I have integrated Shield with Active directory, i hope i didnt miss any step but still getting below error.
ElasticsearchException[failed to initialize a TrustManagerFactory]; nested: AccessControlException[access denied ("java.io.FilePermission" "/home/node50.jks" "read")];
What is the fix for this?
It looks like whatever user your Elasticsearch process is running under does not have permission to access the keystore/truststore you have configured. Check the permissions on the /home/node50.jks file and ensure the Elasticsearch user has read access.
Thanks Joshua,
I had given full permissions to the file ( chmod 777 /home/node50.jks ), even though getting the error.
Ah right, sorry this is the security manager restricting access to a keystore/truststore not located under <config_dir>/shield. i.e., you need to put this file in the same directory as the other Shield config files.
It worked, but when i tried to login with my AD user getting below error:
[2016-09-02 02:16:59,532][WARN ][shield.authc.activedirectory] [aip_ossec] authentication failed for user [kishore.uppala]: unable to authenticate user [kishore.uppala] to active directory domain [AIPTEST-MAD.AIPTEST.LOCAL]
cause: com.unboundid.ldap.sdk.LDAPException: 80090308: LdapErr: DSID-0C0903CF, comment: AcceptSecurityContext error, data 52e, v2580_emphasized text_
That error indicates that the Active Directory service rejected the bind attempt due to invalid credentials. Does kishore.uppala exist in the APITEST-MAD.APITEST.LOCAL domain or does the user exist in a different domain in the forest?
I was having the same issue with Kibana. I extrapolated your solution and applied to Kibana. Moving the openSSL generated key for Kibana server to the /opt/kibana/installedPlugins/shield/ directory solved the "Permission Denied" issue on the key.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.