Elasticsearch Search Guard
Search Guard® is an Elasticsearch plugin that offers encryption, authentication, and authorization. It supports authentication via Active Directory, LDAP, Kerberos, JSON web tokens and many more, and includes fine-grained role-based access control to clusters, indices, documents and fields. Enjoy true multi-tenancy in Kibana, and stay compliant with GDPR, HIPAA, PCI, SOX and ISO by using audit logging.
Search Guard supports OpenSSL for maximum performance and security. The complete code is Open Source.
Search Guard Community Edition offers all basic security features for free. The Community Edition of Search Guard can be used for all projects, including commercial projects, at absolutely no cost.
The Community Edition includes:
- Full data in transit encryption
- Node-to-node encryption
- Index level access control
- Document type based access control
- User-, role- and permission management
- HTTP basic authentication
- User Impersonation
- Proxy support
The Enterprise Edition of Search Guard adds:
- Active Directory / LDAP
- Kerberos / SPNEGO
- JSON web token (JWT)
- Document-level security
- Field-level security
- Audit logging to stay compliant with security compliance regulations
- True Kibana Multi Tenancy
- REST Management API
Resolve Actions Pro uses the Search Guard Community Edition. All Elasticsearch traffic among the ES nodes in an Actions Pro cluster is secured by Search Guard. The communication between the Actions Pro components (rscontrol/rsview/rsmgmt/rsarchive and so on) and the ES nodes is also protected by Search Guard, as are the HTTP REST API ports on all ES nodes.
The Search Guard feature is optional in Actions Pro, so the Search Guard component is not included in the standard Actions Pro installation package but is packaged separately.
We built a customized install package for Search Guard in an Actions Pro cluster. It only runs on Linux servers with OpenSSL installed.
It consists of two tar files: sg541plugin.tar and sgscripts.tar.
Search Guard Installation Procedure
Prerequisite:
- Make sure keytool is installed and is in the PATH.
Search Guard needs to be installed on each Actions Pro server running Elasticsearch.
- Stop all Actions Pro instances in the cluster.
- Copy sg541plugin.tar to the elasticsearch/plugins directory of your Actions Pro install on the server, e.g. /opt/resolve/elasticsearch/plugins.
- Untar it and delete the tar file. Under plugins, you will find a new directory called search-guard-5.
- Copy sgscripts.tar to the elasticsearch directory, e.g. /opt/resolve/elasticsearch.
- Untar it and delete the tar file. You will see a new directory called sgscripts.
- Make sure the hosts files are up to date and include the IP/hostname entries for all the nodes in the cluster.
Set up Search Guard in Actions Pro
Generate TLS Certificates Required by Search Guard
- Go to the elasticsearch/sgscripts directory. You will see several scripts. The buildcerts.sh script is the one that creates the certificates.
- Open buildcerts.sh for editing. Several values in it need to be replaced by customer input.
- In the line
ORG_NAME="ResolveSystems Inc."
ORG_NAME can be assigned a value supplied by the customer. If you do not change it, the default value ResolveSystems Inc. works fine.
- changeit is the default keystore password used by Actions Pro. You can change it, but make sure you also change the client-side keystore password value in Actions Pro.
- In the line
./gen_node_cert.sh "$ORG_NAME" "CN=*.resolvesys.com,OU=SG,O=SG,L=SG,C=US" "searchguard" changeit "ca pass"
*.resolvesys.com is the wildcard domain name that appears in the node certificates. It must be replaced by the wildcard domain name of the network on which your Actions Pro ES servers run.
- In the line
./gen_client_node_cert.sh "$ORG_NAME" "CN=sgadmin,OU=SG,O=SG,L=SG,C=US" changeit "ca pass"
sgadmin is the administrator user name of Search Guard. It can be changed to another name, but the default name works fine.
- After all custom values are set in buildcerts.sh, run it from the elasticsearch/sgscripts directory to generate all the Search Guard certificates Actions Pro needs:
./buildcerts.sh
- When execution is done, multiple certificate files have been generated. Their names depend on your input in steps 5 and 6 (the wildcard domain name and the admin user name).
- Rename the file CN=*.resolvesys.com,OU=SG,O=SG,L=SG,C=US-keystore.jks to nodestore.jks. This is used as the Search Guard node certificate. Your file name might be different, based on your input in step 5.
- Rename the file CN=sgadmin,OU=SG,O=SG,L=SG,C=US-keystore.jks to sgadmin.jks. This is used as the Search Guard admin user certificate. Your file name might be different, based on your input in step 6.
truststore.jks is the Search Guard trust store file. It is needed by both the Actions Pro components and the Elasticsearch nodes.
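The two renames above depend on the DN template that the gen_node_cert.sh and gen_client_node_cert.sh lines in buildcerts.sh use (OU=SG,O=SG,L=SG,C=US) and on the two customer inputs. The following shell script is an added example and is not part of the Resolve sgscripts package: it derives the generated file names from those two inputs, refuses to touch anything if one of the three keystores is missing, and performs the renames. The function names (sg_node_dn, sg_admin_dn, sg_rename_keystores, sg_list_keystore) are assumptions, sg_list_keystore assumes keytool is on the PATH as the prerequisite requires, and the demo at the end runs on a constructed temporary directory with empty placeholder files rather than real keystores.

```shell
#!/bin/sh
# Added example (not part of the Resolve sgscripts package). Derives the keystore
# file names that buildcerts.sh produces from the two customer inputs and renames
# them to the fixed names the rest of the procedure expects.

# DN template used by the page's gen_node_cert.sh / gen_client_node_cert.sh lines.
SG_DN_SUFFIX="OU=SG,O=SG,L=SG,C=US"

# Node DN from the wildcard domain name (step 5 input).
sg_node_dn() {
    printf 'CN=%s,%s' "$1" "$SG_DN_SUFFIX"
}

# Admin DN from the Search Guard admin user name (step 6 input).
sg_admin_dn() {
    printf 'CN=%s,%s' "$1" "$SG_DN_SUFFIX"
}

# Show the entries of a JKS keystore so the CN can be checked before renaming.
# Assumes keytool is on the PATH (a prerequisite of this procedure).
sg_list_keystore() {
    keytool -list -v -keystore "$1" -storepass "$2" | grep -E '^(Alias name|Owner|Issuer):'
}

# Rename the generated keystores in directory $1 (elasticsearch/sgscripts):
#   $2 = wildcard domain name, $3 = admin user name.
# Fails without touching anything if one of the expected files is missing.
# Every expansion is quoted because the generated names contain '*' and ','.
sg_rename_keystores() {
    dir=$1
    node_src="$dir/$(sg_node_dn "$2")-keystore.jks"
    admin_src="$dir/$(sg_admin_dn "$3")-keystore.jks"
    for f in "$node_src" "$admin_src" "$dir/truststore.jks"; do
        if [ ! -f "$f" ]; then
            echo "missing: $f" >&2
            return 1
        fi
    done
    mv "$node_src" "$dir/nodestore.jks"
    mv "$admin_src" "$dir/sgadmin.jks"
    echo "nodestore.jks sgadmin.jks truststore.jks"
}

# Demo on a constructed directory (empty placeholder files, not real keystores).
sg_demo_dir=$(mktemp -d)
touch "$sg_demo_dir/$(sg_node_dn '*.example.net')-keystore.jks" \
      "$sg_demo_dir/$(sg_admin_dn sgadmin)-keystore.jks" \
      "$sg_demo_dir/truststore.jks"
sg_rename_keystores "$sg_demo_dir" '*.example.net' sgadmin
ls "$sg_demo_dir"
rm -rf "$sg_demo_dir"
```

On a real install, run sg_list_keystore on the generated file with the keystore password first and confirm that the Owner line carries the CN you entered in buildcerts.sh; the same DN strings are what searchguard.nodes_dn and searchguard.authcz.admin_dn must contain later in elasticsearch.yml.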
Deploy Generated Certificates
- Shut down all Actions Pro components including the Elasticsearch servers.
- All nodes in a cluster must use the same certificates. Copy nodestore.jks, truststore.jks, and sgadmin.jks to all nodes in the Actions Pro cluster.
Note: The same certificates must also be used on DR servers if site-to-site is enabled.
- Copy the nodestore.jks file to the elasticsearch/config directory of each Elasticsearch server in the Actions Pro cluster.
- Copy the truststore.jks file to the elasticsearch/config directory of each Elasticsearch server in the Actions Pro cluster.
- Copy the sgadmin.jks file to the rscontrol/config directory of each Actions Pro server in the Actions Pro cluster.
- Open elasticsearch/config/elasticsearch.yml on each Elasticsearch server install for editing and add the following content to the file:
######## Start Search Guard Configuration ########
searchguard.ssl.http.clientauth_mode: OPTIONAL
searchguard.ssl.transport.keystore_filepath: nodestore.jks
searchguard.ssl.transport.truststore_filepath: truststore.jks
searchguard.ssl.http.enabled: true
searchguard.ssl.http.keystore_filepath: nodestore.jks
searchguard.ssl.http.truststore_filepath: truststore.jks
searchguard.authcz.admin_dn:
- CN=sgadmin,OU=SG,O=SG,L=SG,C=US
searchguard.ssl.transport.truststore_password: changeit
searchguard.ssl.transport.keystore_password: changeit
searchguard.ssl.http.keystore_password: changeit
searchguard.ssl.http.truststore_password: changeit
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.transport.resolve_hostname: false
searchguard.nodes_dn:
- CN=*.resolvesys.com,OU=SG,O=SG,L=SG,C=US
network.host: 0.0.0.0
######## End Search Guard Configuration ########
If you provided a different wildcard domain name when generating the TLS certificate (step 5), set the searchguard.nodes_dn property above to that value.
If your existing elasticsearch.yml file already has the network.host property defined, replace its value with the new value 0.0.0.0.
If a non-default admin name was given when generating the TLS certificate (step 6), searchguard.authcz.admin_dn needs the corresponding DN value instead.
If non-default keystore or truststore passwords were used when running the buildcerts.sh script, replace the default password changeit in the Search Guard password properties above with your new password.
After the above changes, the Elasticsearch server is ready for restart.
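Because the DN values and passwords in this block must agree with what buildcerts.sh was run with, it is worth checking the edited file mechanically before restarting. The script below is an added example, not part of Actions Pro or Search Guard: sg_audit_yml reads an elasticsearch.yml, confirms that searchguard.ssl.http.enabled is true, that searchguard.nodes_dn and searchguard.authcz.admin_dn list the DNs you pass in, that network.host is 0.0.0.0, and reports every Search Guard password property still set to the default changeit. The helper names (yml_get, yml_list, sg_audit_yml, sg_write_sample_yml) are assumptions, the parser handles only the flat key: value and one-level list shapes used in the block above, and sg_write_sample_yml writes the page's own configuration block to a temporary file as constructed input.

```shell
#!/bin/sh
# Added example (not part of Actions Pro or Search Guard). Audits the Search Guard
# section of an elasticsearch.yml against the values chosen when the certificates
# were generated, and flags password properties still set to the default changeit.

# Scalar property lookup: "key: value" -> value (first match).
yml_get() {
    sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" "$1" | head -n 1
}

# Items of a YAML list that follows "key:" on its own line, one per output line.
yml_list() {
    awk -v k="$2" '
        $0 ~ ("^[ \t]*" k ":[ \t]*$") { inlist = 1; next }
        inlist && /^[ \t]*-[ \t]*/ { sub(/^[ \t]*-[ \t]*/, ""); print; next }
        { inlist = 0 }
    ' "$1"
}

# sg_audit_yml FILE NODE_DN ADMIN_DN
# Prints one FINDING line per problem and a final "findings: N" line; returns 1 if N > 0.
sg_audit_yml() {
    f=$1; want_node=$2; want_admin=$3; n=0
    if [ "$(yml_get "$f" searchguard.ssl.http.enabled)" != "true" ]; then
        echo "FINDING: searchguard.ssl.http.enabled is not true (REST port would be unprotected)"; n=$((n + 1))
    fi
    if ! yml_list "$f" searchguard.nodes_dn | grep -Fxq "$want_node"; then
        echo "FINDING: searchguard.nodes_dn does not list $want_node"; n=$((n + 1))
    fi
    if ! yml_list "$f" searchguard.authcz.admin_dn | grep -Fxq "$want_admin"; then
        echo "FINDING: searchguard.authcz.admin_dn does not list $want_admin"; n=$((n + 1))
    fi
    for k in searchguard.ssl.transport.keystore_password \
             searchguard.ssl.transport.truststore_password \
             searchguard.ssl.http.keystore_password \
             searchguard.ssl.http.truststore_password; do
        if [ "$(yml_get "$f" "$k")" = "changeit" ]; then
            echo "FINDING: $k still uses the default password changeit"; n=$((n + 1))
        fi
    done
    if [ "$(yml_get "$f" network.host)" != "0.0.0.0" ]; then
        echo "FINDING: network.host is not 0.0.0.0"; n=$((n + 1))
    fi
    echo "findings: $n"
    [ "$n" -eq 0 ]
}

# Write the page's Search Guard block to $1 with the password given in $2 (constructed sample).
sg_write_sample_yml() {
    cat > "$1" <<EOF
searchguard.ssl.http.clientauth_mode: OPTIONAL
searchguard.ssl.transport.keystore_filepath: nodestore.jks
searchguard.ssl.transport.truststore_filepath: truststore.jks
searchguard.ssl.http.enabled: true
searchguard.ssl.http.keystore_filepath: nodestore.jks
searchguard.ssl.http.truststore_filepath: truststore.jks
searchguard.authcz.admin_dn:
  - CN=sgadmin,OU=SG,O=SG,L=SG,C=US
searchguard.ssl.transport.truststore_password: $2
searchguard.ssl.transport.keystore_password: $2
searchguard.ssl.http.keystore_password: $2
searchguard.ssl.http.truststore_password: $2
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.transport.resolve_hostname: false
searchguard.nodes_dn:
  - CN=*.resolvesys.com,OU=SG,O=SG,L=SG,C=US
network.host: 0.0.0.0
EOF
}

# Demo: the page's defaults produce four findings (one per password property).
sg_demo=$(mktemp)
sg_write_sample_yml "$sg_demo" changeit
sg_audit_yml "$sg_demo" 'CN=*.resolvesys.com,OU=SG,O=SG,L=SG,C=US' 'CN=sgadmin,OU=SG,O=SG,L=SG,C=US' \
    || echo "audit: problems found, see FINDING lines above"
rm -f "$sg_demo"
```

Run it as sg_audit_yml /opt/resolve/elasticsearch/config/elasticsearch.yml "<node DN>" "<admin DN>" on each ES node before the restart; a non-zero exit means at least one of the values above still disagrees with the certificates or is a default password.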
Set Up Search Guard in Actions Pro Components
- Open the blueprint.properties file for editing on each Actions Pro server and look for these Search Guard related properties:
- rssearch.searchguard=false - Set rssearch.searchguard to true if Search Guard is enabled in Actions Pro; otherwise the default value false means Search Guard is disabled. If it is set to false, no other Search Guard properties need to be set.
- rssearch.sgkeystorepwd=changeit - Property rssearch.sgkeystorepwd sets the keystore password of the Search Guard admin certificate. If you leave it empty, Actions Pro uses its default value: changeit.
- rssearch.sgtruststore=${DIST}/elasticsearch/config/truststore.jks - Property rssearch.sgtruststore sets the file path to the Search Guard root certificate created in the previous step 1.k. If the file path or file name is different from the above default, set it accordingly.
- rssearch.sgtruststorepwd=changeit - Property rssearch.sgtruststorepwd sets the keystore password of the Search Guard root certificate. If you leave it empty, Actions Pro uses its default value: changeit.
- rssearch.yml.network.host=0.0.0.0 - Property rssearch.yml.network.host sets the network.host property value in the Elasticsearch .yml file.
- If Actions Pro is an rsremote-only install, open the rsremote blueprint.properties file for editing on each Actions Pro server, look for the Search Guard related properties, and make the same changes described in step A. The same set of truststore.jks and sgadmin.jks files must be used. Copy these files to the rsremote install machine in any desired folder and set the file path accordingly.
- Go to the ${RESOLVE_HOME}/bin directory and execute the config.sh script. It applies the Search Guard properties in the blueprint file to all Actions Pro components: rsview, rscontrol, rsmgmt, rsarchive.
- Open and check the Search Guard properties in the config.xml file of each Actions Pro component on each Actions Pro server: rsview, rscontrol, rsmgmt, rsarchive. Make sure each Search Guard property has the correct value.
The Search Guard properties are:
- SEARCHGUARD="true" - Enables (true) or disables (false) the Search Guard features.
- SGTRUSTSTORE="/opt/resolve/rscontrol/config/truststore.jks" - Sets the path to the keystore file of the Search Guard root certificate.
- SGTRUSTSTOREPWD="" - Sets the trust store password. If you leave it empty, Actions Pro uses the default password: changeit
- SGKEYSTORE="/opt/resolve/rscontrol/config/sgadmin.jks" - Sets the path to the keystore file of the Search Guard admin certificate.
- SGKEYSTOREPWD="" - Sets the keystore password of the Search Guard admin certificate. If you leave it empty, Actions Pro uses the default password: changeit
Restart Elasticsearch
After you have verified all property values at both Elasticsearch and Actions Pro components sides, restart Elasticsearch.
Complete Search Guard Configuration
After Elasticsearch starts, finish Search Guard configuration.
- Make the hash script executable:
chmod 770 <dist>/elasticsearch/plugins/search-guard-5/tools/hash.sh
- Execute:
<dist>/elasticsearch/plugins/search-guard-5/tools/hash.sh
- Enter the desired admin password for Search Guard and copy the resulting hash.
- Open
<dist>/elasticsearch/plugins/search-guard-5/sgconfig/sg_internal_users.yml
- Replace the current hash for admin with the copied hash.
- Execute:
<dist>/elasticsearch/plugins/search-guard-5/tools/sgadmin.sh -cd <dist>/elasticsearch/plugins/search-guard-5/sgconfig -ks <dist>/rscontrol/config/sgadmin.jks -kspass changeit -ts <dist>/elasticsearch/config/truststore.jks -tspass changeit -nhnv -icl
- Verify that Search Guard has finished its configuration by executing the following command and ensuring that the current health of the ES cluster is returned:
curl -k https://<ES ip>:9200/_cluster/health?pretty -u admin:<password>
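The last three steps (install the new admin hash, push the configuration with sgadmin.sh, check cluster health) can be scripted so that the hash edit is exact and the health check verifies the node certificate instead of skipping verification with -k. The script below is an added example and is not part of the Search Guard tools or Actions Pro. Its function names are assumptions; sg_apply_config assumes an environment variable DIST holding the install root (the <dist> of the commands above) and takes the keystore passwords from SG_KSPASS/SG_TSPASS, falling back to the page's default changeit; sg_export_ca assumes keytool is on the PATH and needs the alias of the CA entry inside truststore.jks, which the page does not state, so list the trust store with keytool -list to find it; sg_cluster_health must be given a host name covered by the wildcard node certificate, because an IP address does not match CN=*.resolvesys.com once verification is on, and it passes only the user name to -u so curl prompts for the password rather than exposing it in the process list. The sg_internal_users.yml content and the health JSON in the demo are constructed samples with placeholder hashes.

```shell
#!/bin/sh
# Added example (not part of the Search Guard tools or Actions Pro). Wraps the last
# three steps: install the new admin hash in sg_internal_users.yml, push the
# configuration with sgadmin.sh, and verify cluster health over a verified TLS
# connection instead of curl -k.

# Replace the hash of user $2 in sg_internal_users.yml ($1) with $3.
# Search Guard 5 stores each user as "<name>:" followed by an indented "hash:" line;
# only the hash line directly under that user is touched, other users are left alone.
sg_set_user_hash() {
    file=$1; user=$2; hash=$3
    tmp="$file.tmp"
    awk -v u="$user" -v h="$hash" '
        $0 ~ ("^" u ":[ \t]*$") { inuser = 1; print; next }
        inuser && /^[ \t]+hash:/ { sub(/hash:.*/, "hash: " h); inuser = 0 }
        /^[^ \t#]/ { inuser = 0 }
        { print }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# Return the hash currently stored for user $2 in $1 (to check the edit took).
sg_get_user_hash() {
    awk -v u="$2" '
        $0 ~ ("^" u ":[ \t]*$") { inuser = 1; next }
        inuser && /^[ \t]+hash:/ { sub(/^[ \t]+hash:[ \t]*/, ""); print; exit }
        /^[^ \t#]/ { inuser = 0 }
    ' "$1"
}

# Push sgconfig to the cluster: the page's sgadmin.sh invocation, with the install
# root taken from DIST and the passwords from SG_KSPASS / SG_TSPASS (assumptions;
# both default to the page's changeit).
sg_apply_config() {
    "$DIST/elasticsearch/plugins/search-guard-5/tools/sgadmin.sh" \
        -cd "$DIST/elasticsearch/plugins/search-guard-5/sgconfig" \
        -ks "$DIST/rscontrol/config/sgadmin.jks" -kspass "${SG_KSPASS:-changeit}" \
        -ts "$DIST/elasticsearch/config/truststore.jks" -tspass "${SG_TSPASS:-changeit}" \
        -nhnv -icl
}

# Export the CA from truststore.jks ($1, password $2, alias $3) as PEM into $4 so
# curl can verify the node certificate. Assumes keytool is on the PATH.
sg_export_ca() {
    keytool -exportcert -rfc -keystore "$1" -storepass "$2" -alias "$3" -file "$4"
}

# Cluster health with certificate verification: $1 host name covered by the wildcard
# node certificate, $2 CA PEM from sg_export_ca, $3 user name (curl prompts for the
# password, so it never appears on the command line).
sg_cluster_health() {
    curl -sS --cacert "$2" -u "$3" "https://$1:9200/_cluster/health?pretty"
}

# Extract "status" (green, yellow or red) from the health JSON on stdin.
sg_health_status() {
    sed -n 's/.*"status"[[:space:]]*:[[:space:]]*"\([a-z]*\)".*/\1/p' | head -n 1
}

# Demo on a constructed sg_internal_users.yml (placeholder hashes) and health JSON.
sg_demo=$(mktemp)
cat > "$sg_demo" <<'EOF'
# constructed sample, not the shipped file
admin:
  hash: $2a$12$OLDHASHPLACEHOLDERxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
  roles:
    - admin
otheruser:
  hash: $2a$12$OTHERUSERPLACEHOLDERxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
EOF
sg_set_user_hash "$sg_demo" admin '$2a$12$NEWHASHFROMHASHSHxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
echo "admin hash now: $(sg_get_user_hash "$sg_demo" admin)"
rm -f "$sg_demo"
printf '{ "cluster_name" : "resolve", "status" : "green", "number_of_nodes" : 3 }\n' | sg_health_status
```

On a real node the sequence is: hash.sh, sg_set_user_hash on the sgconfig file with the copied hash, sg_apply_config, then sg_export_ca once and sg_cluster_health es-node1.yourdomain ca.pem admin; a status of green or yellow confirms that Search Guard accepted the configuration and that the REST port now authenticates the admin user.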
Restart Actions Pro Components
Restart all other Actions Pro components.
Any time you make a configuration change to Search Guard, you need to run sgadmin.sh again.