  1. java-version: 1.8
  2. elastic-version: 7.10
  3. ubuntu: 18.04LTS

I am trying to connect to Elasticsearch using Java. We have already set up security in Elasticsearch using X-Pack security; Elasticsearch is password protected and working fine, but the problem occurs when I try to establish a secure Elasticsearch connection using Java.

NOTE: Elasticsearch and Java are on different Linux machines.

I added these parameters in elasticsearch.yml:

cluster.name: la-test-elastic-2
network.host: 0.0.0.0
http.port: 9200
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate 
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12 
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12

I also created a certificate authority for the Elasticsearch cluster using

bin/elasticsearch-certutil ca

and generated a certificate and private key for each node in the cluster.

Use the elasticsearch-certutil cert command:

bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12

Java code using the REST client:

String keyStorePass = "";       
Path trustStorePath = Paths.get("lib/elastic-certificates.p12");
KeyStore truststore = KeyStore.getInstance("pkcs12");
try (InputStream is = Files.newInputStream(trustStorePath)) {
    truststore.load(is, keyStorePass.toCharArray());
}
SSLContextBuilder sslBuilder = SSLContexts.custom().loadTrustMaterial(truststore, null);
final SSLContext sslContext = sslBuilder.build();       
final CredentialsProvider credsProvider = new BasicCredentialsProvider();
credsProvider.setCredentials(AuthScope.ANY, new UsernamePasswordCredentials("elastic", "elastic"));
// 3. Changes for add multiple IP address
String[] hosts = elasticHost.split(",");
HttpHost[] httpHosts = Arrays.stream(hosts)
        .map(host -> new HttpHost(host.trim(), elasticPort, "https"))
        .collect(Collectors.toList())
        .toArray(new HttpHost[hosts.length]);
// 4. Build the low-level client
RestClientBuilder builder = RestClient.builder(httpHosts)
        .setHttpClientConfigCallback(new HttpClientConfigCallback() {
            @Override
            public HttpAsyncClientBuilder customizeHttpClient(
                    HttpAsyncClientBuilder httpClientBuilder) {

                        // set Basic credentials
                        httpClientBuilder.setDefaultCredentialsProvider(credsProvider);
                        // set SSL context
                        return httpClientBuilder.setSSLContext(sslContext);
                    }
        });  
// 5. Build the high-level client
client = new RestHighLevelClient(builder);
//try to search existing index
SearchRequest searchRequest = new SearchRequest("idx");
SearchResponse searchResponse = client.search(searchRequest, RequestOptions.DEFAULT);
System.out.println("searchResponse : " + searchResponse.toString());

I found the above code, but my question is what path should I mention in the 2nd line of code, i.e.:

Path trustStorePath = Paths.get("lib/elastic-certificates.p12");  // I tried giving /etc/elasticsearch/elastic-certificates.p12 but got a "no such file" exception

My second doubt is what this is:

KeyStore truststore = KeyStore.getInstance("pkcs12"); 

Which file should I give here?

If I run the exact code above, I get this error:

Error: :Received fatal alert: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
        at org.elasticsearch.client.RestClient.extractAndWrapCause(RestClient.java:860)
        at org.elasticsearch.client.RestClient.performRequest(RestClient.java:275)
        at org.elasticsearch.client.RestClient.performRequest(RestClient.java:262)
        at org.elasticsearch.client.RestHighLevelClient.internalPerformRequest(RestHighLevelClient.java:1632)
        at org.elasticsearch.client.RestHighLevelClient.performRequest(RestHighLevelClient.java:1602)
        at org.elasticsearch.client.RestHighLevelClient.performRequestAndParseEntity(RestHighLevelClient.java:1572)
        at org.elasticsearch.client.RestHighLevelClient.search(RestHighLevelClient.java:1088)
        at testsecureelastic.TestSecureElasticConnection.getElasticConnectionOther(TestSecureElasticConnection.java:164)
        at testsecureelastic.TestSecureElasticConnection.main(TestSecureElasticConnection.java:279)
Caused by: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
        at sun.security.ssl.Alert.createSSLException(Alert.java:131)
        at sun.security.ssl.Alert.createSSLException(Alert.java:117)
        at sun.security.ssl.TransportContext.fatal(TransportContext.java:311)
        at sun.security.ssl.Alert$AlertConsumer.consume(Alert.java:293)
        at sun.security.ssl.TransportContext.dispatch(TransportContext.java:185)
        at sun.security.ssl.SSLTransport.decode(SSLTransport.java:149)
        at sun.security.ssl.SSLEngineImpl.decode(SSLEngineImpl.java:575)
        at sun.security.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:531)
        at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:398)
        at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:377)
        at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:626)
        at org.apache.http.nio.reactor.ssl.SSLIOSession.doUnwrap(SSLIOSession.java:271)
        at org.apache.http.nio.reactor.ssl.SSLIOSession.doHandshake(SSLIOSession.java:316)
        at org.apache.http.nio.reactor.ssl.SSLIOSession.isAppInputReady(SSLIOSession.java:509)
        at org.apache.http.impl.nio.reactor.AbstractIODispatch.inputReady(AbstractIODispatch.java:120)
        at org.apache.http.impl.nio.reactor.BaseIOReactor.readable(BaseIOReactor.java:162)
        at org.apache.http.impl.nio.reactor.AbstractIOReactor.processEvent(AbstractIOReactor.java:337)
        at org.apache.http.impl.nio.reactor.AbstractIOReactor.processEvents(AbstractIOReactor.java:315)
        at org.apache.http.impl.nio.reactor.AbstractIOReactor.execute(AbstractIOReactor.java:276)
        at org.apache.http.impl.nio.reactor.BaseIOReactor.execute(BaseIOReactor.java:104)
        at org.apache.http.impl.nio.reactor.AbstractMultiworkerIOReactor$Worker.run(AbstractMultiworkerIOReactor.java:591)
        at java.lang.Thread.run(Thread.java:748)
Atul Thakre
  • I think this is regarding your other open question, right? https://stackoverflow.com/questions/65090646/secure-elastic-connection-using-transport-client – Val Dec 10 '20 at 12:03
  • @Val: I tried your code but I am still getting an exception: javax.net.ssl.SSLHandshakeException – Atul Thakre Dec 10 '20 at 12:13
  • @Val: The above code is working fine on the same instance, but when we try to run the same code on another host it shows "connection is closed". – Atul Thakre Dec 15 '20 at 08:14
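
The two points raised in the question (which path `Paths.get` needs, and what `KeyStore.getInstance("pkcs12")` refers to) can be checked on the client machine with a small stand-alone program. This is an added example, not code from the original post; the class name `TrustStoreCheck`, the default path and the empty store password are assumptions taken from the question's snippet.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;

// Hypothetical helper (not from the post): inspects a PKCS#12 store on the client host.
public class TrustStoreCheck {
    public static void main(String[] args) throws Exception {
        // Assumption: the .p12 was copied to the machine running this client.
        // A path that exists only on the Elasticsearch host cannot be opened here.
        Path path = Paths.get(args.length > 0 ? args[0] : "lib/elastic-certificates.p12");
        // Assumption: empty store password, like keyStorePass in the question.
        char[] password = (args.length > 1 ? args[1] : "").toCharArray();

        if (!Files.isReadable(path)) {
            System.err.println("Not readable on this host: " + path.toAbsolutePath());
            System.exit(2);
        }

        // "pkcs12" names the keystore format; the file itself is passed to load().
        KeyStore store = KeyStore.getInstance("pkcs12");
        try (InputStream is = Files.newInputStream(path)) {
            store.load(is, password); // IOException on a wrong password or corrupt file
        }

        System.out.println(store.size() + " entries in " + path.toAbsolutePath());
        for (String alias : Collections.list(store.aliases())) {
            String kind = store.isKeyEntry(alias) ? "key entry" : "certificate entry";
            Certificate cert = store.getCertificate(alias);
            if (cert instanceof X509Certificate) {
                X509Certificate x509 = (X509Certificate) cert;
                boolean expired = System.currentTimeMillis() > x509.getNotAfter().getTime();
                System.out.printf("%s [%s]%n  subject: %s%n  issuer:  %s%n  expires: %s%s%n",
                        alias, kind,
                        x509.getSubjectX500Principal().getName(),
                        x509.getIssuerX500Principal().getName(),
                        x509.getNotAfter(), expired ? " (EXPIRED)" : "");
            } else {
                System.out.printf("%s [%s] has no X.509 certificate%n", alias, kind);
            }
        }
    }
}
```

Run it on the Java host with the store path as the first argument and, if the store has one, the password as the second.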
