Hi,
So, for a few days now I’ve been trying to set up my opendistro stack with SSL and I cannot figure it out.
My setup is still in development, so up until now, I was using the stack on HTTP and everything worked fine, from ElasticSearch to Logstash with Kibana SSO from my Identity Server.
Now, I need to move the whole stack to HTTPS, because my identity server is now on HTTPS and all my other clients are too. After playing around for a few days, I decided to go barebones and try to make the ElasticSearch-Kibana connection work on HTTPS with basicauth. It does work.
From the same config, I added back my openid parameters inside the kibana.yml, and added the required settings in the security config files. Here are the important parts of the config files:
Security config.yml:
openid_auth_domain:
  http_enabled: true
  transport_enabled: true
  order: 0
  http_authenticator:
    type: openid
    challenge: false
    config:
      enable_ssl: true
      verify_hostnames: false
      pemtrustedcas_filepath: /usr/share/elasticsearch/config/identity_ca.pem
      openid_connect_url: https://myworkingdomain/.well-known/openid-configuration
      subject_key: username
      roles_key: roles
  authentication_backend:
    type: noop
kibana.yml:
server.name: kibana
server.host: "0"
server.cors: true
server.customResponseHeaders: { "Access-Control-Allow-Credentials" : "true" }
server.ssl.enabled: true
server.ssl.certificate: /usr/share/kibana/config/backend_crt.pem
server.ssl.key: /usr/share/kibana/config/backend_key.pem
elasticsearch.ssl.certificateAuthorities: ["/usr/share/kibana/config/backend_crt.pem"]
elasticsearch.ssl.verificationMode: certificate
elasticsearch.username: username
elasticsearch.password: password
elasticsearch.requestHeadersWhitelist: ["securitytenant","Authorization", "jwtToken", "x-forwarded-for", "x-forwarded-by", "access-control-allow-credentials"]
opendistro_security.multitenancy.enabled: false
opendistro_security.multitenancy.tenants.preferred: ["Private", "Global"]
opendistro_security.readonly_mode.roles: ["kibana_read_only"]
opendistro_security.auth.type: "openid"
opendistro_security.openid.connect_url: "https://myworkingdomain/.well-known/openid-configuration"
opendistro_security.openid.client_id: "kibanaclient"
opendistro_security.openid.client_secret: "secret"
opendistro_security.openid.scope: "openid profile email phone address"
opendistro_security.openid.base_redirect_url: "http://mykibanaredirecturl:5601"
opendistro_security.openid.root_ca: "/usr/share/kibana/config/identity_ca.pem"
Part of elasticsearch.yml:
opendistro_security.ssl.transport.pemcert_filepath: backend_crt.pem
opendistro_security.ssl.transport.pemkey_filepath: backend_key.pem
opendistro_security.ssl.transport.pemtrustedcas_filepath: backend_crt.pem
opendistro_security.ssl.transport.enforce_hostname_verification: false
opendistro_security.ssl.http.enabled: true
opendistro_security.ssl.http.pemcert_filepath: backend_crt.pem
opendistro_security.ssl.http.pemkey_filepath: backend_key.pem
opendistro_security.ssl.http.pemtrustedcas_filepath: backend_crt.pem
As you can see, I used backend_crt and backend_key for both Elastic and Kibana, but it worked in basicauth. So, I added the identity_ca.pem and passed it as a parameter in both the security config.yml and kibana.yml as root_ca, but this is not working. The security plugin cannot initialize, but there are no details (even with logging verbose).
"tags":["status","plugin:opendistro_security@1.8.0.0","error"],"pid":1,"state":"red","message":"Status changed from yellow to red - An error occurred during initialisation, please check the logs."
Does anyone have any clue on what might be wrong in my config? Thanks
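A small consistency check over the settings quoted in the post, as an added example that is not part of the original post or of the Open Distro project. It parses the flat kibana.yml keys, takes the IdP URL and CA path from the security config.yml as a constructed dict, and reports wiring mismatches between the two files (the redirect URL scheme versus server.ssl.enabled, the IdP URL agreeing on both sides, and a trust CA being set for an https IdP). The finding messages and the parser are assumptions of this example, not plugin output.

```python
import json
from urllib.parse import urlparse

# Constructed sample: the relevant kibana.yml lines from the post, flat "key: value" form.
KIBANA_YML = """\
server.ssl.enabled: true
elasticsearch.ssl.certificateAuthorities: ["/usr/share/kibana/config/backend_crt.pem"]
elasticsearch.ssl.verificationMode: certificate
opendistro_security.openid.connect_url: "https://myworkingdomain/.well-known/openid-configuration"
opendistro_security.openid.base_redirect_url: "http://mykibanaredirecturl:5601"
opendistro_security.openid.root_ca: "/usr/share/kibana/config/identity_ca.pem"
"""
# Constructed: the openid_connect_url and CA path from the security plugin's config.yml.
SECURITY_OPENID = {
    "openid_connect_url": "https://myworkingdomain/.well-known/openid-configuration",
    "pemtrustedcas_filepath": "/usr/share/elasticsearch/config/identity_ca.pem",
}

def parse_flat_yaml(text):
    """Parse flat `key: value` lines: booleans, JSON strings/lists, bare words. No nesting."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, raw = line.partition(":")   # first colon ends the dotted key
        raw = raw.strip()
        if raw in ("true", "false"):
            settings[key.strip()] = raw == "true"
        elif raw[:1] in ('"', "["):
            settings[key.strip()] = json.loads(raw)
        else:
            settings[key.strip()] = raw
    return settings

def lint_openid_tls(kibana, security_openid):
    """Return findings (empty list = consistent) for the TLS/OpenID wiring between the two files."""
    findings = []
    k = "opendistro_security.openid."
    redirect = urlparse(kibana.get(k + "base_redirect_url", ""))
    if kibana.get("server.ssl.enabled") and redirect.scheme != "https":
        findings.append("base_redirect_url is http while server.ssl.enabled is true")
    if kibana.get(k + "connect_url") != security_openid["openid_connect_url"]:
        findings.append("connect_url differs between kibana.yml and security config.yml")
    if urlparse(security_openid["openid_connect_url"]).scheme == "https":
        for name, path in ((k + "root_ca", kibana.get(k + "root_ca")),
                           ("pemtrustedcas_filepath", security_openid["pemtrustedcas_filepath"])):
            if not path or not path.endswith(".pem"):
                findings.append(f"{name} must point at the IdP CA PEM for an https IdP")
    if kibana.get("elasticsearch.ssl.verificationMode") == "certificate" \
            and not kibana.get("elasticsearch.ssl.certificateAuthorities"):
        findings.append("verificationMode certificate needs elasticsearch.ssl.certificateAuthorities")
    return findings
```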