Como fazer upload de dados no ElasticSearch (TLS protegido por Search Guard) usando Excelastic

tag-icon tag-icon security ssl certificate tls elasticsearch
Como fazer upload de dados no ElasticSearch (TLS protegido por Search Guard) usando Excelastic

Tenho o ElasticSearch v6.2.4 instalado. Funcionou perfeitamente bem, mas recentemente por motivos de segurança eu instaleiGuarda de Buscaplugin que fornece recursos de TLS e autenticação para cluster ElasticSearch.

Atualmente tenho apenas 1 nó com certificados de demonstração do SearchGuard instalados nele.

O Search Guard tem funcionado muito bem até agora, exceto quando preciso fazer upload de dados usandoExcelásticomostra alguns certificados que não apresentam erro.

Para fazer upload de dados no ES, o Excelastic possui um arquivo de configuração que ele lê antes de executar. Ele contém informações sobre qual é o nome de usuário e senha para autenticação.

Este:-

{
  "web_port": 7777,
  "elastic_port": 9200,
  "elastic_host": "localhost",
  "elastic_tls": true,
  "authentication": true,
  "basic": "admin:admin"
}

Abaixo estão os detalhes do log do ElasticSearch: –

[2019-04-04T10:14:30,602][ERROR][c.f.s.h.SearchGuardHttpServerTransport] [OCMpWyk] SSL Problem Received fatal alert: certificate_unknown
javax.net.ssl.SSLException: Received fatal alert: certificate_unknown
    at sun.security.ssl.Alerts.getSSLException(Unknown Source) ~[?:?]
    at sun.security.ssl.SSLEngineImpl.fatal(Unknown Source) ~[?:?]
    at sun.security.ssl.SSLEngineImpl.fatal(Unknown Source) ~[?:?]
    at sun.security.ssl.SSLEngineImpl.recvAlert(Unknown Source) ~[?:?]
    at sun.security.ssl.SSLEngineImpl.readRecord(Unknown Source) ~[?:?]
    at sun.security.ssl.SSLEngineImpl.readNetRecord(Unknown Source) ~[?:?]
    at sun.security.ssl.SSLEngineImpl.unwrap(Unknown Source) ~[?:?]
    at javax.net.ssl.SSLEngine.unwrap(Unknown Source) ~[?:1.8.0_74]
    at io.netty.handler.ssl.SslHandler$SslEngineType$3.unwrap(SslHandler.java:281) ~[netty-handler-4.1.16.Final.jar:4.1.16.Final]
    at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1215) ~[netty-handler-4.1.16.Final.jar:4.1.16.Final]
    at io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1127) ~[netty-handler-4.1.16.Final.jar:4.1.16.Final]
    at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1162) ~[netty-handler-4.1.16.Final.jar:4.1.16.Final]
    at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:489) ~[netty-codec-4.1.16.Final.jar:4.1.16.Final]
    at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:428) ~[netty-codec-4.1.16.Final.jar:4.1.16.Final]
    at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:265) ~[netty-codec-4.1.16.Final.jar:4.1.16.Final]
    at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) [netty-transport-4.1.16.Final.jar:4.1.16.Final]
    at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348) [netty-transport-4.1.16.Final.jar:4.1.16.Final]
    at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340) [netty-transport-4.1.16.Final.jar:4.1.16.Final]
    at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1359) [netty-transport-4.1.16.Final.jar:4.1.16.Final]
    at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) [netty-transport-4.1.16.Final.jar:4.1.16.Final]
    at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348) [netty-transport-4.1.16.Final.jar:4.1.16.Final]
    at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:935) [netty-transport-4.1.16.Final.jar:4.1.16.Final]
    at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:134) [netty-transport-4.1.16.Final.jar:4.1.16.Final]
    at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:645) [netty-transport-4.1.16.Final.jar:4.1.16.Final]
    at io.netty.channel.nio.NioEventLoop.processSelectedKeysPlain(NioEventLoop.java:545) [netty-transport-4.1.16.Final.jar:4.1.16.Final]
    at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:499) [netty-transport-4.1.16.Final.jar:4.1.16.Final]
    at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:459) [netty-transport-4.1.16.Final.jar:4.1.16.Final]
    at io.netty.util.concurrent.SingleThreadEventExecutor$5.run(SingleThreadEventExecutor.java:858) [netty-common-4.1.16.Final.jar:4.1.16.Final]
    at java.lang.Thread.run(Unknown Source) [?:1.8.0_74]

Os detalhes do registro do Excelastic são: -

 Apr 04, 2019 10:14:30 AM io.vertx.core.http.impl.HttpClientRequestImpl
>     SEVERE: javax.net.ssl.SSLHandshakeException: Failed to create SSL connection
>     Apr 04, 2019 10:14:30 AM io.netty.channel.DefaultChannelPipeline onUnhandledInbo
>     undException
>     WARNING: An exceptionCaught() event was fired, and it reached at the tail of the
>      pipeline. It usually means the last handler in the pipeline did not handle the
>     exception.
>     io.netty.handler.codec.DecoderException: javax.net.ssl.SSLHandshakeException: Ge
>     neral SSLEngine problem
>             at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageD
>     ecoder.java:459)
>             at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessage
>     Decoder.java:265)
>             at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(Abst
>     ractChannelHandlerContext.java:362)
>             at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(Abst
>     ractChannelHandlerContext.java:348)
>             at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(Abstra
>     ctChannelHandlerContext.java:340)
>             at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(Defau
>     ltChannelPipeline.java:1359)
>             at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(Abst
>     ractChannelHandlerContext.java:362)
>             at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(Abst
>     ractChannelHandlerContext.java:348)
>             at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChanne
>     lPipeline.java:935)
>             at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(Abstra
>     ctNioByteChannel.java:141)
>             at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.jav
>     a:645)
>             at io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEve
>     ntLoop.java:580)
>             at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.ja
>     va:497)
>             at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:459)
>             at io.netty.util.concurrent.SingleThreadEventExecutor$5.run(SingleThread
>     EventExecutor.java:886)
>             at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalR
>     unnable.java:30)
>             at java.lang.Thread.run(Unknown Source)
>     Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
>             at sun.security.ssl.Handshaker.checkThrown(Unknown Source)
>             at sun.security.ssl.SSLEngineImpl.checkTaskThrown(Unknown Source)
>             at sun.security.ssl.SSLEngineImpl.readNetRecord(Unknown Source)
>             at sun.security.ssl.SSLEngineImpl.unwrap(Unknown Source)
>             at javax.net.ssl.SSLEngine.unwrap(Unknown Source)
>             at io.netty.handler.ssl.SslHandler$SslEngineType$3.unwrap(SslHandler.jav
>     a:292)
>             at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1248)
>             at io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1
>     159)
>             at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1194)
>             at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProte
>     ction(ByteToMessageDecoder.java:489)
>             at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageD
>     ecoder.java:428)
>             ... 16 more
>     Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
>             at sun.security.ssl.Alerts.getSSLException(Unknown Source)
>             at sun.security.ssl.SSLEngineImpl.fatal(Unknown Source)
>             at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
>             at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
>             at sun.security.ssl.ClientHandshaker.serverCertificate(Unknown Source)
>             at sun.security.ssl.ClientHandshaker.processMessage(Unknown Source)
>             at sun.security.ssl.Handshaker.processLoop(Unknown Source)
>             at sun.security.ssl.Handshaker$1.run(Unknown Source)
>             at sun.security.ssl.Handshaker$1.run(Unknown Source)
>             at java.security.AccessController.doPrivileged(Native Method)
>             at sun.security.ssl.Handshaker$DelegatedTask.run(Unknown Source)
>             at io.netty.handler.ssl.SslHandler.runDelegatedTasks(SslHandler.java:140
>     8)
>             at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1316)
>             ... 20 more
>     Caused by: sun.security.validator.ValidatorException: PKIX path building failed:
>      sun.security.provider.certpath.SunCertPathBuilderException: unable to find vali
>     d certification path to requested target
>             at sun.security.validator.PKIXValidator.doBuild(Unknown Source)
>             at sun.security.validator.PKIXValidator.engineValidate(Unknown Source)
>             at sun.security.validator.Validator.validate(Unknown Source)
>             at sun.security.ssl.X509TrustManagerImpl.validate(Unknown Source)
>             at sun.security.ssl.X509TrustManagerImpl.checkTrusted(Unknown Source)
>             at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Sour
>     ce)
>             ... 29 more
>     Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to
>      find valid certification path to requested target
>             at sun.security.provider.certpath.SunCertPathBuilder.build(Unknown Sourc
>     e)
>             at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(Unknown
>      Source)
>             at java.security.cert.CertPathBuilder.build(Unknown Source)
>             ... 35 more

Alguém pode sugerir alguma opção?

Responder1

Então descobri que o certificado que estou usando para TLS no ElasticSearch usando o plugin Search Guard não está presente em meu armazenamento confiável JVM. Então, quando executo o arquivo jar Excelastic, ele mostra esse erro.

Caused by: sun.security.validator.ValidatorException: PKIX path building failed:
 sun.security.provider.certpath.SunCertPathBuilderException: unable to find vali
d certification path to requested target

Para resolver isso:

Primeiro criei um armazenamento confiável usando a ferramenta de linha de comando keytool no Windows.

$keytool -importcert -keystore mytruststore.jks -alias excelastictry -file servercert.pem

Em seguida, forneci o caminho do trustStore durante o tempo de execução ao executar o arquivo excelastic.jar assim

$java -Djavax.net.ssl.trustStore="path/to/mytruststore.jks" -jar excelastic-1.2.7.jar

E finalmente o portal excelastic conseguiu identificar a versão ES e fazer upload dos dados.

informação relacionada