[X-Pack] Logstash PKI client authentication not working

Bozzerreaneaux · September 25, 2017, 9:36am

Hello,

I am struggling with getting Logstash to present a client certificate to ES instance. After couple discussions and misunderstandings from my side I realized that X-Pack supports client certificates through the keystore options. I thought I had set up everything correctly but I am getting a "missing authentication token for REST request" when I start Logstash.

When I start logstash in the console with this command:
logstash.bat -f C:\Logstash\conf.d\logstash.json

I am getting:

[2017-09-25T13:06:00,663][ERROR][logstash.outputs.elasticsearch] Got a bad response code from server, but this code is not considered retryable. Request will be dropped {:code=>403, :response_body=>"{\"error\":{\"root_cause\":[{\"type\":\"security_exception\",\"reason\":\"action [indices:data/write/bulk] is unauthorized for user [app01]\"}],\"type\":\"security_exception\",\"reason\":\"action [indices:data/write/bulk] is unauthorized for user [app01]\"},\"status\":403}"}
[2017-09-25T13:06:04,620][INFO ][logstash.outputs.elasticsearch] Running health check to see if an Elasticsearch connection is working {:healthcheck_url=>https://logstash_system:xxxxxx@ELK02.devops.test:9200/, :path=>"/"}

Then, In the stdout log for Logstash I see:

"missing authentication token for REST request"

The error makes me think that Logstash is not able to attach the client certificate to the ES calls.

Could I please ask someone to verify my configuration:

ES:

xpack:
    security:
        authc:
            realms:
                pki1:
                    type: pki
                    order: 0
                    certificate_authorities: "x-pack/certificate-bundle/ca/ca.crt"

LS:

 output {
  stdout { codec => rubydebug  } elasticsearch {
    hosts => [ "https://ELK02.devops.test:9200" ]
	ssl => true
	cacert => "C:/Program Files/filebeat-5.5.2/certs/ca.crt"
	keystore => "C:/Program Files/filebeat-5.5.2/certs/Logstash-client-app1.jks"
	keystore_password => "******"
    manage_template => false
    index => "app1-%{+YYYY.MM.dd}"
    document_type => "%{[@metadata][type]}"
  }
}

The client certificate was created with certgen tool and I put "app01" under instance during the creation so in the certificate CN=app01

The following is output from the keytool -list command

Alias name: 1
Creation date: Sep 15, 2017
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=app01
Issuer: CN=Elastic Certificate Tool Autogenerated CA

I have created the following role mapping using the mapping API:

PUT _xpack/security/role_mapping/Logstash_users
{
  "roles" : [ "app1_logstash" ],
  "rules" : { "field" : {
    "dn" : "cn=app01"
  } },
  "enabled": true
}

Bozzerreaneaux · September 26, 2017, 1:11pm

It seems the role mapping was not picking the user set under the client cert DN.

I had set it before as "cn=app01". Once I recreated the mapping and changed this to"CN=app01", it worked.

So, it seems this field is case sensitive.

system · October 24, 2017, 1:12pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
PKI authentication in logstash Elastic Search Output not working Elasticsearch	22	4120	July 5, 2017
Logstash security_exception, can't write to ES after installing X-pack Logstash	3	5701	July 10, 2017
PKI issue for Logstash monitoring Logstash	3	731	September 6, 2017
Can't configure PKI authentication Elasticsearch	15	2908	July 6, 2017
Logstash with x-pack authentication problems Logstash	10	17750	April 28, 2017

[X-Pack] Logstash PKI client authentication not working

Related topics