Secure_Password in ES Keystore for HTTP Exporters


(Dietmar Derenbach) #1

When I set the passphrase for the parameter xpack.monitoring.exporters.admincluster.ssl.keystore.secure_password in ES-Keestore, an error occurs when starting ES: java.lang.IllegalStateException: password has been cleared.

Is anyone able to help me?

Viel Grüße
Dietmar


(Ioannis Kakavas) #2

Hi,

Please tell us which version of Elasticsearch you are running and paste here a portion of your logs around where the exception is thrown


(Dietmar Derenbach) #3

Hallo,

the Version is 6.1.3.

Here the log snipped :
[2018-06-19T13:22:10,625][INFO ][o.e.n.Node ] [ls01130y] initialized
[2018-06-19T13:22:10,625][INFO ][o.e.n.Node ] [ls01130y] starting ...
[2018-06-19T13:22:10,648][ERROR][o.e.b.Bootstrap ] [ls01130y] Exception
java.lang.IllegalStateException: password has been cleared
at java.security.KeyStore$PasswordProtection.getPassword(KeyStore.java:347) ~[?:1.8.0_152]
at sun.security.pkcs12.PKCS12KeyStore.engineGetEntry(PKCS12KeyStore.java:1304) ~[?:?]
at java.security.KeyStore.getEntry(KeyStore.java:1521) ~[?:1.8.0_152]
at org.elasticsearch.common.settings.KeyStoreWrapper.getString(KeyStoreWrapper.java:346) ~[elasticsearch-6.1.3.jar:6.1.3]
at org.elasticsearch.common.settings.Settings$PrefixedSecureSettings.getString(Settings.java:1450) ~[elasticsearch-6.1.3.jar:6.1.3]
at org.elasticsearch.common.settings.Settings$PrefixedSecureSettings.getString(Settings.java:1450) ~[elasticsearch-6.1.3.jar:6.1.3]
at org.elasticsearch.common.settings.Settings$PrefixedSecureSettings.getString(Settings.java:1450) ~[elasticsearch-6.1.3.jar:6.1.3]
at org.elasticsearch.common.settings.SecureSetting$SecureStringSetting.getSecret(SecureSetting.java:152) ~[elasticsearch-6.1.3.jar:6.1.3]
at org.elasticsearch.common.settings.SecureSetting$SecureStringSetting.getSecret(SecureSetting.java:142) ~[elasticsearch-6.1.3.jar:6.1.3]
at org.elasticsearch.common.settings.SecureSetting.get(SecureSetting.java:93) ~[elasticsearch-6.1.3.jar:6.1.3]
at org.elasticsearch.xpack.ssl.SSLConfiguration.createKeyConfig(SSLConfiguration.java:217) ~[?:?]
at org.elasticsearch.xpack.ssl.SSLConfiguration.(SSLConfiguration.java:75) ~[?:?]
at org.elasticsearch.xpack.ssl.SSLService.sslConfiguration(SSLService.java:334) ~[?:?]
at org.elasticsearch.xpack.ssl.SSLService.sslIOSessionStrategy(SSLService.java:137) ~[?:?]
at org.elasticsearch.xpack.monitoring.exporter.http.HttpExporter.configureSecurity(HttpExporter.java:429) ~[?:?]
at org.elasticsearch.xpack.monitoring.exporter.http.HttpExporter.createRestClient(HttpExporter.java:262) ~[?:?]
at org.elasticsearch.xpack.monitoring.exporter.http.HttpExporter.(HttpExporter.java:196) ~[?:?]
at org.elasticsearch.xpack.monitoring.exporter.http.HttpExporter.(HttpExporter.java:183) ~[?:?]
at org.elasticsearch.xpack.monitoring.Monitoring.lambda$createComponents$1(Monitoring.java:157) ~[?:?]
at org.elasticsearch.xpack.monitoring.exporter.Exporters.initExporters(Exporters.java:165) ~[?:?]
at org.elasticsearch.xpack.monitoring.exporter.Exporters.doStart(Exporters.java:89) ~[?:?]
at org.elasticsearch.common.component.AbstractLifecycleComponent.start(AbstractLifecycleComponent.java:66) ~[elasticsearch-6.1.3.jar:6.1.3]
at java.util.ArrayList.forEach(ArrayList.java:1257) ~[?:1.8.0_152]
at java.util.Collections$UnmodifiableCollection.forEach(Collections.java:1080) ~[?:1.8.0_152]
at org.elasticsearch.node.Node.start(Node.java:588) ~[elasticsearch-6.1.3.jar:6.1.3]
at org.elasticsearch.bootstrap.Bootstrap.start(Bootstrap.java:261) ~[elasticsearch-6.1.3.jar:6.1.3]
at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:331) [elasticsearch-6.1.3.jar:6.1.3]
at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:121) [elasticsearch-6.1.3.jar:6.1.3]
at org.elasticsearch.bootstrap.Elasticsearch.execute(Elasticsearch.java:112) [elasticsearch-6.1.3.jar:6.1.3]
at org.elasticsearch.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:86) [elasticsearch-6.1.3.jar:6.1.3]
at org.elasticsearch.cli.Command.mainWithoutErrorHandling(Command.java:124) [elasticsearch-cli-6.1.3.jar:6.1.3]
at org.elasticsearch.cli.Command.main(Command.java:90) [elasticsearch-cli-6.1.3.jar:6.1.3]
at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:92) [elasticsearch-6.1.3.jar:6.1.3]
at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:85) [elasticsearch-6.1.3.jar:6.1.3]
[2018-06-19T13:22:10,657][WARN ][o.e.b.ElasticsearchUncaughtExceptionHandler] [ls01130y] uncaught exception in thread [main]
org.elasticsearch.bootstrap.StartupException: java.lang.IllegalStateException: password has been cleared
at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:125) ~[elasticsearch-6.1.3.jar:6.1.3]
at org.elasticsearch.bootstrap.Elasticsearch.execute(Elasticsearch.java:112) ~[elasticsearch-6.1.3.jar:6.1.3]
at org.elasticsearch.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:86) ~[elasticsearch-6.1.3.jar:6.1.3]
at org.elasticsearch.cli.Command.mainWithoutErrorHandling(Command.java:124) ~[elasticsearch-cli-6.1.3.jar:6.1.3]
at org.elasticsearch.cli.Command.main(Command.java:90) ~[elasticsearch-cli-6.1.3.jar:6.1.3]
at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:92) ~[elasticsearch-6.1.3.jar:6.1.3]
at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:85) ~[elasticsearch-6.1.3.jar:6.1.3]
Caused by: java.lang.IllegalStateException: password has been cleared
at java.security.KeyStore$PasswordProtection.getPassword(KeyStore.java:347) ~[?:1.8.0_152]
at sun.security.pkcs12.PKCS12KeyStore.engineGetEntry(PKCS12KeyStore.java:1304) ~[?:?]
at java.security.KeyStore.getEntry(KeyStore.java:1521) ~[?:1.8.0_152]
at org.elasticsearch.common.settings.KeyStoreWrapper.getString(KeyStoreWrapper.java:346) ~[elasticsearch-6.1.3.jar:6.1.3]
at org.elasticsearch.common.settings.Settings$PrefixedSecureSettings.getString(Settings.java:1450) ~[elasticsearch-6.1.3.jar:6.1.3]
at org.elasticsearch.common.settings.Settings$PrefixedSecureSettings.getString(Settings.java:1450) ~[elasticsearch-6.1.3.jar:6.1.3]
at org.elasticsearch.common.settings.Settings$PrefixedSecureSettings.getString(Settings.java:1450) ~[elasticsearch-6.1.3.jar:6.1.3]
at org.elasticsearch.common.settings.SecureSetting$SecureStringSetting.getSecret(SecureSetting.java:152) ~[elasticsearch-6.1.3.jar:6.1.3]
at org.elasticsearch.common.settings.SecureSetting$SecureStringSetting.getSecret(SecureSetting.java:142) ~[elasticsearch-6.1.3.jar:6.1.3]
at org.elasticsearch.common.settings.SecureSetting.get(SecureSetting.java:93) ~[elasticsearch-6.1.3.jar:6.1.3]
at org.elasticsearch.xpack.ssl.SSLConfiguration.createKeyConfig(SSLConfiguration.java:217) ~[?:?]
at org.elasticsearch.xpack.ssl.SSLConfiguration.(SSLConfiguration.java:75) ~[?:?]
at org.elasticsearch.xpack.ssl.SSLService.sslConfiguration(SSLService.java:334) ~[?:?]
at org.elasticsearch.xpack.ssl.SSLService.sslIOSessionStrategy(SSLService.java:137) ~[?

Viele Grüße
Dietmar


(Ioannis Kakavas) #4

Was the command to store the password in the elasticsearch keystore successful ? It does look like there is no entry for that key in the keystore.

Does running
bin/elasticsearch-keystore list

print out xpack.monitoring.exporters.admincluster.ssl.keystore.secure_password among others ?


(Dietmar Derenbach) #5

Yes, the command was successful and the output of bin/elasticsearch-keystore list shows xpack.monitoring.exporters.admincluster.ssl.keystore.secure_password.

Viele Grüße

Dietmar


(Tim Vernum) #6

Sorry, this is a bug in all current versions of X-Pack.

The only workaround at this time is to enter the password using the non secure version.
This will be fixed in an upcoming release.


(Dietmar Derenbach) #7

Thank you for the answers.

We solved this problem by using the same keystore for ES-Server and Monitoring-Client.
For this we have only set the global xpack.ssl Parameter. See below :

    xpack:
      monitoring.exporters:
        admincluster:
          type: http
          host:
            - ${ES_ADMINCLUSTER_NODE1}
            - ${ES_ADMINCLUSTER_NODE2}
      ssl:
        keystore:
          path: ${ES_PATH_CONF}/x-pack/${HOSTNAME}.p12
          type: PKCS12
        certificate_authorities: ${ES_PATH_CONF}/x-pack/Root_CA_01.cer
        supported_protocols: TLSv1.2
        client_authentication: required
        verification_mode: full
      security:
.
.
.

The password for the pkcs12-Keystore is then stored in the ES-keystore with Parameter xpack.ssl.keystore.secure_password

Viele Grüße

Dietmar


(system) #8

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.