Keystore.password deprecated

EExisT · November 18, 2022, 4:45pm

Hello,

i'm triyng to resolve this deprecated setting but i can't rn.

I add the secure version(keystore.secure_password) in the keystore by elasticsearch-keystore add but it didn't work.

I tried also to put it in the yml but it doesn't work.

Can u help me?

Thank u very much.
Lorenzo

stephenb · November 19, 2022, 12:29am

Hi @EExisT

Apologies but I think we need a little more information

What Component?
What Version?
Share the configuration.yml?
Exactly what setting are you trying to secure?
Exactly What command did you run?

EExisT · November 21, 2022, 10:29am

Hi @stephenb ,

1,2.
Elasticsearch v.7.13.3

cluster.name: net-monitoring-cluster

network.host: _ens224_
http.port: 9200

#discovery.zen.ping.unicast.hosts:
discovery.seed_hosts:
  - "es-md-01"
  - "es-md-02"
  - "es-md-03"
  - "es-md-04"
  - "es-md-05"
  - "es-md-06"
  - "es-md-07"
  - "es-md-08"
  - "es-md-09"
  - "es-md-10"
  - "es-md-11"
  - "srv-es-cn"

cluster.initial_master_nodes:
  - "es-md-01"
  - "es-md-02"
  - "es-md-03"
  - "es-md-04"
  - "es-md-05"
  - "es-md-06"
  - "es-md-07"
  - "es-md-08"
  - "es-md-09"
  - "es-md-10"
  - "es-md-11"

node.name: "es-md-01"
node.attr.temp: "hot"
node.roles: [data,master]

#cluster.remote.connect: false
#node.remote_cluster_client: false

path:
  logs: /var/log/elasticsearch
  data: /data
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: "/etc/elasticsearch/xxxxx.p12"
#xpack.security.http.ssl.keystore.password: "xxxxx"
#xpack.security.http.ssl.keystore.secure_password: "xxxxx"
xpack.security.http.ssl.verification_mode: "certificate"
xpack.security.http.ssl.client_authentication: "optional"

xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: "none"
xpack.security.transport.ssl.keystore.path: "/etc/elasticsearch/xxxx.p12"
#xpack.security.transport.ssl.keystore.password: "xxxxx"
#xpack.security.transport.ssl.keystore.secure_password: "xxxxx"

#Shard rebalancing settings - Enable the rebalancing of shards between nodes for all kinds of shards
cluster.routing.rebalance.enable: all

#Enabling shards allocation
cluster.routing.allocation.enable : all

[DEPRECATION][o.e.d.c.s.Settings       ] [es-md-01] [keystore.password] setting was deprecated in Elasticsearch and will be removed in a future release! See th
e breaking changes documentation for the next major version.

the command i gave was:

elasticsearch-keystore add setting

stephenb · November 21, 2022, 4:05pm

If you want to set the keystore password you now use the passwd option .. is that what you are looking for ?

That will be the preferred method in 8.x

passwd
Changes or sets the keystore password. If the keystore is password protected, you are prompted to enter the current password and the new one. You can optionally use an empty string to remove the password. If the keystore is not password protected, you can use this command to set a password.

EExisT · November 21, 2022, 4:21pm

Hi @stephenb , really i'm trying to understand what es means...is keystore.password a precise setting that i have to change with another sintax? Or maybe es means something else saying that keystore.password is deprecated?

For example this setting change from xpack.security.http.ssl.keystore.password to xpack.security.http.ssl.keystore.secure_password.

So is the same for keystore.password?

stephenb · November 21, 2022, 5:00pm

Ahh I see, yes confusing... there are ssl keystores as well.

Can you do a list on the keystore and see what settings you have?
$ ./bin/elasticsearch-keystore list

And just confirming, that error is when you run the elasticsearch-keystore command not when you are starting elasticsearch?,

The error you are giving is looking like that is from running elasticsearch on startup NOT the elasticsearch-keystore command.

stephenb · November 21, 2022, 5:26pm

Ok I see your other post

Yes it is about the ssl settings...
xpack.security.http.ssl.keystore.password: "xxxxx"

I get the same in the deprecation log ...

So you take that out...

AND Then you need to add they new setting to the keystore

./bin/elasticsearch-keystore add xpack.security.http.ssl.keystore.secure_password

That got rid of the error...seems the docs are missing the deprecation warning on the settings

Yes to it looks like everywhere there is an ssl password they are being replaced with secure_password which should be store in the elasticsearch-keystore

What makes it confusing of some of the ssl setting are for the ssl / java keystore

There is a note at the top of the new docs

All of these settings can be added to the elasticsearch.yml configuration file, with the exception of the secure settings, which you add to the Elasticsearch keystore. For more information about creating and updating the Elasticsearch keystore, see Secure settings.

that means anything starting with secure_

EExisT · November 24, 2022, 12:13pm

I added the "secure" settings in the keystore and i'havent new deprecated logs, so it worked.
Then setting well the settings concerning an SSL Password es doesn't produce the keystore.password deprecated log.

thank u very much fot the support

system · December 22, 2022, 12:13pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.