Is it possible to authenticate with only a self-signed certificate (without basic auth) via NEST 6.x client to an Elasticsearch 6.8 cluster that has SSL/TLS enabled? If so, what are the requirements (i.e. subscription level, realm) necessary and is there a NEST code example to establish the connection?
NEST client request attempts over HTTPS have resulted in a response back from the ES node indicating a basic authentication credential (user/pass) is required.
"The certificate in this case isn't used for certificate authentication to Elasticsearch, as the ClientCertificate method is used for, but is used for Transport Layer Security (TLS)."
-- StackOverflow Source
The cluster was created using the Elastic Azure 6.8 ARM template, using certificates and a CA created using the Elastic utility tool.
Elasticsearch supports authentication via TLS Client Certificates using the PKI realm, which requires a minimum of a Gold (or Trial) license.
I would discourage the use of a self-signed certificate for this. It would be easier to generate your own CA certificate and use that rather than try and configure PKI with a self-signed client cert.
Tim, thank you for the additional insights. Seems that there is an info gap or lack of fundamental knowledge on my end regarding the configuration necessary to authenticate with just the certificate. The setup is currently designed to use just the enabled ES 6.8 security features (no PKI realm).
To confirm, is it possible to authenticate a client (NEST 6.x) by certificate only - not in addition to - removing the need for basic auth credentials?
We did create a CA cert using the elasticsearch-certutil tool which had then been used in the Azure ARM template for environment creation.
It is certainly possible to authenticate "a client" by certificate only. I cannot see a reason why that would not be possible in NEST, but I'm not a .NET engineer, so I've never done it myself.
Connect using a client certificate that is trusted by your HTTP ssl config (in this case, a certificate that was signed by the same CA as you used to generate elasticsearch-http.p12)
With NEST or Elasticsearch.Net, you can use a certificate for authentication by using the .ClientCertificate(...) method on ConnectionSettings/ConnectionConfiguration, respectively.
For example,
    var settings = new ConnectionSettings(pool)
        .ClientCertificate(@"C:\path_to_cert");
    var client = new ElasticClient(settings);
or if you need more control over how an X509Certificate instance is created
    var settings = new ConnectionSettings(pool)
        .ClientCertificate(new X509Certificate2(@"C:\path_to_cert"));
    var client = new ElasticClient(settings);
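Putting the thread's pieces together, a certificate-only connection from NEST 6.x could look like the following. This is an added example, not code from any of the posts above; the node URL, file paths and environment variable name are hypothetical, and it assumes the cluster has a PKI realm enabled, HTTP TLS client authentication turned on, and a role mapping for the certificate's subject.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using Elasticsearch.Net;
using Nest;

public static class PkiClientExample
{
    public static void Main()
    {
        // Hypothetical values: substitute your own node URL and certificate files.
        var node = new Uri("https://es-node.example.internal:9200");

        // Public certificate of the CA created with elasticsearch-certutil.
        var caCert = new X509Certificate2(@"C:\certs\ca.crt");

        // Client certificate signed by that CA, as a PKCS#12 bundle that
        // includes the private key. Password is read from the environment.
        var clientCert = new X509Certificate2(
            @"C:\certs\nest-client.p12",
            Environment.GetEnvironmentVariable("NEST_CLIENT_P12_PASSWORD"));

        // A certificate without its private key cannot complete TLS client
        // authentication, so fail early with a clear message.
        if (!clientCert.HasPrivateKey)
            throw new InvalidOperationException("Client certificate has no private key.");

        var pool = new SingleNodeConnectionPool(node);
        var settings = new ConnectionSettings(pool)
            // Presented during the TLS handshake; no BasicAuthentication call.
            .ClientCertificate(clientCert)
            // Accept the server only if its chain terminates in our own CA,
            // instead of disabling validation for a private CA.
            .ServerCertificateValidationCallback(
                CertificateValidations.AuthorityIsRoot(caCert));

        var client = new ElasticClient(settings);

        // Ask the cluster which user the request was authenticated as.
        var response = client.Authenticate();
        if (!response.IsValid)
        {
            // A 401 here usually means no PKI realm accepted the certificate.
            Console.Error.WriteLine(response.DebugInformation);
            return;
        }
        Console.WriteLine($"Authenticated as {response.Username}");
    }
}
```

If the node still answers with a request for basic credentials, the TLS layer accepted the connection but no realm authenticated the certificate, which matches the behaviour described in the original question.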