FIPS enabled but can not it show warning

Hi

I configured FIPS in elasticsearch-7.6.2, but it shows the error below.
Can anyone please help?

[2020-05-21T20:17:58,238][INFO ][o.e.c.s.MasterService ] [node01] elected-as-master ([1] nodes joined)[{node01}{RQX2t-LHTsaRkBJMU2fiPA}{r4_h-sunTY-4Q_K_fDG75Q}{node01.elastic.test.com}{10.101.200.176:9300}{dilm}{ml.machine_memory=8364130304, xpack.installed=true, ml.max_open_jobs=20} elect leader, BECOME_MASTER_TASK, FINISH_ELECTION], term: 740355, version: 964, delta: master node changed {previous , current [{node01}{RQX2t-LHTsaRkBJMU2fiPA}{r4_h-sunTY-4Q_K_fDG75Q}{node01.elastic.test.com}{10.101.200.176:9300}{dilm}{ml.machine_memory=8364130304, xpack.installed=true, ml.max_open_jobs=20}]}
[2020-05-21T20:17:58,290][WARN ][o.e.c.s.MasterService ] [node01] failing [elected-as-master ([1] nodes joined)[{node01}{RQX2t-LHTsaRkBJMU2fiPA}{r4_h-sunTY-4Q_K_fDG75Q}{node01.elastic.test.com}{10.101.200.176:9300}{dilm}{ml.machine_memory=8364130304, xpack.installed=true, ml.max_open_jobs=20} elect leader, BECOME_MASTER_TASK, FINISH_ELECTION]]: failed to commit cluster state version [964]
org.elasticsearch.cluster.coordination.FailedToCommitClusterStateException: publication failed
at org.elasticsearch.cluster.coordination.Coordinator$CoordinatorPublication$4.onFailure(Coordinator.java:1430) ~[elasticsearch-7.6.2.jar:7.6.2]
at org.elasticsearch.action.ActionRunnable.onFailure(ActionRunnable.java:88) ~[elasticsearch-7.6.2.jar:7.6.2]
at org.elasticsearch.common.util.concurrent.AbstractRunnable.run(AbstractRunnable.java:39) ~[elasticsearch-7.6.2.jar:7.6.2]
at org.elasticsearch.common.util.concurrent.EsExecutors$DirectExecutorService.execute(EsExecutors.java:225) ~[elasticsearch-7.6.2.jar:7.6.2]
at org.elasticsearch.common.util.concurrent.ListenableFuture.notifyListener(ListenableFuture.java:106) ~[elasticsearch-7.6.2.jar:7.6.2]
at org.elasticsearch.common.util.concurrent.ListenableFuture.addListener(ListenableFuture.java:68) ~[elasticsearch-7.6.2.jar:7.6.2]
at org.elasticsearch.cluster.coordination.Coordinator$CoordinatorPublication.onCompletion(Coordinator.java:1350) ~[elasticsearch-7.6.2.jar:7.6.2]
at org.elasticsearch.cluster.coordination.Publication.onPossibleCompletion(Publication.java:125) ~[elasticsearch-7.6.2.jar:7.6.2]
at org.elasticsearch.cluster.coordination.Publication.onPossibleCommitFailure(Publication.java:173) ~[elasticsearch-7.6.2.jar:7.6.2]
at org.elasticsearch.cluster.coordination.Publication.access$500(Publication.java:42) ~[elasticsearch-7.6.2.jar:7.6.2]
at org.elasticsearch.cluster.coordination.Publication$PublicationTarget$PublishResponseHandler.onFailure(Publication.java:369) ~[elasticsearch-7.6.2.jar:7.6.2]
at org.elasticsearch.cluster.coordination.Coordinator$5.onFailure(Coordinator.java:1118) ~[elasticsearch-7.6.2.jar:7.6.2]
at org.elasticsearch.cluster.coordination.PublicationTransportHandler$2$1.onFailure(PublicationTransportHandler.java:205) ~[elasticsearch-7.6.2.jar:7.6.2]
at org.elasticsearch.cluster.coordination.PublicationTransportHandler.lambda$sendClusterStateToNode$6(PublicationTransportHandler.java:271) ~[elasticsearch-7.6.2.jar:7.6.2]
at org.elasticsearch.cluster.coordination.PublicationTransportHandler$3.handleException(PublicationTransportHandler.java:289) ~[elasticsearch-7.6.2.jar:7.6.2]
at org.elasticsearch.transport.TransportService$ContextRestoreResponseHandler.handleException(TransportService.java:1130) ~[elasticsearch-7.6.2.jar:7.6.2]
at org.elasticsearch.transport.TransportService$ContextRestoreResponseHandler.handleException(TransportService.java:1130) ~[elasticsearch-7.6.2.jar:7.6.2]
at org.elasticsearch.transport.TransportService$DirectResponseChannel.processException(TransportService.java:1239) ~[elasticsearch-7.6.2.jar:7.6.2]
at org.elasticsearch.transport.TransportService$DirectResponseChannel$2.run(TransportService.java:1218) ~[elasticsearch-7.6.2.jar:7.6.2]
at org.elasticsearch.common.util.concurrent.ThreadContext$ContextPreservingRunnable.run(ThreadContext.java:633) ~[elasticsearch-7.6.2.jar:7.6.2]
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128) [?:?]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628) [?:?]
at java.lang.Thread.run(Thread.java:835) [?:?]
Caused by: java.lang.IllegalStateException: FIPS mode cannot be used with a [BASIC] license. It is only allowed with a Platinum or Trial license.
at org.elasticsearch.xpack.security.Security$ValidateLicenseForFIPS.accept(Security.java:1086) ~[?:?]
at org.elasticsearch.xpack.security.Security$ValidateLicenseForFIPS.accept(Security.java:1073) ~[?:?]
at java.util.function.BiConsumer.lambda$andThen$0(BiConsumer.java:72) ~[?:?]
at org.elasticsearch.cluster.coordination.Coordinator.lambda$handlePublishRequest$2(Coordinator.java:328) ~[elasticsearch-7.6.2.jar:7.6.2]
at java.util.ArrayList.forEach(ArrayList.java:1540) ~[?:?]
at java.util.Collections$UnmodifiableCollection.forEach(Collections.java:1085) ~[?:?]
at org.elasticsearch.cluster.coordination.Coordinator.handlePublishRequest(Coordinator.java:328) ~[elasticsearch-7.6.2.jar:7.6.2]
at org.elasticsearch.cluster.coordination.PublicationTransportHandler.acceptState(PublicationTransportHandler.java:447) ~[elasticsearch-7.6.2.jar:7.6.2]
at org.elasticsearch.cluster.coordination.PublicationTransportHandler.handleIncomingPublishRequest(PublicationTransportHandler.java:406) ~[elasticsearch-7.6.2.jar:7.6.2]
at org.elasticsearch.cluster.coordination.PublicationTransportHandler.lambda$new$0(PublicationTransportHandler.java:100) ~[elasticsearch-7.6.2.jar:7.6.2]
at org.elasticsearch.xpack.security.transport.SecurityServerTransportInterceptor$ProfileSecuredRequestHandler$1.doRun(SecurityServerTransportInterceptor.java:257) ~[?:?]
at org.elasticsearch.common.util.concurrent.AbstractRunnable.run(AbstractRunnable.java:37) ~[elasticsearch-7.6.2.jar:7.6.2]
at org.elasticsearch.common.util.concurrent.EsExecutors$DirectExecutorService.execute(EsExecutors.java:225) ~[elasticsearch-7.6.2.jar:7.6.2]
at org.elasticsearch.xpack.security.transport.SecurityServerTransportInterceptor$ProfileSecuredRequestHandler.lambda$messageReceived$0(SecurityServerTransportInterceptor.java:306) ~[?:?]
at org.elasticsearch.action.ActionListener$1.onResponse(ActionListener.java:63) ~[elasticsearch-7.6.2.jar:7.6.2]
at org.elasticsearch.xpack.security.authz.AuthorizationService.authorizeSystemUser(AuthorizationService.java:378) ~[?:?]
at org.elasticsearch.xpack.security.authz.AuthorizationService.authorize(AuthorizationService.java:186) ~[?:?]
at org.elasticsearch.xpack.security.transport.ServerTransportFilter$NodeProfile.lambda$inbound$1(ServerTransportFilter.java:130) ~[?:?]
at org.elasticsearch.action.ActionListener$1.onResponse(ActionListener.java:63) ~[elasticsearch-7.6.2.jar:7.6.2]
at org.elasticsearch.xpack.security.authc.AuthenticationService$Authenticator.lambda$authenticateAsync$2(AuthenticationService.java:248) ~[?:?]
at org.elasticsearch.xpack.security.authc.AuthenticationService$Authenticator.lambda$lookForExistingAuthentication$6(AuthenticationService.java:310) ~[?:?]
at org.elasticsearch.xpack.security.authc.AuthenticationService$Authenticator.lookForExistingAuthentication(AuthenticationService.java:321) ~[?:?]
at org.elasticsearch.xpack.security.authc.AuthenticationService$Authenticator.authenticateAsync(AuthenticationService.java:245) ~[?:?]
at org.elasticsearch.xpack.security.authc.AuthenticationService$Authenticator.access$000(AuthenticationService.java:196) ~[?:?]
at org.elasticsearch.xpack.security.authc.AuthenticationService.authenticate(AuthenticationService.java:139) ~[?:?]
at org.elasticsearch.xpack.security.transport.ServerTransportFilter$NodeProfile.inbound(ServerTransportFilter.java:121) ~[?:?]
at org.elasticsearch.xpack.security.transport.SecurityServerTransportInterceptor$ProfileSecuredRequestHandler.messageReceived(SecurityServerTransportInterceptor.java:313) ~[?:?]
at org.elasticsearch.transport.RequestHandlerRegistry.processMessageReceived(RequestHandlerRegistry.java:63) ~[elasticsearch-7.6.2.jar:7.6.2]
at org.elasticsearch.transport.TransportService$7.doRun(TransportService.java:762) ~[elasticsearch-7.6.2.jar:7.6.2]
at org.elasticsearch.common.util.concurrent.ThreadContext$ContextPreservingAbstractRunnable.doRun(ThreadContext.java:692) ~[elasticsearch-7.6.2.jar:7.6.2]
at org.elasticsearch.common.util.concurrent.AbstractRunnable.run(AbstractRunnable.java:37) ~[elasticsearch-7.6.2.jar:7.6.2]
... 3 more

  1. xpack.security.fips_mode.enabled does not make your Elasticsearch node FIPS 140 approved; it allows you to run Elasticsearch in a JVM that is configured to be FIPS 140 approved.

  2. As the message is saying, this is supported only with a Platinum license.


Hi @ikakavas

How can I run Elasticsearch in a JVM that is configured to be FIPS 140 approved?
Can you please help here?

I believe the question you should be asking at this point is how to set up your JVM to run in a FIPS 140 approved mode. Please check https://www.bouncycastle.org/fips-java/ as an example of a Security Provider that can be set in FIPS 140 approved mode and their documentation on how to configure that.
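
The two conditions raised in the answers above (licence level and a FIPS-configured JVM) can be checked before a node is restarted. The following is an added example, not part of the original thread and not Elastic's code: a pre-flight check over `elasticsearch.yml`, the JSON returned by `GET /_license`, and the JVM's `java.security` file. The sample inputs are constructed, and treating any provider whose class name contains "fips" as a FIPS provider is an assumption of this sketch.

```python
import json
import re

# Licence types the error message on this page names as acceptable in 7.6.2.
FIPS_LICENSES = {"platinum", "trial"}
FIPS_SETTING = "xpack.security.fips_mode.enabled"

# Constructed sample inputs (not taken from the poster's cluster).
SAMPLE_YML = "cluster.name: demo\nxpack.security.fips_mode.enabled: true\n"
SAMPLE_LICENSE = '{"license": {"status": "active", "type": "basic"}}'
SAMPLE_JAVA_SECURITY = "# default JDK providers\nsecurity.provider.1=SUN\nsecurity.provider.2=SunRsaSign\n"
SAMPLE_BCFIPS = "security.provider.1=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider\nsecurity.provider.2=SUN\n"

def fips_setting_enabled(yml_text):
    """True if the flat-key form of the setting is present, uncommented, and true."""
    m = re.search(r"^[ \t]*" + re.escape(FIPS_SETTING) + r"[ \t]*:[ \t]*(\S+)", yml_text, re.M)
    return bool(m) and m.group(1).strip("\"'").lower() == "true"

def jvm_providers(java_security_text):
    """Provider entries from uncommented security.provider.N lines, in preference order."""
    found = re.findall(r"^[ \t]*security\.provider\.(\d+)[ \t]*=[ \t]*(\S+)", java_security_text, re.M)
    return [cls for _, cls in sorted(found, key=lambda p: int(p[0]))]

def preflight(yml_text, license_json, java_security_text):
    """List the problems that would stop or undermine a FIPS-mode start."""
    problems = []
    if not fips_setting_enabled(yml_text):
        return problems  # FIPS mode not requested, nothing to validate
    lic_type = json.loads(license_json)["license"]["type"]
    if lic_type.lower() not in FIPS_LICENSES:
        problems.append(f"license is [{lic_type.upper()}]; FIPS mode needs Platinum or Trial")
    # Assumption: a FIPS provider is recognisable by "fips" in its class name.
    if not any("fips" in p.lower() for p in jvm_providers(java_security_text)):
        problems.append("no FIPS provider in java.security; the setting alone does not configure the JVM")
    return problems

if __name__ == "__main__":
    for problem in preflight(SAMPLE_YML, SAMPLE_LICENSE, SAMPLE_JAVA_SECURITY):
        print("FAIL:", problem)
```

A provider entry in `java.security` is necessary but not sufficient: the provider still has to be installed and placed in approved mode as its own documentation describes.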

Thanks @ikakavas