How to disable host verification while integrating kibana with keycloak

I am using Open Distro version 1.13.1. I am trying to integrate Kibana with Keycloak, but it is showing a TLS-related error. My Kibana is on HTTP and Keycloak is on HTTPS. Below are the configurations of Kibana and Elasticsearch.
elasticsearch configurations:
config.yml

config:
  dynamic:
    http:
      anonymous_auth_enabled: false
      xff:
        enabled: false
        internalProxies: '192.168.0.10|192.168.0.11' # regex pattern
    authc:
      basic_internal_auth_domain:
        description: "Authenticate via HTTP Basic against internal users database"
        http_enabled: true
        transport_enabled: true
        order: 0
        http_authenticator:
          type: basic
          challenge: false
        authentication_backend:
          type: intern
      openid_auth_domain:
        description: "Authenticate via Keycloak OpenID"
        http_enabled: true
        transport_enabled: true
        order: 1
        http_authenticator:
          type: openid
          challenge: false
          config:
            openid_connect_idp:
              enable_ssl: false
              verify_hostnames: false
            subject_key: preferred_username
            roles_key: roles
            openid_connect_url: https://<keycloak_host>:/auth/realms/Obf/.well-known/openid-configuration
        authentication_backend:
          type: noop

kibana.yml:

elasticsearch.hosts: http://distro-elasticsearch-master:9200
elasticsearch.password: kibanaserver
elasticsearch.requestHeadersWhitelist:
  - securitytenant
  - Authorization
elasticsearch.ssl.verificationMode: none
elasticsearch.username: kibanaserver
newsfeed.enabled: false
opendistro_security.auth.type: openid
opendistro_security.cookie.secure: false
opendistro_security.multitenancy.enabled: true
opendistro_security.multitenancy.tenants.preferred:
  - Private
  - Global
opendistro_security.openid.base_redirect_url: http://<kibana_host>:/
opendistro_security.openid.client_id: Kibana
opendistro_security.openid.client_secret: 73853e5e-43b7-4704-a92c-08d099beb329
opendistro_security.openid.connect_url: https://<keycloak_host>:/auth/realms/Obf/.well-known/openid-configuration
opendistro_security.openid.verify_hostnames: false
opendistro_security.readonly_mode.roles:
  - kibana_read_only
server.host: "0"
server.name: kibana
telemetry.enabled: false

When we use these configurations we get the following:

{"type":"log","@timestamp":"2021-04-22T12:39:44Z","tags":["error","plugins","opendistroSecurityKibana"],"pid":1,"message":"{ Error: self signed certificate\n at TLSSocket.onConnectSecure (_tls_wrap.js:1088:34)\n at TLSSocket.emit (events.js:198:13)\n at TLSSocket._finishInit (_tls_wrap.js:666:8)\n code: 'DEPTH_ZERO_SELF_SIGNED_CERT',\n trace:\n [ { method: 'GET',\n url:\n 'https://<keycloak_host>:/auth/realms/Obf/.well-known/openid-configuration' } ],\n isBoom: true,\n isServer: true,\n data: null,\n output:\n { statusCode: 502,\n payload:\n { message: 'Client request error: self signed certificate',\n statusCode: 502,\n error: 'Bad Gateway' },\n headers: {} } }"}
{"type":"log","@timestamp":"2021-04-22T12:39:44Z","tags":["warning","environment"],"pid":1,"message":"Detected an unhandled Promise rejection.\nError: Failed when trying to obtain the endpoints from your IdP"}

It works fine when I provide the Keycloak root certificate, but how will it work by disabling host verification? Thanks in advance.


Hi @Vivek123

Your error refers to your self-signed certificate. You need to present the SSL certificate of your Keycloak VM in config.yml (see example below). Also be sure that the Keycloak certificate contains at least the IP or FQDN of the Keycloak VM in the certificate's CN or SAN.

In Kibana, also add Keycloak's root_ca; in my case it was a self-signed cert.
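As an added illustration (not part of the reply above), the Open Distro settings that make both the security plugin and Kibana trust a private Keycloak CA, using the page's own openid_auth_domain and connect_url. The two .pem paths are placeholders; the setting names are Open Distro's documented OpenID options. DEPTH_ZERO_SELF_SIGNED_CERT is a certificate-chain failure, and verify_hostnames only relaxes the hostname match, so the error persists until the issuing CA is trusted.

```yaml
# config.yml (security plugin): openid_auth_domain with IdP TLS trust configured.
# Lives under config.dynamic.authc, as on the page. Paths are placeholders.
openid_auth_domain:
  description: "Authenticate via Keycloak OpenID"
  http_enabled: true
  transport_enabled: true
  order: 1
  http_authenticator:
    type: openid
    challenge: false
    config:
      subject_key: preferred_username
      roles_key: roles
      openid_connect_url: https://<keycloak_host>:/auth/realms/Obf/.well-known/openid-configuration
      openid_connect_idp:
        enable_ssl: true            # apply the TLS settings below to the IdP connection
        verify_hostnames: true      # keep on; the cert's CN/SAN must contain <keycloak_host>
        # PEM file holding the root CA that signed the Keycloak certificate (placeholder path)
        pemtrustedcas_filepath: /usr/share/elasticsearch/config/keycloak-root-ca.pem
  authentication_backend:
    type: noop
---
# kibana.yml: the Kibana plugin fetches the same discovery document itself,
# so it needs its own copy of the root CA (placeholder path).
opendistro_security.auth.type: openid
opendistro_security.openid.connect_url: https://<keycloak_host>:/auth/realms/Obf/.well-known/openid-configuration
opendistro_security.openid.root_ca: /usr/share/kibana/config/keycloak-root-ca.pem
opendistro_security.openid.verify_hostnames: true
```

With the CA trusted on both sides, the earlier `verify_hostnames: false` entries can be set back to true, which is the setting that actually prevents a substituted certificate for another name from being accepted.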