We are trying to configure security in an Elasticsearch cluster with the instructions provided in the official documentation for version 7.16.3. Our organization provides us with the certificates in .p12 format and truststore certificates in .jks format. We are using Elasticsearch in a clustered environment and would like to enable security on both the transport and HTTP layers. The issue here is that I don't want to generate the certificates with the Elasticsearch cert util but instead use the organization-provided certificates to communicate with Elasticsearch.
My YML looks like below:

xpack.security.transport.ssl:
  enabled: true
  verification_mode: certificate
  client_authentication: required
  keystore.type: PKCS12
  keystore.path: myCertificate.p12
  truststore.type: jks
  truststore.path: my_trustore.jks
xpack.security.http.ssl:
  enabled: true
  verification_mode: certificate
  client_authentication: required
  keystore.path: myCertificate.p12
  keystore.type: PKCS12
  truststore.type: jks
  truststore.path: my_trustore.jks

With these settings I am getting errors when starting the Elastic cluster.
ElasticsearchSecurityException[failed to load SSL configuration [xpack.security.transport.ssl]]; nested: ElasticsearchException[failed to initialize SSL TrustManager]; nested: IOException[Keystore was tampered with, or password was incorrect]; nested: UnrecoverableKeyException[Password verification failed];
Likely root cause: java.security.UnrecoverableKeyException: Password verification failed
at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:780)
Please suggest how to get past this error.
When we provide the passwords in the YML file it starts to work, but with warnings on the client side as given below.
[299 Elasticsearch-7.16.3-"[node.data] setting was deprecated in Elasticsearch and will be removed in a future release! See the breaking changes documentation for the next major version."],
[299 Elasticsearch-7.16.3-"[xpack.security.http.ssl.truststore.password] setting was deprecated in Elasticsearch and will be removed in a future release! See the breaking changes documentation for the next major version."],
[299 Elasticsearch-7.16.3-"[xpack.security.http.ssl.keystore.password] setting was deprecated in Elasticsearch and will be removed in a future release! See the breaking changes documentation for the next major version."],
[299 Elasticsearch-7.16.3-"[xpack.security.transport.ssl.truststore.password] setting was deprecated in Elasticsearch and will be removed in a future release! See the breaking changes documentation for the next major version."],
[299 Elasticsearch-7.16.3-"[node.master] setting was deprecated in Elasticsearch and will be removed in a future release! See the breaking changes documentation for the next major version."],
[299 Elasticsearch-7.16.3-"[xpack.security.transport.ssl.keystore.password] setting was deprecated in Elasticsearch and will be removed in a future release! See the breaking changes documentation for the next major version."]
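
Added example, not part of the original post: the deprecated `*.password` settings named in the warnings have `*.secure_password` counterparts that are stored in the Elasticsearch keystore with `bin/elasticsearch-keystore add` rather than in elasticsearch.yml. The sketch below parses the `299` warning headers and lists what to move; the function names and the sample list (built from the setting names in the post) are assumptions made for illustration.

```python
import re

# Warning text copied from the post; the sample list is constructed from the
# six setting names that appear in its warnings.
_TEMPLATE = ('299 Elasticsearch-7.16.3-"[{}] setting was deprecated in Elasticsearch '
             'and will be removed in a future release! See the breaking changes '
             'documentation for the next major version."')
SAMPLE_WARNINGS = [_TEMPLATE.format(n) for n in (
    "node.data",
    "xpack.security.http.ssl.truststore.password",
    "xpack.security.http.ssl.keystore.password",
    "xpack.security.transport.ssl.truststore.password",
    "node.master",
    "xpack.security.transport.ssl.keystore.password",
)]
_WARNING_RE = re.compile(r'299 Elasticsearch-\S+?"\[([^\]]+)\] setting was deprecated')
_SSL_PASSWORD_RE = re.compile(
    r'^xpack\.security\.(?:http|transport)\.ssl\.(?:keystore|truststore)\.password$')

def deprecated_settings(warnings):
    """Return the unique setting names found in 299 warnings, in first-seen order."""
    seen = []
    for line in warnings:
        for name in _WARNING_RE.findall(line):
            if name not in seen:
                seen.append(name)
    return seen

def secure_equivalent(setting):
    """Map a plaintext SSL store password setting to its secure_password form."""
    if _SSL_PASSWORD_RE.match(setting):
        return setting[: -len("password")] + "secure_password"
    return None

def migration_plan(warnings):
    """Split deprecated settings into keystore migrations and everything else."""
    plan = {"remove_from_yml": [], "keystore_commands": [], "other_deprecated": []}
    for name in deprecated_settings(warnings):
        secure = secure_equivalent(name)
        if secure:
            plan["remove_from_yml"].append(name)
            plan["keystore_commands"].append("bin/elasticsearch-keystore add " + secure)
        else:
            plan["other_deprecated"].append(name)
    return plan

if __name__ == "__main__":
    print("\n".join(migration_plan(SAMPLE_WARNINGS)["keystore_commands"]))
```

The keystore is per node, so the generated commands are run on every node in the cluster before the plaintext lines are removed from its elasticsearch.yml.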