Siren Platform User Guide

Search Guard installation

Install the Search Guard plugin on each node in the Elasticsearch cluster by changing to the node folder and running the following commands (with the appropriate version number):

$ bin/elasticsearch-plugin install -b com.floragunn:search-guard-6:<version>

To find the most recent version of the plugins for your Elasticsearch version, consult the Search Guard version matrix.

Note

Elasticsearch requires a matching version of Search Guard. For example, Elasticsearch 6 requires Search Guard 6.

Then, copy the following files to the config folder of each node:

  • The truststore file (for example truststore.jks).
  • The keystore file containing the node certificate (for example CN=localhost-keystore.jks).
  • The keystore file containing the certificate for the Elasticsearch HTTP server, only if different from the node certificate.

Open the config/elasticsearch.yml file and set the following Search Guard options:

Node to node transport options:

  • searchguard.ssl.transport.enabled: Must be set to true for Search Guard to work.
  • searchguard.ssl.transport.keystore_filepath: The filename of the keystore file that contains the node certificate.
  • searchguard.ssl.transport.keystore_password: The password of the keystore file that contains the node certificate.
  • searchguard.ssl.transport.truststore_filepath: The filename of the truststore file that contains the root certificate chain.
  • searchguard.ssl.transport.truststore_password: The password of the truststore file that contains the root certificate chain.
  • searchguard.ssl.transport.enforce_hostname_verification: Set to true to enable hostname verification, false otherwise.

REST API options:

  • searchguard.ssl.http.enabled: Set to true to enable SSL on the HTTP interface.
  • searchguard.ssl.http.keystore_filepath: The filename of the keystore file that contains the certificate for the HTTP interface.
  • searchguard.ssl.http.keystore_password: The password of the keystore file that contains the certificate for the HTTP interface.
  • searchguard.ssl.http.truststore_filepath: The filename of the truststore file that contains the root certificate chain for the HTTP certificate.
  • searchguard.ssl.http.truststore_password: The password of the truststore file that contains the root certificate chain for the HTTP certificate.

Administrative user options:

  • searchguard.authcz.admin_dn: A list of Distinguished Names in SSL client certificates which are authorized to submit administrative requests.

Client certificate authentication options:

  • searchguard.ssl.http.clientauth_mode: Set to OPTIONAL to enable optional client certificate authentication on the REST endpoint.

For example:

searchguard.ssl.transport.enabled: true
searchguard.ssl.transport.truststore_filepath: truststore.jks
searchguard.ssl.transport.truststore_password: <password>
searchguard.ssl.transport.keystore_filepath: CN=localhost-keystore.jks
searchguard.ssl.transport.keystore_password: <password>
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.http.enabled: true
searchguard.ssl.http.keystore_filepath: CN=localhost-keystore.jks
searchguard.ssl.http.keystore_password: <password>
searchguard.ssl.http.truststore_filepath: truststore.jks
searchguard.ssl.http.truststore_password: <password>
searchguard.authcz.admin_dn:
  - CN=sgadmin
searchguard.ssl.http.clientauth_mode: OPTIONAL

Note

Ensure that all the files in the configuration folder and the certificate files are readable only by the user running Elasticsearch.
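A pre-start check for the note above, as an added example that is not part of the Siren or Search Guard documentation. It flags any file in the config folder that group or other can access, and any keystore or truststore named in elasticsearch.yml that is missing. The function names are hypothetical, and store paths are assumed to be relative to the config folder, as in the sample configuration.

```shell
#!/bin/sh
# Added example (not from the guide): audit a node's config folder.
# Assumes keystore/truststore paths in elasticsearch.yml are relative to the
# config folder, as in the guide's sample. Function names are hypothetical.

# Print a finding if group or other hold any permission bit on "$1".
check_mode() {
    perms=$(ls -ld "$1" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "PERMS   $1 (group/other bits: $perms)"
        findings=$((findings + 1))
    fi
}

# audit_sg_config <config-dir>: returns 0 when clean, 1 when findings exist.
audit_sg_config() {
    conf_dir=$1
    yml="$conf_dir/elasticsearch.yml"
    findings=0
    [ -f "$yml" ] || { echo "MISSING $yml"; return 1; }

    # Every regular file in the config folder, elasticsearch.yml included
    # (it holds the keystore passwords in clear text).
    for f in "$conf_dir"/*; do
        if [ -f "$f" ]; then check_mode "$f"; fi
    done

    # Every keystore/truststore the configuration refers to must exist.
    while IFS= read -r store; do
        [ -n "$store" ] || continue
        if [ ! -f "$conf_dir/$store" ]; then
            echo "MISSING $conf_dir/$store (referenced in elasticsearch.yml)"
            findings=$((findings + 1))
        fi
    done <<EOF
$(sed -n -e 's/[[:space:]]*$//' \
    -e 's/^searchguard\.ssl\.[a-z]*\.[a-z]*store_filepath:[[:space:]]*//p' "$yml")
EOF

    # Search Guard needs transport SSL switched on.
    if ! grep -q '^searchguard\.ssl\.transport\.enabled:[[:space:]]*true' "$yml"; then
        echo "CONFIG  searchguard.ssl.transport.enabled is not true"
        findings=$((findings + 1))
    fi

    [ "$findings" -eq 0 ]
}
```

Run it as the user that starts Elasticsearch, for example `audit_sg_config config` from the node folder; a non-zero return means at least one finding was printed.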

Start Elasticsearch:

$ bin/elasticsearch

If either a certificate or a password is incorrect, Elasticsearch will not start.
