Integrating Search Guard Classic
This section describes how to install and configure Search Guard Classic on an Elasticsearch cluster and integrate it with Siren Investigate.
Before you begin
- Ensure that Siren Investigate is running with HTTPS enabled. For more information, see Enabling HTTPS in Siren Investigate.
- Ensure that you have prepared all required security certificates (cluster CA, node certs, admin cert, optional client certs). For more information, see Setting up security certificates for Classic.
- Download the sgadmin tool compatible with your Elasticsearch / Classic version from the official Search Guard download portal.
Installing Search Guard Classic
A first installation requires a rolling restart (or a full restart of a single-node cluster), because TLS must be enabled on the transport layer across all nodes at the same time.
Install the plugin
Install the Search Guard Classic plugin on every node (run inside the Elasticsearch home directory):
bin/elasticsearch-plugin install -b com.floragunn:search-guard-6:6.x.x-xx.x.x
If Elasticsearch was installed from a package, the command is usually at |
After installation, copy these files into each node's config directory:
- CA bundle (e.g. chain-ca.pem).
- Node certificate (e.g. node01.crtfull.pem).
- Node private key (e.g. node01.key.pem).
- (Optional) Admin certificate/key pair, if not already present on the node where you will run the admin tool.
Configure elasticsearch.yml
Add (or adjust) the following minimal Classic TLS and admin settings, adapting the filenames and passwords to your environment:
searchguard.ssl.transport.pemcert_filepath: "node01.crtfull.pem"
searchguard.ssl.transport.pemkey_filepath: "node01.key.pem"
searchguard.ssl.transport.pemkey_password: "password"
searchguard.ssl.transport.pemtrustedcas_filepath: "chain-ca.pem"
searchguard.ssl.transport.enforce_hostname_verification: true
searchguard.ssl.http.enabled: true
searchguard.ssl.http.pemcert_filepath: "node01.crtfull.pem"
searchguard.ssl.http.pemkey_filepath: "node01.key.pem"
searchguard.ssl.http.pemkey_password: "password"
searchguard.ssl.http.pemtrustedcas_filepath: "chain-ca.pem"
searchguard.authcz.admin_dn:
- "CN=sgadmin"
searchguard.allow_custom_headers: "_siren_.*"
Ensure files in the |
Restart the nodes one at a time (rolling restart) and check the Elasticsearch logs of each node for successful Search Guard Classic initialization.
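As an added example (not code from the Siren or Search Guard documentation), the script below checks an elasticsearch.yml settings block like the one above before the restart: it uses a small hand-written parser for the flat key/value subset shown (assumption: no PyYAML), takes the set of filenames present in the node's config directory as input, and flags missing certificate paths, http TLS or hostname verification not set to true, an empty admin_dn, and an allow_custom_headers value that does not cover the _siren_ headers. The weak sample config and file listing are constructed.

```python
def parse_flat_yaml(text):
    """Parse the flat 'key: value' / '- item' subset used in elasticsearch.yml above."""
    settings, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("- ") and current is not None:   # list item under current key
            settings.setdefault(current, []).append(line[2:].strip().strip('"'))
            continue
        key, _, value = line.partition(":")
        current, value = key.strip(), value.strip().strip('"')
        if value:
            settings[current] = value
    return settings

REQUIRED_FILE_KEYS = [f"searchguard.ssl.{layer}.{part}_filepath"
                      for layer in ("transport", "http")
                      for part in ("pemcert", "pemkey", "pemtrustedcas")]

def check_settings(text, files_in_config_dir):
    """Return a list of findings (an empty list means the settings pass the check).
    files_in_config_dir: set of filenames present in the node's config directory."""
    s, findings = parse_flat_yaml(text), []
    for key in REQUIRED_FILE_KEYS:
        if key not in s:
            findings.append(f"missing {key}")
        elif s[key] not in files_in_config_dir:
            findings.append(f"{key} refers to {s[key]}, which is not in the config directory")
    if s.get("searchguard.ssl.http.enabled") != "true":
        findings.append("http TLS not enabled: REST traffic would be plaintext")
    if s.get("searchguard.ssl.transport.enforce_hostname_verification") != "true":
        findings.append("hostname verification off: a CA-signed cert is accepted from any host")
    if not s.get("searchguard.authcz.admin_dn"):
        findings.append("admin_dn empty: sgadmin has no DN it can authenticate as")
    if not str(s.get("searchguard.allow_custom_headers", "")).startswith("_siren_"):
        findings.append("allow_custom_headers does not cover the _siren_ headers")
    return findings

# Constructed sample of a weak 'before' config: http TLS off, no hostname check, no admin DN.
WEAK_CONFIG = """
searchguard.ssl.transport.pemcert_filepath: "node01.crtfull.pem"
searchguard.ssl.transport.pemkey_filepath: "node01.key.pem"
searchguard.ssl.transport.pemtrustedcas_filepath: "chain-ca.pem"
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.http.enabled: false
"""
NODE_FILES = {"node01.crtfull.pem", "node01.key.pem", "chain-ca.pem"}  # constructed listing
```

Running check_settings(WEAK_CONFIG, NODE_FILES) reports the three missing http certificate paths plus the four weak or missing settings; the block from this page with all three files present reports nothing.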
Search Guard Classic configuration
Classic configuration (authc chain, users / backends, roles, action groups, tenants) resides in a set of YAML files uploaded to a special index via the sgadmin tool.
Typical files:
- sg_config.yml – general settings and the authentication chain.
- sg_action_groups.yml – reusable permission groupings.
- sg_roles.yml – role definitions.
- sg_internal_users.yml – internal user store (if used).
- sg_roles_mapping.yml – maps external backend roles and users to Classic roles.
- sg_tenants.yml – tenant definitions (required even if tenants are unused).
Upload configuration
Use the sgadmin command line tool to upload your configuration files. Replace the paths and filenames as needed:
sgadmin.sh -cd /path/to/sgconfig/ -icl -key /path/to/admin-key.pem -cert /path/to/admin-cert.pem -cacert /path/to/chain-ca.pem -nhnv
Check the tool's output for success messages (index created / configuration updated).