Okta integration with Elasticsearch

Hi All,

We are trying to do an integration of elasticsearch with Okta, we have succeded the integration for our development box, where we have not enabled any TLS/SSL.

But when do the integration for production setup, we are not able to succeed, have done all the configurations and while starting the service it fails, log says

[2020-09-22T06:38:17,612][WARN ][o.e.x.s.t.n.SecurityNetty4HttpServerTransport] [1.3.5.2] http client did not trust this server's certificate, closing connection Netty4HttpChannel{localAddress=/1.3.5.2:9200, remoteAddress=/1.4.2.9:65391}

I see there is some error with certificate, but i dont have knowledge on certificate part, can someone tell me where the certificate error, should i need to provide the certificate generated in elasticsearch and ask them to add in Okta
or should i need to get okta certificate and add it in elasticsearch.

or is there any other configurations i need to do.

This is my Okta configuration in elasticsearch.yml

xpack.security.authc.realms.saml.prod-saml-prod:
   order: 2
   idp.metadata.path: "/etc/elasticsearch/certs/ELK_Prod.xml"
   idp.entity_id: "http://www.okta.com/kalxreufkjdfnsliaw8"
   sp.entity_id: "https://dashboard.prod.com:5601"
   sp.acs: "https://dashboard.prod.com:5601/api/security/v1/saml"
   sp.logout: "https://dashboard.prod.com:5601/logout"
   attributes.principal: "nameid"
   attributes.groups: "groups"

Any advice please.

Thanks
Gautham

Any advice please??? :frowning:

Thanks
Gautham

The log you shared is from a client connection to elasticsearch, and the client does not trust the certificate that elasticsearch is presenting. This is unrelated to saml and okta.

If you still have this issue you should share your elasticsearch tls configuration and figure out what is running on 1.4.2.9 as this is what tries to connect and fails

@ikakavas Here is my TLS configuration,

#-------------------------------------TLS/SSL--------------------------------------
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: /etc/elasticsearch/certs/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: /etc/elasticsearch/certs/elastic-certificates.p12
#
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.verification_mode: certificate
xpack.security.http.ssl.keystore.path: /etc/elasticsearch/certs/elastic-certificates.p12
xpack.security.http.ssl.truststore.path: /etc/elasticsearch/certs/elastic-certificates.p12
xpack.security.http.ssl.client_authentication: optional
#

Trying to figure out whats stopping me in 1.4.2.9 , will update soon.

Thanks
Gautham