Unable to start elasticsearch after add keystore on RHEL7

Bikash_Swain · June 7, 2020, 2:57pm

I freshly installed elasticsearch 7.6 in RHEL7 and started it successfully.
When I add "test" keystore with command "./elasticsearch-keystore add test" and restarted elasticsearch service, its not starting up and showing below error "unknown secure setting [test]". What is the steps to add a keystore so that the key can be use in elasticsearch.yml file to replace clear text password of "auth.password:"

logs:
at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:126) [elasticsearch-7.6.0.jar:7.6.0] at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:92) [elasticsearch-7.6.0.jar:7.6.0] [2020-06-06T13:28:46,126][ERROR][o.e.b.ElasticsearchUncaughtExceptionHandler] [biks-m03] uncaught exception in thread [main] org.elasticsearch.bootstrap.StartupException: java.lang.IllegalArgumentException: unknown secure setting [test] please check that any required plugins are installed, or check the breaking changes documentation for removed settings at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:174) ~[elasticsearch-7.6.0.jar:7.6.0] at org.elasticsearch.bootstrap.Elasticsearch.execute(Elasticsearch.java:161) ~[elasticsearch-7.6.0.jar:7.6.0] at org.elasticsearch.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:86) ~[elasticsearch-7.6.0.jar:7.6.0]

Coinology · June 7, 2020, 9:42pm

The elasticsearch keystore works a bit differently. Rather than creating keys and then using those keys in place of a value in your elasticsearch.yml, you just add the setting name as a key within the keystore.

In other words, you could create a key within the keystore named xpack.security.transport.ssl.keystore.secure_password and then for the value specify whatever you want the value for the setting to be. Then, in elasticsearch.yml, you just omit that setting. Elasticsearch will read it directly out of the keystore.

It's worth noting that not all settings are supported. The setting will have (secure) within the documentation to indicate that it can be used within the keystore. I recommend seeing this and this. Hopefully that helps.

Bikash_Swain · June 8, 2020, 4:29pm

Thanks for reply..
I am using http exporter to send monitoring data and my elasticsearch.yml file is configured same as heremonitoring exporter

xpack.monitoring.exporters:
  id1:
    type: http
    host: ["http://es-mon-1:9200", "http://es-mon2:9200"]
    auth.username: remote_monitoring_user
    auth.password: YOUR_PASSWORD

I want to hide cleartext YOUR_PASSWORD . how can I achieve this?

Coinology · June 8, 2020, 10:02pm

@Bikash_Swain Looking at the monitoring settings here you will see two options to specify this password - auth.password and auth.secure_password. You will notice that auth.secure_password has (secure) next to it indicating it can be used in the keystore.

Following your example, you would add a key named xpack.monitoring.exporters.id1.auth.secure_password to the keystore and set its value to whatever you want the value to be. Then, remove the auth.password: YOUR_PASSWORD line from your elasticsearch.yml. Elasticsearch will read it directly from the keystore.

Bikash_Swain · June 9, 2020, 3:09pm

Thanks, it worked.