SOLVED: Multiple ES instances with SSL

security

(Clement Ros) #1

Hi,

I have multiple instances of Elasticsearch on the same server.

I have signed my certificate with my own CA. I have created one keystore per ES instance, and in this keystore I have the root certificate, my private key, and my signed certificate.

I also had to copy the shield directory to each ES instance and make sure it had the proper rights and owner.

When I start my node I have the following error:

[2016-03-24 15:37:28,412][ERROR][shield.transport.netty ] [uat-node01] SSL/TLS handshake failed, closing channel: General SSLEngine problem

Does somebody have an idea?


(Jay Modi) #2

Is there a "caused by" exception in the stacktrace? The general problem could mean a lot of different things, and usually the root cause is much more helpful.


(Giuseppe Tricarico) #3

Hi, I have the same problem, posted some days ago. Did you solve it?


(Clement Ros) #4

Unfortunately not; after many attempts we abandoned the idea of integrating Shield with our multiple-instance architecture.

But if you find a solution please share :slight_smile:


(Giuseppe Tricarico) #5

Sure

I will play with it in the next days, as my spare time allows.

Regards

Giuseppe


(Jay Modi) #6

Hi Clement,

If you provide more details we would be more than happy to try to help.

-Jay


(Clement Ros) #7

Hi Jay,

We just tried to install Shield following your documentation (the "installing shield" part). We had planned to use native user authentication at first.
Then we created a user.

And after all these steps, there was no restriction on access to our cluster. So we searched for 3 days, and the next week we decided to stop the installation of Shield for the moment.

I have uninstalled Shield for the moment, but when I have a little time I could retry the installation and share our issues with you.

-Clément


(Jay Modi) #8

Are you using a license already, maybe for Marvel? If so and it is a basic license, Shield will not protect the cluster. You can request a trial license extension from info@elastic.co.


(Clement Ros) #9

I already use a trial license. Maybe it's too old?


(Jay Modi) #10

Hmm, I am not sure. You can check the status by issuing a GET on /_license.


(Clement Ros) #11

Okay, my license is not a trial :sweat_smile:

"status": "active", "type": "basic",

I sent an email to the address you gave me.
When I have the trial license I will retry installing Shield and I will tell you if it works or not.

Thanks for your help :smile:


(Clement Ros) #12

Hi,

I tried again to install Shield.

I updated the license, and I have done all the first steps of the installation.

I still have an authentication problem.

{"error":{"root_cause":[{"type":"security_exception","reason":"unable to authenticate user [es_admin] for REST request [/]","header":{"WWW-Authenticate":"Basic realm=\"shield\""}}],"type":"security_exception","reason":"unable to authenticate user [es_admin] for REST request [/]","header":{"WWW-Authenticate":"Basic realm=\"shield\""}},"status":401}

I think Shield can't work with multiple ES nodes on the same server by default.

My architecture is composed of 3 servers. There are 4 nodes on each server.

The error occurred when I created the es_admin user on my second server.


(Clement Ros) #13

After another attempt to install Shield:

I can say that the error is not because of my multiple nodes.

The error appeared after the Shield installation.


(Jay Modi) #14

Hi Clement,

Can you provide more details about both installations (multiple node and single node)? This includes versions, how you installed (rpm/deb/tar/zip), custom configuration path, etc.

Jay


(Clement Ros) #15

Thank you for the answer Jay,

I have 3 servers, the OS is CentOS 7 (v 7.2.1511).

Each server contains 4 ES nodes (v 2.2.0). 1 node is a client node, 1 node is a master node and the other two are data nodes. Each server also contains 1 redis-server (v2.8.19), logstash (v 2.2.0) and Kibana (v 4.4.0). I use keepalived to provide load balancing.

So I have 3 client nodes, 3 master nodes and 6 data nodes.

I installed my nodes with rpm.

For Elasticsearch the rpm command creates the directory "/etc/elasticsearch". I copied this directory into multiple directories to create each node.

To start each node separately, I copied the original systemd file to create 4 systemd files, one for each node, in "/usr/lib/systemd/system/", and I changed the paths to point to the correct node configuration files.

I also copied the "/etc/sysconfig/elasticsearch" file into 4 files, one for each node, and I changed the different paths to point to the correct node configuration directory.

Clément


(Jay Modi) #16

Ok. The Shield esusers script requires an option to be specified in this type of installation so that it places the files in the proper directory:

bin/shield/esusers useradd admin -r admin --path.conf=/path/to/configuration/directory

You can either run this command for each node config directory or manually copy the users and users_roles files.
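
As an added example (not from this thread, and not Elastic's own tooling), a POSIX sh check that the Shield `users` and `users_roles` files are present and identical under every per-node configuration directory, which is the end state the `--path.conf` step above has to produce on each node. The node directory names, the placeholder hash and the role line are constructed for the demo.

```shell
#!/bin/sh
# Added example: verify that each node's config dir carries the same Shield
# users/users_roles files as a reference dir. Layout and contents below are
# constructed for demonstration; real files live in <path.conf>/shield/.

# Usage: check_shield_users_sync REF_CONF_DIR NODE_CONF_DIR...
# Returns 0 when every node dir holds copies identical to the reference,
# 1 otherwise; each missing or differing file is reported on stderr.
check_shield_users_sync() {
  ref="$1"; shift
  rc=0
  for f in users users_roles; do
    [ -f "$ref/shield/$f" ] || { echo "reference $ref/shield/$f missing" >&2; return 1; }
  done
  for d in "$@"; do
    for f in users users_roles; do
      if [ ! -f "$d/shield/$f" ]; then
        # Typical cause: esusers was run without --path.conf=$d for this node.
        echo "$d: shield/$f missing" >&2
        rc=1
      elif ! cmp -s "$ref/shield/$f" "$d/shield/$f"; then
        echo "$d: shield/$f differs from $ref" >&2
        rc=1
      fi
    done
  done
  return $rc
}

# Build a constructed three-node layout under a temp dir. node3 lacks
# users_roles, reproducing "user created on one node's config only".
make_demo_layout() {
  base=$(mktemp -d)
  for n in 1 2 3; do
    mkdir -p "$base/node$n/shield"
    printf 'es_admin:<bcrypt-hash-placeholder>\n' > "$base/node$n/shield/users"
  done
  printf 'admin:es_admin\n' > "$base/node1/shield/users_roles"
  cp "$base/node1/shield/users_roles" "$base/node2/shield/users_roles"
  echo "$base"
}
```

Run it against the real directories (for example `/etc/elasticsearch-node1` through `/etc/elasticsearch-node4`, names assumed) after creating users, before restarting the nodes.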


(Clement Ros) #17

Thanks, it works for me :grinning:

Thank you for your time.

