PKI authentication with shield - client certificate not requested

security

(Elad Benedict) #1

Hi,

I'm trying to configure shield with PKI user authentication.
SSL seems to be configured and working properly (e.g. I can query over https).

When I configure a realm chain with PKI it appears that a client certificate is not requested during the SSL handshake. Any idea what might be causing it?

This is my elasticsearch.yml:

script.engine.groovy.inline.aggs: on
shield.ssl.keystore.path: C:\elasticsearch-2.3.3\elasticsearch-2.3.3\config\shield\keyStore.jks
shield.ssl.keystore.password: password
shield.ssl.truststore.path: C:\elasticsearch-2.3.3\elasticsearch-2.3.3\config\shield\keyStore.jks
shield.ssl.truststore.password: password
shield.transport.ssl : true
shield.http.ssl: true
shield.authc:
realms:
pki1:
type: pki
username_pattern: CN=(.*?)(?:,|$)

Thanks,
Elad


#2

I also have encountered the same problem. Couldn't find why I don't see any sign for client authentication using PKI and I have almost the same configuration. I can see three way SSL handshake and all steps of key exchange but not client authentication. Would also love to get some insights about this issue.


(Elad Benedict) #3

Mystery solved -
shield.http.ssl.client.auth: optional

See full documentation here: https://www.elastic.co/guide/en/shield/2.0/reference.html

Geez, I'd expect this to be in the PKI tutorial... :S


(system) #4