Shield and Java Transport Client

security

#1

When Shield is integrated with a Java application (over the transport layer) using the Elastic Shield transport client,
and the user enables SSL in Elastic Shield, is it mandatory to also pass a username/password along with the certificate information?


(Jay Modi) #2

It is not mandatory if you set up a PKI realm that will be able to authenticate the client certificate.


#3

Thanks Jay.

Can you please confirm that my following configuration is right (I have added my comments against a few of the params for clarification)?

// For the Java client using the transport layer

In the elasticsearch.yml file:

shield:
  authc:
    realms:
      pki1:
        type: pki
        truststore:
          path: "/path/to/pki_truststore.jks"  # Is this field mandatory if the client certificate is signed by the same CA?
                                                # Can I use the keystore path instead of the truststore?
          password: "changeme"

In role_mapping.yml:

my_role:
  - "cn=unique cn"

In my Java client:

TransportClient client = TransportClient.builder()
    .addPlugin(ShieldPlugin.class)
    .settings(Settings.builder()
        .put("cluster.name", "myClusterName")
        .put("shield.ssl.keystore.path", "/path/to/client.jks")
        .put("shield.ssl.keystore.password", "password")
        ...
        .build())
    .build();

What should the format (extension) of the certificate in shield.ssl.keystore.path be?

// For the HTTP client (Python in my case), how can I pass the certificate and key from the input?

from elasticsearch import Elasticsearch

es = Elasticsearch(
    ['localhost', 'otherhost'],
    http_auth=('user', 'secret'),  # Can I omit this?
    port=443,
    use_ssl=True,
    ca_certs='/path/to/cacert.pem',  # What should the path be here? Because there we are passing a JKS path.
    client_cert='/path/to/client_cert.pem',  # What should the path be here? Will just a .crt file work?
    client_key='/path/to/client_key.pem',  # What should the path be here? Will just the .key file work?
)

// For HTTP clients (Kibana, curl, etc.) I do want to keep using HTTP username/password authentication.

Do I need to change any existing configuration for this? Right now it's authenticated using native realm users.


Please let me know in case I'm missing anything in my configuration(s).

//----------

Is it possible to achieve the same functionality using the native realm, i.e. not passing a username/password from the client (transport and HTTP)?


(Jay Modi) #4

Not mandatory, since the CA is already trusted.

Yes, the keystore file path would have been fine.

> ca_certs='/path/to/cacert.pem',  # What should the path be here? Because there we are passing a JKS path.

This should be the path to the CA certificate. JKS is really only for Java.

Yes, the certificate file.

> # What should the path be here? Will just the .key file work?

The .key file will work.

You will need to enable HTTP client auth and make it optional: shield.http.ssl.client.auth: optional. You also need to add a native realm definition in your elasticsearch.yml if you haven't already.

This should be a Java keystore file.

The only way would be by enabling anonymous access, but that means anyone can access it...
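An added example, not from this thread: given the subject DN of a client certificate accepted by the PKI realm, which roles would a role_mapping.yml like the one in post #3 grant it. It assumes (the page does not spell this out) that the mapping is matched on the certificate's full subject DN and that DNs compare case-insensitively with whitespace around separators ignored; ROLE_MAPPING is constructed sample data.

```python
"""Resolve Shield roles for a PKI-authenticated client from role_mapping.yml entries.

Added example. Assumptions: matching is on the full subject DN, and DNs compare
case-insensitively ignoring whitespace around separators (Shield's exact rules are
not stated in the thread).
"""
import re

# Constructed sample mirroring the role_mapping.yml shape in post #3:
# role name -> list of subject DNs (plain usernames may also appear).
ROLE_MAPPING = {
    "my_role": ["cn=unique cn"],
    "monitoring_user": ["CN=monitor, OU=ops, O=Example Corp", "monitor_svc"],
}

_RDN_SEP = re.compile(r"(?<!\\),")  # split on commas that are not backslash-escaped


def normalize_dn(dn: str) -> str:
    """Canonicalise an X.500 DN: lower-case types and values, trim whitespace."""
    rdns = []
    for rdn in _RDN_SEP.split(dn):
        rdn = rdn.strip()
        if not rdn:
            continue
        attr, sep, value = rdn.partition("=")
        if not sep or not attr.strip():
            raise ValueError(f"malformed RDN {rdn!r} in {dn!r}")
        rdns.append(f"{attr.strip().lower()}={' '.join(value.split()).lower()}")
    return ",".join(rdns)


def _entry_matches(entry: str, wanted_dn: str) -> bool:
    """Entries without '=' are usernames, not DNs, so they never match a cert subject."""
    if "=" not in entry:
        return False
    return normalize_dn(entry) == wanted_dn


def resolve_roles(subject_dn: str, mapping: dict) -> list:
    """Return the sorted role names whose mapping lists the certificate subject DN."""
    wanted = normalize_dn(subject_dn)
    return sorted(role for role, entries in mapping.items()
                  if any(_entry_matches(e, wanted) for e in entries))


if __name__ == "__main__":
    for subject in ("CN=unique cn", "cn=monitor,ou=ops,o=example corp", "cn=stranger"):
        print(f"{subject!r} -> {resolve_roles(subject, ROLE_MAPPING)}")
```

A subject that resolves to an empty list authenticates via the certificate but carries no roles, which is the case to watch for when a mapping entry is mistyped.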


#5

Thanks for detailed answers.

In the Python client, when passing a certificate:

http_auth=('user', 'secret'),  # Can I omit this?

In the above case, if I make it optional, does it mean a user can make a REST call without the HTTP header (username/password) in a REST client?

Also, does the same mean a user can log in to Kibana without a username/password?


(Jay Modi) #6

Client authentication in this context is about SSL/TLS. This means that a client will be asked to present its certificate and the server will verify it. When set to optional, the server requests it but does not require it. This allows both PKI and username/password authentication to work. However, this does not change the overall authentication requirement, so username and password will be required as long as the user does not have a trusted certificate.


(system) #7

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.