"path: /_security/api_key... api keys are not enabled" while loading prebuilt detection rules

I upgraded to 7.6.0 today.
I wanted to try Detections, but I'm getting the error (below) when clicking "load prebuilt detection rules".

My complete Kibana config:

---
## Default Kibana configuration from Kibana base image.
## https://github.com/elastic/kibana/blob/master/src/dev/build/tasks/os_packages/docker_generator/templates/kibana_yml.template.js
#
server.name: kibana
server.host: "0"
elasticsearch.hosts: [ "http://elasticsearch:9200" ]
xpack.monitoring.ui.container.elasticsearch.enabled: false

## X-Pack security credentials
#
elasticsearch.username: kibana
elasticsearch.password: ***

xpack.encryptedSavedObjects.encryptionKey: 'fhjskloppd678ehkdfdlliver123lfcr'

My Elastic config:

---
## Default Elasticsearch configuration from Elasticsearch base image.
## https://github.com/elastic/elasticsearch/blob/master/distribution/docker/src/docker/config/elasticsearch.yml
#
cluster.name: "docker-cluster"
network.host: 0.0.0.0

## Use single node discovery in order to disable production mode and avoid bootstrap checks
## see https://www.elastic.co/guide/en/elasticsearch/reference/current/bootstrap-checks.html
#
discovery.type: single-node

## X-Pack settings
## see https://www.elastic.co/guide/en/elasticsearch/reference/current/setup-xpack.html
#
xpack.license.self_generated.type: basic
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.monitoring.collection.enabled: false

The error in the Elastic log:

{"type": "server", "timestamp": "2020-02-14T06:48:22,835Z", "level": "WARN", "component": "r.suppressed", "cluster.name": "docker-cluster", "node.name": "eb198821dba9", "message": "path: /_security/api_key, params: {}", "cluster.uuid": "ikMJnjTqRYG4UlQ6SjnDBw", "node.id": "ofsLwcUiTRmAPT_Lp8FUMg" ,
"stacktrace": ["java.lang.IllegalStateException: api keys are not enabled",
"at org.elasticsearch.xpack.security.authc.ApiKeyService.ensureEnabled(ApiKeyService.java:584) ~[?:?]",
"at org.elasticsearch.xpack.security.authc.ApiKeyService.createApiKey(ApiKeyService.java:194) ~[?:?]",
"at org.elasticsearch.xpack.security.action.TransportCreateApiKeyAction.lambda$doExecute$0(TransportCreateApiKeyAction.java:67) ~[?:?]",
"at org.elasticsearch.action.ActionListener$1.onResponse(ActionListener.java:63) [elasticsearch-7.6.0.jar:7.6.0]",
"at org.elasticsearch.xpack.security.authz.store.CompositeRolesStore.lambda$getRoleDescriptors$13(CompositeRolesStore.java:295) [x-pack-security-7.6.0.jar:7.6.0]",
"at org.elasticsearch.action.ActionListener$1.onResponse(ActionListener.java:63) [elasticsearch-7.6.0.jar:7.6.0]", ...

The error in the Kibana log:

{"type":"error","@timestamp":"2020-02-14T08:14:02Z","tags":[],"pid":6,"level":"error","error":{"message":"[illegal_state_exception] api keys are not enabled","name":"Error","stack":"Error: [illegal_state_exception] api keys are not enabled\n at transformError (/usr/share/kibana/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/utils.js:24:14)\n at handler (/usr/share/kibana/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/rules/add_prepackaged_rules_route.js:84:16)\n at process._tickCallback (internal/process/next_tick.js:68:7)"},"url":{"protocol":null,"slashes":null,"auth":null,"host":null,"port":null,"hostname":null,"hash":null,"search":null,"query":{},"pathname":"/api/detection_engine/rules/prepackaged","path":"/api/detection_engine/rules/prepackaged","href":"/api/detection_engine/rules/prepackaged"},"message":"[illegal_state_exception] api keys are not enabled"}
{"type":"response","@timestamp":"2020-02-14T08:14:02Z","tags":["access:siem"],"pid":6,"method":"put","statusCode":500,"req":{"url":"/api/detection_engine/rules/prepackaged","method":"put","headers":{"host":"xxx:9100","connection":"keep-alive","content-length":"0","kbn-xsrf":"true","user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.130 Safari/537.36","content-type":"application/json","accept":"*/*","origin":"http://xxx:9100","referer":"http://xxx:9100/app/siem","accept-encoding":"gzip, deflate","accept-language":"en-GB,en-US;q=0.9,en;q=0.8,ru;q=0.7"},"remoteAddress":"172.22.0.1","userAgent":"172.22.0.1","referer":"http://xxx:9100/app/siem"},"res":{"statusCode":500,"responseTime":1412,"contentLength":9},"message":"PUT /api/detection_engine/rules/prepackaged 500 1412ms - 9.0B"}
{"type":"log","@timestamp":"2020-02-14T08:14:03Z","tags":["error","plugins","security","api-key"],"pid":6,"message":"Failed to create API key: [illegal_state_exception] api keys are not enabled"}

Any idea how to fix the issue?

Hi Slavik_Fursov,

Looking at your configuration, it looks like your Kibana instance is connecting to your Elastic through http and not https?

elasticsearch.hosts: [ "http://elasticsearch:9200" ]

If you have security and certificates setup you should be able to begin to use https:

elasticsearch.hosts: [ "https://elasticsearch:9200" ]

If you have self-signed certificates without a local CA you might just need to add one additional Kibana setting of:

elasticsearch:
  ssl:
    verificationMode: 'certificate'

which would skip the hostname validation, but I would always recommend maintaining your own root certificates and doing full verification even on local intranets. On publicly reachable areas, of course, a regular certificate CA is what I would always recommend.

After this your API keys should begin working for you, and then in turn the detection signals.

The system is trying to ensure you don't send API keys in clear text when you are on http, which is why it is stopping you from moving forward.

More details about these settings and permissions:

https://www.elastic.co/guide/en/kibana/current/settings.html
https://www.elastic.co/guide/en/elasticsearch/reference/master/security-api-create-api-key.html
https://www.elastic.co/guide/en/siem/guide/current/detection-engine-overview.html#detections-permissions

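The fix described in the reply above, written out as an added example (not the original poster's files or Elastic's documentation): the plain-http setup from the thread is what triggers "api keys are not enabled", because Elasticsearch 7.x leaves API keys disabled unless TLS is on its HTTP interface, so the corrected pair enables HTTP TLS and points Kibana at https with the matching CA. The certificate file paths are assumed placeholders.

```yaml
# elasticsearch.yml as in the thread: the HTTP (REST) interface is plain text,
# so API keys stay disabled by default and Detections cannot create one.
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
# Weak alternative that merely silences the error: force API keys on over http.
# The key would then travel in clear text between Kibana and Elasticsearch.
# xpack.security.authc.api_key.enabled: true
---
# elasticsearch.yml corrected: TLS on the HTTP interface, API keys then enabled by default.
# Assumed paths: PEM files under the Elasticsearch config directory, e.g. made with
# elasticsearch-certutil; the cert must carry a SAN for the hostname Kibana dials ("elasticsearch").
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.key: certs/elasticsearch/elasticsearch.key
xpack.security.http.ssl.certificate: certs/elasticsearch/elasticsearch.crt
---
# kibana.yml corrected: talk https and trust the same CA that signed the node cert.
elasticsearch.hosts: [ "https://elasticsearch:9200" ]
elasticsearch.ssl.certificateAuthorities: [ "/usr/share/kibana/config/certs/ca/ca.crt" ]
# 'full' checks both the chain and the hostname; 'certificate' would skip the hostname check.
elasticsearch.ssl.verificationMode: full
```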

Yes, I'm running everything via HTTP, no HTTPS.

One reason for that is that I set up my system via Docker, so all communications are internal.

Thank you for pointing me to that. I'll go and configure my system to enable HTTPS.

Perhaps that recent blog post about enabling Detections should have the HTTPS prerequisite noted down, too:
https://www.elastic.co/guide/en/siem/guide/current/detection-engine-overview.html

Thanks for the suggestion @Slavik_Fursov. I've opened a PR for improving the Detections requirements: https://github.com/elastic/stack-docs/pull/882
