I'm using SAML for kibana. SAML is working fine without enabling encryption from IDP end.
I now want to test with encryption enabled and have generated the SAML cert and key using:
and provided saml-sign.crt to the IDP team. My SAML config in elasticsearch.yml is:
xpack.security.authc.realms.saml1:
  type: saml
  order: 2
  idp.metadata.path: /usr/share/elasticsearch/config/saml/idp-metadata.xml
  idp.entity_id: "MineSSO"
  sp.entity_id: "{entity_id}"
  sp.acs: "{acs}"
  sp.logout: "{logout}"
  attributes.principal: "nameid:persistent"
  encryption.key: /usr/share/elasticsearch/config/saml-cert/saml-sign.key
  encryption.certificate: /usr/share/elasticsearch/config/saml-cert/saml-sign.crt
I'm doing this in Kubernetes, so I upload the certificates via TLS secrets. When I start Elasticsearch, I get the error below (I also tried changing the cert format but get the same error.)
Caused by: java.lang.IllegalStateException: Error parsing Private Key from: /usr/share/elasticsearch/config/saml-cert/saml-key.pem
at org.elasticsearch.xpack.core.ssl.PemUtils.readPrivateKey(PemUtils.java:107) ~[?:?]
at org.elasticsearch.xpack.core.ssl.PEMKeyConfig.readPrivateKey(PEMKeyConfig.java:97) ~[?:?]
at org.elasticsearch.xpack.core.ssl.PEMKeyConfig.createKeyManager(PEMKeyConfig.java:58) ~[?:?]
at org.elasticsearch.xpack.core.ssl.CertParsingUtils.getKeyManager(CertParsingUtils.java:196) ~[?:?]
at org.elasticsearch.xpack.security.authc.saml.SamlRealm.buildCredential(SamlRealm.java:321) ~[?:?]
at org.elasticsearch.xpack.security.authc.saml.SamlRealm.buildEncryptionCredential(SamlRealm.java:300) ~[?:?]
at org.elasticsearch.xpack.security.authc.saml.SamlRealm.getSpConfiguration(SamlRealm.java:294) ~[?:?]
at org.elasticsearch.xpack.security.authc.saml.SamlRealm.create(SamlRealm.java:196) ~[?:?]
at org.elasticsearch.xpack.security.authc.InternalRealms.lambda$getFactories$5(InternalRealms.java:106) ~[?:?]
at org.elasticsearch.xpack.security.authc.Realms.initRealms(Realms.java:192) ~[?:?]
at org.elasticsearch.xpack.security.authc.Realms.<init>(Realms.java:69) ~[?:?]
at org.elasticsearch.xpack.security.Security.createComponents(Security.java:485) ~[?:?]
at org.elasticsearch.xpack.security.Security.createComponents(Security.java:414) ~[?:?]
at org.elasticsearch.node.Node.lambda$new$11(Node.java:472) ~[elasticsearch-6.7.0.jar:6.7.0]
at java.util.stream.ReferencePipeline$7$1.accept(ReferencePipeline.java:271) ~[?:?]
at java.util.ArrayList$ArrayListSpliterator.forEachRemaining(ArrayList.java:1654) ~[?:?]
at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:484) ~[?:?]
at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:474) ~[?:?]
at java.util.stream.ReduceOps$ReduceOp.evaluateSequential(ReduceOps.java:913) ~[?:?]
at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) ~[?:?]
at java.util.stream.ReferencePipeline.collect(ReferencePipeline.java:578) ~[?:?]
at org.elasticsearch.node.Node.<init>(Node.java:475) ~[elasticsearch-6.7.0.jar:6.7.0]
at org.elasticsearch.node.Node.<init>(Node.java:266) ~[elasticsearch-6.7.0.jar:6.7.0]
at org.elasticsearch.bootstrap.Bootstrap$5.<init>(Bootstrap.java:212) ~[elasticsearch-6.7.0.jar:6.7.0]
at org.elasticsearch.bootstrap.Bootstrap.setup(Bootstrap.java:212) ~[elasticsearch-6.7.0.jar:6.7.0]
at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:333) ~[elasticsearch-6.7.0.jar:6.7.0]
at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:159) ~[elasticsearch-6.7.0.jar:6.7.0]
... 6 more
Caused by: java.nio.file.NoSuchFileException: /usr/share/elasticsearch/config/saml-cert/saml-key.pem
at sun.nio.fs.UnixException.translateToIOException(UnixException.java:92) ~[?:?]
at sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:111) ~[?:?]
at sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:116) ~[?:?]
at sun.nio.fs.UnixFileSystemProvider.newByteChannel(UnixFileSystemProvider.java:215) ~[?:?]
@ikakavas Actually, I also tried changing the format of the key, so by mistake I posted the error for key.pem, but I was getting the same error for saml-sign.key as well. Please consider the below now:
NOTE - My private key starts with -----BEGIN RSA PRIVATE KEY
encryption.key: /usr/share/elasticsearch/config/saml-cert/saml-sign.key
encryption.certificate: /usr/share/elasticsearch/config/saml-cert/saml-sign.crt
Error -
Caused by: java.lang.IllegalStateException: Error parsing Private Key from: /usr/share/elasticsearch/config/saml-cert/saml-sign.key
at org.elasticsearch.xpack.core.ssl.PemUtils.readPrivateKey(PemUtils.java:107) ~[?:?]
at org.elasticsearch.xpack.core.ssl.PEMKeyConfig.readPrivateKey(PEMKeyConfig.java:97) ~[?:?]
at org.elasticsearch.xpack.core.ssl.PEMKeyConfig.createKeyManager(PEMKeyConfig.java:58) ~[?:?]
at org.elasticsearch.xpack.core.ssl.CertParsingUtils.getKeyManager(CertParsingUtils.java:196) ~[?:?]
at org.elasticsearch.xpack.security.authc.saml.SamlRealm.buildCredential(SamlRealm.java:321) ~[?:?]
at org.elasticsearch.xpack.security.authc.saml.SamlRealm.buildEncryptionCredential(SamlRealm.java:300) ~[?:?]
at org.elasticsearch.xpack.security.authc.saml.SamlRealm.getSpConfiguration(SamlRealm.java:294) ~[?:?]
at org.elasticsearch.xpack.security.authc.saml.SamlRealm.create(SamlRealm.java:196) ~[?:?]
at org.elasticsearch.xpack.security.authc.InternalRealms.lambda$getFactories$5(InternalRealms.java:106) ~[?:?]
at org.elasticsearch.xpack.security.authc.Realms.initRealms(Realms.java:192) ~[?:?]
at org.elasticsearch.xpack.security.authc.Realms.<init>(Realms.java:69) ~[?:?]
at org.elasticsearch.xpack.security.Security.createComponents(Security.java:485) ~[?:?]
at org.elasticsearch.xpack.security.Security.createComponents(Security.java:414) ~[?:?]
at org.elasticsearch.node.Node.lambda$new$11(Node.java:472) ~[elasticsearch-6.7.0.jar:6.7.0]
at java.util.stream.ReferencePipeline$7$1.accept(ReferencePipeline.java:271) ~[?:?]
at java.util.ArrayList$ArrayListSpliterator.forEachRemaining(ArrayList.java:1654) ~[?:?]
at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:484) ~[?:?]
at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:474) ~[?:?]
at java.util.stream.ReduceOps$ReduceOp.evaluateSequential(ReduceOps.java:913) ~[?:?]
at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) ~[?:?]
at java.util.stream.ReferencePipeline.collect(ReferencePipeline.java:578) ~[?:?]
at org.elasticsearch.node.Node.<init>(Node.java:475) ~[elasticsearch-6.7.0.jar:6.7.0]
at org.elasticsearch.node.Node.<init>(Node.java:266) ~[elasticsearch-6.7.0.jar:6.7.0]
at org.elasticsearch.bootstrap.Bootstrap$5.<init>(Bootstrap.java:212) ~[elasticsearch-6.7.0.jar:6.7.0]
at org.elasticsearch.bootstrap.Bootstrap.setup(Bootstrap.java:212) ~[elasticsearch-6.7.0.jar:6.7.0]
at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:333) ~[elasticsearch-6.7.0.jar:6.7.0]
at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:159) ~[elasticsearch-6.7.0.jar:6.7.0]
... 6 more
Caused by: java.nio.file.NoSuchFileException: /usr/share/elasticsearch/config/saml-cert/saml-sign.key
at sun.nio.fs.UnixException.translateToIOException(UnixException.java:92) ~[?:?]
at sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:111) ~[?:?]
at sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:116) ~[?:?]
at sun.nio.fs.UnixFileSystemProvider.newByteChannel(UnixFileSystemProvider.java:215) ~[?:?]
at java.nio.file.Files.newByteChannel(Files.java:370) ~[?:?]
at java.nio.file.Files.newByteChannel(Files.java:421) ~[?:?]
at java.nio.file.spi.FileSystemProvider.newInputStream(FileSystemProvider.java:420) ~[?:?]
Can you share some more details around this? I'm not very familiar with Kubernetes, but I can only assume that there is something wrong in your setup and the key and certificate files do not get copied into the container where ES is running.
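The root cause in the trace above is `NoSuchFileException`: the node never reaches the PEM parser because the file is not at the configured path inside the container. One caveat worth knowing when mounting a `kubernetes.io/tls` Secret as a volume: its data keys are `tls.key` and `tls.crt`, so those are the file names that appear in the mount unless the volume's `items[].key`/`items[].path` entries rename them to what elasticsearch.yml expects. The script below is an added example, not code from the thread or from Elastic: a pre-flight check to run inside the Elasticsearch container (for instance via `kubectl exec`) that reports missing or unreadable files together with a listing of what was actually mounted, and then checks that the key and certificate are PEM of the expected type. The function names `check_saml_keypair` and `make_fake_secret_mount` are mine; the list of accepted private-key PEM headers is my recollection of what Elasticsearch's `PemUtils` handles in 6.x and should be treated as an assumption; the placeholder PEM files the demo writes are constructed and contain no real key material.

```shell
#!/bin/sh
# Added example, not from the thread: pre-flight check for the SAML
# encryption key/cert that elasticsearch.yml points to. Run it inside the
# Elasticsearch container before starting the node; it reports the same
# conditions that produce NoSuchFileException / "Error parsing Private Key",
# plus a listing of what the Secret volume actually mounted.

# PEM headers Elasticsearch's PemUtils accepts for a private key
# (assumption: recalled from the 6.x code, not stated in the thread).
KEY_HEADERS='-----BEGIN RSA PRIVATE KEY-----
-----BEGIN PRIVATE KEY-----
-----BEGIN ENCRYPTED PRIVATE KEY-----
-----BEGIN EC PRIVATE KEY-----
-----BEGIN DSA PRIVATE KEY-----'

# check_saml_keypair KEY_PATH CERT_PATH
# exit 0: both files present, readable, and PEM-shaped
# exit 1: a file is missing or unreadable (the mounted directory is listed)
# exit 2: a file exists but is not the expected PEM type
check_saml_keypair() {
  key="$1"; cert="$2"; rc=0

  # 1. Existence and permissions. A kubernetes.io/tls Secret mounts as
  #    tls.key / tls.crt unless the volume's items[].path renames them.
  for f in "$key" "$cert"; do
    if [ ! -f "$f" ]; then
      echo "MISSING: $f" >&2; rc=1
    elif [ ! -r "$f" ]; then
      echo "UNREADABLE: $f (check defaultMode/fsGroup on the volume)" >&2; rc=1
    fi
  done
  if [ "$rc" -ne 0 ]; then
    echo "contents of $(dirname "$key"):" >&2
    ls -la "$(dirname "$key")" >&2
    return 1
  fi

  # 2. Key file: must begin with an accepted PEM header and contain a
  #    matching END line (catches DER/PKCS#12 and truncated files).
  first=$(head -n 1 "$key")
  if ! printf '%s\n' "$KEY_HEADERS" | grep -Fxq -- "$first"; then
    if [ "$first" = "-----BEGIN CERTIFICATE-----" ]; then
      echo "SWAPPED: $key holds a certificate, not a private key" >&2
    else
      echo "NOT PEM: $key starts with '$first' (DER or PKCS#12?)" >&2
    fi
    return 2
  fi
  if ! grep -q '^-----END .*PRIVATE KEY-----$' "$key"; then
    echo "TRUNCATED: $key has no END PRIVATE KEY line" >&2; return 2
  fi

  # 3. Certificate file: must be a PEM certificate, not a key.
  if [ "$(head -n 1 "$cert")" != "-----BEGIN CERTIFICATE-----" ]; then
    echo "NOT PEM CERT: $cert starts with '$(head -n 1 "$cert")'" >&2
    return 2
  fi
  echo "OK: $key and $cert look like a PEM key/cert pair"
  return 0
}

# make_fake_secret_mount DIR KEY_NAME CERT_NAME
# Writes constructed placeholder PEM files (not real key material) under the
# names a Secret volume would produce, so the check can be exercised offline.
make_fake_secret_mount() {
  mkdir -p "$1"
  printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' \
    'MIIBOgIBAAJBAK...constructed-placeholder...' \
    '-----END RSA PRIVATE KEY-----' > "$1/$2"
  printf '%s\n' '-----BEGIN CERTIFICATE-----' \
    'MIIBszCCAV2gAw...constructed-placeholder...' \
    '-----END CERTIFICATE-----' > "$1/$3"
}

# Demo: default TLS-Secret file names vs. the names elasticsearch.yml expects.
if [ "${1:-}" = "--demo" ]; then
  d=$(mktemp -d)
  make_fake_secret_mount "$d" tls.key tls.crt
  check_saml_keypair "$d/saml-sign.key" "$d/saml-sign.crt"   # fails: MISSING
  make_fake_secret_mount "$d" saml-sign.key saml-sign.crt
  check_saml_keypair "$d/saml-sign.key" "$d/saml-sign.crt"   # OK
fi
```

Against the configuration posted above the call inside the pod would be `check_saml_keypair /usr/share/elasticsearch/config/saml-cert/saml-sign.key /usr/share/elasticsearch/config/saml-cert/saml-sign.crt`; if it prints `MISSING` followed by a listing containing `tls.key` and `tls.crt`, the fix is on the volume definition, not on the key format.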