Issue while encrypting elasticsearch communication

rohit02bits · July 30, 2018, 5:55am

Version 6.3

I am getting following error while setting up encryption

xpack setting
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.key: /home/ssl/elk.key
xpack.security.http.ssl.certificate: /home/ssl/elk.crt
xpack.security.http.ssl.certificate_authorities: [ "/home/ssl/ca.crt" ]

I have also added

xpack.security.http.ssl.secure_key_passphrase password to keystore too

Caused by: java.security.AccessControlException: access denied ("java.io.FilePermission" "/home/ssl/ca.crt" "read")
at java.security.AccessControlContext.checkPermission(AccessControlContext.java:472) ~[?:1.8.0_162]
at java.security.AccessController.checkPermission(AccessController.java:884) ~[?:1.8.0_162]
at java.lang.SecurityManager.checkPermission(SecurityManager.java:549) ~[?:1.8.0_162]
at java.lang.SecurityManager.checkRead(SecurityManager.java:888) ~[?:1.8.0_162]
at sun.nio.fs.UnixChannelFactory.open(UnixChannelFactory.java:245) ~[?:?]
at sun.nio.fs.UnixChannelFactory.newFileChannel(UnixChannelFactory.java:136) ~[?:?]
at sun.nio.fs.UnixChannelFactory.newFileChannel(UnixChannelFactory.java:148) ~[?:?]
at sun.nio.fs.UnixFileSystemProvider.newByteChannel(UnixFileSystemProvider.java:212) ~[?:?]
at java.nio.file.Files.newByteChannel(Files.java:361) ~[?:1.8.0_162]
at java.nio.file.Files.newByteChannel(Files.java:407) ~[?:1.8.0_162]
at java.nio.file.spi.FileSystemProvider.newInputStream(FileSystemProvider.java:384) ~[?:1.8.0_162]
at java.nio.file.Files.newInputStream(Files.java:152) ~[?:1.8.0_162]
at java.nio.file.Files.newBufferedReader(Files.java:2784) ~[?:1.8.0_162]
at org.elasticsearch.xpack.core.ssl.CertUtils.readCertificates(CertUtils.java:303) ~[?:?]
at org.elasticsearch.xpack.core.ssl.CertUtils.readCertificates(CertUtils.java:296) ~[?:?]
at org.elasticsearch.xpack.core.ssl.PEMTrustConfig.createTrustManager(PEMTrustConfig.java:45) ~[?:?]
at org.elasticsearch.xpack.core.ssl.SSLService.createSslContext(SSLService.java:407) ~[?:?]
at java.util.HashMap.computeIfAbsent(HashMap.java:1127) ~[?:1.8.0_162]
at org.elasticsearch.xpack.core.ssl.SSLService.lambda$loadSSLConfigurations$0(SSLService.java:453) ~[?:?]
at java.util.ArrayList.forEach(ArrayList.java:1257) ~[?:1.8.0_162]
at org.elasticsearch.xpack.core.ssl.SSLService.loadSSLConfigurations(SSLService.java:452) ~[?:?]
at org.elasticsearch.xpack.core.ssl.SSLService.(SSLService.java:79) ~[?:?]
at org.elasticsearch.xpack.core.XPackPlugin.(XPackPlugin.java:134) ~[?:?]
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) ~[?:?]
at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) ~[?:?]
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) ~[?:?]
at java.lang.reflect.Constructor.newInstance(Constructor.java:423) ~[?:1.8.0_162]
at org.elasticsearch.plugins.PluginsService.loadPlugin(PluginsService.java:692) ~[elasticsearch-6.3.0.jar:6.3.0]
at org.elasticsearch.plugins.PluginsService.loadBundle(PluginsService.java:643) ~[elasticsearch-6.3.0.jar:6.3.0]
at org.elasticsearch.plugins.PluginsService.loadBundles(PluginsService.java:557) ~[elasticsearch-6.3.0.jar:6.3.0]
at org.elasticsearch.plugins.PluginsService.(PluginsService.java:162) ~[elasticsearch-6.3.0.jar:6.3.0]
at org.elasticsearch.node.Node.(Node.java:311) ~[elasticsearch-6.3.0.jar:6.3.0]
at org.elasticsearch.node.Node.(Node.java:252) ~[elasticsearch-6.3.0.jar:6.3.0]
at org.elasticsearch.bootstrap.Bootstrap$5.(Bootstrap.java:213) ~[elasticsearch-6.3.0.jar:6.3.0]
at org.elasticsearch.bootstrap.Bootstrap.setup(Bootstrap.java:213) ~[elasticsearch-6.3.0.jar:6.3.0]
at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:326) ~[elasticsearch-6.3.0.jar:6.3.0]
at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:136) ~[elasticsearch-6.3.0.jar:6.3.0]

TimV · July 30, 2018, 7:10am

From Encrypting communications in Elasticsearch | Elasticsearch Guide [6.3] | Elastic

(1) The full path to the node key file. This must be a location within the Elasticsearch configuration directory.

You must place your certs within the Elasticsearch configuration directory.

rohit02bits · July 30, 2018, 7:50am

Thanks it worked. But I am stuck with the following issue

][o.e.x.s.t.n.SecurityNetty4HttpServerTransport] [node-2] caught exception while handling client http traffic, closing connection [id: 0xf09578aa, L:0.0.0.0/0.0.0.0:9200 ! R:/128.164.177.72:59210]
io.netty.handler.codec.DecoderException: io.netty.handler.ssl.NotSslRecordException: not an SSL/TLS record: 48454144202f20485454502f312e310d0a436f6e6e656374696f6e3a204b6565702d416c6976650d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a486f73743a2067626c32303034373138382e68632e636c6f75642e756b2e687362633a393230300d0a557365722d4167656e743a204d616e7469636f726520302e362e310d0a4163636570742d456e636f64696e673a20677a69702c6465666c6174650d0a417574686f72697a6174696f6e3a204261736963205a57786863335270597a70486232786b5a5735466557553d0d0a0d0a
at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:459) ~[netty-codec-4.1.16.Final.jar:4.1.16.Final]
at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:265) ~[netty-codec-4.1.16.Final.jar:4.1.16.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) [netty-transport-4.1.16.Final.jar:4.1.16.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348) [netty-transport-4.1.16.Final.jar:4.1.16.Final]
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340) [netty-transport-4.1.16.Final.jar:4.1.16.Final]
at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1359) [netty-transport-4.1.16.Final.jar:4.1.16.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) [netty-transport-4.1.16.Final.jar:4.1.16.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348) [netty-transport-4.1.16.Final.jar:4.1.16.Final]
at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:935) [netty-transport-4.1.16.Final.jar:4.1.16.Final]
at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:134) [netty-transport-4.1.16.Final.jar:4.1.16.Final]
at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:645) [netty-transport-4.1.16.Final.jar:4.1.16.Final]
at io.netty.channel.nio.NioEventLoop.processSelectedKeysPlain(NioEventLoop.java:545) [netty-transport-4.1.16.Final.jar:4.1.16.Final]
at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:499) [netty-transport-4.1.16.Final.jar:4.1.16.Final]
at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:459) [netty-transport-4.1.16.Final.jar:4.1.16.Final]
at io.netty.util.concurrent.SingleThreadEventExecutor$5.run(SingleThreadEventExecutor.java:858) [netty-common-4.1.16.Final.jar:4.1.16.Final]
at java.lang.Thread.run(Thread.java:748) [?:1.8.0_162]

Yogesh_Gaikwad · July 30, 2018, 7:58am

Please look at the documentation:

Hope this helps.

rohit02bits · July 30, 2018, 9:58am

Thanks a ton . It worked

system · August 27, 2018, 9:58am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.