As part of testing X-Pack Security on Elasticsearch V6.2.4 in our UAT infra, I was trying to set passwords for the built-in users and I am getting the error below.

Can anyone please help/advise on this issue?

[root@elasticsearch-uat-1 elasticsearch]# bin/x-pack/setup-passwords interactive
15:46:35.441 [main] ERROR org.elasticsearch.xpack.core.ssl.SSLService - unsupported ciphers [[TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA]] were requested but cannot be used in this JVM, however there are supported ciphers that will be used [[TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA]]. If you are trying to use ciphers with a key length greater than 128 bits on an Oracle JVM, you will need to install the unlimited strength JCE policy files.
Exception in thread "main" ElasticsearchException[failed to initialize a TrustManagerFactory]; nested: IOException[keystore password was incorrect]; nested: UnrecoverableKeyException[failed to decrypt safe contents entry: javax.crypto.BadPaddingException: Given final block not properly padded];
at org.elasticsearch.xpack.core.ssl.StoreTrustConfig.createTrustManager(
at org.elasticsearch.xpack.core.ssl.SSLService.createSslContext(
at java.util.HashMap.computeIfAbsent(
at org.elasticsearch.xpack.core.ssl.SSLService.lambda$loadSSLConfigurations$0(
at java.util.ArrayList.forEach(
at org.elasticsearch.xpack.core.ssl.SSLService.loadSSLConfigurations(
at org.elasticsearch.xpack.core.ssl.SSLService.(
at org.elasticsearch.cli.EnvironmentAwareCommand.execute(
at org.elasticsearch.cli.Command.mainWithoutErrorHandling(
at org.elasticsearch.cli.MultiCommand.execute(
at org.elasticsearch.cli.Command.mainWithoutErrorHandling(
at org.elasticsearch.cli.Command.main(
Caused by: keystore password was incorrect
at org.elasticsearch.xpack.core.ssl.CertUtils.readKeyStore(
at org.elasticsearch.xpack.core.ssl.CertUtils.trustManager(
at org.elasticsearch.xpack.core.ssl.StoreTrustConfig.createTrustManager(
... 15 more
Caused by: failed to decrypt safe contents entry: javax.crypto.BadPaddingException: Given final block not properly padded
... 20 more
[root@elasticsearch-uat-1 elasticsearch]# pwd
[root@elasticsearch-uat-1 elasticsearch]#

As the error showed "keystore password was incorrect", I tried adding "xpack.ssl.keystore.password" in elasticsearch.yml, but that also does not help.

It's hard to give you specific advice without understanding your configuration, but the general cause of the problem is this:

  • You have configured a truststore (or perhaps keystore, but from the error message, I think it's more likely to be a truststore) somewhere in your elasticsearch.yml
  • You put the password for that truststore into the elasticsearch keystore with the elasticsearch-keystore tool

In the version you are running (6.2), the setup-passwords tool is unable to read SSL passwords from the elasticsearch keystore. It needs them to be in the elasticsearch.yml file.
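One way to find which store is affected, as an added example that is not part of the original thread or of Elasticsearch's tooling: the sketch below lists every SSL keystore or truststore that has a `.path` in elasticsearch.yml but no plaintext `.password` beside it. The function names and sample file are constructed for illustration, and it assumes settings are written as flat dotted keys rather than nested YAML.

```python
import re

# Constructed sample of a flat-key elasticsearch.yml (not from the original post).
SAMPLE_YML = """\
cluster.name: uat
xpack.security.enabled: true
xpack.ssl.keystore.path: certs/node.p12
xpack.ssl.keystore.password: changeit
xpack.ssl.truststore.path: certs/trust.p12
# truststore password was stored with elasticsearch-keystore instead
xpack.security.http.ssl.keystore.path: certs/http.p12
"""

# Matches xpack.ssl.*, xpack.security.http.ssl.*, xpack.security.transport.ssl.*, etc.
STORE_PATH = re.compile(r"^(xpack\.(?:.+\.)?ssl\.(?:keystore|truststore))\.path$")


def parse_flat_yml(text):
    """Parse 'dotted.key: value' lines; nested YAML is out of scope (assumption)."""
    settings = {}
    for line in text.splitlines():
        line = line.split(" #", 1)[0].strip()  # drop trailing inline comments
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip().strip("'\"")
    return settings


def stores_missing_password(settings):
    """Return store prefixes that have a .path but no plaintext .password in the yml."""
    missing = []
    for key in settings:
        match = STORE_PATH.match(key)
        if match and not settings.get(match.group(1) + ".password"):
            missing.append(match.group(1))
    return sorted(missing)


if __name__ == "__main__":
    for prefix in stores_missing_password(parse_flat_yml(SAMPLE_YML)):
        print(f"{prefix}.path is set but {prefix}.password is not in elasticsearch.yml")
```

To check a real node, pass the contents of its elasticsearch.yml to `parse_flat_yml` in place of `SAMPLE_YML`.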

