{"id":57,"date":"2019-01-06T22:02:10","date_gmt":"2019-01-06T21:02:10","guid":{"rendered":"http:\/\/mhichri.com\/?p=57"},"modified":"2023-02-10T19:04:55","modified_gmt":"2023-02-10T18:04:55","slug":"secure-your-elasticsearch-cluster-for-free-with-searchguard","status":"publish","type":"post","link":"https:\/\/mhichri.com\/index.php\/2019\/01\/06\/secure-your-elasticsearch-cluster-for-free-with-searchguard\/","title":{"rendered":"Secure your Elasticsearch cluster “for free” with Searchguard"},"content":{"rendered":"\n

intro<\/h2>\n\n\n\n

If you want to secure your Elasticsearch cluster, you may use Shield (X-Pack component) , however, in order to use it, you need to pay \ud83d\ude41<\/p>\n\n\n\n

Another solution can be used in order to secure your Elasticsearch cluster “for free” \ud83d\ude00 ==> Search guard<\/p>\n\n\n\n

<\/p>\n\n\n\n

Search guard offers the possibility to secure your Elasticsearch for free ! however, some features are NOT ! so you need to pay for a licence if you want for instance to implement active directory\/LDAP based authentication.<\/p>\n\n\n\n

You can check search guard site in order to get an idea of which features are free for use in a production environment : https:\/\/search-guard.com\/product\/<\/a><\/p>\n\n\n\n

In this blog post, I will try to explain how to secure your Elasticsearch cluster with a basic authentication mechanism.<\/p>\n\n\n\n

<\/p>\n\n\n\n

First, you need an Elasticsearch cluster up\/running. You can check my previous blog in order to set one : https:\/\/mhichri.com\/index.php\/2018\/02\/18\/setup-a-prod-elasticsearch-instance-on-aws-ec2-server\/<\/a><\/p>\n\n\n\n

setup<\/h2>\n\n\n\n

First of all, make sure that you have JAVA <\/strong>and OPENSSL <\/strong>installed on your server<\/p>\n\n\n\n

1- install searchguard plugin for elasticsearch<\/strong>\u00a0:
.\/bin\/elasticsearch-plugin install -b com.floragunn:search-guard-6:6.5.4-24.0<\/p>\n\n\n\n

in order to check if the searchguard is correctly installed, you should find a folder called \u00ab search-guard-6 \u00bb inside your elasticsearch_path\/plugins. For instance : <\/p>\n\n\n\n

[admin@localhost plugins]$ pwd
\/home\/admin\/elasticsearch\/elasticsearch-6.5.4\/plugins
[admin@localhost plugins]$ ll
total 8
drwxr-xr-x. 4 admin admin 4096  6 janv. 18:49 search-guard-6
[admin@localhost plugins]$<\/p>\n\n\n\n

2 – then, you need to generate the keystore\/trustore files<\/strong>. In this example, we will use the example file provided by searchguard (not for production use).<\/p>\n\n\n\n

2.1 – Download<\/strong>\u00a0:<\/p>\n\n\n\n

wget https:\/\/github.com\/floragunncom\/search-guard-ssl\/archive\/es-6.0.0.zip<\/a><\/p>\n\n\n\n

unzip es-6.0.0.zip<\/p>\n\n\n\n

cd search-guard-ssl-es-6.0.0\/<\/p>\n\n\n\n

cd example-pki-scripts<\/p>\n\n\n\n

2.2 – we will then edit the example.sh file\u00a0:<\/strong><\/p>\n\n\n\n

cp example.sh example.sh.old<\/p>\n\n\n\n

cat example.sh \u21d2
#!\/bin\/bash
OPENSSL_VER=”$(openssl version)”<\/p>\n\n\n\n

if [[ $OPENSSL_VER == *”0.9″* ]]; then
    echo “Your OpenSSL version is too old: $OPENSSL_VER”
    echo “Please install version 1.0.1 or later”
    exit -1
else
    echo “Your OpenSSL version is: $OPENSSL_VER”
fi<\/p>\n\n\n\n

set -e
#.\/clean.sh
.\/gen_root_ca.sh capass changeit
.\/gen_node_cert.sh node1 changeit capass
#.\/gen_node_cert.sh 1 changeit capass
#.\/gen_node_cert.sh 2 changeit capass
#.\/gen_revoked_cert_openssl.sh “\/CN=revoked.example.com\/OU=SSL\/O=Test\/L=Test\/C=DE<\/a>” “revoked.example.com<\/a>” “revoked” changeit capass
#.\/gen_node_cert_openssl.sh “\/CN=es-node.example.com\/OU=SSL\/O=Test\/L=Test\/C=DE<\/a>” “es-node.example.com<\/a>” “es-node” changeit capass
#.\/gen_node_cert_openssl.sh “\/CN=node-4.example.com\/OU=SSL\/O=Test\/L=Test\/C=DE<\/a>” “node-4.example.com<\/a>” “node-4” changeit capass
.\/gen_client_node_cert.sh admin_es changeit capass
#.\/gen_client_node_cert.sh kirk changeit capass
#.\/gen_client_node_cert.sh logstash changeit capass
#.\/gen_client_node_cert.sh filebeat changeit capass
#.\/gen_client_node_cert.sh kibana changeit capass
#.\/gen_client_node_cert.sh sgadmin changeit capass
#rm -f .\/*tmp*<\/p>\n\n\n\n

\u21d2 here we left  the line where we will generate a Certification Authority (CA)
\u21d2  we left also the line where we generate a keystore for the elasticsearch node named \u00ab node1 \u00bb .
\u21d2 we left the line where we generate a client certificate in order to use it as an admin certificate (mandatory in order to update searchguard configuration. PS : you cannot use the node certificate as an admin certificate)<\/p>\n\n\n\n

2.3 – then , we will edit also the file \u00ab\u00a0gen_node_cert\u00a0.sh\u00bb\u00a0:<\/strong>
[admin@localhost example-pki-scripts]$ diff gen_node_cert.sh gen_node_cert.sh.old\u00a0
10c10
< NODE_NAME=$1

> NODE_NAME=node-$1<\/p>\n\n\n\n

so here, we will only change NODE_NAME=$1 instead of node-$1<\/p>\n\n\n\n

make sure that you\u2019re using the correct node name (already setted in you conf\/elasticsearch.yml file) :
node.name<\/a>: node1<\/p>\n\n\n\n

2.4 \u2013 run .\/example.sh<\/strong><\/p>\n\n\n\n

you should have these files created : 
[admin@localhost example-pki-scripts]$ pwd
\/home\/admin\/elasticsearch\/search-guard-ssl-es-6.0.0\/example-pki-scripts
[admin@localhost example-pki-scripts]$ ls -rtlh
total 76K
-rwxr-xr-x. 1 admin admin 2,0K 24 nov.   2017 gen_root_ca.sh
-rwxr-xr-x. 1 admin admin 2,1K 24 nov.   2017 gen_revoked_cert_openssl.sh
-rwxr-xr-x. 1 admin admin 1,8K 24 nov.   2017 gen_node_cert_openssl.sh
-rwxr-xr-x. 1 admin admin 2,3K 24 nov.   2017 gen_client_node_cert.sh
drwxrwxr-x. 2 admin admin   49 24 nov.   2017 etc
-rwxr-xr-x. 1 admin admin  169 24 nov.   2017 clean.sh
-rwxr-xr-x. 1 admin admin 1,1K  6 janv. 19:30 example.sh.old
-rwxr-xr-x. 1 admin admin 1,1K  6 janv. 19:33 example.sh
-rwxr-xr-x. 1 admin admin 2,7K  6 janv. 19:36 gen_node_cert.sh.old
-rwxr-xr-x. 1 admin admin 2,7K  6 janv. 19:36 gen_node_cert.sh
drwxrwxr-x. 2 admin admin    6  6 janv. 19:44 crl
drwxrwxr-x. 2 admin admin    6  6 janv. 19:44 certs
drwxrwxr-x. 4 admin admin  182  6 janv. 19:44 ca
-rw-rw-r–. 1 admin admin 1,1K  6 janv. 19:44 truststore.jks
-rw-rw-r–. 1 admin admin 1,2K  6 janv. 19:45 node1.csr
-rw-rw-r–. 1 admin admin 1,6K  6 janv. 19:45 node1-signed.pem
-rw-rw-r–. 1 admin admin 4,5K  6 janv. 19:45 node1-keystore.jks
-rw-rw-r–. 1 admin admin 5,3K  6 janv. 19:45 node1-keystore.p12
-rw-rw-r–. 1 admin admin 1,9K  6 janv. 19:45 node1.key.pem
-rw-rw-r–. 1 admin admin 5,4K  6 janv. 19:45 node1.crt.pem<\/p>\n\n\n\n

2.5 \u2013 now, we will copy the files that we need (node1-keystore.jks and truststore.jks) under elasticsearch_path\/conf directory\u00a0:<\/strong><\/p>\n\n\n\n

cp node1-keystore.jks \/home\/admin\/elasticsearch\/elasticsearch-6.5.4\/config\/
cp truststore.jks \/home\/admin\/elasticsearch\/elasticsearch-6.5.4\/config\/<\/p>\n\n\n\n

2.6 get the OWNER\u00a0:<\/strong><\/p>\n\n\n\n

keytool -printcert -v -file \/home\/admin\/elasticsearch\/search-guard-ssl-es-6.0.0\/example-pki-scripts\/admin_es-signed.pem \u21d2<\/p>\n\n\n\n

CN=admin_es,OU=client,O=client,L=Test,C=DE<\/p>\n\n\n\n

2.7 edit elasticsearch conf file (conf\/elasticsearch.yml)<\/strong><\/p>\n\n\n\n

# Search guard
#
searchguard.ssl.transport.keystore_type: JKS
searchguard.ssl.transport.keystore_filepath: node1-keystore.jks
searchguard.ssl.transport.keystore_password: changeit
searchguard.ssl.transport.truststore_type: JKS
searchguard.ssl.transport.truststore_filepath: truststore.jks
searchguard.ssl.transport.truststore_password: changeit
searchguard.ssl.transport.enforce_hostname_verification: false<\/p>\n\n\n\n

searchguard.authcz.admin_dn:
 – “CN=admin_es,OU=client,O=client,L=Test,C=DE”<\/p>\n\n\n\n

xpack.security.enabled: false<\/p>\n\n\n\n

2.8 – run sgadmin<\/strong><\/p>\n\n\n\n

searchguard stores its configuration\/permissions in a specific indice in Elasticsearch. Search guard provides a file called \u00ab\u00a0sgadmin.sg<\/a>\u00a0\u00bb that helps you change the search guard configuration or permissions without restarting your elasticsearch cluster.<\/p>\n\n\n\n

You can find the \u00ab sgadmin.sh \u00bb file under \u00ab elasticsearch_path\/plugins\/search-guard-6\/tools \u00bb, for instance :<\/p>\n\n\n\n

[admin@localhost tools]$ pwd
\/home\/admin\/elasticsearch\/elasticsearch-6.5.4\/plugins\/search-guard-6\/tools<\/p>\n\n\n\n

run sgadmin\u00a0(here we will use keystore\/truststore)\u00a0:\u00a0<\/p>\n\n\n\n


[admin@localhost tools]$ .\/sgadmin.sh -cd ..\/sgconfig -icl -nhnv -ts \/home\/admin\/elasticsearch\/search-guard-ssl-es-6.0.0\/example-pki-scripts\/truststore.jks -tspass changeit -ks \/home\/admin\/elasticsearch\/search-guard-ssl-es-6.0.0\/example-pki-scripts\/admin_es-keystore.jks -kspass changeit<\/p>\n\n\n\n

\u21d2 output :<\/p>\n\n\n\n

WARNING: JAVA_HOME not set, will use \/usr\/bin\/java
Search Guard Admin v6
Will connect to localhost:9300 … done
Elasticsearch Version: 6.5.4
Search Guard Version: 6.5.4-24.0
Connected as CN=admin_es,OU=client,O=client,L=Test,C=DE
Contacting elasticsearch cluster ‘elasticsearch’ and wait for YELLOW clusterstate …
Clustername: application-mhichri
Clusterstate: GREEN<\/strong>
Number of nodes: 1
Number of data nodes: 1
searchguard index does not exists, attempt to create it … done (0-all replicas)
Populate config from \/home\/admin\/elasticsearch\/elasticsearch-6.5.4\/plugins\/search-guard-6\/sgconfig
Will update ‘sg\/config’ with ..\/sgconfig\/sg_config.yml\u00a0
\u00a0\u00a0 SUCC: Configuration for ‘config’ created or updated
Will update ‘sg\/roles’ with ..\/sgconfig\/sg_roles.yml\u00a0
\u00a0\u00a0 SUCC: Configuration for ‘roles’ created or updated
Will update ‘sg\/rolesmapping’ with ..\/sgconfig\/sg_roles_mapping.yml\u00a0
\u00a0\u00a0 SUCC: Configuration for ‘rolesmapping’ created or updated
Will update ‘sg\/internalusers’ with ..\/sgconfig\/sg_internal_users.yml\u00a0
\u00a0\u00a0 SUCC: Configuration for ‘internalusers’ created or updated
Will update ‘sg\/actiongroups’ with ..\/sgconfig\/sg_action_groups.yml\u00a0
\u00a0\u00a0 SUCC: Configuration for ‘actiongroups’ created or updated
Done with success<\/strong><\/p>\n\n\n\n

[admin@localhost tools]$        <\/p>\n\n\n\n

now, when you try to connect to http:\/\/localhost:9200<\/a> , an authentication window will prompt asking for a username\/password.<\/p>\n\n\n\n

By default, there is an admin user that already exists with these credentials\u00a0:
username\u00a0: admin
password\u00a0: admin<\/em>
<\/p>\n\n\n\n

<\/p>\n\n\n\n

\"\"<\/figure>\n","protected":false},"excerpt":{"rendered":"

intro If you want to secure your Elasticsearch cluster, you may use Shield (X-Pack component) , however, in order to use it, you need to pay \ud83d\ude41 Another solution can be used in order to secure your Elasticsearch cluster “for free” \ud83d\ude00 ==> Search guard Search guard offers the possibility to secure your Elasticsearch for …<\/p>\n

Secure your Elasticsearch cluster “for free” with Searchguard<\/span> Read More »<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"site-sidebar-layout":"default","site-content-layout":"","ast-site-content-layout":"","site-content-style":"default","site-sidebar-style":"default","ast-global-header-display":"","ast-banner-title-visibility":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"","ast-breadcrumbs-content":"","ast-featured-img":"","footer-sml-layout":"","theme-transparent-header-meta":"","adv-header-id-meta":"","stick-header-meta":"","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","astra-migrate-meta-layouts":"","footnotes":""},"categories":[5],"tags":[],"_links":{"self":[{"href":"https:\/\/mhichri.com\/index.php\/wp-json\/wp\/v2\/posts\/57"}],"collection":[{"href":"https:\/\/mhichri.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mhichri.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mhichri.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mhichri.com\/index.php\/wp-json\/wp\/v2\/comments?post=57"}],"version-history":[{"count":4,"href":"https:\/\/mhichri.com\/index.php\/wp-json\/wp\/v2\/posts\/57\/revisions"}],"predecessor-version":[{"id":62,"href":"https:\/\/mhichri.com\/index.php\/wp-json\/wp\/v2\/posts\/57\/revisions\/62"}],"wp:attachment":[{"href":"https:\/\/mhichri.com\/index.php\/wp-json\/wp\/v2\/media?parent=57"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mhichri.com\/index.php\/wp-json\/wp\/v2\/categories?post=57"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mhichri.com\/index.php\/wp-json\/wp\/v2\/tags?post=57"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}