Configure X-Pack.Security on ELK V6.2.4

(Sreejith) #1

As part of testing X-Pack.Security on Elasticsearch V6.2.4 in our UAT infra , Was trting to set passwords for build in users i am getting below error .

Can anyone please help/advise on this issue

[root@elasticsearch-uat-1 elasticsearch]# bin/x-pack/setup-passwords interactive
15:46:35.441 [main] ERROR org.elasticsearch.xpack.core.ssl.SSLService - unsupported ciphers [[TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA]] were requested but cannot be used in this JVM, however there are supported ciphers that will be used [[TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA]]. If you are trying to use ciphers with a key length greater than 128 bits on an Oracle JVM, you will need to install the unlimited strength JCE policy files.
Exception in thread "main" ElasticsearchException[failed to initialize a TrustManagerFactory]; nested: IOException[keystore password was incorrect]; nested: UnrecoverableKeyException[failed to decrypt safe contents entry: javax.crypto.BadPaddingException: Given final block not properly padded];
at org.elasticsearch.xpack.core.ssl.StoreTrustConfig.createTrustManager(
at org.elasticsearch.xpack.core.ssl.SSLService.createSslContext(
at java.util.HashMap.computeIfAbsent(
at org.elasticsearch.xpack.core.ssl.SSLService.lambda$loadSSLConfigurations$0(
at java.util.ArrayList.forEach(
at org.elasticsearch.xpack.core.ssl.SSLService.loadSSLConfigurations(
at org.elasticsearch.xpack.core.ssl.SSLService.(
at org.elasticsearch.cli.EnvironmentAwareCommand.execute(
at org.elasticsearch.cli.Command.mainWithoutErrorHandling(
at org.elasticsearch.cli.MultiCommand.execute(
at org.elasticsearch.cli.Command.mainWithoutErrorHandling(
at org.elasticsearch.cli.Command.main(
Caused by: keystore password was incorrect
at org.elasticsearch.xpack.core.ssl.CertUtils.readKeyStore(
at org.elasticsearch.xpack.core.ssl.CertUtils.trustManager(
at org.elasticsearch.xpack.core.ssl.StoreTrustConfig.createTrustManager(
... 15 more
Caused by: failed to decrypt safe contents entry: javax.crypto.BadPaddingException: Given final block not properly padded
... 20 more
[root@elasticsearch-uat-1 elasticsearch]# pwd
[root@elasticsearch-uat-1 elasticsearch]#

(Sreejith) #2

As the error showed "keystore password was incorrect" i tried adding "xpack.ssl.keystore.password" in elasticsearch.yml , BUT that also does not help

(Tim Vernum) #3

It's hard to give you specific advice without understanding your configuration, but the general cause of the problem is this:

  • You have configured a truststore (or perhaps keystore, but from the error message, I think it's more likely to be a truststore) somewhere in your elasticsearch.yml
  • You pust the password for that truststore into the elasticsearch keystore with the elasticsearch-keystore tool

In the version you are running (6.2), the setup-passwords tool is unable to read SSL passwords from the elasticsearch keystore. It needs them to be in the elasticsearch.yml file.

(system) #4

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.