Issue while encrypting elasticsearch communication

rohit02bits · July 30, 2018, 5:55am

Version 6.3

I am getting following error while setting up encryption

xpack setting
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.key: /home/ssl/elk.key
xpack.security.http.ssl.certificate: /home/ssl/elk.crt
xpack.security.http.ssl.certificate_authorities: [ "/home/ssl/ca.crt" ]

I have also added

xpack.security.http.ssl.secure_key_passphrase password to keystore too

Caused by: java.security.AccessControlException: access denied ("java.io.FilePermission" "/home/ssl/ca.crt" "read")
at java.security.AccessControlContext.checkPermission(AccessControlContext.java:472) ~[?:1.8.0_162]
at java.security.AccessController.checkPermission(AccessController.java:884) ~[?:1.8.0_162]
at java.lang.SecurityManager.checkPermission(SecurityManager.java:549) ~[?:1.8.0_162]
at java.lang.SecurityManager.checkRead(SecurityManager.java:888) ~[?:1.8.0_162]
at sun.nio.fs.UnixChannelFactory.open(UnixChannelFactory.java:245) ~[?:?]
at sun.nio.fs.UnixChannelFactory.newFileChannel(UnixChannelFactory.java:136) ~[?:?]
at sun.nio.fs.UnixChannelFactory.newFileChannel(UnixChannelFactory.java:148) ~[?:?]
at sun.nio.fs.UnixFileSystemProvider.newByteChannel(UnixFileSystemProvider.java:212) ~[?:?]
at java.nio.file.Files.newByteChannel(Files.java:361) ~[?:1.8.0_162]
at java.nio.file.Files.newByteChannel(Files.java:407) ~[?:1.8.0_162]
at java.nio.file.spi.FileSystemProvider.newInputStream(FileSystemProvider.java:384) ~[?:1.8.0_162]
at java.nio.file.Files.newInputStream(Files.java:152) ~[?:1.8.0_162]
at java.nio.file.Files.newBufferedReader(Files.java:2784) ~[?:1.8.0_162]
at org.elasticsearch.xpack.core.ssl.CertUtils.readCertificates(CertUtils.java:303) ~[?:?]
at org.elasticsearch.xpack.core.ssl.CertUtils.readCertificates(CertUtils.java:296) ~[?:?]
at org.elasticsearch.xpack.core.ssl.PEMTrustConfig.createTrustManager(PEMTrustConfig.java:45) ~[?:?]
at org.elasticsearch.xpack.core.ssl.SSLService.createSslContext(SSLService.java:407) ~[?:?]
at java.util.HashMap.computeIfAbsent(HashMap.java:1127) ~[?:1.8.0_162]
at org.elasticsearch.xpack.core.ssl.SSLService.lambda$loadSSLConfigurations$0(SSLService.java:453) ~[?:?]
at java.util.ArrayList.forEach(ArrayList.java:1257) ~[?:1.8.0_162]
at org.elasticsearch.xpack.core.ssl.SSLService.loadSSLConfigurations(SSLService.java:452) ~[?:?]
at org.elasticsearch.xpack.core.ssl.SSLService.(SSLService.java:79) ~[?:?]
at org.elasticsearch.xpack.core.XPackPlugin.(XPackPlugin.java:134) ~[?:?]
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) ~[?:?]
at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) ~[?:?]
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) ~[?:?]
at java.lang.reflect.Constructor.newInstance(Constructor.java:423) ~[?:1.8.0_162]
at org.elasticsearch.plugins.PluginsService.loadPlugin(PluginsService.java:692) ~[elasticsearch-6.3.0.jar:6.3.0]
at org.elasticsearch.plugins.PluginsService.loadBundle(PluginsService.java:643) ~[elasticsearch-6.3.0.jar:6.3.0]
at org.elasticsearch.plugins.PluginsService.loadBundles(PluginsService.java:557) ~[elasticsearch-6.3.0.jar:6.3.0]
at org.elasticsearch.plugins.PluginsService.(PluginsService.java:162) ~[elasticsearch-6.3.0.jar:6.3.0]
at org.elasticsearch.node.Node.(Node.java:311) ~[elasticsearch-6.3.0.jar:6.3.0]
at org.elasticsearch.node.Node.(Node.java:252) ~[elasticsearch-6.3.0.jar:6.3.0]
at org.elasticsearch.bootstrap.Bootstrap$5.(Bootstrap.java:213) ~[elasticsearch-6.3.0.jar:6.3.0]
at org.elasticsearch.bootstrap.Bootstrap.setup(Bootstrap.java:213) ~[elasticsearch-6.3.0.jar:6.3.0]
at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:326) ~[elasticsearch-6.3.0.jar:6.3.0]
at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:136) ~[elasticsearch-6.3.0.jar:6.3.0]

TimV · July 30, 2018, 7:10am

From Encrypting communications in Elasticsearch | Elasticsearch Guide [6.3] | Elastic

(1) The full path to the node key file. This must be a location within the Elasticsearch configuration directory.

You must place your certs within the Elasticsearch configuration directory.

rohit02bits · July 30, 2018, 7:50am

Thanks it worked. But I am stuck with the following issue

][o.e.x.s.t.n.SecurityNetty4HttpServerTransport] [node-2] caught exception while handling client http traffic, closing connection [id: 0xf09578aa, L:0.0.0.0/0.0.0.0:9200 ! R:/128.164.177.72:59210]
io.netty.handler.codec.DecoderException: io.netty.handler.ssl.NotSslRecordException: not an SSL/TLS record: 48454144202f20485454502f312e310d0a436f6e6e656374696f6e3a204b6565702d416c6976650d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a486f73743a2067626c32303034373138382e68632e636c6f75642e756b2e687362633a393230300d0a557365722d4167656e743a204d616e7469636f726520302e362e310d0a4163636570742d456e636f64696e673a20677a69702c6465666c6174650d0a417574686f72697a6174696f6e3a204261736963205a57786863335270597a70486232786b5a5735466557553d0d0a0d0a
at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:459) ~[netty-codec-4.1.16.Final.jar:4.1.16.Final]
at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:265) ~[netty-codec-4.1.16.Final.jar:4.1.16.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) [netty-transport-4.1.16.Final.jar:4.1.16.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348) [netty-transport-4.1.16.Final.jar:4.1.16.Final]
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340) [netty-transport-4.1.16.Final.jar:4.1.16.Final]
at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1359) [netty-transport-4.1.16.Final.jar:4.1.16.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) [netty-transport-4.1.16.Final.jar:4.1.16.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348) [netty-transport-4.1.16.Final.jar:4.1.16.Final]
at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:935) [netty-transport-4.1.16.Final.jar:4.1.16.Final]
at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:134) [netty-transport-4.1.16.Final.jar:4.1.16.Final]
at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:645) [netty-transport-4.1.16.Final.jar:4.1.16.Final]
at io.netty.channel.nio.NioEventLoop.processSelectedKeysPlain(NioEventLoop.java:545) [netty-transport-4.1.16.Final.jar:4.1.16.Final]
at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:499) [netty-transport-4.1.16.Final.jar:4.1.16.Final]
at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:459) [netty-transport-4.1.16.Final.jar:4.1.16.Final]
at io.netty.util.concurrent.SingleThreadEventExecutor$5.run(SingleThreadEventExecutor.java:858) [netty-common-4.1.16.Final.jar:4.1.16.Final]
at java.lang.Thread.run(Thread.java:748) [?:1.8.0_162]

Yogesh_Gaikwad · July 30, 2018, 7:58am

Please look at the documentation:

Hope this helps.

rohit02bits · July 30, 2018, 9:58am

Thanks a ton . It worked

system · August 27, 2018, 9:58am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Unable to set passwords in elasticsearch with xpack Elasticsearch elastic-stack-security	10	5437	May 2, 2019
XPack Security Enabled TLS/SSL configured, still not working! Elasticsearch elastic-stack-security	5	1806	January 13, 2021
No cipher suits in common Elasticsearch elastic-stack-security	7	3085	December 24, 2019
Settings SSL/TLS with xpack Elasticsearch	6	866	May 10, 2018
Es-Sql-Query - http client did not trust this server's certificate Elasticsearch	1	404	October 7, 2020

Issue while encrypting elasticsearch communication

Related topics