How to upload data in ElasticSearch(TLS secured via search Guard) using Excelastic

0

I have ElasticSearch v6.2.4 installed. It worked perfectly fine but recently because of security reasons I installed Search Guard plugin which provide TLS and authentication features to ElasticSearch cluster.

Currently I have only 1 node with demo certificates of SearchGuard installed into it.

Search Guard has been working really well as of now except that when I have to upload data using Excelastic it shows some certificates not present error.

To upload data in ES, excelastic have a config file which it reads before exceuting. It contains info about what is the username and password for authentication.

This one:-

{
  "web_port": 7777,
  "elastic_port": 9200,
  "elastic_host": "localhost",
  "elastic_tls": true,
  "authentication": true,
  "basic": "admin:admin"
}

Below are the ElasticSearch log details:-

[2019-04-04T10:14:30,602][ERROR][c.f.s.h.SearchGuardHttpServerTransport] [OCMpWyk] SSL Problem Received fatal alert: certificate_unknown
javax.net.ssl.SSLException: Received fatal alert: certificate_unknown
    at sun.security.ssl.Alerts.getSSLException(Unknown Source) ~[?:?]
    at sun.security.ssl.SSLEngineImpl.fatal(Unknown Source) ~[?:?]
    at sun.security.ssl.SSLEngineImpl.fatal(Unknown Source) ~[?:?]
    at sun.security.ssl.SSLEngineImpl.recvAlert(Unknown Source) ~[?:?]
    at sun.security.ssl.SSLEngineImpl.readRecord(Unknown Source) ~[?:?]
    at sun.security.ssl.SSLEngineImpl.readNetRecord(Unknown Source) ~[?:?]
    at sun.security.ssl.SSLEngineImpl.unwrap(Unknown Source) ~[?:?]
    at javax.net.ssl.SSLEngine.unwrap(Unknown Source) ~[?:1.8.0_74]
    at io.netty.handler.ssl.SslHandler$SslEngineType$3.unwrap(SslHandler.java:281) ~[netty-handler-4.1.16.Final.jar:4.1.16.Final]
    at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1215) ~[netty-handler-4.1.16.Final.jar:4.1.16.Final]
    at io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1127) ~[netty-handler-4.1.16.Final.jar:4.1.16.Final]
    at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1162) ~[netty-handler-4.1.16.Final.jar:4.1.16.Final]
    at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:489) ~[netty-codec-4.1.16.Final.jar:4.1.16.Final]
    at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:428) ~[netty-codec-4.1.16.Final.jar:4.1.16.Final]
    at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:265) ~[netty-codec-4.1.16.Final.jar:4.1.16.Final]
    at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) [netty-transport-4.1.16.Final.jar:4.1.16.Final]
    at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348) [netty-transport-4.1.16.Final.jar:4.1.16.Final]
    at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340) [netty-transport-4.1.16.Final.jar:4.1.16.Final]
    at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1359) [netty-transport-4.1.16.Final.jar:4.1.16.Final]
    at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) [netty-transport-4.1.16.Final.jar:4.1.16.Final]
    at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348) [netty-transport-4.1.16.Final.jar:4.1.16.Final]
    at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:935) [netty-transport-4.1.16.Final.jar:4.1.16.Final]
    at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:134) [netty-transport-4.1.16.Final.jar:4.1.16.Final]
    at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:645) [netty-transport-4.1.16.Final.jar:4.1.16.Final]
    at io.netty.channel.nio.NioEventLoop.processSelectedKeysPlain(NioEventLoop.java:545) [netty-transport-4.1.16.Final.jar:4.1.16.Final]
    at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:499) [netty-transport-4.1.16.Final.jar:4.1.16.Final]
    at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:459) [netty-transport-4.1.16.Final.jar:4.1.16.Final]
    at io.netty.util.concurrent.SingleThreadEventExecutor$5.run(SingleThreadEventExecutor.java:858) [netty-common-4.1.16.Final.jar:4.1.16.Final]
    at java.lang.Thread.run(Unknown Source) [?:1.8.0_74]

Excelastic log details are:-

 Apr 04, 2019 10:14:30 AM io.vertx.core.http.impl.HttpClientRequestImpl
>     SEVERE: javax.net.ssl.SSLHandshakeException: Failed to create SSL connection
>     Apr 04, 2019 10:14:30 AM io.netty.channel.DefaultChannelPipeline onUnhandledInbo
>     undException
>     WARNING: An exceptionCaught() event was fired, and it reached at the tail of the
>      pipeline. It usually means the last handler in the pipeline did not handle the
>     exception.
>     io.netty.handler.codec.DecoderException: javax.net.ssl.SSLHandshakeException: Ge
>     neral SSLEngine problem
>             at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageD
>     ecoder.java:459)
>             at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessage
>     Decoder.java:265)
>             at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(Abst
>     ractChannelHandlerContext.java:362)
>             at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(Abst
>     ractChannelHandlerContext.java:348)
>             at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(Abstra
>     ctChannelHandlerContext.java:340)
>             at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(Defau
>     ltChannelPipeline.java:1359)
>             at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(Abst
>     ractChannelHandlerContext.java:362)
>             at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(Abst
>     ractChannelHandlerContext.java:348)
>             at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChanne
>     lPipeline.java:935)
>             at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(Abstra
>     ctNioByteChannel.java:141)
>             at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.jav
>     a:645)
>             at io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEve
>     ntLoop.java:580)
>             at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.ja
>     va:497)
>             at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:459)
>             at io.netty.util.concurrent.SingleThreadEventExecutor$5.run(SingleThread
>     EventExecutor.java:886)
>             at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalR
>     unnable.java:30)
>             at java.lang.Thread.run(Unknown Source)
>     Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
>             at sun.security.ssl.Handshaker.checkThrown(Unknown Source)
>             at sun.security.ssl.SSLEngineImpl.checkTaskThrown(Unknown Source)
>             at sun.security.ssl.SSLEngineImpl.readNetRecord(Unknown Source)
>             at sun.security.ssl.SSLEngineImpl.unwrap(Unknown Source)
>             at javax.net.ssl.SSLEngine.unwrap(Unknown Source)
>             at io.netty.handler.ssl.SslHandler$SslEngineType$3.unwrap(SslHandler.jav
>     a:292)
>             at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1248)
>             at io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1
>     159)
>             at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1194)
>             at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProte
>     ction(ByteToMessageDecoder.java:489)
>             at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageD
>     ecoder.java:428)
>             ... 16 more
>     Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
>             at sun.security.ssl.Alerts.getSSLException(Unknown Source)
>             at sun.security.ssl.SSLEngineImpl.fatal(Unknown Source)
>             at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
>             at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
>             at sun.security.ssl.ClientHandshaker.serverCertificate(Unknown Source)
>             at sun.security.ssl.ClientHandshaker.processMessage(Unknown Source)
>             at sun.security.ssl.Handshaker.processLoop(Unknown Source)
>             at sun.security.ssl.Handshaker$1.run(Unknown Source)
>             at sun.security.ssl.Handshaker$1.run(Unknown Source)
>             at java.security.AccessController.doPrivileged(Native Method)
>             at sun.security.ssl.Handshaker$DelegatedTask.run(Unknown Source)
>             at io.netty.handler.ssl.SslHandler.runDelegatedTasks(SslHandler.java:140
>     8)
>             at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1316)
>             ... 20 more
>     Caused by: sun.security.validator.ValidatorException: PKIX path building failed:
>      sun.security.provider.certpath.SunCertPathBuilderException: unable to find vali
>     d certification path to requested target
>             at sun.security.validator.PKIXValidator.doBuild(Unknown Source)
>             at sun.security.validator.PKIXValidator.engineValidate(Unknown Source)
>             at sun.security.validator.Validator.validate(Unknown Source)
>             at sun.security.ssl.X509TrustManagerImpl.validate(Unknown Source)
>             at sun.security.ssl.X509TrustManagerImpl.checkTrusted(Unknown Source)
>             at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Sour
>     ce)
>             ... 29 more
>     Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to
>      find valid certification path to requested target
>             at sun.security.provider.certpath.SunCertPathBuilder.build(Unknown Sourc
>     e)
>             at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(Unknown
>      Source)
>             at java.security.cert.CertPathBuilder.build(Unknown Source)
>             ... 35 more

Can anyone suggest any options?

jatin grover

Posted 2019-04-04T09:06:44.787

Reputation: 1

Answers

0

So I figured out that the certificate that I am using for TLS in ElasticSearch using Search Guard plugin in not present in my JVM truststore. So when I execute excelastic jar file it shows this error.

Caused by: sun.security.validator.ValidatorException: PKIX path building failed:
 sun.security.provider.certpath.SunCertPathBuilderException: unable to find vali
d certification path to requested target

To solve this:

First I created a truststore using keytool command line tool in windows. 

$keytool -importcert -keystore mytruststore.jks -alias excelastictry -file servercert.pem

Then I provided the trustStore path during runtime while executing the excelastic.jar file like this

$java -Djavax.net.ssl.trustStore="path/to/mytruststore.jks" -jar excelastic-1.2.7.jar

And finally excelastic web portal was able to identify ES version and upload the data.

jatin grover

Posted 2019-04-04T09:06:44.787

Reputation: 1

Asked: 2019-04-04T09:06:44.787

Viewed: 180 times

Active: 2019-04-06T07:39:09.980