How to set up PKI auth for Kibana and Elasticsearch


(Rajeshwer rao Madoori) #1

Hello. I would like to set Kibana to use PKI auth instead of username/password.
I have added realms in the elasticsearch.yml file, but it didn't work.

elasticsearch.yml

```yaml
cluster.name: cluster
node.master: false
node.data: false
node.name: es-coordinating
node.ingest: false
network.host: 0.0.0.0
discovery.zen.minimum_master_nodes: 1
discovery.zen.ping.unicast.hosts: ["es-coordinating","es-master","es-data"]
node.ml: false
xpack.security.enabled: true
xpack:
  security:
    authc:
      realms:
        pki1:
          type: pki
xpack.ml.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.key: /usr/share/elasticsearch/config/tls_server/tls_server/key.pem
xpack.security.transport.ssl.certificate: /usr/share/elasticsearch/config/tls_server/tls_server/crt.pem
xpack.security.transport.ssl.certificate_authorities: [ "/usr/share/elasticsearch/config/certs/CA.crt" ]
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.key: /usr/share/elasticsearch/config/tls_server/tls_server/key.pem
xpack.security.http.ssl.certificate: /usr/share/elasticsearch/config/tls_server/tls_server/crt.pem
xpack.security.http.ssl.certificate_authorities: [ "/usr/share/elasticsearch/config/certs/CA.crt" ]
```

kibana.yaml

```yaml
server:
  name: "kibana"
  host: 0.0.0.0
  port: 5601
elasticsearch.url: "https://es-coordinating:9200"
xpack.security.enabled: true
server.ssl.enabled: true
server.ssl.key: /usr/share/kibana/config/tls_server/tls_server/key.pem
server.ssl.certificate: /usr/share/kibana/config/tls_server/tls_server/crt.pem
elasticsearch.ssl.certificateAuthorities: /usr/share/kibana/config/certs/CA.crt
```

(Brandon Kobel) #2

Hey @rmadoori, you can use PKI to authenticate the internal Kibana server user with Elasticsearch, but it's not possible to authenticate the actual logged in end-users with Elasticsearch, yet. We're tracking that effort here: https://github.com/elastic/kibana/issues/7341

To get the Kibana server user authenticating using PKI, you'll need to set the elasticsearch.ssl.certificate and elasticsearch.ssl.key settings in your kibana.yml.


(Rajeshwer rao Madoori) #3

Thanks for the prompt response.

Should I set transport.ssl.certificate or http.ssl.certificate in Kibana?


(Brandon Kobel) #4

In your kibana.yml, you set elasticsearch.ssl.certificate: /path/to/cert.crt and elasticsearch.ssl.key: /path/to/key.key

In your elasticsearch.yml, you set xpack.security.http.ssl.client_authentication: optional


(Rajeshwer rao Madoori) #5

Hi,

I have added the setting in kibana.yaml

```yaml
server:
  name: "kibana"
  host: 0.0.0.0
  port: 5601
elasticsearch.url: "https://es-coordinating:9200"
xpack.security.enabled: true
server.ssl.enabled: true
server.ssl.key: /usr/share/kibana/config/tls_server/tls_server/key.pem
server.ssl.certificate: /usr/share/kibana/config/tls_server/tls_server/crt.pem
elasticsearch.ssl.certificateAuthorities: /usr/share/kibana/config/certs/CA.crt
elasticsearch.ssl.certificate: /usr/share/kibana/config/certs/cert.crt
elasticsearch.ssl.key: /usr/share/kibana/config/certs/key.key
```

But I am still getting this error:

`{"type":"log","@timestamp":"2018-10-30T22:27:06Z","tags":["license","warning","xpack"],"pid":1,"message":"License information from the X-Pack plugin could not be obtained from Elasticsearch for the [data] cluster. [security_exception] missing authentication token for REST request [/_xpack], with { header={ WWW-Authenticate=\"Basic realm=\\\"security\\\" charset=\\\"UTF-8\\\"\" } } :: {\"path\":\"/_xpack\",\"statusCode\":401,\"response\":\"{\\\"error\\\":{\\\"root_cause\\\":[{\\\"type\\\":\\\"security_exception\\\",\\\"reason\\\":\\\"missing authentication token for REST request [/_xpack]\\\",\\\"header\\\":{\\\"WWW-Authenticate\\\":\\\"Basic realm=\\\\\\\"security\\\\\\\" charset=\\\\\\\"UTF-8\\\\\\\"\\\"}}],\\\"type\\\":\\\"security_exception\\\",\\\"reason\\\":\\\"missing authentication token for REST request [/_xpack]\\\",\\\"header\\\":{\\\"WWW-Authenticate\\\":\\\"Basic realm=\\\\\\\"security\\\\\\\" charset=\\\\\\\"UTF-8\\\\\\\"\\\"}},\\\"status\\\":401}\",\"wwwAuthenticateDirective\":\"Basic realm=\\\"security\\\" charset=\\\"UTF-8\\\"\"}"}`

(Rajeshwer rao Madoori) #6


(Rajeshwer rao Madoori) #7

Hi,

I have updated this in my config

```yaml
xpack:
  security:
    authc:
      realms:
        pki1:
          type: pki
          certificate_authorities: "/usr/share/elasticsearch/config/certs/CA.crt"
          enabled: true
```

But Kibana is still not able to connect.


(Brandon Kobel) #8

@rmadoori, what error are you seeing? Have you tried using curl and the --cert and --key arguments to ensure you're able to authenticate against Elasticsearch using the certificate and key that you've specified?
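
A small checker for the settings named in replies #2 and #4, added here as an illustration; it is not code from the thread or from Elastic. It assumes the realm layout shown in the thread (`xpack.security.authc.realms.<name>.type`); `flatten` and `pki_findings` are hypothetical helper names, and the sample configs are constructed from the posts.

```python
import re
REALM_TYPE = re.compile(r"xpack\.security\.authc\.realms\.[^.]+\.type")  # layout used in the thread

def flatten(text):
    """Flatten simple YAML (nested maps, scalar values) into dotted setting names."""
    out, stack = {}, []                       # stack: (indent, key) of the open maps
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip())
        key, _, value = raw.strip().partition(":")
        stack = [(i, k) for i, k in stack if i < indent]   # close deeper or sibling maps
        path = ".".join([k for _, k in stack] + [key.strip()])
        if value.strip():
            out[path] = value.strip().strip('"')
        else:
            stack.append((indent, key.strip()))
    return out

def pki_findings(es_yml, kibana_yml):
    """List the prerequisites named in replies #2 and #4 that the two files do not meet."""
    es, kb, findings = flatten(es_yml), flatten(kibana_yml), []
    if es.get("xpack.security.http.ssl.enabled") != "true":
        findings.append("es: xpack.security.http.ssl.enabled is not true")
    # Unless this is optional or required, the HTTP layer never requests a client certificate.
    if es.get("xpack.security.http.ssl.client_authentication") not in ("optional", "required"):
        findings.append("es: xpack.security.http.ssl.client_authentication is not optional/required")
    if not any(REALM_TYPE.fullmatch(k) and v == "pki" for k, v in es.items()):
        findings.append("es: no realm with type pki")
    for setting in ("elasticsearch.ssl.certificate", "elasticsearch.ssl.key"):
        if setting not in kb:
            findings.append(f"kibana: {setting} is not set")
    return findings

# Constructed sample, trimmed from the settings posted in #5 and #7.
ES_YML = """\
xpack.security.http.ssl.enabled: true
xpack:
  security:
    authc:
      realms:
        pki1:
          type: pki
"""
KIBANA_YML = """\
elasticsearch.ssl.certificate: /usr/share/kibana/config/certs/cert.crt
elasticsearch.ssl.key: /usr/share/kibana/config/certs/key.key
"""
print(pki_findings(ES_YML, KIBANA_YML))
```

An empty result only means the settings are present in both files; whether the certificate itself is accepted is what the curl test with `--cert` and `--key` from reply #8 checks.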

