ES 5.2.2 with search guard - access denied ("java.security.SecurityPermission" "getProperty.ssl.KeyManagerFactory.algorithm")


(Siva) #1

We are using elastic search 5.2.2 along with search guard pluging for DB indexing, where we are using hte self signed certificate of the nodes for ssl.transport during clustering. And java is openjdk 1.8 of build 151.
Our setup is working with out any issues in non prod and when we moved to prod we are getting below error when we are starting the elastic search service, anyany has any approach please help me.

Note: I tried updaing the JAVAOPTS for overridding the search guard policy instead of the default jvm java policy as mentioned another forum but of no luck.

[2018-02-22T11:51:06,146][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] Config directory is /etc/elasticsearch/, from there the key- and truststore files are resolved relatively

       .... CROPPING MIDDLE ONES DUE TO LIMITATION ON THE CHARS TO BE POSTED.

        ... 6 more
Caused by: java.security.AccessControlException: access denied ("java.security.SecurityPermission" "getProperty.ssl.KeyManagerFactory.algorithm")
        at java.security.AccessControlContext.checkPermission(AccessControlContext.java:472) ~[?:1.8.0_151]
        at java.security.AccessController.checkPermission(AccessController.java:884) ~[?:1.8.0_151]
        at java.lang.SecurityManager.checkPermission(SecurityManager.java:549) ~[?:1.8.0_151]
        at java.security.Security.getProperty(Security.java:760) ~[?:1.8.0_151]
        at io.netty.handler.ssl.SslContext.buildKeyManagerFactory(SslContext.java:1078) ~[?:?]
        at io.netty.handler.ssl.JdkSslServerContext.newSSLContext(JdkSslServerContext.java:245) ~[?:?]
        at io.netty.handler.ssl.JdkSslServerContext.<init>(JdkSslServerContext.java:226) ~[?:?]
        at io.netty.handler.ssl.SslContext.newServerContextInternal(SslContext.java:409) ~[?:?]
        at io.netty.handler.ssl.SslContextBuilder.build(SslContextBuilder.java:402) ~[?:?]
        at com.floragunn.searchguard.ssl.DefaultSearchGuardKeyStore$1.run(DefaultSearchGuardKeyStore.java:657) ~[?:?]
        at com.floragunn.searchguard.ssl.DefaultSearchGuardKeyStore$1.run(DefaultSearchGuardKeyStore.java:654) ~[?:?]
        at java.security.AccessController.doPrivileged(Native Method) ~[?:1.8.0_151]
        at com.floragunn.searchguard.ssl.DefaultSearchGuardKeyStore.buildSSLContext0(DefaultSearchGuardKeyStore.java:654) ~[?:?]
        at com.floragunn.searchguard.ssl.DefaultSearchGuardKeyStore.buildSSLServerContext(DefaultSearchGuardKeyStore.java:588) ~[?:?]
        at com.floragunn.searchguard.ssl.DefaultSearchGuardKeyStore.initSSLConfig(DefaultSearchGuardKeyStore.java:254) ~[?:?]
        at com.floragunn.searchguard.ssl.DefaultSearchGuardKeyStore.<init>(DefaultSearchGuardKeyStore.java:147) ~[?:?]
        at com.floragunn.searchguard.SearchGuardPlugin.<init>(SearchGuardPlugin.java:192) ~[?:?]
        at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) ~[?:?]
        at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) ~[?:?]
        at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) ~[?:?]
        at java.lang.reflect.Constructor.newInstance(Constructor.java:423) ~[?:1.8.0_151]
        at org.elasticsearch.plugins.PluginsService.loadPlugin(PluginsService.java:373) ~[elasticsearch-5.2.2.jar:5.2.2]
        at org.elasticsearch.plugins.PluginsService.loadBundles(PluginsService.java:336) ~[elasticsearch-5.2.2.jar:5.2.2]
        at org.elasticsearch.plugins.PluginsService.<init>(PluginsService.java:132) ~[elasticsearch-5.2.2.jar:5.2.2]
        at org.elasticsearch.node.Node.<init>(Node.java:297) ~[elasticsearch-5.2.2.jar:5.2.2]
        at org.elasticsearch.node.Node.<init>(Node.java:232) ~[elasticsearch-5.2.2.jar:5.2.2]
        at org.elasticsearch.bootstrap.Bootstrap$6.<init>(Bootstrap.java:241) ~[elasticsearch-5.2.2.jar:5.2.2]
        at org.elasticsearch.bootstrap.Bootstrap.setup(Bootstrap.java:241) ~[elasticsearch-5.2.2.jar:5.2.2]
        at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:333) ~[elasticsearch-5.2.2.jar:5.2.2]
        at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:121) ~[elasticsearch-5.2.2.jar:5.2.2]
        ... 6 more
testuser@dummyhostname[PRD][elasticsearch] $

(David Pilato) #2

I think you need to ask the author of this project and open an issue may be in their repo.


(Siva) #3

Thanks, will defenitely do the same as our support licensing is under process.

Between any other trouble shooting pointers or a workaround already tried by any one should help us as an intermitent relief.

Thanks
Siva


(system) #4

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.