Shield Exception

security

(Kishore) #1

I have integrated Shield with Active directory, i hope i didnt miss any step but still getting below error.

ElasticsearchException[failed to initialize a TrustManagerFactory]; nested: AccessControlException[access denied ("java.io.FilePermission" "/home/node50.jks" "read")];

What is the fix for this?


(Joshua Rich) #2

It looks like whatever user your Elasticsearch process is running under does not have permission to access the keystore/truststore you have configured. Check the permissions on the /home/node50.jks file and ensure the Elasticsearch user has read access.


(Kishore) #3

Thanks Joshua,

I had given full permissions to the file ( chmod 777 /home/node50.jks ), even though getting the error.


(Joshua Rich) #4

Ah right, sorry this is the security manager restricting access to a keystore/truststore not located under <config_dir>/shield. i.e., you need to put this file in the same directory as the other Shield config files.


(Kishore) #5

It worked, but when i tried to login with my AD user getting below error:

[2016-09-02 02:16:59,532][WARN ][shield.authc.activedirectory] [aip_ossec] authentication failed for user [kishore.uppala]: unable to authenticate user [kishore.uppala] to active directory domain [AIPTEST-MAD.AIPTEST.LOCAL]
cause: com.unboundid.ldap.sdk.LDAPException: 80090308: LdapErr: DSID-0C0903CF, comment: AcceptSecurityContext error, data 52e, v2580_emphasized text_


(Jay Modi) #6

That error indicates that the Active Directory service rejected the bind attempt due to invalid credentials. Does kishore.uppala exist in the APITEST-MAD.APITEST.LOCAL domain or does the user exist in a different domain in the forest?


(Harsh Jain) #7

I was having the same issue with Kibana. I extrapolated your solution and applied to Kibana. Moving the openSSL generated key for Kibana server to the /opt/kibana/installedPlugins/shield/ directory solved the "Permission Denied" issue on the key.


(system) #8