ES 7.4.1 - Authentication [Rest API]

AsfK · December 16, 2019, 9:28am

Truly, I already asked the question in stackoverflow but didn't receive an answer yet, so I also create a new topic here..

I’m a newbie in ES and I have a task in my new job to upgrade from 6.4.2 to 7.4.1 – From TCP client to Rest High Level API.

Previously we built the client like this (with SSL & Certificate):

Settings settings = Settings.builder()
      .put("xpack.security.user", String.format("%s:%s",esJavaUser,esJavaPassword))
      .put("cluster.name", esClusterName)
      .put("xpack.security.transport.ssl.enabled", xpackSecurityTransportSslEnabled)
      .put("xpack.ssl.certificate_authorities", xpackSslCertificateAuthorities)
      .build();

 client = new PreBuiltXPackTransportClient(settings);

Now, in rest API, it’s changed to this:

final CredentialsProvider credentialsProvider =
        new BasicCredentialsProvider();
credentialsProvider.setCredentials(AuthScope.ANY,
        new UsernamePasswordCredentials(esJavaUser, esJavaPassword));

RestClientBuilder restClientBuilder = RestClient.builder(hosts)
        .setHttpClientConfigCallback(httpClientBuilder -> httpClientBuilder
                .setDefaultCredentialsProvider(credentialsProvider));
restHighLevelClient = new RestHighLevelClient(restClientBuilder);

With this build I set ES user and password by CredentialsProvider but what about ssl.enabled and certificate_authorities”? how should I provided them with rest API?

TimV · December 17, 2019, 5:43am

The documentation you are looking for is here: Encrypted communication | Java REST Client [7.4] | Elastic

SSL is automatically enabled (or not) based on the scheme (protocol) in the HttpHost objects you pass to the builder.

RestClient.builder(hosts)

If you are using SSL, you want to pass "https" as the scheme (3rd argument) when you construct the HttpHost objects (hosts).

Unfortunately there is no simple means to pass certificate_authorities to the Rest client, you need to turn those certificates into a standard Java truststore.

You can probably find some sample code on the web ("convert PEM certificates to Java truststore"), but the gist of it is:

Open the certificate authority files as an InputStream
Create a X.509 certificate factory: java.security.cert.CertificateFactory.getInstance("X.509")
Call generateCertificates on the certificate factory to read those certificate files into java Certificate objects
Construct an empty KeyStore object
Add the loaded certificates as trusted entries
Pass that to SSLContextBuilder.loadTrustMaterial

AsfK · December 17, 2019, 5:56am

Thank you very much!!

P.S. The documentaion not mention the certificate section you wrote in your answer, maybe you might want to add it... Thanks again!

system · January 14, 2020, 5:56am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.