:120)
        at org.elasticsearch.xpack.security.authc.InternalRealms.lambda$getFactories$7(InternalRealms.java:120)
        at org.elasticsearch.xpack.security.authc.Realms.initRealms(Realms.java:227)
        at org.elasticsearch.xpack.security.authc.Realms.<init>(Realms.java:78)
        at org.elasticsearch.xpack.security.Security.createComponents(Security.java:529)
        at org.elasticsearch.xpack.security.Security.createComponents(Security.java:451)
        at org.elasticsearch.node.Node.lambda$new$18(Node.java:615)
        at java.base/java.util.stream.ReferencePipeline$7$1.accept(ReferencePipeline.java:273)
        at java.base/java.util.ArrayList$ArrayListSpliterator.forEachRemaining(ArrayList.java:1625)
        at java.base/java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:484)
        at java.base/java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:474)
        at java.base/java.util.stream.ReduceOps$ReduceOp.evaluateSequential(ReduceOps.java:913)
        at java.base/java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
        at java.base/java.util.stream.ReferencePipeline.collect(ReferencePipeline.java:682)
        at org.elasticsearch.node.Node.<init>(Node.java:619)
        at org.elasticsearch.node.Node.<init>(Node.java:281)
        at org.elasticsearch.bootstrap.Bootstrap$5.<init>(Bootstrap.java:219)
        at org.elasticsearch.bootstrap.Bootstrap.setup(Bootstrap.java:219)
        at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:399)
        at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:159)
        at org.elasticsearch.bootstrap.Elasticsearch.execute(Elasticsearch.java:150)
        at org.elasticsearch.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:75)
        at org.elasticsearch.cli.Command.mainWithoutErrorHandling(Command.java:116)
        at org.elasticsearch.cli.Command.main(Command.java:79)
        at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:115)
        at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:81)

I couldn't understand whether the error log is due to the OpenID provider or the Elasticsearch configuration?
Any suggestion is most welcome.

You need to use https for your SSO urls.

Thanks @legoguy1000 for the reply.

But my keycloak server is not ssl enabled. I have configured the same OpenID provider for Opendistro for Elasticsearch and it works fine.

Is it compulsory to use https protocol for openID connection in ELK setup?

Can't we try with insecure openID connection in ELK setup ?

OpenDistro is not the same as Elasticsearch due to the split in the code base. Its security code is different. I don't know if you can use SSO without SSL.

As already said, Opendistro uses a different security implementation.

I'm not sure if SSO works without https, but this line in your configuration will force https anyway:

xpack.security.http.ssl.enabled: true

You could test it, remove or comment all the xpack.security.http.ssl.* lines from your configuration and check if you still got the error.

Thanks @leandrojmp for your suggestion.

No luck with that configuration. Still same error for http supported elasticsearch.

I think default SSO support is https in ELK setup.

I could see here as Elastic supports insecure openID connection.

(ELK Stack integration with Keycloak)

Can anyone advise me on using an insecure connection?

They were using 7.5, I suspect that the code was updated to require secured connections.

We currently only mandate that the JWKS URL (op.jwkset_path) is an https one. The link you referenced is to a setup that uses a local file for the JWKS and this is why it works. You can do the same: you can get the JWKS as a file from Keycloak, bind mount it to your Elasticsearch container and point your op.jwkset_path to that location.
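A small check of the rule described in the reply above, as an added example (not the poster's code and not Elastic's): it validates a JWKS document in the shape Keycloak serves at `.../protocol/openid-connect/certs`, writes it to a local file, and emits realm settings whose `op.jwkset_path` points at that file while the other endpoints stay http. The JWKS content and the file path are constructed placeholders.

```python
import json
from pathlib import Path
from urllib.parse import urlparse

# Constructed sample in the shape Keycloak returns from the certs endpoint.
# The modulus is a placeholder, not a real key.
SAMPLE_JWKS = {
    "keys": [
        {"kid": "example-kid-1", "kty": "RSA", "alg": "RS256", "use": "sig",
         "n": "placeholder-modulus", "e": "AQAB"}
    ]
}


def jwkset_path_is_allowed(value: str) -> bool:
    """Mirror the rule from the thread: https URL or local file path, never http."""
    scheme = urlparse(value).scheme
    return scheme == "https" or scheme == ""


def validate_jwks(doc: dict) -> list:
    """Return the key ids of usable RSA signing keys; raise on a malformed set."""
    keys = doc.get("keys")
    if not isinstance(keys, list) or not keys:
        raise ValueError("JWKS has no 'keys' array")
    kids = []
    for k in keys:
        if k.get("kty") != "RSA" or k.get("use", "sig") != "sig":
            continue  # skip encryption keys and non-RSA entries
        if not all(f in k for f in ("kid", "n", "e")):
            raise ValueError("RSA JWK is missing kid, n or e")
        kids.append(k["kid"])
    if not kids:
        raise ValueError("no RSA signing key in JWKS")
    return kids


def write_jwks_file(doc: dict, path: str) -> str:
    """Validate the set, then write it where the container can bind-mount it."""
    validate_jwks(doc)
    Path(path).write_text(json.dumps(doc, indent=2))
    return path


def realm_settings(jwks_file: str, issuer: str) -> dict:
    """Realm settings with a local JWKS; issuer/endpoints may stay http per the thread."""
    if not jwkset_path_is_allowed(jwks_file):
        raise ValueError("op.jwkset_path must be an https URL or a local file")
    base = issuer.rstrip("/") + "/protocol/openid-connect/"
    return {
        "op.issuer": issuer,
        "op.authorization_endpoint": base + "auth",
        "op.token_endpoint": base + "token",
        "op.jwkset_path": jwks_file,  # relative paths resolve against the config dir
    }
```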

Thanks @ikakavas for the solution.
