ElasticsearchException: could not initialize mac


(Ihjaz Mohamed) #1

Hi,

I'm trying to start elasticsearch in secure mode with x-pack. I have the following configuration in the elasticsearch.yml

#---------------xpack security-----------------------
xpack.ssl.key: /etc/elasticsearch/x-pack/server-key.p8
xpack.ssl.certificate: /etc/elasticsearch/x-pack/server_san.crt
xpack.ssl.certificate_authorities: [ "/etc/elasticsearch/x-pack/root_Ca.crt" ]

When I start the elasticsearch service, it fails with the following exception:

[2017-07-25T20:57:46,655][WARN ][o.e.b.ElasticsearchUncaughtExceptionHandler] [] uncaught exception in thread [main]
org.elasticsearch.bootstrap.StartupException: ElasticsearchException[Failed to load plugin class [org.elasticsearch.xpack.XPackPlugin]]; nested: InvocationTargetException; nested: ElasticsearchException[could not initialize mac]; nested: NullPointerException;
        at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:127) ~[elasticsearch-5.5.0.jar:5.5.0]
        at org.elasticsearch.bootstrap.Elasticsearch.execute(Elasticsearch.java:114) ~[elasticsearch-5.5.0.jar:5.5.0]
        at org.elasticsearch.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:67) ~[elasticsearch-5.5.0.jar:5.5.0]
        at org.elasticsearch.cli.Command.mainWithoutErrorHandling(Command.java:122) ~[elasticsearch-5.5.0.jar:5.5.0]
        at org.elasticsearch.cli.Command.main(Command.java:88) ~[elasticsearch-5.5.0.jar:5.5.0]
        at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:91) ~[elasticsearch-5.5.0.jar:5.5.0]
        at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:84) ~[elasticsearch-5.5.0.jar:5.5.0]
Caused by: org.elasticsearch.ElasticsearchException: Failed to load plugin class [org.elasticsearch.xpack.XPackPlugin]
        at org.elasticsearch.plugins.PluginsService.loadPlugin(PluginsService.java:434) ~[elasticsearch-5.5.0.jar:5.5.0]
        at org.elasticsearch.plugins.PluginsService.loadBundles(PluginsService.java:387) ~[elasticsearch-5.5.0.jar:5.5.0]
        at org.elasticsearch.plugins.PluginsService.<init>(PluginsService.java:140) ~[elasticsearch-5.5.0.jar:5.5.0]
        at org.elasticsearch.node.Node.<init>(Node.java:312) ~[elasticsearch-5.5.0.jar:5.5.0]
        at org.elasticsearch.node.Node.<init>(Node.java:244) ~[elasticsearch-5.5.0.jar:5.5.0]
        at org.elasticsearch.bootstrap.Bootstrap$5.<init>(Bootstrap.java:232) ~[elasticsearch-5.5.0.jar:5.5.0]
        at org.elasticsearch.bootstrap.Bootstrap.setup(Bootstrap.java:232) ~[elasticsearch-5.5.0.jar:5.5.0]
        at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:351) ~[elasticsearch-5.5.0.jar:5.5.0]
        at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:123) ~[elasticsearch-5.5.0.jar:5.5.0]
        ... 6 more
Caused by: java.lang.reflect.InvocationTargetException
        at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) ~[?:?]
        at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) ~[?:?]
        at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) ~[?:?]
        at java.lang.reflect.Constructor.newInstance(Constructor.java:423) ~[?:1.8.0_131]
        at org.elasticsearch.plugins.PluginsService.loadPlugin(PluginsService.java:423) ~[elasticsearch-5.5.0.jar:5.5.0]
        at org.elasticsearch.plugins.PluginsService.loadBundles(PluginsService.java:387) ~[elasticsearch-5.5.0.jar:5.5.0]
        at org.elasticsearch.plugins.PluginsService.<init>(PluginsService.java:140) ~[elasticsearch-5.5.0.jar:5.5.0]
        at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:351) ~[elasticsearch-5.5.0.jar:5.5.0]
        at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:123) ~[elasticsearch-5.5.0.jar:5.5.0]
        ... 6 more
Caused by: org.elasticsearch.ElasticsearchException: could not initialize mac
        at org.elasticsearch.xpack.security.crypto.CryptoService.createMac(CryptoService.java:436) ~[?:?]
        at org.elasticsearch.xpack.security.crypto.CryptoService$HmacSHA1HKDF.extractAndExpand(CryptoService.java:537) ~[?:?]
        at org.elasticsearch.xpack.security.crypto.CryptoService.createSigningKey(CryptoService.java:153) ~[?:?]
        at org.elasticsearch.xpack.security.crypto.CryptoService.<init>(CryptoService.java:117) ~[?:?]
        at org.elasticsearch.xpack.security.Security.<init>(Security.java:240) ~[?:?]
at org.elasticsearch.xpack.XPackPlugin.<init>(XPackPlugin.java:208) ~[?:?]
        at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) ~[?:?]
        at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) ~[?:?]
        at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) ~[?:?]
        at java.lang.reflect.Constructor.newInstance(Constructor.java:423) ~[?:1.8.0_131]
        at org.elasticsearch.plugins.PluginsService.loadPlugin(PluginsService.java:423) ~[elasticsearch-5.5.0.jar:5.5.0]
        at org.elasticsearch.plugins.PluginsService.loadBundles(PluginsService.java:387) ~[elasticsearch-5.5.0.jar:5.5.0]
        at org.elasticsearch.plugins.PluginsService.<init>(PluginsService.java:140) ~[elasticsearch-5.5.0.jar:5.5.0]
        at org.elasticsearch.node.Node.<init>(Node.java:312) ~[elasticsearch-5.5.0.jar:5.5.0]
        at org.elasticsearch.node.Node.<init>(Node.java:244) ~[elasticsearch-5.5.0.jar:5.5.0]
Caused by: java.lang.NullPointerException
        at org.bouncycastle.jcajce.provider.BaseHMac.engineReset(BaseHMac.java:153) ~[bc-fips-1.0.1.jar:?]
        at javax.crypto.Mac.reset(Mac.java:655) ~[?:1.8.0_131]
        at org.elasticsearch.xpack.security.crypto.CryptoService$HmacSHA1Provider.hmacSHA1(CryptoService.java:495) ~[?:?]
        at org.elasticsearch.xpack.security.crypto.CryptoService$HmacSHA1Provider.access$000(CryptoService.java:483) ~[?:?]
        at org.elasticsearch.xpack.security.crypto.CryptoService.createMac(CryptoService.java:432) ~[?:?]
        at org.elasticsearch.xpack.security.crypto.CryptoService$HmacSHA1HKDF.extractAndExpand(CryptoService.java:537) ~[?:?]
        at org.elasticsearch.xpack.security.crypto.CryptoService.createSigningKey(CryptoService.java:153) ~[?:?]
        at org.elasticsearch.xpack.security.crypto.CryptoService.<init>(CryptoService.java:117) ~[?:?]
        at org.elasticsearch.xpack.security.Security.<init>(Security.java:240) ~[?:?]
        at org.elasticsearch.xpack.XPackPlugin.<init>(XPackPlugin.java:208) ~[?:?]
        at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) ~[?:?]

Problem accessing trust store
(Tim Vernum) #2

Where did this JAR file come from?
X-Pack doesn't use the FIPS version of Bouncycastle.


(Ihjaz Mohamed) #3

Hi.

Where did this JAR file come from?
X-Pack doesn't use the FIPS version of Bouncycastle.

I have no idea. I have just installed the x-pack plugin and added the ssl configuration in the elasticsearch.yml .


(Tim Vernum) #4

Something about your environment is strange, and isn't a supported configuration.

bc-fips-1.0.1.jar indicates that you are running with the BouncyCastle FIPS provider.
That library is providing the key crypto algorithms for your JVM, and is the cause of this issue.

You'll need to track down why your JVM has been configured to use that JCE provider:

  • We don't officially support using a JCE provided other than the default provider
  • We definitely don't test with the bouncycastle FIPS provider.
  • To the best of my knowledge, the 1.0.1 BC FIPS provider is only in testing and is not available for general use, so you are trying to run with software that is not officially production ready.

(Ihjaz Mohamed) #5

Thanks Tim for the quick response.

I'm also running into another issue mentioned here: Problem accessing trust store.
Is this also because my JVM is using a JCE provider?


(Tim Vernum) #6

Yes, that is likely.

The BC FIPS provider does not support standard JKS keystores, so it will require special configuration.


(system) #7

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.