Kibana Shield Configuration

security

(Hilal) #1

Hi,

I want to use shield plugin. I am using ES 2.2.0 Kibana 4.4.2.

  1. bin/plugin install license
    bin/plugin install shield

  2. service elasticsearch start

  3. bin/shield/esusers useradd es_admin -r admin

  4. curl -u es_admin -XGET 'http://localhost:9200/'

    {"name": "Archimage","cluster_name": "elasticsearch","version": {"number": "2.2.0","build_hash": "8ff36d139e16f8720f2947ef62c8167a888992fe","build_timestamp": "2016-01-27T13:32:39Z","build_snapshot": false,"lucene_version": "5.4.1"},"tagline": "You Know, for Search"}

It is true. After I did installation and configuration for kibana:

  • I add kibana4-server user in Elasticsearch file on open terminal

esusers useradd kibana4-server -r kibana4_server -p 123456

  • assign role

esusers useradd hilal -r kibana4_monitoring -p 123456

  • in kibana.yml

elasticsearch.url: "http://localhost:9200"

  • install shield in kibana file on open terminal

bin/kibana plugin --install kibana/shield/latest

  • in kibana.yml

      shield.encryptionKey: "something_secret"
      shield.sessionTimeout: 600000
    
  • After I start Kibana:

bin/kibana in kibana file:

[root@server kibana-4.4.2-linux-x64]# bin/kibana
  log   [13:59:45.763] [info][status][plugin:kibana] Status changed from uninitialized to green - Ready
  log   [13:59:45.924] [info][status][plugin:elasticsearch] Status changed from uninitialized to yellow - Waiting for Elasticsearch
  log   [13:59:45.962] [info][status][plugin:marvel] Status changed from uninitialized to yellow - Waiting for Elasticsearch
  log   [13:59:46.025] [error][status][plugin:elasticsearch] Status changed from yellow to red - Authentication Exception
  log   [13:59:46.026] [info][status][plugin:sense] Status changed from uninitialized to green - Ready
  log   [13:59:46.105] [fatal] Error: shield.encryptionKey is required in kibana.yml.
    at ScopedPlugin.init [as externalInit] (/usr/share/kibana-4.4.2-linux-x64/installedPlugins/shield/index.js:36:59)
    at ScopedPlugin.tryCatcher (/usr/share/kibana-4.4.2-linux-x64/node_modules/bluebird/js/main/util.js:26:23)
    at Promise.attempt.Promise.try (/usr/share/kibana-4.4.2-linux-x64/node_modules/bluebird/js/main/method.js:30:24)
    at Object.register (/usr/share/kibana-4.4.2-linux-x64/src/server/plugins/Plugin.js:143:15)
    at /usr/share/kibana-4.4.2-linux-x64/node_modules/hapi/lib/plugin.js:254:14
    at iterate (/usr/share/kibana-4.4.2-linux-x64/node_modules/hapi/node_modules/items/lib/index.js:35:13)
    at Object.exports.serial (/usr/share/kibana-4.4.2-linux-x64/node_modules/hapi/node_modules/items/lib/index.js:38:9)
    at [object Object].internals.Plugin.register (/usr/share/kibana-4.4.2-linux-x64/node_modules/hapi/lib/plugin.js:236:11)
    at /usr/share/kibana-4.4.2-linux-x64/src/server/plugins/Plugin.js:150:32
    at tryCatcher (/usr/share/kibana-4.4.2-linux-x64/node_modules/bluebird/js/main/util.js:26:23)
    at Promise.fromNode (/usr/share/kibana-4.4.2-linux-x64/node_modules/bluebird/js/main/promise.js:164:30)
    at ScopedPlugin.init$ (/usr/share/kibana-4.4.2-linux-x64/src/server/plugins/Plugin.js:149:46)
    at tryCatch (/usr/share/kibana-4.4.2-linux-x64/node_modules/babel-runtime/regenerator/runtime.js:67:40)
    at GeneratorFunctionPrototype.invoke [as _invoke] (/usr/share/kibana-4.4.2-linux-x64/node_modules/babel-runtime/regenerator/runtime.js:315:22)
    at GeneratorFunctionPrototype.prototype.(anonymous function) [as next] (/usr/share/kibana-4.4.2-linux-x64/node_modules/babel-runtime/regenerator/runtime.js:100:21)
    at invoke (/usr/share/kibana-4.4.2-linux-x64/node_modules/babel-runtime/regenerator/runtime.js:136:37)
FATAL { [Error: shield.encryptionKey is required in kibana.yml.]
  cause: [Error: shield.encryptionKey is required in kibana.yml.],
  isOperational: true }

When I was connect kibana:
https://localhost:5601/
It did not connect.
localhost: 5601 Unable to connect to the server.
What is wrong? Please help me.


Elasticsearch authentication failed error
Elasticsearch authentication failed error
(pitt) #2

You have this error
Error: shield.encryptionKey is required in kibana.yml

You need to install encryption key

  1. openssl genrsa -des3 -out [domain].key 1024
  2. openssl req -new -key [domain].key -out [domain].csr
  3. openssl x509 -req -days 365 -in [domain].csr -signkey [domain].key -out [domain].crt
    This was also needed for .key file to be valid:
    openssl rsa -in [domain].key -out [domain].key

and add to kibana.yml
https://www.elastic.co/guide/en/shield/current/kibana.html


(Hilal) #3

Thank you. I did:

  • openssl genrsa -des3 -out localhost.key 1024
  • openssl req -new -key localhost.key -out localhost.csr
  • openssl x509 -req -days 365 -in localhost.csr -signkey localhost.key -out localhost.crt
  • openssl rsa -in localhost.key -out localhost.key

But I have some problems. My kibana.yml file:

# Kibana is served by a back end server. This setting specifies the port to use.

server.port: 5601

# This setting specifies the IP address of the back end server.

server.host: "0.0.0.0"

# Enables you to specify a path to mount Kibana at if you are running behind a proxy. This setting
# cannot end in a slash.
# server.basePath: ""
# The maximum payload size in bytes for incoming server requests.
# server.maxPayloadBytes: 1048576
# The URL of the Elasticsearch instance to use for all your queries.
elasticsearch.url: "http://localhost:9200"
# When this setting’s value is true Kibana uses the hostname specified in the server.host
# setting. When the value of this setting is false, Kibana uses the hostname of the host
# that connects to this Kibana instance.
# elasticsearch.preserveHost: true
# Kibana uses an index in Elasticsearch to store saved searches, visualizations and 
# dashboards. Kibana creates a new index if the index doesn’t already exist.

kibana.index: ".kibana"

# The default application to load.

kibana.defaultAppId: "discover"

# If your Elasticsearch is protected with basic authentication, these settings provide
# the username and password that the Kibana server uses to perform maintenance on the Kibana
# index at startup. Your Kibana users still need to authenticate with Elasticsearch, which 
# is proxied through the Kibana server.
# To disregard the validity of SSL certificates, change this setting’s value to false.

kibana_elasticsearch_username: kibana4-server
kibana_elasticsearch_password: deneme

# Paths to the PEM-format SSL certificate and SSL key files, respectively. These 
# files enable SSL for outgoing requests from the Kibana server to the browser.

verify_ssl: true
server.ssl.cert: /root/localhost.crt
server.ssl.key: /root/localhost.key
shield.encryptionKey: "deneme"
shield.sessionTimeout: 600000

# Optional settings that provide the paths to the PEM-format SSL certificate and key files.
# These files validate that your Elasticsearch backend uses the same key files.
# elasticsearch.ssl.cert: /path/to/your/client.crt
# elasticsearch.ssl.key: /path/to/your/client.key
# Optional setting that enables you to specify a path to the PEM file for the certificate 
# authority for your Elasticsearch instance.
# elasticsearch.ssl.ca: /path/to/your/CA.pem
# Time in milliseconds to wait for Elasticsearch to respond to pings. Defaults to the value of
# the elasticsearch.requestTimeout setting.
# elasticsearch.pingTimeout: 1500
# Time in milliseconds to wait for responses from the back end or Elasticsearch. This value 
# must be a positive integer.
elasticsearch.requestTimeout: 300000
# Time in milliseconds for Elasticsearch to wait for responses from shards. Set to 0 to disable.
elasticsearch.shardTimeout: 0
# Time in milliseconds to wait for Elasticsearch at Kibana startup before retrying.
# elasticsearch.startupTimeout: 5000
# Specifies the path where Kibana creates the process ID file.
# pid.file: /var/run/kibana.pid
# Enables you specify a file where Kibana stores log output.
# logging.dest: stdout
# Set the value of this setting to true to suppress all logging output.
# logging.silent: false
# Set the value of this setting to true to suppress all logging output other than error messages.
# logging.quiet: false
# Set the value of this setting to true to log all events, including system usage information 
# and all requests.
# logging.verbose: false

(Hilal) #4

When I run elasticsearch it is ok
When I run kibana it is ok There are no error just a warning:

[root@server kibana-4.4.2-linux-x64]# bin/kibana
  log   [11:07:27.126] [warning][config] Settings for "shield" were not applied, check for spelling errors and ensure the plugin is loaded.
  log   [11:07:27.632] [info][status][plugin:kibana] Status changed from uninitialized to green - Ready
  log   [11:07:27.668] [info][status][plugin:elasticsearch] Status changed from uninitialized to yellow - Waiting for Elasticsearch
  log   [11:07:27.672] [info][status][plugin:marvel] Status changed from uninitialized to yellow - Waiting for Elasticsearch
  log   [11:07:27.751] [info][status][plugin:sense] Status changed from uninitialized to green - Ready
  log   [11:07:27.767] [info][status][plugin:kbn_vislib_vis_types] Status changed from uninitialized to green - Ready
  log   [11:07:27.785] [info][status][plugin:markdown_vis] Status changed from uninitialized to green - Ready
  log   [11:07:27.805] [info][status][plugin:metric_vis] Status changed from uninitialized to green - Ready
  log   [11:07:28.147] [info][status][plugin:spyModes] Status changed from uninitialized to green - Ready
  log   [11:07:28.159] [info][status][plugin:statusPage] Status changed from uninitialized to green - Ready
  log   [11:07:28.166] [info][status][plugin:table_vis] Status changed from uninitialized to green - Ready
  log   [11:07:28.209] [info][listening] Server running at https://0.0.0.0:5601
  log   [11:07:28.266] [info][status][plugin:elasticsearch] Status changed from yellow to green - Kibana index ready
  log   [11:07:28.341] [info][status][plugin:marvel] Status changed from yellow to green - Marvel index ready

My problem :
localhost:5601 is not working now. I don't understand.


(Jay Modi) #5

Are you using https://localhost:5601?


(Hilal) #6

yes it works thank you so much:)


(Hilal) #7

Hi I have problem again.
I want to do index my mysql datas but it is not working.
I did mapping on sense editor and I did index with php codes.
When I run my php codes It dosen't work.

What is the problem?


(ganeshbabu) #8

Hi Hilal,

I followed the same configuration setup to enable ssl for shield to access kibana. I have created separated kibana user in esusers list, but when I am trying to login with the eskibanauser I am getting as

Oops! Invalid username/password.

Please correct me if am doing any thing wrong in setup.

Note:- I could see no errors were logged in ES

Thanks,
Ganeshbabu R


(system) #9