XPack: active_directory ssl.truststore.password (docs vs code) #41663

@chriswhite199

Bug Report:

Elasticsearch version 7.0.0
Plugins installed: []
JVM version (java -version):
OS version (uname -a if on a Unix-like system):
Description of the problem including expected versus actual behavior:

The docs note that to use a truststore paired with an active_directory authentication realm, you should use the configuration suffix ssl.truststore.password, but this errors with unknown setting [xpack.security.authc.realms.active_directory.myrealm.ssl.truststore.password]

Instead, inspection of the code, and testing, shows that the property looked for is truststore.password, as can be seen at https://github.com/elastic/elasticsearch/blob/master/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/ssl/SSLConfigurationSettings.java#L119:

```java
public static final Function<String, Setting.AffixSetting<SecureString>> LEGACY_TRUST_STORE_PASSWORD_REALM = realmType ->
        Setting.affixKeySetting("xpack.security.authc.realms." + realmType + ".", "truststore.password",
                LEGACY_TRUSTSTORE_PASSWORD_TEMPLATE);
```

The corresponding ssl.truststore.path can be seen to use the ssl prefix in the code (line 107):

```java
public static final Function<String, Setting.AffixSetting<Optional<String>>> TRUST_STORE_PATH_REALM = realmType ->
        Setting.affixKeySetting("xpack.security.authc.realms." + realmType + ".", "ssl.truststore.path", TRUST_STORE_PATH_TEMPLATE);
```

Steps to reproduce:

  1. Configure an active_directory realm with a truststore + password, as detailed using the documentation properties

```yaml
xpack.security.authc.realms.active_directory.myrealm:
  ssl:
    verification_mode: full
    truststore:
      path: certs/cacerts.jks
      password: changeit
```

  2. Whereas currently, 7.0.0 requires this setup instead (contradictory to the docs), but then there is an error loading the keystore (password verification failed), which I can only assume is because the password is not being picked up (manual keytool verification works)

```yaml
xpack.security.authc.realms.active_directory.myrealm:
  ssl:
    verification_mode: full
    truststore:
      path: certs/cacerts.jks
  truststore:
    password: changeit
```
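
The mismatch reported above, as an added example (not Elasticsearch code and not part of the original issue): a simplified Python model of affix-key matching that flattens each YAML variant into dotted keys and lists the keys matching none of the suffixes quoted in the issue. The `[^.]+` realm-name pattern, the function names, and treating `ssl.verification_mode` as a registered suffix are assumptions.

```python
import re

REALM_PREFIX = "xpack.security.authc.realms."
# First two suffixes come from the Java excerpts quoted in the issue;
# ssl.verification_mode is assumed registered (the issue only shows it in YAML).
KNOWN_SUFFIXES = ("truststore.password", "ssl.truststore.path", "ssl.verification_mode")

def flatten(node, prefix=""):
    """Turn nested YAML-style mappings into the dotted keys the node validates."""
    flat = {}
    for key, value in node.items():
        dotted = f"{prefix}.{key}" if prefix else key
        if isinstance(value, dict):
            flat.update(flatten(value, dotted))
        else:
            flat[dotted] = value
    return flat

def affix_pattern(realm_type, suffix):
    """Model of an affix key: prefix + realmType + "." + <realm name> + "." + suffix."""
    head = re.escape(f"{REALM_PREFIX}{realm_type}.")
    return re.compile(head + r"[^.]+\." + re.escape(suffix) + r"$")

def unknown_settings(config, realm_type="active_directory"):
    """Return the flattened keys that match no known affix setting."""
    patterns = [affix_pattern(realm_type, s) for s in KNOWN_SUFFIXES]
    return sorted(k for k in flatten(config) if not any(p.match(k) for p in patterns))

REALM = "xpack.security.authc.realms.active_directory.myrealm"
# Constructed from the two YAML snippets in the issue.
DOCS_CONFIG = {REALM: {"ssl": {"verification_mode": "full",
                               "truststore": {"path": "certs/cacerts.jks",
                                              "password": "changeit"}}}}
CODE_CONFIG = {REALM: {"ssl": {"verification_mode": "full",
                               "truststore": {"path": "certs/cacerts.jks"}},
                       "truststore": {"password": "changeit"}}}

if __name__ == "__main__":
    for name, cfg in (("docs", DOCS_CONFIG), ("code", CODE_CONFIG)):
        for key in unknown_settings(cfg):
            print(f"{name}: unknown setting [{key}]")
```

Running it prints one line for the documented layout and nothing for the layout the code accepts, which is the same asymmetry the issue describes.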
