
I am trying to connect to my Elasticsearch server using the Java API and Shield. I can execute index, get, delete and search operations on the existing cluster using the Sense plugin (e.g.) and via curl on 9200. I've seen other threads about this, but none of them worked and none of them were trying to connect to an Elasticsearch web server with Shield.

I used the same API to connect to Elasticsearch on my localhost and it worked fine; however, when I try to connect to my web server I always get the same error:

Error

1342 [main] DEBUG org.elasticsearch.shield.transport.netty  - [Benjamin Jacob Grimm] connected to node [{#transport#-1}{HOST_IP}{HOST/HOST_IP:9300}]
1431 [elasticsearch[Benjamin Jacob Grimm][generic][T#1]] DEBUG org.elasticsearch.shield.transport.netty  - [Benjamin Jacob Grimm] disconnecting from [{#transport#-1}{HOST_IP}{HOST/HOST_IP:9300}], channel closed event
1463 [main] INFO org.elasticsearch.client.transport  - [Benjamin Jacob Grimm] failed to get node info for {#transport#-1}{HOST_IP}{HOST/HOST_IP:9300}, disconnecting...
NodeDisconnectedException[[][HOST/HOST_IP:9300][cluster:monitor/nodes/liveness] disconnected]

...9200/_nodes

"cluster_name": "elasticsearch",
   "nodes": {
      "UYdZbCQKQZavtFYOoUpawg": {
         "name": "Desmond Pitt",
         "transport_address": "HOST_IP:9300",
         "host": "HOST_IP",
         "ip": "HOST_IP",
         "version": "2.3.3",
         "build": "218bdf1",
         "http_address": "HOST_IP:9200",
         "settings": {
            "pidfile": "/var/run/elasticsearch/elasticsearch.pid",
            "cluster": {
               "name": "elasticsearch"
            },
            "path": {
               "conf": "/etc/elasticsearch",
               "data": "/var/lib/elasticsearch",
               "logs": "/var/log/elasticsearch",
               "home": "/usr/share/elasticsearch"
            },
            "shield": {
               "http": {
                  "ssl": "true"
               },
               "https": {
                  "ssl": "true"
               },
               "transport": {
                  "ssl": "true"
               }
            },
            "name": "Desmond Pitt",
            "client": {
               "type": "node"
            },
            "http": {
               "cors": {
                  "allow-origin": "*",
                  "allow-headers": "Authorization, Origin, X-Requested-With, Content-Type, Accept",
                  "allow-credentials": "true",
                  "allow-methods": "OPTIONS, HEAD, GET, POST, PUT, DELETE",
                  "enabled": "true"
               }
            },
            "index": {
               "queries": {
                  "cache": {
                     "type": "opt_out_cache"
                  }
               }
            },
            "foreground": "false",
            "config": {
               "ignore_system_properties": "true"
            },
            "network": {
               "host": "HOST_IP",
               "bind_host": "0.0.0.0",
               "publish_host": "HOST_IP"
            }
         }

Java code:

TransportClient client = TransportClient.builder()
    .addPlugin(ShieldPlugin.class)
    .settings(Settings.builder()
        .put("cluster.name", ClusterName)
        .put("shield.user", "USER:PASSWORD")
        .build())
    .build()
    .addTransportAddress(new InetSocketTransportAddress(InetAddress.getByName(HOST), 9300));

I've tried, as stated in "Can't connect to ElasticSearch server using Java API", to sync the Java version of my Java API and my server, and currently I'm using:

Java API:

C:\Program Files\Java\jdk1.8.0_92

Server:

"version": "1.8.0_91",
"vm_name": "OpenJDK 64-Bit Server VM",

I don't know if there is any problem using ...0_91 and 0_92, but it doesn't seem to make any difference because the Java API works well on my localhost server.

If you need more information feel free to ask. Thanks in advance!

UPDATE:

Changes I made in elasticsearch.yml

shield.ssl.keystore.path:          /usr/share/elasticsearch/bin/shield/elastic.jks
shield.ssl.keystore.password:      password
shield.ssl.keystore.key_password:  password

shield.transport.ssl: true
shield.http.ssl: true
shield.https.ssl: true

network.host: HOST_IP
network.publish_host: HOST_IP
shield.ssl.hostname_verification.resolve_name: false

Result of https://HOST:9200/_cluster/health?pretty=true

{
   "cluster_name": "elasticsearch",
   "status": "yellow",
   "timed_out": false,
   "number_of_nodes": 1,
   "number_of_data_nodes": 1,
   "active_primary_shards": 5,
   "active_shards": 5,
   "relocating_shards": 0,
   "initializing_shards": 0,
   "unassigned_shards": 5,
   "delayed_unassigned_shards": 0,
   "number_of_pending_tasks": 0,
   "number_of_in_flight_fetch": 0,
   "task_max_waiting_in_queue_millis": 0,
   "active_shards_percent_as_number": 50
}

UPDATE2:

I've tried to activate SSL according to the official documentation and I got the following errors:

2082 [elasticsearch[Steel Serpent][transport_client_worker][T#1]{New I/O worker #1}] DEBUG org.elasticsearch.shield.transport.netty  - [Steel Serpent] SSL/TLS handshake failed, closing channel: null
java.nio.channels.ClosedChannelException
    at org.jboss.netty.handler.ssl.SslHandler.channelDisconnected(SslHandler.java:575)
    at org.jboss.netty.channel.SimpleChannelUpstreamHandler.handleUpstream(SimpleChannelUpstreamHandler.java:102)
    at org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:564)
    at org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:559)
    at org.jboss.netty.channel.Channels.fireChannelDisconnected(Channels.java:396)
    at org.jboss.netty.channel.socket.nio.AbstractNioWorker.close(AbstractNioWorker.java:360)
    at org.jboss.netty.channel.socket.nio.NioWorker.read(NioWorker.java:93)
    at org.jboss.netty.channel.socket.nio.AbstractNioWorker.process(AbstractNioWorker.java:108)
    at org.jboss.netty.channel.socket.nio.AbstractNioSelector.run(AbstractNioSelector.java:337)
    at org.jboss.netty.channel.socket.nio.AbstractNioWorker.run(AbstractNioWorker.java:89)
    at org.jboss.netty.channel.socket.nio.NioWorker.run(NioWorker.java:178)
    at org.jboss.netty.util.ThreadRenamingRunnable.run(ThreadRenamingRunnable.java:108)
    at org.jboss.netty.util.internal.DeadLockProofWorker$1.run(DeadLockProofWorker.java:42)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at java.lang.Thread.run(Thread.java:745)

Temporary Solution

After that attempt I did as Vladislav Kysliy suggested and disabled SSL, and it worked, but I'm looking for a real solution and not a temporary one.

Community
Emanuel
  • Could you describe what value ClusterName is set to? – Vladislav Kysliy Jul 08 '16 at 09:49
  • I'm using the default value as said in the documentation: "elasticsearch", but I've also tried with the cluster id and got the same results. – Emanuel Jul 08 '16 at 10:14
  • You know, I've set up a new Elasticsearch instance with the Shield plugin and used your code; it works very well. Do you have any code after the line with TransportClient? – Vladislav Kysliy Jul 08 '16 at 12:36
  • No, I get the errors after this code. Could there be a problem with my installation or with elasticsearch.yml? Or maybe I'm not running the Java API properly. – Emanuel Jul 08 '16 at 13:15
  • It can be. Did you change the default config? Could you add the output of "http://localhost:9200/_cluster/health?pretty=true"? – Vladislav Kysliy Jul 08 '16 at 13:31
  • Yes, I changed some things when I couldn't get any results. I'll edit my question with that and with the output you've asked for. – Emanuel Jul 08 '16 at 13:39

1 Answer


As I can see, you enabled SSL encryption, but your Java code didn't activate SSL. According to the official documentation you should use something like this:

TransportClient client = TransportClient.builder()
    .addPlugin(ShieldPlugin.class)
    .settings(Settings.builder()
        .put("cluster.name", "myClusterName")
        .put("shield.user", "transport_client_user:changeme")
        // keystore used by the client for the SSL transport connection
        .put("shield.ssl.keystore.path", "/path/to/client.jks")
        .put("shield.ssl.keystore.password", "password")
        .put("shield.transport.ssl", "true")
        // ... (further settings elided in the original)
        .build())
    .build();

Moreover, I would test my code without any encryption and add new features (e.g. SSL) to the config and code step by step.

UPD: To be honest, fixing SSL issues remotely will be tricky. These errors often appear when the client sends an invalid SSL certificate. You probably need to disable client auth.

Because you use SSL + Shield, the main idea is to check your functionality step by step: disable SSL and check in the Java API client, then enable SSL and check again.

Glorfindel
Vladislav Kysliy
  • I've tried this but still get errors like: [elasticsearch[Powerpax][transport_client_worker][T#1]{New I/O worker #1}] DEBUG org.elasticsearch.netty.handler.ssl.SslHandler - SSLEngine.closeInbound() raised an exception after a handshake failure. javax.net.ssl.SSLException: Inbound closed before receiving peer's close_notify: possible truncation attack? – Emanuel Jul 11 '16 at 15:18
  • No, I've used my company certificate that they already had for the website. – Emanuel Jul 12 '16 at 08:04
  • @Emanuel I've updated my answer, and don't be shy about adding exceptions to your question. It would be helpful for other people who will try to help. Thanks! – Vladislav Kysliy Jul 12 '16 at 08:21
  • I did what you've said and I indexed with my Java API with SSL disabled, and it worked. However, I can't stay with SSL disabled 'cause our website doesn't accept HTTP responses from elastic. For now I'll stay with this solution, but I'll update my question with all that I've tried with your help and hope that someone has a solution for the problem. Thanks :) – Emanuel Jul 12 '16 at 10:00
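
One way to find out why the handshake on the transport port fails, independent of Elasticsearch and Shield: a plain JSSE probe that loads the client keystore and reports the handshake result. This is an added example, not code from the question, the answer or the Shield documentation; the class name `TransportTlsProbe` and its command-line arguments are hypothetical. It assumes a single JKS file that holds both the client key (if any) and the trusted CA certificates, with the key password equal to the keystore password.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import javax.net.ssl.*;

// Added diagnostic (hypothetical class name): TLS handshake against the transport port.
public class TransportTlsProbe {
    // Usage: java TransportTlsProbe HOST 9300 /path/to/client.jks PASSWORD
    public static void main(String[] args) throws Exception {
        String host = args[0];
        int port = Integer.parseInt(args[1]);
        char[] password = args[3].toCharArray();

        // Assumption: one JKS file holds the client key (if any) and the trusted CA
        // certificates, and the key password equals the keystore password.
        KeyStore store = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(args[2])) {
            store.load(in, password);
        }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(store, password);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(store);
        SSLContext context = SSLContext.getInstance("TLS");
        context.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);

        try (SSLSocket socket = (SSLSocket) context.getSocketFactory().createSocket(host, port)) {
            socket.setSoTimeout(5000);
            // Check the server certificate against the host name, as an HTTPS client would.
            SSLParameters params = socket.getSSLParameters();
            params.setEndpointIdentificationAlgorithm("HTTPS");
            socket.setSSLParameters(params);
            socket.startHandshake();
            SSLSession session = socket.getSession();
            System.out.println("Handshake OK: " + session.getProtocol() + " " + session.getCipherSuite());
            for (Certificate cert : session.getPeerCertificates()) {
                X509Certificate x509 = (X509Certificate) cert;
                System.out.println("  subject=" + x509.getSubjectX500Principal()
                        + " issuer=" + x509.getIssuerX500Principal() + " notAfter=" + x509.getNotAfter());
            }
        } catch (IOException e) {
            // Trust failures, host name mismatches and a peer closing the channel all land here.
            System.out.println("Handshake failed: " + e.getClass().getSimpleName() + ": " + e.getMessage());
        }
    }
}
```

Running the JVM with `-Djavax.net.debug=ssl` prints the full handshake trace, including the certificate chain the server presents and whether it requests a client certificate.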