I've been working on a sort of unorthodox ELK stack logging POC solution where all components (Elasticsearch, Kibana, Logstash, X-Pack) are running on Windows Server.
I've been able to integrate Elasticsearch with a custom Active Directory realm, and users are able to log in to Kibana with their NT accounts; however, when I try to secure this communication via LDAPS on port 636, I am hitting a problem.
I have installed a digital certificate on the AD domain controller and imported the certificate on the ELK node server into the Trusted Root Certification Authorities. Tested that the LDAPS connection from the ELK server to the domain controller is enabled via the ldp.exe tool:
ld = ldap_sslinit("dc01.xxxxx.xxxx", 636, 1);
Error 0 = ldap_set_option(hLdap, LDAP_OPT_PROTOCOL_VERSION, 3);
Error 0 = ldap_connect(hLdap, NULL);
Error 0 = ldap_get_option(hLdap,LDAP_OPT_SSL,(void*)&lv);
Host supports SSL, SSL cipher strength = 256 bits
Established connection to dc01.devops.test.
Retrieving base DSA information...
As per the official article, my elasticsearch.yml is configured as follows:
#----------------------Configuration for X-Pack Security------------------------
xpack:
  security:
    authc:
      realms:
        active_directory:
          type: "active_directory"
          order: 0
          domain_name: "xxxxx.xxxx"
          url: "ldaps://dc01.xxxxxx.xxxx:636"
          unmapped_groups_as_roles: true
What could I be possibly missing?
The Elasticsearch log shows the following errors when I try to access Kibana:
[WARN ][o.e.x.s.a.AuthenticationService] [B-ChoWB] Authentication to realm active_directory failed - authenticate failed (Caused by LDAPException(resultCode=91 (connect error), errorMessage='An error occurred while attempting to connect to server dc01.devops.test:636: java.io.IOException: LDAPException(resultCode=91 (connect error), errorMessage='Unable to verify an attempt to to establish a secure connection to 'dc01.devops.test:636' because an unexpected error was encountered during validation processing: SSLPeerUnverifiedException(message='peer not authenticated',
I've tried to add the following to the yml configuration, but then the Elasticsearch service will not start, probably failing to parse the configuration:
certificate_authorities: [ "CONFIG_DIR\x-pack\cacert.pem" ]
I couldn't find examples of what this configuration should look like on a Windows server. How does X-Pack know where the default configuration directory is, or should I set this up somewhere?
Thanks a lot!
P.S. Excuse me for the long post.
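A worked realm configuration for the situation described in the post, added here as an example and not taken from the post or from the Elastic documentation verbatim. It assumes the 6.x realm layout the question uses, that the CA certificate has been exported from the Windows store in PEM format into the Elasticsearch config directory under x-pack\cacert.pem, and that relative paths in the ssl settings are resolved against that config directory. The relevant point for the "peer not authenticated" error is that the JVM does not consult the Windows Trusted Root store, so the CA has to be handed to the realm explicitly; the forward-slash path avoids the YAML escape problem that a backslash sequence such as "\x" triggers inside a double-quoted string.

```yaml
# elasticsearch.yml (Elasticsearch 6.x X-Pack realm layout, matching the post)
# Added example: the ssl block is the assumed fix, the rest mirrors the question.
xpack:
  security:
    authc:
      realms:
        active_directory:
          type: "active_directory"
          order: 0
          domain_name: "xxxxx.xxxx"
          url: "ldaps://dc01.xxxxxx.xxxx:636"
          unmapped_groups_as_roles: true
          ssl:
            # PEM file containing the CA that issued the domain controller's
            # certificate. Assumption: a relative path resolves against the
            # Elasticsearch config directory, i.e. <config dir>\x-pack\cacert.pem.
            # Forward slashes keep YAML from treating "\x" as an escape sequence.
            certificate_authorities: [ "x-pack/cacert.pem" ]
            # Keep full chain and hostname verification on. Setting this to
            # "none" would make the error disappear by accepting any certificate,
            # which removes the protection LDAPS is meant to provide.
            verification_mode: full
```

The hostname in url must match a name on the domain controller's certificate (dc01.devops.test in the ldp.exe test above), otherwise verification_mode: full will still reject the connection even with the correct CA configured.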