Truststore.secure_password is not configured

I am getting the following error when I try to start the cluster with the PKI realm.
> [2017-11-14T13:08:04,841][ERROR][o.e.b.ElasticsearchUncaughtExceptionHandler] [prdpywdcstt5301] fatal error in thread [main], exiting

java.lang.Error: security initialization failed
at org.elasticsearch.xpack.XPackPlugin.createComponents(XPackPlugin.java:279) ~[?:?]
at org.elasticsearch.node.Node.lambda$new$7(Node.java:412) ~[elasticsearch-5.6.3.jar:5.6.3]
at java.util.stream.ReferencePipeline$7$1.accept(ReferencePipeline.java:267) ~[?:1.8.0_151]
at java.util.ArrayList$ArrayListSpliterator.forEachRemaining(ArrayList.java:1380) ~[?:1.8.0_151]
at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:481) ~[?:1.8.0_151]
at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471) ~[?:1.8.0_151]
at java.util.stream.ReduceOps$ReduceOp.evaluateSequential(ReduceOps.java:708) ~[?:1.8.0_151]
at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) ~[?:1.8.0_151]
at java.util.stream.ReferencePipeline.collect(ReferencePipeline.java:499) ~[?:1.8.0_151]
at org.elasticsearch.node.Node.(Node.java:414) ~[elasticsearch-5.6.3.jar:5.6.3]
at org.elasticsearch.node.Node.(Node.java:245) ~[elasticsearch-5.6.3.jar:5.6.3]
at org.elasticsearch.bootstrap.Bootstrap$5.(Bootstrap.java:233) ~[elasticsearch-5.6.3.jar:5.6.3]
at org.elasticsearch.bootstrap.Bootstrap.setup(Bootstrap.java:233) ~[elasticsearch-5.6.3.jar:5.6.3]
at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:342) ~[elasticsearch-5.6.3.jar:5.6.3]
at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:132) ~[elasticsearch-5.6.3.jar:5.6.3]
at org.elasticsearch.bootstrap.Elasticsearch.execute(Elasticsearch.java:123) ~[elasticsearch-5.6.3.jar:5.6.3]
at org.elasticsearch.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:70) ~[elasticsearch-5.6.3.jar:5.6.3]
at org.elasticsearch.cli.Command.mainWithoutErrorHandling(Command.java:134) ~[elasticsearch-5.6.3.jar:5.6.3]
at org.elasticsearch.cli.Command.main(Command.java:90) ~[elasticsearch-5.6.3.jar:5.6.3]
at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:91) ~[elasticsearch-5.6.3.jar:5.6.3]
at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:84) ~[elasticsearch-5.6.3.jar:5.6.3]
Caused by: java.lang.IllegalArgumentException: [xpack.security.authc.realms.clients_pki.truststore.secure_password] is not configured
at org.elasticsearch.xpack.security.authc.pki.PkiRealm.trustManagersFromTruststore(PkiRealm.java:198) ~[?:?]
at org.elasticsearch.xpack.security.authc.pki.PkiRealm.trustManagers(PkiRealm.java:189) ~[?:?]
at org.elasticsearch.xpack.security.authc.pki.PkiRealm.(PkiRealm.java:80) ~[?:?]
at org.elasticsearch.xpack.security.authc.pki.PkiRealm.(PkiRealm.java:74) ~[?:?]
at org.elasticsearch.xpack.security.authc.InternalRealms.lambda$getFactories$4(InternalRealms.java:89) ~[?:?]
at org.elasticsearch.xpack.security.authc.Realms.initRealms(Realms.java:179) ~[?:?]
at org.elasticsearch.xpack.security.authc.Realms.(Realms.java:69) ~[?:?]
at org.elasticsearch.xpack.security.Security.createComponents(Security.java:384) ~[?:?]
at org.elasticsearch.xpack.XPackPlugin.createComponents(XPackPlugin.java:276) ~[?:?]
... 20 more

My es yml has the following settings

    clients_pki:
      type: pki
      order: 1
      truststore:
        path: "/etc/elasticsearch/certs/truststore.jks"
        password: "********"
      username_pattern: ********
      files:
        role_mapping: "/etc/elasticsearch/x-pack/role_mapping.yml"

What I don't understand is why the file is requiring a secure_password when it appears to be optional in the documentation for 5.6.3. I did try adding parameter but with no luck. Any ideas are much appreciated. Thanks!

This is a bug in 5.6.3 that is fixed in 5.6.4

https://www.elastic.co/guide/en/x-pack/5.6/xpack-change-list.html#bug-5.6.4

Enabled PKI realms to obtain the password for the truststore from either the truststore.secure_password or the truststore.password setting. For more information, see PKI Realm Settings.

If you are unable to upgrade to 5.6.4, then you will need to use the truststore.secure_password setting in your elasticsearch.keystore file instead of the truststore.password in your elasticsearch.yml file.

1 Like

Thanks! I'll upgrade.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.