Skip to content

Monitoring Exporter attempts to read closed SecureSettings #30344

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
mellieA opened this issue May 2, 2018 · 5 comments
Closed

Monitoring Exporter attempts to read closed SecureSettings #30344

mellieA opened this issue May 2, 2018 · 5 comments
Assignees
@tvernum
Labels
:Data Management/Monitoring :Security/Authentication Logging in, Usernames/passwords, Realms (Native/LDAP/AD/SAML/PKI/etc)

Comments

@mellieA
Copy link

mellieA commented May 2, 2018

Using 6.2.3 and secure monitoring settings below causes bootstrap errors below:

java.lang.IllegalStateException: password has been cleared
        at java.security.KeyStore$PasswordProtection.getPassword(KeyStore.java:347) ~[?:1.8.0_161]
        at sun.security.pkcs12.PKCS12KeyStore.engineGetEntry(PKCS12KeyStore.java:1304) ~[?:?]
        at java.security.KeyStore.getEntry(KeyStore.java:1521) ~[?:1.8.0_161]
        at org.elasticsearch.common.settings.KeyStoreWrapper.getString(KeyStoreWrapper.java:351) ~[elasticsearch-6.2.3.jar:6.2.3]
        at org.elasticsearch.common.settings.Settings$PrefixedSecureSettings.getString(Settings.java:1450) ~[elasticsearch-6.2.3.jar:6.2.3]
        at org.elasticsearch.common.settings.SecureSetting$SecureStringSetting.getSecret(SecureSetting.java:153) ~[elasticsearch-6.2.3.jar:6.2.3]
        at org.elasticsearch.common.settings.SecureSetting$SecureStringSetting.getSecret(SecureSetting.java:143) ~[elasticsearch-6.2.3.jar:6.2.3]
        at org.elasticsearch.common.settings.SecureSetting.get(SecureSetting.java:94) ~[elasticsearch-6.2.3.jar:6.2.3]
        at org.elasticsearch.xpack.core.ssl.CertUtils.createKeyConfig(CertUtils.java:216) ~[?:?]
        at org.elasticsearch.xpack.core.ssl.SSLConfiguration.createKeyConfig(SSLConfiguration.java:199) ~[?:?]
        at org.elasticsearch.xpack.core.ssl.SSLConfiguration.<init>(SSLConfiguration.java:82) ~[?:?]
        at org.elasticsearch.xpack.core.ssl.SSLService.sslConfiguration(SSLService.java:345) ~[?:?]
        at org.elasticsearch.xpack.core.ssl.SSLService.sslIOSessionStrategy(SSLService.java:141) ~[?:?]
        at org.elasticsearch.xpack.monitoring.exporter.http.HttpExporter.configureSecurity(HttpExporter.java:461) ~[?:?]
        at org.elasticsearch.xpack.monitoring.exporter.http.HttpExporter.createRestClient(HttpExporter.java:296) ~[?:?]
        at org.elasticsearch.xpack.monitoring.exporter.http.HttpExporter.<init>(HttpExporter.java:229) ~[?:?]
        at org.elasticsearch.xpack.monitoring.exporter.http.HttpExporter.<init>(HttpExporter.java:216) ~[?:?]
        at org.elasticsearch.xpack.monitoring.Monitoring.lambda$createComponents$1(Monitoring.java:148) ~[?:?]
        at org.elasticsearch.xpack.monitoring.exporter.Exporters.initExporters(Exporters.java:162) ~[?:?]
        at org.elasticsearch.xpack.monitoring.exporter.Exporters.doStart(Exporters.java:85) ~[?:?]
        at org.elasticsearch.common.component.AbstractLifecycleComponent.start(AbstractLifecycleComponent.java:66) ~[elasticsearch-6.2.3.jar:6.2.3]
        at java.util.ArrayList.forEach(ArrayList.java:1257) ~[?:1.8.0_161]
        at java.util.Collections$UnmodifiableCollection.forEach(Collections.java:1080) ~[?:1.8.0_161]
        at org.elasticsearch.node.Node.start(Node.java:598) ~[elasticsearch-6.2.3.jar:6.2.3]
        at org.elasticsearch.bootstrap.Bootstrap.start(Bootstrap.java:262) ~[elasticsearch-6.2.3.jar:6.2.3]
        at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:332) [elasticsearch-6.2.3.jar:6.2.3]
        at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:121) [elasticsearch-6.2.3.jar:6.2.3]
        at org.elasticsearch.bootstrap.Elasticsearch.execute(Elasticsearch.java:112) [elasticsearch-6.2.3.jar:6.2.3]
        at org.elasticsearch.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:86) [elasticsearch-6.2.3.jar:6.2.3]
        at org.elasticsearch.cli.Command.mainWithoutErrorHandling(Command.java:124) [elasticsearch-cli-6.2.3.jar:6.2.3]
        at org.elasticsearch.cli.Command.main(Command.java:90) [elasticsearch-cli-6.2.3.jar:6.2.3]
        at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:92) [elasticsearch-6.2.3.jar:6.2.3]
        at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:85) [elasticsearch-6.2.3.jar:6.2.3]

Keystore settings:

sudo /usr/share/elasticsearch/bin/elasticsearch-keystore list 
keystore.seed 
xpack.monitoring.exporters.ppe-mon.ssl.keystore.secure_password 
xpack.security.http.ssl.keystore.secure_password 
xpack.security.transport.ssl.keystore.secure_password

Is there any workaround?

Related to: https://github.com/elastic/x-pack-elasticsearch/issues/3950
@mellieA mellieA added :Data Management/Monitoring :Security/Authentication Logging in, Usernames/passwords, Realms (Native/LDAP/AD/SAML/PKI/etc) labels May 2, 2018
@mellieA
Copy link
Author

mellieA commented May 2, 2018

@tvernum I moved it here :)

@tvernum tvernum self-assigned this May 2, 2018
@tvernum tvernum changed the title PKI bootstrap-check attempts to read Secure monitoring setting Monitoring Exporter attempts to read closed SecureSettings May 2, 2018
@elasticmachine
Copy link
Collaborator

Pinging @elastic/es-core-infra

@hub-cap hub-cap removed the :Security/Authentication Logging in, Usernames/passwords, Realms (Native/LDAP/AD/SAML/PKI/etc) label May 3, 2018
@elasticmachine
Copy link
Collaborator

Pinging @elastic/es-security

@hub-cap hub-cap added the :Security/Authentication Logging in, Usernames/passwords, Realms (Native/LDAP/AD/SAML/PKI/etc) label May 3, 2018
@mellieA
Copy link
Author

mellieA commented May 8, 2018

@tvernum I realize this is a similar but issue than #3950, any idea if there is any sort of workaround for a customer waiting to go into Prod for this?

@tvernum
Copy link
Contributor

tvernum commented May 9, 2018

The only workaround that I'm aware of is to not use secure settings with monitoring.
For now, the key(store) passwords would need to be kept in elasticsearch.yml

@tvernum tvernum mentioned this issue May 10, 2018
Closed
@tvernum tvernum mentioned this issue May 30, 2018
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@tvernum tvernum

Labels
:Data Management/Monitoring :Security/Authentication Logging in, Usernames/passwords, Realms (Native/LDAP/AD/SAML/PKI/etc)
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@hub-cap @tvernum @elasticmachine @mellieA