Hi,
I am trying to set up SAML SSO authentication and secure ELK with TLS/SSL on Kubernetes, following the post.
Kibana is unable to connect to Elasticsearch. I could successfully deploy Elasticsearch with X-Pack TLS/SSL. Querying https://localhost:9200 gives me
{
"name" : "nPzJYMW",
"cluster_name" : "sample-elasticsearch-cluster",
"cluster_uuid" : "Ec7pRhtkQKCHOFFBwp5H_w",
"version" : {
"number" : "6.6.2",
"build_flavor" : "default",
"build_type" : "tar",
"build_hash" : "3bd3e59",
"build_date" : "2019-03-06T15:16:26.864148Z",
"build_snapshot" : false,
"lucene_version" : "7.6.0",
"minimum_wire_compatibility_version" : "5.6.0",
"minimum_index_compatibility_version" : "5.0.0"
},
"tagline" : "You Know, for Search"
}
When I try to query https://localhost:5601 for Kibana I get "kibana server is not ready". Part of the logs is shown below:
{"type":"log","@timestamp":"2019-10-22T11:59:16Z","tags":["warning","elasticsearch","admin"],"pid":1,"message":"No living connections"}
{"type":"error","@timestamp":"2019-10-22T11:59:18Z","tags":["connection","client","error"],"pid":1,"level":"error","error":{"message":"socket hang up","name":"Error","stack":"Error: socket hang up\n at TLSSocket.onSocketClose (_tls_wrap.js:761:23)\n at TLSSocket.emit (events.js:194:15)\n at _handle.close (net.js:600:12)\n at Socket.done (_tls_wrap.js:388:7)\n at Object.onceWrapper (events.js:277:13)\n at Socket.emit (events.js:189:13)\n at TCP._handle.close (net.js:600:12)","code":"ECONNRESET"},"message":"socket hang up"}
{"type":"error","@timestamp":"2019-10-22T11:59:18Z","tags":["connection","client","error"],"pid":1,"level":"error","error":{"message":"socket hang up","name":"Error","stack":"Error: socket hang up\n at TLSSocket.onSocketClose (_tls_wrap.js:761:23)\n at TLSSocket.emit (events.js:194:15)\n at _handle.close (net.js:600:12)\n at Socket.done (_tls_wrap.js:388:7)\n at Object.onceWrapper (events.js:277:13)\n at Socket.emit (events.js:189:13)\n at TCP._handle.close (net.js:600:12)","code":"ECONNRESET"},"message":"socket hang up"}
{"type":"error","@timestamp":"2019-10-22T11:59:18Z","tags":["connection","client","error"],"pid":1,"level":"error","error":{"message":"socket hang up","name":"Error","stack":"Error: socket hang up\n at TLSSocket.onSocketClose (_tls_wrap.js:761:23)\n at TLSSocket.emit (events.js:194:15)\n at _handle.close (net.js:600:12)\n at Socket.done (_tls_wrap.js:388:7)\n at Object.onceWrapper (events.js:277:13)\n at Socket.emit (events.js:189:13)\n at TCP._handle.close (net.js:600:12)","code":"ECONNRESET"},"message":"socket hang up"}
{"type":"error","@timestamp":"2019-10-22T11:59:18Z","tags":["connection","client","error"],"pid":1,"level":"error","error":{"message":"socket hang up","name":"Error","stack":"Error: socket hang up\n at TLSSocket.onSocketClose (_tls_wrap.js:761:23)\n at TLSSocket.emit (events.js:194:15)\n at _handle.close (net.js:600:12)\n at Socket.done (_tls_wrap.js:388:7)\n at Object.onceWrapper (events.js:277:13)\n at Socket.emit (events.js:189:13)\n at TCP._handle.close (net.js:600:12)","code":"ECONNRESET"},"message":"socket hang up"}
{"type":"log","@timestamp":"2019-10-22T11:59:19Z","tags":["warning","elasticsearch","admin"],"pid":1,"message":"Unable to revive connection: https://sample-elasticsearch:9200/"}
{"type":"log","@timestamp":"2019-10-22T11:59:19Z","tags":["warning","elasticsearch","admin"],"pid":1,"message":"No living connections"}
Kibana config:
kibana.yml: |
  # Kibana 6.6 configuration: TLS to Elasticsearch, TLS on Kibana's own listener,
  # SAML sign-in with basic as fallback. Nesting below is restored from the paste.
  server.name: sample-kibana
  server.host: "0.0.0.0"
  # Outbound connection to Elasticsearch. The "Unable to revive connection" and
  # ECONNRESET entries in the log above refer to this URL; the Kibana-side config
  # alone does not show why the peer closes the socket -- the Elasticsearch log for
  # the same timestamps should carry the matching TLS/handshake error.
  elasticsearch.url: https://sample-elasticsearch:9200
  xpack.monitoring.ui.container.elasticsearch.enabled: true
  elasticsearch.username: kibana
  # NOTE(review): a plaintext credential in this file (apparently a ConfigMap) is
  # readable by anyone who can read the ConfigMap; the Kibana keystore
  # (bin/kibana-keystore add elasticsearch.password) can hold this setting instead.
  elasticsearch.password: password1$
  # Key protecting Kibana's saved objects / session data. It is posted here, so it
  # should be treated as disclosed and replaced.
  xpack.security.encryptionKey: "bharathkumarkvvenkataramanaiahkvtarba"
  # CA bundle used to verify the Elasticsearch HTTP certificate (see verificationMode below).
  elasticsearch.ssl.certificateAuthorities: "/usr/share/kibana/config/elastic-stack-ca.pem"
  # TLS on Kibana's own listener (the 5601 endpoint queried above).
  server.ssl.enabled: true
  server.ssl.key: "/usr/share/kibana/config/instance.key"
  server.ssl.certificate: "/usr/share/kibana/config/instance.crt"
  # "certificate" validates the chain against the CA above but does not check that
  # the certificate's hostname matches sample-elasticsearch.
  xpack.monitoring.elasticsearch.ssl.verificationMode: certificate
  elasticsearch.ssl.verificationMode: certificate
  # SAML first, basic as fallback; the SAML ACS path is exempted from XSRF checks
  # because the IdP POSTs to it without a Kibana XSRF token.
  xpack.security.authProviders: [saml, basic]
  server.xsrf.whitelist: [/api/security/v1/saml]
  # Externally reachable Kibana address; presumably must agree with sp.entity_id /
  # sp.acs in the Elasticsearch SAML realm -- confirm both point at the same host.
  xpack.security.public:
    protocol: https
    hostname: saml-aad.elastictest.co
Elasticsearch config:
elasticsearch.yml: |
  # Elasticsearch 6.6.2 single-node configuration: TLS on transport and HTTP,
  # native + SAML authentication realms. Nesting below is restored from the paste.
  cluster.name: "sample-elasticsearch-cluster"
  network.host: 0.0.0.0
  discovery.zen.minimum_master_nodes: 1
  # Update max_local_storage_nodes value based on number of nodes
  node.max_local_storage_nodes: 1
  xpack.security.enabled: true
  xpack.monitoring.collection.enabled: true
  # Node-to-node TLS.
  xpack.security.transport.ssl.enabled: true
  xpack.security.transport.ssl.verification_mode: certificate
  xpack.license.self_generated.type: basic
  # xpack.ssl.* are the defaults inherited by the transport and http layers below
  # unless overridden there. The same PKCS12 file is used as keystore and truststore.
  xpack.ssl.keystore.type: PKCS12
  xpack.ssl.keystore.path: /usr/share/elasticsearch/config/elastic-certificates.p12
  # NOTE(review): plaintext keystore/truststore passwords in the node config; the
  # *.secure_password variants added with bin/elasticsearch-keystore keep them out of
  # this file (and out of the ConfigMap it appears to live in).
  xpack.ssl.keystore.password: password1$
  xpack.ssl.truststore.type: PKCS12
  xpack.ssl.truststore.path: "/usr/share/elasticsearch/config/elastic-certificates.p12"
  xpack.ssl.truststore.password: password1$
  xpack.security.transport.ssl.keystore.path: /usr/share/elasticsearch/config/elastic-certificates.p12
  xpack.security.transport.ssl.truststore.path: /usr/share/elasticsearch/config/elastic-certificates.p12
  # HTTP-layer TLS: this is the 9200 endpoint Kibana connects to. No password is
  # given here, so the keystore password falls back to xpack.ssl.keystore.password.
  xpack.security.http.ssl.enabled: true
  xpack.security.http.ssl.keystore.path: /usr/share/elasticsearch/config/elastic-certificates.p12
  xpack.security.http.ssl.truststore.path: /usr/share/elasticsearch/config/elastic-certificates.p12
  xpack.ssl.verification_mode: certificate
  # NOTE(review): CORS is open to any origin on a security-enabled cluster; the
  # allow-origin should be narrowed to the browser origins that actually need it.
  http.cors.enabled: true
  http.cors.allow-origin: "*"
  http.max_header_size: 16kb
  # Authentication realms in nested form; Elasticsearch flattens nested and dotted
  # keys alike, so this merges with the xpack.security.* settings above.
  xpack:
    security:
      authc:
        realms:
          # Native realm tried first (order 0), SAML second (order 2).
          native1:
            type: native
            order: 0
          saml1:
            type: saml
            order: 2
            # IdP metadata file and issuer; the entity id looks like an Azure AD
            # tenant issuer URL.
            idp.metadata.path: "/usr/share/elasticsearch/config/Elasticsearch.xml"
            idp.entity_id: "https://sts.windows.net/6d5e78da-01ca-4ff1-82fe-bad7a7e64f96/"
            # Service-provider identity and endpoints: the public Kibana address,
            # with the ACS path matching the XSRF-whitelisted path in kibana.yml.
            sp.entity_id: "https://saml-aad.elastictest.co:5601"
            sp.acs: "https://saml-aad.elastictest.co:5601/api/security/v1/saml"
            sp.logout: "https://saml-aad.elastictest.co:5601/logout"
            # SAML assertion attributes mapped to the user principal and to groups
            # (groups presumably feed role mapping; verify against role_mapping.yml).
            attributes.principal: "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
            attributes.groups: "http://schemas.microsoft.com/ws/2008/06/identity/claims/roles"
role_mapping.yml: |