OpenId authentication failing with Certificate issue

Hi,

I am using elasticsearch-oss 7.0.1 rpm and installed opendistro_security(1.0.0.2) standalone plugin.
I am trying to authenticate access to Elasticsearch via Keycloak by enabling OpenID authentication.
Authentication is failing with the error: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

The Keycloak server is configured with a self-signed certificate and I have added this certificate to the Java truststore of the JVM where Elasticsearch is running. I have also configured this certificate in the pemtrustedcas_filepath parameter as shown below.

Attaching the relevant section of the config file.

basic_internal_auth_domain:
  description: "Authenticate via HTTP Basic against internal users database"
  http_enabled: true
  transport_enabled: true
  order: 0
  http_authenticator:
    type: basic
    challenge: false
  authentication_backend:
    type: intern
openid_auth_domain:
  http_enabled: true
  order: 1
  http_authenticator:
    type: openid
    challenge: false
    config:
      subject_key: preferred_username
      roles_key: roles
      openid_connect_url: https://<keycloak-server>/auth/realms/elk/.well-known/openid-configuration
      pemtrustedcas_filepath: /home/tls.pem
  authentication_backend:
    type: noop

Can you please look into this and help me resolve this error?

Thanks,
Shivani

Hi, I know this topic was created some time ago, but if the problem is still there please take a look here: Incorrect documentation on OpenID config

Probably you have an incorrect configuration with pemtrustedcas_filepath, as it requires the openid_connect_idp prefix.


@shivani, did you get this resolved? If not, which version of ODFE are you running?

@Anthony, yes, it did get resolved after adding openid_connect_idp in the configuration for the SSL parameters. Seems like a documentation bug in the OpenID page that needs to be fixed :) (OpenID Connect - Open Distro Documentation):

openid_auth_domain:
  http_enabled: true
  order: 1
  http_authenticator:
    type: openid
    challenge: false
    config:
      subject_key: preferred_username
      roles_key: roles
      openid_connect_url: https://<keycloak-server>/auth/realms/elk/.well-known/openid-configuration
      openid_connect_idp:
        enable_ssl: true
        verify_hostnames: false
        pemtrustedcas_filepath: /home/tls.pem
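The mistake in the thread (IdP TLS keys placed directly under `config` instead of under `config.openid_connect_idp`) is easy to repeat when copying from outdated documentation. The following is an added example, not code from the thread or from the Open Distro project: a small lint over the `authc` section of config.yml that flags the misplaced keys, warns when an https discovery URL has no IdP trust settings, and calls out `verify_hostnames: false` as a caveat, since the working config above trusts the self-signed certificate but skips the hostname check. The two sample configs are constructed from the thread's snippets (`<keycloak-server>` is the thread's own placeholder); in practice you would feed it the dict produced by `yaml.safe_load` on config.yml, and the list of IdP keys is an assumption limited to the three that appear on this page.

```python
from typing import Any, Dict, List

# TLS keys the openid authenticator reads from config.openid_connect_idp.
# Assumption: only the keys that appear in the thread are listed; extend as needed.
IDP_TLS_KEYS = ("enable_ssl", "verify_hostnames", "pemtrustedcas_filepath")


def lint_openid_domain(name: str, domain: Dict[str, Any]) -> List[str]:
    """Return human-readable findings for one authc domain; empty list if clean."""
    findings: List[str] = []
    authn = domain.get("http_authenticator") or {}
    if authn.get("type") != "openid":
        return findings  # only openid domains carry an openid_connect_idp block
    cfg = authn.get("config") or {}
    idp = cfg.get("openid_connect_idp") or {}

    # 1. The original post's mistake: IdP TLS keys at the wrong nesting level.
    for key in IDP_TLS_KEYS:
        if key in cfg:
            findings.append(
                f"{name}: misplaced '{key}' directly under config; "
                f"move it under config.openid_connect_idp"
            )

    # 2. https discovery URL but no IdP trust settings: a self-signed IdP
    #    certificate cannot be validated (the thread's symptom).
    url = cfg.get("openid_connect_url", "")
    if url.startswith("https://") and idp.get("enable_ssl") is not True:
        findings.append(
            f"{name}: https openid_connect_url but no openid_connect_idp.enable_ssl; "
            f"for a self-signed IdP certificate set enable_ssl and pemtrustedcas_filepath"
        )

    # 3. Caveat: the IdP certificate is trusted but its hostname is not checked.
    if idp.get("verify_hostnames") is False:
        findings.append(
            f"{name}: openid_connect_idp.verify_hostnames is false; "
            f"the IdP certificate is trusted without a hostname check"
        )
    return findings


def lint_authc(authc: Dict[str, Any]) -> List[str]:
    """Lint every domain in an authc mapping and collect the findings."""
    out: List[str] = []
    for name, domain in authc.items():
        if isinstance(domain, dict):
            out.extend(lint_openid_domain(name, domain))
    return out


DISCOVERY_URL = "https://<keycloak-server>/auth/realms/elk/.well-known/openid-configuration"

# Constructed from the original post: pemtrustedcas_filepath sits under config.
BROKEN_AUTHC: Dict[str, Any] = {
    "basic_internal_auth_domain": {
        "http_enabled": True, "transport_enabled": True, "order": 0,
        "http_authenticator": {"type": "basic", "challenge": False},
        "authentication_backend": {"type": "intern"},
    },
    "openid_auth_domain": {
        "http_enabled": True, "order": 1,
        "http_authenticator": {
            "type": "openid", "challenge": False,
            "config": {
                "subject_key": "preferred_username", "roles_key": "roles",
                "openid_connect_url": DISCOVERY_URL,
                "pemtrustedcas_filepath": "/home/tls.pem",
            },
        },
        "authentication_backend": {"type": "noop"},
    },
}

# Constructed from the resolved config: TLS keys nested under openid_connect_idp.
FIXED_AUTHC: Dict[str, Any] = {
    "openid_auth_domain": {
        "http_enabled": True, "order": 1,
        "http_authenticator": {
            "type": "openid", "challenge": False,
            "config": {
                "subject_key": "preferred_username", "roles_key": "roles",
                "openid_connect_url": DISCOVERY_URL,
                "openid_connect_idp": {
                    "enable_ssl": True,
                    "verify_hostnames": False,
                    "pemtrustedcas_filepath": "/home/tls.pem",
                },
            },
        },
        "authentication_backend": {"type": "noop"},
    },
}

if __name__ == "__main__":
    for label, authc in (("broken", BROKEN_AUTHC), ("fixed", FIXED_AUTHC)):
        print(label, "->", lint_authc(authc) or ["clean"])
```

Run as-is it reports two findings for the broken config (the misplaced key and the missing `enable_ssl`) and one for the fixed config (the `verify_hostnames: false` caveat). Whether to keep `verify_hostnames: false` is a judgement call: it is convenient while the Keycloak certificate's subject does not match the hostname in `openid_connect_url`, but the stronger setting is to issue the IdP certificate for the right name and leave hostname verification on.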