Shield and x509 auth for http(s) clients

security

(Anton Demenev) #1

Hi all!
Can anyone help me?

I want to secure AWS and our elasticsearch installation with SSL and (for simplest usage) with x509 authentication.

What I do:
1 - Set up CA authority by this article
2 - Import created CA certificate to system java cacerts keystore.
3 - Import CA to trusted keystore (trusted.jks)
4 - Make a client keystore with rsa key (node00 on this example)
5 - Make CSR based on client key
6 - Make the certificate for client with my CA
7 - import CA cert with root alias to client jks (node00.jks)
8 - import client cert to node00.jks
9 - additionally I exported all from node00.jks to PCSK12 file and import to my browser for test authentication.
(I understand, that some steps is excess, I does it when I try to get wanted results from system).
10 - I add ssl support to elasticsearch.yml, following Shield documentation:

# cat elasticsearch.yml:
shield: authc: realms: pki1: type: pki order: 1 esusers1: type: esusers order: 0 ssl: keystore: path: "/etc/elasticsearch/ssl/node00.jks" password: "changeme" key_password: "changeme" truststore: path: "/etc/elasticsearch/ssl/trusted.jks" password: "changeme" hostname_verification: false hostname_verification.resolve_name: false http: ssl: true client: auth: required transport: ssl: true client: auth: optional

# cat shield/role_mapping.yml:
`admin:

  • "cn=node00,ou=test cluster,o=h33x test env"
    `

Output of OpenSSL for verification:
# openssl x509 -subject -nameopt RFC2253 -noout -in 02.pem:
subject= CN=node00,OU=test cluster,O=h33x test env,L=Novosibirsk,ST=Siberia,C=RU

Also, in first iteration of tests, block with esusers realms does not exists.
But anyway I saw only HTTP basic authentication. HTTPS works great, no errors on log files (exclude messages about missing tokens if press Cancel on Auth request on browser)

What I does wrong?

PS Sorry for my poor English :frowning:


(system) #2