I have installed the latest elasticsearch and kibana (7.14.1) versions using docker images. My setup is single-node elasticsearch.
I initiated the trial version for 30 days and enabled https for elasticsearch using ssl certificates.
I configured the native realm and the active_directory realm. Authentication works fine.
I have keycloak running remotely over the http protocol.
Following the document on the official site for single sign-on configuration, I provided the oidc realm settings in elasticsearch.yml.
Reference Link:
On restarting the elasticsearch node I found an error which says to use https instead of http.
Find the configuration files below:
elasticsearch.yml:
cluster.name: "docker-cluster"
network.host: 0.0.0.0
xpack.license.self_generated.type: trial
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.http.ssl.certificate_authorities: "ca.crt"
xpack.security.http.ssl.certificate: "elasticsearch-trial.crt"
xpack.security.http.ssl.key: "elasticsearch-trial.key"
xpack.security.transport.ssl.certificate_authorities: "ca.crt"
xpack.security.transport.ssl.certificate: "elasticsearch-trial.crt"
xpack.security.transport.ssl.key: "elasticsearch-trial.key"
logger.org.elasticsearch.discovery: DEBUG
xpack.security.authc.token.enabled: true
xpack.security.authc.realms:
  native.native1:
    enabled: true
    order: 0
  active_directory.my_ad:
    enabled: true
    order: 1
    domain_name: "example.coml"
    url: "ldap://example.com:389"
    user_search:
      base_dn: "cn=users,dc=examplei,dc=com"
    group_search:
      base_dn: "cn=users,dc=examplei,dc=com"
  oidc.oidc1:
    enabled: true
    order: 2
    rp.client_id: "elk-trial"
    rp.response_type: code
    rp.requested_scopes: "openid"
    rp.redirect_uri: "http://my-kibana:5601/api/security/oidc/callback"
    op.issuer: "http://my-openid:8080/auth/realms/my-realm"
    op.authorization_endpoint: "http://my-openid:8080/auth/realms/my-realm/protocol/openid-connect/auth"
    op.token_endpoint: "http://my-openid:8080/auth/realms/my-realm/protocol/openid-connect/token"
    op.jwkset_path: "http://my-openid:8080/auth/realms/my-realm/protocol/openid-connect/certs"
    op.userinfo_endpoint: "http://my-openid:8080/auth/realms/my-realm/protocol/openid-connect/userinfo"
    op.endsession_endpoint: "http://my-openid:8080/auth/realms/my-realm/protocol/openid-connect/logout"
    rp.post_logout_redirect_uri: "http://my-kibana:5601/security/logged_out"
    claims.principal: preferred_username
Elasticsearch container logs:
uncaught exception in thread [main]
java.lang.IllegalStateException: security initialization failed
Likely root cause: java.lang.IllegalArgumentException: The [http] protocol is not supported as it is insecure. Use [https] instead
at org.elasticsearch.xpack.security.authc.oidc.OpenIdConnectAuthenticator.createIdTokenValidator(OpenIdConnectAuthenticator.java:637)
at org.elasticsearch.xpack.security.authc.oidc.OpenIdConnectAuthenticator.<init>(OpenIdConnectAuthenticator.java:149)
at org.elasticsearch.xpack.security.authc.oidc.OpenIdConnectRealm.<init>(OpenIdConnectRealm.java:120)
at org.elasticsearch.xpack.security.authc.InternalRealms.lambda$getFactories$7(InternalRealms.java:120)
at org.elasticsearch.xpack.security.authc.Realms.initRealms(Realms.java:227)
at org.elasticsearch.xpack.security.authc.Realms.<init>(Realms.java:78)
at org.elasticsearch.xpack.security.Security.createComponents(Security.java:529)
at org.elasticsearch.xpack.security.Security.createComponents(Security.java:451)
at org.elasticsearch.node.Node.lambda$new$18(Node.java:615)
at java.base/java.util.stream.ReferencePipeline$7$1.accept(ReferencePipeline.java:273)
at java.base/java.util.ArrayList$ArrayListSpliterator.forEachRemaining(ArrayList.java:1625)
at java.base/java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:484)
at java.base/java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:474)
at java.base/java.util.stream.ReduceOps$ReduceOp.evaluateSequential(ReduceOps.java:913)
at java.base/java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
at java.base/java.util.stream.ReferencePipeline.collect(ReferencePipeline.java:682)
at org.elasticsearch.node.Node.<init>(Node.java:619)
at org.elasticsearch.node.Node.<init>(Node.java:281)
at org.elasticsearch.bootstrap.Bootstrap$5.<init>(Bootstrap.java:219)
at org.elasticsearch.bootstrap.Bootstrap.setup(Bootstrap.java:219)
at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:399)
at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:159)
at org.elasticsearch.bootstrap.Elasticsearch.execute(Elasticsearch.java:150)
at org.elasticsearch.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:75)
at org.elasticsearch.cli.Command.mainWithoutErrorHandling(Command.java:116)
at org.elasticsearch.cli.Command.main(Command.java:79)
at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:115)
at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:81)
I couldn't understand whether the error in the log is due to the openid provider or the elasticsearch configuration.
Any suggestion is most welcome.
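The stack trace shows Elasticsearch refusing the plain-http URL while building the ID token validator (the JWK set fetch), so the realm cannot start until the provider is reachable over https. The check below is an added example, not code from Elasticsearch or from the post: it takes the oidc realm settings as a dict (the setting names used under xpack.security.authc.realms.oidc.oidc1 above) and reports every http value, with the https form Elasticsearch would accept, skipping op.jwkset_path when it is a local file path rather than a URL. The sample realm dict is constructed from the post's values.

```python
"""Lint an Elasticsearch OIDC realm's settings for plain-http endpoints."""
from urllib.parse import urlparse

# OIDC realm settings that hold URLs (provider and Kibana endpoints).
# All of these carry authorization codes or tokens, so http exposes them in clear.
URL_SETTINGS = (
    "op.issuer",
    "op.authorization_endpoint",
    "op.token_endpoint",
    "op.userinfo_endpoint",
    "op.endsession_endpoint",
    "rp.redirect_uri",
    "rp.post_logout_redirect_uri",
)


def is_url(value: str) -> bool:
    """True when the value has a scheme and a host, i.e. is not a file path."""
    parsed = urlparse(value)
    return bool(parsed.scheme) and bool(parsed.netloc)


def insecure_settings(realm: dict) -> list:
    """Return (setting, value, https_value) for every http:// value in the realm.

    ``realm`` maps setting names to values. ``op.jwkset_path`` may be either a
    URL (must be https, the failure seen in the post) or a local file path,
    which involves no transport and is skipped.
    """
    findings = []
    for key in URL_SETTINGS + ("op.jwkset_path",):
        value = realm.get(key)
        if value is None:
            continue
        if key == "op.jwkset_path" and not is_url(value):
            continue  # JWK set read from the config directory, nothing to secure
        if urlparse(value).scheme.lower() == "http":
            findings.append((key, value, "https://" + value.split("://", 1)[1]))
    return findings


# Constructed sample mirroring the realm in the post (hypothetical hosts).
OIDC1 = {
    "rp.client_id": "elk-trial",
    "rp.redirect_uri": "http://my-kibana:5601/api/security/oidc/callback",
    "op.issuer": "http://my-openid:8080/auth/realms/my-realm",
    "op.token_endpoint": "http://my-openid:8080/auth/realms/my-realm/protocol/openid-connect/token",
    "op.jwkset_path": "http://my-openid:8080/auth/realms/my-realm/protocol/openid-connect/certs",
}

if __name__ == "__main__":
    for key, value, fixed in insecure_settings(OIDC1):
        print(f"{key}: {value} -> {fixed}")
```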