Configure SSL with organization provided certificates

We are trying to configure security in an Elasticsearch cluster with the instructions provided in the official documentation for version 7.16.3. Our organization provides us with the certificates in .p12 format and truststore certificates in .jks format. We are using Elasticsearch in a clustered environment and would like to enable security on both the transport and HTTP layer. The issue here is I don't want to generate the certificates with the Elasticsearch cert util but instead use the organization-provided certificates to communicate with Elasticsearch.
My yml looks like below:

xpack.security.transport.ssl:
  enabled: true
  verification_mode: certificate
  client_authentication: required
  keystore.type: PKCS12
  keystore.path: myCertificate.p12
  truststore.type: jks
  truststore.path: my_trustore.jks

xpack.security.http.ssl:
  enabled: true
  verification_mode: certificate
  client_authentication: required
  keystore.path: myCertificate.p12
  keystore.type: PKCS12
  truststore.type: jks
  truststore.path: my_trustore.jks

With these settings I am getting errors when starting the Elastic cluster.

ElasticsearchSecurityException[failed to load SSL configuration [xpack.security.transport.ssl]]; nested: ElasticsearchException[failed to initialize SSL TrustManager]; nested: IOException[Keystore was tampered with, or password was incorrect]; nested: UnrecoverableKeyException[Password verification failed];
Likely root cause: java.security.UnrecoverableKeyException: Password verification failed
        at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:780)

Please suggest how to get past this error.

When we provide the passwords in the yml file it starts to work, but with warnings on the client side as given below.

[299 Elasticsearch-7.16.3-"[node.data] setting was deprecated in Elasticsearch and will be removed in a future release! See the breaking changes documentation for the next major version."],
[299 Elasticsearch-7.16.3-"[xpack.security.http.ssl.truststore.password] setting was deprecated in Elasticsearch and will be removed in a future release! See the breaking changes documentation for the next major version."],
[299 Elasticsearch-7.16.3-"[xpack.security.http.ssl.keystore.password] setting was deprecated in Elasticsearch and will be removed in a future release! See the breaking changes documentation for the next major version."],
[299 Elasticsearch-7.16.3-"[xpack.security.transport.ssl.truststore.password] setting was deprecated in Elasticsearch and will be removed in a future release! See the breaking changes documentation for the next major version."],
[299 Elasticsearch-7.16.3-"[node.master] setting was deprecated in Elasticsearch and will be removed in a future release! See the breaking changes documentation for the next major version."],
[299 Elasticsearch-7.16.3-"[xpack.security.transport.ssl.keystore.password] setting was deprecated in Elasticsearch and will be removed in a future release! See the breaking changes documentation for the next major version."]

I guess that should be fine for now in your cluster's version. Starting with ES version 8:
The xpack.security.http.ssl.enabled setting is now required to configure xpack.security.http.ssl settings.

Details
It is now an error to configure any SSL settings for xpack.security.http.ssl without also configuring xpack.security.http.ssl.enabled .

Impact
If using other xpack.security.http.ssl settings, you must explicitly specify the xpack.security.http.ssl.enabled setting.

If you do not want to enable SSL and are currently using other xpack.security.http.ssl settings, do one of the following:

  • Explicitly specify xpack.security.http.ssl.enabled as false
  • Discontinue use of other xpack.security.http.ssl settings

If you want to enable SSL, follow the instructions in Encrypting HTTP client communications. As part of this configuration, explicitly specify xpack.security.http.ssl.enabled as true .

More details here: Migrating to 8.0 | Elasticsearch Guide [master] | Elastic

1 Like
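The two problems in this thread are easy to check for mechanically: the first startup failure happened because a password-protected keystore/truststore was referenced with no password available to Elasticsearch, and the later warnings came from putting those passwords in elasticsearch.yml as `*.password`, which is deprecated in favour of `*.secure_password` entries in the Elasticsearch secure keystore (`bin/elasticsearch-keystore add ...`). The following is an added example, not code from the thread or from Elastic: a small linter that flattens the two-level yml layout used above, checks each referenced store against a constructed list of keystore entries (as `bin/elasticsearch-keystore list` would print them), and also flags the missing `xpack.security.http.ssl.enabled` that the 8.0 migration note requires. The sample yml, the keystore entry set and the finding codes are constructed for the example; the parser only understands the `section:` / `  key: value` shape shown in the question.

```python
import re
from typing import Dict, Iterable, List, Tuple

# Constructed sample elasticsearch.yml, modelled on the settings in the question, with
# the plaintext passwords that made the node start but triggered deprecation warnings.
SAMPLE_YML = """\
xpack.security.transport.ssl:
  enabled: true
  verification_mode: certificate
  client_authentication: required
  keystore.type: PKCS12
  keystore.path: myCertificate.p12
  keystore.password: changeme
  truststore.type: jks
  truststore.path: my_trustore.jks

xpack.security.http.ssl:
  verification_mode: certificate
  keystore.path: myCertificate.p12
  truststore.path: my_trustore.jks
  truststore.password: changeme
"""

# Constructed `bin/elasticsearch-keystore list` output for the same node: so far only
# the transport truststore password has been moved into the secure keystore.
SAMPLE_KEYSTORE_ENTRIES = {
    "keystore.seed",
    "xpack.security.transport.ssl.truststore.secure_password",
}

# Matches the per-store settings we care about: <store prefix>.<property>
STORE_RE = re.compile(
    r"^(xpack\.security\.(?:transport|http)\.ssl\.(?:keystore|truststore))\.(\w+)$"
)


def flatten_yml(text: str) -> Dict[str, str]:
    """Flatten the 'section:' / '  key: value' layout into dotted keys.

    Deliberately minimal (no PyYAML dependency): top-level 'key: value' lines are kept
    as-is, a top-level 'section:' line opens a block whose indented children get the
    section name prepended.
    """
    settings: Dict[str, str] = {}
    section = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        value = value.strip()
        if indent == 0:
            if value == "":          # 'xpack.security.transport.ssl:' opens a section
                section = key
                continue
            section = None
            settings[key] = value
        else:
            if section is None:
                raise ValueError(f"indented line outside a section: {raw!r}")
            settings[f"{section}.{key}"] = value
    return settings


def lint_ssl_config(settings: Dict[str, str],
                    keystore_entries: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (finding_code, setting_prefix) pairs for the SSL store configuration.

    PLAINTEXT_PASSWORD: '<store>.password' sits in elasticsearch.yml (deprecated).
    NO_PASSWORD:        a store path is configured but neither a yml password nor a
                        '<store>.secure_password' keystore entry exists; a
                        password-protected store then fails to load at startup.
    ENABLED_MISSING:    http.ssl settings present without http.ssl.enabled (8.0 error).
    """
    entries = set(keystore_entries)
    stores: Dict[str, Dict[str, str]] = {}
    for key, value in settings.items():
        m = STORE_RE.match(key)
        if m:
            stores.setdefault(m.group(1), {})[m.group(2)] = value

    findings: List[Tuple[str, str]] = []
    for store, props in sorted(stores.items()):
        if "password" in props:
            findings.append(("PLAINTEXT_PASSWORD", store))
        elif "path" in props and f"{store}.secure_password" not in entries:
            findings.append(("NO_PASSWORD", store))

    http_prefix = "xpack.security.http.ssl."
    if any(k.startswith(http_prefix) for k in settings) and \
            "xpack.security.http.ssl.enabled" not in settings:
        findings.append(("ENABLED_MISSING", "xpack.security.http.ssl"))
    return findings


def suggest_keystore_commands(findings: List[Tuple[str, str]]) -> List[str]:
    """Commands that move each flagged store password into the secure keystore."""
    return [f"bin/elasticsearch-keystore add {store}.secure_password"
            for code, store in findings
            if code in ("PLAINTEXT_PASSWORD", "NO_PASSWORD")]


if __name__ == "__main__":
    found = lint_ssl_config(flatten_yml(SAMPLE_YML), SAMPLE_KEYSTORE_ENTRIES)
    for code, setting in found:
        print(f"{code:20} {setting}")
    print("\n".join(suggest_keystore_commands(found)))
```

After running the suggested `elasticsearch-keystore add` commands (interactively, on every node, since the secure keystore is per node) and deleting the `*.password` lines from elasticsearch.yml, the linter returns no findings; the `*.password` yml settings and the `secure_password` keystore settings are alternatives, and only the latter avoids the deprecation warnings shown in the question.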

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.