How to transpose Xpack configuration from Java PreBuiltXPackTransportClient (old java client + Xpack) to RestHighLevelClient (new REST client + Xpack)?

How to set up Xpack for the Java RestHighLevelClient?

For the PreBuiltXPackTransportClient (old java client + Xpack), I did the following which runs just fine:

    ses.log(null, "DEBUG", "QESHost_elastic21", "connect()", 3, "Login", login);
    ses.log(null, "DEBUG", "QESHost_elastic21", "connect()", 3, "Path certificat", pathCertificate);
    ses.log(null, "DEBUG", "QESHost_elastic21", "connect()", 3, "Path authorities", pathAuthorities);

    // Connection with Xpack installed: driver=login|password|path_certificat
    Settings settings = null;

    ses.log(null, "DEBUG", "QESHost_elastic21", "connect()", 3, "Avec certificats");
    settings = Settings.builder()
        .put("cluster.name", cluster)
        .put("xpack.security.user", login + ":" + password)
        .put("xpack.ssl.keystore.path", pathCertificate)
        .put("xpack.ssl.truststore.path", pathAuthorities)
        .put("xpack.security.transport.ssl.enabled", "true")
        .put("xpack.security.transport.ssl.verification_mode", "certificate")
        .build();

    client = new PreBuiltXPackTransportClient(settings).addTransportAddress(new TransportAddress(InetAddress.getByName(host), port));

For RestHighLevelClient (new REST client + Xpack), for which I could not find many code examples, I tried this (which fails) .....

    ses.log(null, "DEBUG", "QESHost_elastic62", "connect()", 3, "login", login);
    ses.log(null, "DEBUG", "QESHost_elastic62", "connect()", 3, "Path certificat", pathCertificate);
    ses.log(null, "DEBUG", "QESHost_elastic62", "connect()", 3, "Path authorities", pathAuthorities);

    KeyStore truststore = KeyStore.getInstance("jks");
    try (InputStream is = Files.newInputStream(Paths.get(pathCertificate), CREATE)) {
        truststore.load(is, pathCertificate.toCharArray());
    }
    SSLContextBuilder sslBuilder = SSLContexts.custom().loadTrustMaterial(truststore, null);
    final SSLContext sslContext = sslBuilder.build();

    final CredentialsProvider credentialsProvider = new BasicCredentialsProvider();
    credentialsProvider.setCredentials(AuthScope.ANY, new UsernamePasswordCredentials(login, password));

    RestClientBuilder builder = RestClient.builder(new HttpHost(host, port))
        .setHttpClientConfigCallback(new RestClientBuilder.HttpClientConfigCallback() {
            @Override
            public HttpAsyncClientBuilder customizeHttpClient(HttpAsyncClientBuilder httpClientBuilder) {
                return httpClientBuilder.setDefaultCredentialsProvider(credentialsProvider).setSSLContext(sslContext);
            }
        });

    client = new RestHighLevelClient(builder);

... and gives this message:

2018/06/04 15:33:07 816-qes3.4.3-null-DEBUG-QESHost_elastic62-connect()	: Connection avec Xpack|
2018/06/04 15:33:07 816-qes3.4.3-null-DEBUG-QESHost_elastic62-connect()	: login:elastic|
2018/06/04 15:33:07 816-qes3.4.3-null-DEBUG-QESHost_elastic62-connect()	: Path certificat:/usr/software/conf/elastic-certificates.p12|
2018/06/04 15:33:07 817-qes3.4.3-null-DEBUG-QESHost_elastic62-connect()	: Path authorities:/usr/software/conf/elastic-certificates.p12|
2018/06/04 15:33:07 867-qes3.4.3-null-ERROR-QESHost_elastic62-connect()	: Erreur de connexion:keystore password was incorrect|
java.io.IOException: keystore password was incorrect
	at sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:2059)
	at sun.security.provider.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:238)
	at sun.security.provider.JavaKeyStore$DualFormatJKS.engineLoad(JavaKeyStore.java:70)
	at java.security.KeyStore.load(KeyStore.java:1445)
	at com.qwam.qeshost.QESHost_elastic62.connect(QESHost_elastic62.java:154)
	at com.qwam.qeshost.QESHost_elastic62.sessionClient(QESHost_elastic62.java:278)
	at com.qwam.qeshost.QESHost_elastic62.setBase(QESHost_elastic62.java:351)
	at com.qwam.qesutil.qeselasticindex.connectelastic(qeselasticindex.java:192)
	at com.qwam.qesutil.qeselasticindex.main(qeselasticindex.java:819)
Caused by: java.security.UnrecoverableKeyException: failed to decrypt safe contents entry: javax.crypto.BadPaddingException: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.
	... 9 more
2018/06/04 15:33:07 868-qes3.4.3-null-ERROR-QESHost_elastic62-sessionClient()	: Connexion impossible:null|

Looks like I am mixing pears and apples, but cannot figure out what is wrong and which password is needed.

Can you help me?

^ This is the mistake.
That second argument is the password for the KeyStore.
Based on your old (transport client) setup, it looks like your keystore has a blank password, so try:

 truststore.load(is, new char[0]);

This did the trick !

Another thing to think about (if someone ever falls into the trap with me) is to use port 9200 for RestHighLevelClient instead of the good old 9300 that we used for the old java client.

You can close the case.

Thank you Tim for your valuable help.
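
Added example, not code from this thread or from Elastic: the two fixes discussed above in one place, loading the store with its own password (never its path) and connecting over the HTTP port. The class and method names are hypothetical; it assumes TLS is enabled on the cluster's HTTP layer and that the store is a PKCS#12 file like the one in the log.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.UnrecoverableKeyException;
import javax.net.ssl.SSLContext;
import org.apache.http.HttpHost;
import org.apache.http.auth.AuthScope;
import org.apache.http.auth.UsernamePasswordCredentials;
import org.apache.http.impl.client.BasicCredentialsProvider;
import org.apache.http.ssl.SSLContexts;
import org.elasticsearch.client.RestClient;
import org.elasticsearch.client.RestHighLevelClient;

// Hypothetical helper class (illustration only, not from the thread).
public final class XPackRestConnect {
    // storePassword protects the .p12 file itself; pass new char[0] for a
    // blank password. It is unrelated to the Elasticsearch user's password.
    static KeyStore loadTrustStore(String path, char[] storePassword)
            throws IOException, GeneralSecurityException {
        KeyStore trustStore = KeyStore.getInstance("PKCS12");
        try (InputStream is = Files.newInputStream(Paths.get(path))) {
            trustStore.load(is, storePassword);
            return trustStore;
        } catch (IOException e) {
            // KeyStore.load documents this cause for an incorrect password.
            if (e.getCause() instanceof UnrecoverableKeyException) {
                throw new IOException("Wrong store password for " + path, e);
            }
            throw e; // missing, unreadable or malformed file
        }
    }

    static RestHighLevelClient connect(String host, int httpPort, String login,
            String password, KeyStore trustStore) throws GeneralSecurityException {
        SSLContext sslContext =
                SSLContexts.custom().loadTrustMaterial(trustStore, null).build();
        BasicCredentialsProvider credentials = new BasicCredentialsProvider();
        credentials.setCredentials(AuthScope.ANY,
                new UsernamePasswordCredentials(login, password));
        // HTTP port (9200 by default) with the https scheme, not transport port 9300.
        return new RestHighLevelClient(RestClient.builder(new HttpHost(host, httpPort, "https"))
                .setHttpClientConfigCallback(http -> http
                        .setDefaultCredentialsProvider(credentials).setSSLContext(sslContext)));
    }
}
```

Passing `null` as the trust strategy keeps normal certificate chain validation against the loaded store; the separate "Wrong store password" message distinguishes a password problem from a path or format problem in the logs.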
