Xpack transport client issue ES 5.6.3

Rah · July 12, 2018, 6:56am

Hi,

I am trying to enable SSL on two node elasticsearch setup with single xpack transport client.
I generated cert based on below entries in instances.yaml
instances:

name: "node1"
ip:
- "192.168.11.115"
  dns:
- "node1.abc.com"
name: "node2"
ip:
- "192.168.11.217"
  dns:
- "node2.abc.com"

With this and the properties in elasticsearch.yml, I am able to bring my elastic search server up on both the nodes. But in my client how do I say it to connect to both the nodes. I am building the settings as below for my PreBuiltXPackTransportClient.

     builder.put("xpack.security.user", "elastic:changeme")
                     .put("xpack.security.transport.ssl.enabled","true")
                     .put("xpack.ssl.key", "<path to node1 key>")
                     .put("xpack.ssl.certificate", "<path to node1 path>")
                     .put("xpack.ssl.certificate_authorities","<path to ca cert>")
Settings settings = builder.build();
transportClient = new PreBuiltXPackTransportClient(settings);
....TransportAddress address = new InetSocketTransportAddress(....);
transportClient.addTransportAddress(address);

As my client takes just one xpack.ssl.key and certificate, how would my client know about the other node running because at a time I can only specify on node key and cert. Based on the documentation, I see ca certificate(xpack.ssl.certificate_authorities) can be array.

TimV · July 12, 2018, 7:50am

You don't.
The key and certificate you provide to the transport client are there to identify your client. You should use a unique certificate and key per client, signed by the same CA that signed the node's certificates.

Essentially, each participant (node or transport client) should have their own certificate and associated private key.

Rah · July 13, 2018, 6:51pm

Thanks. It worked.

system · August 10, 2018, 6:51pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.