Unable to parse private key for saml encryption

Hi,

I'm using SAML for Kibana. SAML is working fine without encryption enabled on the IDP end.
I now want to test with encryption enabled, and have generated a SAML cert and key using:

bin/x-pack/certutil cert -pem -days 1100 -name saml-sign -out saml-sign.zip

and provided saml-sign.crt to the IDP team. My SAML config in elasticsearch.yml is:

xpack.security.authc.realms.saml1:
  type: saml
  order: 2
  idp.metadata.path: /usr/share/elasticsearch/config/saml/idp-metadata.xml
  idp.entity_id: "MineSSO"
  sp.entity_id: "{entity_id}"
  sp.acs: "{acs}"
  sp.logout: "{logout}"
  attributes.principal: "nameid:persistent"
  encryption.key: /usr/share/elasticsearch/config/saml-cert/saml-sign.key
  encryption.certificate: /usr/share/elasticsearch/config/saml-cert/saml-sign.crt

I'm doing this in Kubernetes, so I'm uploading the certificates via TLS secrets. When I start Elasticsearch I get the error below (I also tried changing the cert format, but I get the same error):

Caused by: java.lang.IllegalStateException: Error parsing Private Key from: /usr/share/elasticsearch/config/saml-cert/saml-key.pem
	at org.elasticsearch.xpack.core.ssl.PemUtils.readPrivateKey(PemUtils.java:107) ~[?:?]
	at org.elasticsearch.xpack.core.ssl.PEMKeyConfig.readPrivateKey(PEMKeyConfig.java:97) ~[?:?]
	at org.elasticsearch.xpack.core.ssl.PEMKeyConfig.createKeyManager(PEMKeyConfig.java:58) ~[?:?]
	at org.elasticsearch.xpack.core.ssl.CertParsingUtils.getKeyManager(CertParsingUtils.java:196) ~[?:?]
	at org.elasticsearch.xpack.security.authc.saml.SamlRealm.buildCredential(SamlRealm.java:321) ~[?:?]
	at org.elasticsearch.xpack.security.authc.saml.SamlRealm.buildEncryptionCredential(SamlRealm.java:300) ~[?:?]
	at org.elasticsearch.xpack.security.authc.saml.SamlRealm.getSpConfiguration(SamlRealm.java:294) ~[?:?]
	at org.elasticsearch.xpack.security.authc.saml.SamlRealm.create(SamlRealm.java:196) ~[?:?]
	at org.elasticsearch.xpack.security.authc.InternalRealms.lambda$getFactories$5(InternalRealms.java:106) ~[?:?]
	at org.elasticsearch.xpack.security.authc.Realms.initRealms(Realms.java:192) ~[?:?]
	at org.elasticsearch.xpack.security.authc.Realms.<init>(Realms.java:69) ~[?:?]
	at org.elasticsearch.xpack.security.Security.createComponents(Security.java:485) ~[?:?]
	at org.elasticsearch.xpack.security.Security.createComponents(Security.java:414) ~[?:?]
	at org.elasticsearch.node.Node.lambda$new$11(Node.java:472) ~[elasticsearch-6.7.0.jar:6.7.0]
	at java.util.stream.ReferencePipeline$7$1.accept(ReferencePipeline.java:271) ~[?:?]
	at java.util.ArrayList$ArrayListSpliterator.forEachRemaining(ArrayList.java:1654) ~[?:?]
	at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:484) ~[?:?]
	at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:474) ~[?:?]
	at java.util.stream.ReduceOps$ReduceOp.evaluateSequential(ReduceOps.java:913) ~[?:?]
	at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) ~[?:?]
	at java.util.stream.ReferencePipeline.collect(ReferencePipeline.java:578) ~[?:?]
	at org.elasticsearch.node.Node.<init>(Node.java:475) ~[elasticsearch-6.7.0.jar:6.7.0]
	at org.elasticsearch.node.Node.<init>(Node.java:266) ~[elasticsearch-6.7.0.jar:6.7.0]
	at org.elasticsearch.bootstrap.Bootstrap$5.<init>(Bootstrap.java:212) ~[elasticsearch-6.7.0.jar:6.7.0]
	at org.elasticsearch.bootstrap.Bootstrap.setup(Bootstrap.java:212) ~[elasticsearch-6.7.0.jar:6.7.0]
	at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:333) ~[elasticsearch-6.7.0.jar:6.7.0]
	at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:159) ~[elasticsearch-6.7.0.jar:6.7.0]
	... 6 more
Caused by: java.nio.file.NoSuchFileException: /usr/share/elasticsearch/config/saml-cert/saml-key.pem
	at sun.nio.fs.UnixException.translateToIOException(UnixException.java:92) ~[?:?]
	at sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:111) ~[?:?]
	at sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:116) ~[?:?]
	at sun.nio.fs.UnixFileSystemProvider.newByteChannel(UnixFileSystemProvider.java:215) ~[?:?]

You say that your configuration is

encryption.key: /usr/share/elasticsearch/config/saml-cert/saml-sign.key
encryption.certificate: /usr/share/elasticsearch/config/saml-cert/saml-sign.crt

but the error above indicates that your encryption.key is actually set to

encryption.key: /usr/share/elasticsearch/config/saml-cert/saml-key.pem

Once you resolve this, and ensure that encryption.key points to the actual filename for your key, this will be resolved.

@ikakavas Actually, I also tried changing the format of the key, so by mistake I posted the error with key.pem, but I was getting the same error for saml-sign.key as well. Please consider the below now:

NOTE - My private key starts with -----BEGIN RSA PRIVATE KEY

encryption.key: /usr/share/elasticsearch/config/saml-cert/saml-sign.key
encryption.certificate: /usr/share/elasticsearch/config/saml-cert/saml-sign.crt

Error -

Caused by: java.lang.IllegalStateException: Error parsing Private Key from: /usr/share/elasticsearch/config/saml-cert/saml-sign.key
	at org.elasticsearch.xpack.core.ssl.PemUtils.readPrivateKey(PemUtils.java:107) ~[?:?]
	at org.elasticsearch.xpack.core.ssl.PEMKeyConfig.readPrivateKey(PEMKeyConfig.java:97) ~[?:?]
	at org.elasticsearch.xpack.core.ssl.PEMKeyConfig.createKeyManager(PEMKeyConfig.java:58) ~[?:?]
	at org.elasticsearch.xpack.core.ssl.CertParsingUtils.getKeyManager(CertParsingUtils.java:196) ~[?:?]
	at org.elasticsearch.xpack.security.authc.saml.SamlRealm.buildCredential(SamlRealm.java:321) ~[?:?]
	at org.elasticsearch.xpack.security.authc.saml.SamlRealm.buildEncryptionCredential(SamlRealm.java:300) ~[?:?]
	at org.elasticsearch.xpack.security.authc.saml.SamlRealm.getSpConfiguration(SamlRealm.java:294) ~[?:?]
	at org.elasticsearch.xpack.security.authc.saml.SamlRealm.create(SamlRealm.java:196) ~[?:?]
	at org.elasticsearch.xpack.security.authc.InternalRealms.lambda$getFactories$5(InternalRealms.java:106) ~[?:?]
	at org.elasticsearch.xpack.security.authc.Realms.initRealms(Realms.java:192) ~[?:?]
	at org.elasticsearch.xpack.security.authc.Realms.<init>(Realms.java:69) ~[?:?]
	at org.elasticsearch.xpack.security.Security.createComponents(Security.java:485) ~[?:?]
	at org.elasticsearch.xpack.security.Security.createComponents(Security.java:414) ~[?:?]
	at org.elasticsearch.node.Node.lambda$new$11(Node.java:472) ~[elasticsearch-6.7.0.jar:6.7.0]
	at java.util.stream.ReferencePipeline$7$1.accept(ReferencePipeline.java:271) ~[?:?]
	at java.util.ArrayList$ArrayListSpliterator.forEachRemaining(ArrayList.java:1654) ~[?:?]
	at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:484) ~[?:?]
	at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:474) ~[?:?]
	at java.util.stream.ReduceOps$ReduceOp.evaluateSequential(ReduceOps.java:913) ~[?:?]
	at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) ~[?:?]
	at java.util.stream.ReferencePipeline.collect(ReferencePipeline.java:578) ~[?:?]
	at org.elasticsearch.node.Node.<init>(Node.java:475) ~[elasticsearch-6.7.0.jar:6.7.0]
	at org.elasticsearch.node.Node.<init>(Node.java:266) ~[elasticsearch-6.7.0.jar:6.7.0]
	at org.elasticsearch.bootstrap.Bootstrap$5.<init>(Bootstrap.java:212) ~[elasticsearch-6.7.0.jar:6.7.0]
	at org.elasticsearch.bootstrap.Bootstrap.setup(Bootstrap.java:212) ~[elasticsearch-6.7.0.jar:6.7.0]
	at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:333) ~[elasticsearch-6.7.0.jar:6.7.0]
	at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:159) ~[elasticsearch-6.7.0.jar:6.7.0]
	... 6 more
Caused by: java.nio.file.NoSuchFileException: /usr/share/elasticsearch/config/saml-cert/saml-sign.key
	at sun.nio.fs.UnixException.translateToIOException(UnixException.java:92) ~[?:?]
	at sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:111) ~[?:?]
	at sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:116) ~[?:?]
	at sun.nio.fs.UnixFileSystemProvider.newByteChannel(UnixFileSystemProvider.java:215) ~[?:?]
	at java.nio.file.Files.newByteChannel(Files.java:370) ~[?:?]
	at java.nio.file.Files.newByteChannel(Files.java:421) ~[?:?]
	at java.nio.file.spi.FileSystemProvider.newInputStream(FileSystemProvider.java:420) ~[?:?]

Still,

This file doesn't seem to exist.

Can you share some more details around this? I'm not very familiar with Kubernetes, but I can only assume that there is something wrong in your setup and the key and certificate files do not get copied into the container where ES is running.
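A pre-flight check for the situation diagnosed in this thread, added here as an example and not code posted by either participant: a bash script that reads the encryption.key and encryption.certificate paths out of the node's elasticsearch.yml, confirms the files exist and are readable from inside the container, and classifies each by its PEM header. The function names (setting_value, pem_kind, check_saml_encryption_files) are mine; the config path in the usage line is the one from the thread.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): check the files an Elasticsearch SAML
# realm's encryption.key / encryption.certificate settings point at.
# Run it inside the Elasticsearch container against the elasticsearch.yml the
# node actually loads. It separates the two failure modes a
# "Error parsing Private Key" wrapper can hide:
#   1. the path does not exist (the inner java.nio.file.NoSuchFileException
#      seen in both traces above);
#   2. the file exists but does not start with a private-key PEM header.

# Print the value of a dotted setting (e.g. encryption.key) from a YAML file.
# Matches both the nested form ("  encryption.key: ...") and the flat form
# ("xpack.security.authc.realms.saml1.encryption.key: ..."), strips quotes.
setting_value() {
  # $1 = config file, $2 = setting name
  sed -n -E "s/^[[:space:]]*([A-Za-z0-9_.]*\.)?$2:[[:space:]]*[\"']?([^\"']*)[\"']?[[:space:]]*$/\2/p" "$1" | head -n 1
}

# Classify a PEM file by its first "-----BEGIN ...-----" line.
# Prints one of: missing | unreadable | private-key | certificate | other
pem_kind() {
  local f="$1" header
  [ -e "$f" ] || { echo missing; return; }
  [ -r "$f" ] || { echo unreadable; return; }
  header=$(sed -n '/^-----BEGIN /{p;q;}' "$f")
  case "$header" in
    "-----BEGIN RSA PRIVATE KEY-----"|"-----BEGIN PRIVATE KEY-----"|\
    "-----BEGIN EC PRIVATE KEY-----"|"-----BEGIN DSA PRIVATE KEY-----"|\
    "-----BEGIN ENCRYPTED PRIVATE KEY-----") echo private-key ;;
    "-----BEGIN CERTIFICATE-----") echo certificate ;;
    *) echo other ;;
  esac
}

# Check the encryption.key / encryption.certificate named in one config file.
# Returns 0 when both files exist and carry the expected PEM type, 1 otherwise.
check_saml_encryption_files() {
  local cfg="$1" key crt kkind ckind rc=0
  key=$(setting_value "$cfg" encryption.key)
  crt=$(setting_value "$cfg" encryption.certificate)
  [ -n "$key" ] || { echo "encryption.key not set in $cfg"; return 1; }
  [ -n "$crt" ] || { echo "encryption.certificate not set in $cfg"; return 1; }

  kkind=$(pem_kind "$key")
  ckind=$(pem_kind "$crt")
  echo "encryption.key         -> $key ($kkind)"
  echo "encryption.certificate -> $crt ($ckind)"

  # The common Kubernetes mistake: the Secret mounted fine, but under the
  # file names the Secret type dictates, not the ones the config expects.
  if [ "$kkind" = missing ] || [ "$ckind" = missing ]; then
    echo "  files actually present in $(dirname "$key"):"
    ls -l "$(dirname "$key")" 2>/dev/null | sed 's/^/    /'
    echo "  note: a kubernetes.io/tls Secret mounts as tls.key / tls.crt unless items[].path renames them"
  fi
  [ "$kkind" = private-key ] || rc=1
  [ "$ckind" = certificate ] || rc=1
  return "$rc"
}

# Usage (inside the pod):
#   check_saml_encryption_files /usr/share/elasticsearch/config/elasticsearch.yml
if [ -n "${1:-}" ]; then
  check_saml_encryption_files "$1"
fi
```

Run it inside the Elasticsearch pod (for example via kubectl exec) so it sees the same filesystem the node does. One fact worth knowing for the Kubernetes setup described in the question: a Secret of type kubernetes.io/tls stores its data under the keys tls.crt and tls.key, and a volume built from that Secret mounts files with exactly those names, so a config expecting saml-sign.key will hit NoSuchFileException unless the volume's items list maps tls.key to the path saml-sign.key, or the config points at tls.key instead. The PKCS#1 versus PKCS#8 header question raised in the NOTE above is a separate concern from what both traces show; their inner cause is the file never being opened at all, which is what this check surfaces first.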