Hi all!
Can anyone help me?
I want to secure AWS and our Elasticsearch installation with SSL and (for simplest usage) with x509 authentication.
What I did:
1 - Set up a CA following this article
2 - Imported the created CA certificate into the system Java cacerts keystore.
3 - Imported the CA into the trusted keystore (trusted.jks)
4 - Made a client keystore with an RSA key (node00 in this example)
5 - Made a CSR based on the client key
6 - Made the certificate for the client with my CA
7 - Imported the CA cert with the root alias into the client jks (node00.jks)
8 - Imported the client cert into node00.jks
9 - Additionally, I exported everything from node00.jks to a PKCS12 file and imported it into my browser to test authentication.
(I understand that some steps are redundant; I did them while trying to get the wanted results from the system.)
10 - I added SSL support to elasticsearch.yml, following the Shield documentation:
# cat elasticsearch.yml:
```
shield:
  authc:
    realms:
      pki1:
        type: pki
        order: 1
      esusers1:
        type: esusers
        order: 0
  ssl:
    keystore:
      path: "/etc/elasticsearch/ssl/node00.jks"
      password: "changeme"
      key_password: "changeme"
    truststore:
      path: "/etc/elasticsearch/ssl/trusted.jks"
      password: "changeme"
    hostname_verification: false
    hostname_verification.resolve_name: false
  http:
    ssl: true
    client:
      auth: required
  transport:
    ssl: true
    client:
      auth: optional
```
# cat shield/role_mapping.yml:
```
admin:
  - "cn=node00,ou=test cluster,o=h33x test env"
```
Output of OpenSSL for verification:
```
# openssl x509 -subject -nameopt RFC2253 -noout -in 02.pem:
subject= CN=node00,OU=test cluster,O=h33x test env,L=Novosibirsk,ST=Siberia,C=RU
```
Also, in the first iteration of tests, the block with the esusers realm did not exist.
But anyway I saw only HTTP basic authentication. HTTPS works great, and there are no errors in the log files (except messages about missing tokens if I press Cancel on the auth request in the browser).
What am I doing wrong?
PS Sorry for my poor English
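
A check a reader can run on the two DNs quoted in the post, as an added example that is not part of the original post and is not Shield's own code: it normalizes the `role_mapping.yml` entry and the `openssl` subject and reports how they relate. It assumes the mapping entry is compared against the complete subject DN and that attribute types and values compare case-insensitively; the function names are hypothetical.

```python
import re

def parse_dn(dn):
    """Split an RFC 2253 DN string into a list of (attribute, value) pairs.

    Attribute types are lower-cased; values are whitespace-collapsed and
    case-folded, so 'CN=node00' and 'cn=node00' compare equal (assumption).
    A comma preceded by a backslash is not treated as a separator;
    multi-valued RDNs (joined with '+') are not split.
    """
    rdns = []
    for part in re.split(r'(?<!\\),', dn.strip()):
        attr, sep, value = part.partition('=')
        if not sep or not attr.strip():
            raise ValueError(f"malformed RDN: {part!r}")
        rdns.append((attr.strip().lower(), " ".join(value.split()).casefold()))
    return rdns

def compare_dn(mapped, subject):
    """Return 'match', 'prefix' (mapping is only the leading RDNs of the
    subject) or 'mismatch'."""
    m, s = parse_dn(mapped), parse_dn(subject)
    if m == s:
        return "match"
    if len(m) < len(s) and s[:len(m)] == m:
        return "prefix"
    return "mismatch"

def subject_from_openssl(line):
    """Strip the 'subject=' label that `openssl x509 -subject` prints."""
    label, sep, dn = line.partition('=')
    if not sep or label.strip().lower() != "subject":
        raise ValueError("not an openssl subject line")
    return dn.strip()

# Values copied from the post above.
ROLE_MAPPING_DN = "cn=node00,ou=test cluster,o=h33x test env"
OPENSSL_LINE = ("subject= CN=node00,OU=test cluster,O=h33x test env,"
                "L=Novosibirsk,ST=Siberia,C=RU")

if __name__ == "__main__":
    subject = subject_from_openssl(OPENSSL_LINE)
    print(compare_dn(ROLE_MAPPING_DN, subject))
    print(",".join(f"{a}={v}" for a, v in parse_dn(subject)))
```

A `prefix` result means the mapping entry stops before the certificate's `L`, `ST` and `C` components, so the two strings are not the same DN under the full-DN assumption.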