Configure X-Pack.Security on ELK V6.2.4


(Sreejith) #1

As part of testing X-Pack.Security on Elasticsearch V6.2.4 in our UAT infra, I was trying to set passwords for the built-in users and I am getting the error below.

Can anyone please help/advise on this issue?

[root@elasticsearch-uat-1 elasticsearch]# bin/x-pack/setup-passwords interactive
15:46:35.441 [main] ERROR org.elasticsearch.xpack.core.ssl.SSLService - unsupported ciphers [[TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA]] were requested but cannot be used in this JVM, however there are supported ciphers that will be used [[TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA]]. If you are trying to use ciphers with a key length greater than 128 bits on an Oracle JVM, you will need to install the unlimited strength JCE policy files.
Exception in thread "main" ElasticsearchException[failed to initialize a TrustManagerFactory]; nested: IOException[keystore password was incorrect]; nested: UnrecoverableKeyException[failed to decrypt safe contents entry: javax.crypto.BadPaddingException: Given final block not properly padded];
at org.elasticsearch.xpack.core.ssl.StoreTrustConfig.createTrustManager(StoreTrustConfig.java:72)
at org.elasticsearch.xpack.core.ssl.SSLService.createSslContext(SSLService.java:419)
at java.util.HashMap.computeIfAbsent(HashMap.java:1118)
at org.elasticsearch.xpack.core.ssl.SSLService.lambda$loadSSLConfigurations$0(SSLService.java:465)
at java.util.ArrayList.forEach(ArrayList.java:1249)
at org.elasticsearch.xpack.core.ssl.SSLService.loadSSLConfigurations(SSLService.java:464)
at org.elasticsearch.xpack.core.ssl.SSLService.<init>(SSLService.java:91)
at org.elasticsearch.xpack.security.authc.esnative.tool.CommandLineHttpClient.postURL(CommandLineHttpClient.java:92)
at org.elasticsearch.xpack.security.authc.esnative.tool.SetupPasswordTool$SetupCommand.checkElasticKeystorePasswordValid(SetupPasswordTool.java:278)
at org.elasticsearch.xpack.security.authc.esnative.tool.SetupPasswordTool$InteractiveSetup.execute(SetupPasswordTool.java:172)
at org.elasticsearch.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:86)
at org.elasticsearch.cli.Command.mainWithoutErrorHandling(Command.java:124)
at org.elasticsearch.cli.MultiCommand.execute(MultiCommand.java:75)
at org.elasticsearch.cli.Command.mainWithoutErrorHandling(Command.java:124)
at org.elasticsearch.cli.Command.main(Command.java:90)
at org.elasticsearch.xpack.security.authc.esnative.tool.SetupPasswordTool.main(SetupPasswordTool.java:105)
Caused by: java.io.IOException: keystore password was incorrect
at sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:2015)
at java.security.KeyStore.load(KeyStore.java:1445)
at org.elasticsearch.xpack.core.ssl.CertUtils.readKeyStore(CertUtils.java:276)
at org.elasticsearch.xpack.core.ssl.CertUtils.trustManager(CertUtils.java:267)
at org.elasticsearch.xpack.core.ssl.StoreTrustConfig.createTrustManager(StoreTrustConfig.java:70)
... 15 more
Caused by: java.security.UnrecoverableKeyException: failed to decrypt safe contents entry: javax.crypto.BadPaddingException: Given final block not properly padded
... 20 more
[root@elasticsearch-uat-1 elasticsearch]# pwd
/usr/share/elasticsearch
[root@elasticsearch-uat-1 elasticsearch]#


(Sreejith) #2

As the error showed "keystore password was incorrect", I tried adding "xpack.ssl.keystore.password" in elasticsearch.yml, but that also does not help.


(Tim Vernum) #3

It's hard to give you specific advice without understanding your configuration, but the general cause of the problem is this:

  • You have configured a truststore (or perhaps keystore, but from the error message, I think it's more likely to be a truststore) somewhere in your elasticsearch.yml
  • You put the password for that truststore into the elasticsearch keystore with the elasticsearch-keystore tool

In the version you are running (6.2), the setup-passwords tool is unable to read SSL passwords from the elasticsearch keystore. It needs them to be in the elasticsearch.yml file.
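
A quick check for the situation described in the reply above, as an added example that is not part of the original thread and is not Elastic tooling: it lists every truststore or keystore that elasticsearch.yml references by path without a plain-text password setting beside it. It assumes flat dotted keys rather than nested YAML; the function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: report SSL stores in elasticsearch.yml that have a *.path
# setting but no plain-text *.password setting in the same file. Per the reply
# above, setup-passwords in 6.2 cannot read such passwords from the
# elasticsearch keystore.
# Assumption: flat dotted keys ("xpack.ssl.truststore.path: ..."), not nested YAML.

# find_missing_store_passwords FILE   ("-" reads standard input)
# Prints one "<prefix>.password" line per store whose password is not in FILE.
find_missing_store_passwords() {
    awk '
        /^[[:space:]]*#/ { next }            # commented-out settings do not count
        {
            i = index($0, ":")               # split "key: value" at the first colon
            if (i == 0) next
            key = substr($0, 1, i - 1)
            gsub(/[[:space:]]/, "", key)
            if (key ~ /\.(truststore|keystore)\.path$/) {
                sub(/\.path$/, "", key); stores[key] = 1
            } else if (key ~ /\.(truststore|keystore)\.password$/) {
                sub(/\.password$/, "", key); have[key] = 1
            }
        }
        END { for (s in stores) if (!(s in have)) print s ".password" }
    ' "$1" | LC_ALL=C sort
}

# Constructed sample configuration (paths and password are placeholders).
sample_config() {
    cat <<'EOF'
xpack.security.enabled: true
xpack.ssl.keystore.path: certs/node.p12
xpack.ssl.keystore.password: constructed-example-1
xpack.ssl.truststore.path: certs/trust.p12
# xpack.ssl.truststore.password: commented-out
xpack.security.http.ssl.truststore.path: certs/http-trust.p12
EOF
}

# Run against the file given as $1, or against the sample when none is given.
if [ "$#" -gt 0 ]; then
    find_missing_store_passwords "$1"
else
    sample_config | find_missing_store_passwords -
fi
```

Each name it prints is a setting that setup-passwords would need to find in elasticsearch.yml on 6.2.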

