
I am trying to connect to my Elasticsearch server using the Java API and Shield. I can execute index, get, delete and search operations on the existing cluster using the Sense plugin (e.g.) and via curl on 9200. I've seen other threads about this, but none of them worked and none of them were trying to connect to an Elasticsearch web server with Shield.

I used the same API to connect to Elasticsearch on my localhost and it worked fine; however, when I try to connect to my web server I always get the same error:

Error

1342 [main] DEBUG org.elasticsearch.shield.transport.netty  - [Benjamin Jacob Grimm] connected to node [{#transport#-1}{HOST_IP}{HOST/HOST_IP:9300}]
1431 [elasticsearch[Benjamin Jacob Grimm][generic][T#1]] DEBUG org.elasticsearch.shield.transport.netty  - [Benjamin Jacob Grimm] disconnecting from [{#transport#-1}{HOST_IP}{HOST/HOST_IP:9300}], channel closed event
1463 [main] INFO org.elasticsearch.client.transport  - [Benjamin Jacob Grimm] failed to get node info for {#transport#-1}{HOST_IP}{HOST/HOST_IP:9300}, disconnecting...
NodeDisconnectedException[[][HOST/HOST_IP:9300][cluster:monitor/nodes/liveness] disconnected]

...9200/_nodes

"cluster_name": "elasticsearch",
   "nodes": {
      "UYdZbCQKQZavtFYOoUpawg": {
         "name": "Desmond Pitt",
         "transport_address": "HOST_IP:9300",
         "host": "HOST_IP",
         "ip": "HOST_IP",
         "version": "2.3.3",
         "build": "218bdf1",
         "http_address": "HOST_IP:9200",
         "settings": {
            "pidfile": "/var/run/elasticsearch/elasticsearch.pid",
            "cluster": {
               "name": "elasticsearch"
            },
            "path": {
               "conf": "/etc/elasticsearch",
               "data": "/var/lib/elasticsearch",
               "logs": "/var/log/elasticsearch",
               "home": "/usr/share/elasticsearch"
            },
            "shield": {
               "http": {
                  "ssl": "true"
               },
               "https": {
                  "ssl": "true"
               },
               "transport": {
                  "ssl": "true"
               }
            },
            "name": "Desmond Pitt",
            "client": {
               "type": "node"
            },
            "http": {
               "cors": {
                  "allow-origin": "*",
                  "allow-headers": "Authorization, Origin, X-Requested-With, Content-Type, Accept",
                  "allow-credentials": "true",
                  "allow-methods": "OPTIONS, HEAD, GET, POST, PUT, DELETE",
                  "enabled": "true"
               }
            },
            "index": {
               "queries": {
                  "cache": {
                     "type": "opt_out_cache"
                  }
               }
            },
            "foreground": "false",
            "config": {
               "ignore_system_properties": "true"
            },
            "network": {
               "host": "HOST_IP",
               "bind_host": "0.0.0.0",
               "publish_host": "HOST_IP"
            }
         }

Java code:

TransportClient client = TransportClient.builder()
    .addPlugin(ShieldPlugin.class)
    .settings(Settings.builder()
        .put("cluster.name", ClusterName)
        .put("shield.user", "USER:PASSWORD")
        .build())
    .build()
    .addTransportAddress(new InetSocketTransportAddress(InetAddress.getByName(HOST), 9300));

As suggested in "Can't connect to ElasticSearch server using Java API", I've tried to sync the Java version of my Java API client with my server's, and currently I'm using:

Java API:

C:\Program Files\Java\jdk1.8.0_92

Server:

"version": "1.8.0_91",
"vm_name": "OpenJDK 64-Bit Server VM",

I don't know if using ...0_91 and 0_92 is a problem, but it doesn't seem to make any difference because the Java API works well on my localhost server.

If you need more information feel free to ask. Thanks in advance!

UPDATE:

Changes I did in elasticsearch.yml

shield.ssl.keystore.path:          /usr/share/elasticsearch/bin/shield/elastic.jks
shield.ssl.keystore.password:      password
shield.ssl.keystore.key_password:  password

shield.transport.ssl: true
shield.http.ssl: true
shield.https.ssl: true

network.host: HOST_IP
network.publish_host: HOST_IP
shield.ssl.hostname_verification.resolve_name: false

Result of https://HOST:9200/_cluster/health?pretty=true

{
   "cluster_name": "elasticsearch",
   "status": "yellow",
   "timed_out": false,
   "number_of_nodes": 1,
   "number_of_data_nodes": 1,
   "active_primary_shards": 5,
   "active_shards": 5,
   "relocating_shards": 0,
   "initializing_shards": 0,
   "unassigned_shards": 5,
   "delayed_unassigned_shards": 0,
   "number_of_pending_tasks": 0,
   "number_of_in_flight_fetch": 0,
   "task_max_waiting_in_queue_millis": 0,
   "active_shards_percent_as_number": 50
}

UPDATE2:

I've tried to activate SSL according to the official documentation and I got the following errors:

2082 [elasticsearch[Steel Serpent][transport_client_worker][T#1]{New I/O worker #1}] DEBUG org.elasticsearch.shield.transport.netty  - [Steel Serpent] SSL/TLS handshake failed, closing channel: null
java.nio.channels.ClosedChannelException
    at org.jboss.netty.handler.ssl.SslHandler.channelDisconnected(SslHandler.java:575)
    at org.jboss.netty.channel.SimpleChannelUpstreamHandler.handleUpstream(SimpleChannelUpstreamHandler.java:102)
    at org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:564)
    at org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:559)
    at org.jboss.netty.channel.Channels.fireChannelDisconnected(Channels.java:396)
    at org.jboss.netty.channel.socket.nio.AbstractNioWorker.close(AbstractNioWorker.java:360)
    at org.jboss.netty.channel.socket.nio.NioWorker.read(NioWorker.java:93)
    at org.jboss.netty.channel.socket.nio.AbstractNioWorker.process(AbstractNioWorker.java:108)
    at org.jboss.netty.channel.socket.nio.AbstractNioSelector.run(AbstractNioSelector.java:337)
    at org.jboss.netty.channel.socket.nio.AbstractNioWorker.run(AbstractNioWorker.java:89)
    at org.jboss.netty.channel.socket.nio.NioWorker.run(NioWorker.java:178)
    at org.jboss.netty.util.ThreadRenamingRunnable.run(ThreadRenamingRunnable.java:108)
    at org.jboss.netty.util.internal.DeadLockProofWorker$1.run(DeadLockProofWorker.java:42)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at java.lang.Thread.run(Thread.java:745)

Temporary Solution

After that attempt, I did as Vladislav Kysliy suggested and disabled SSL, and it worked, but I'm looking for a real solution and not a temporary one.

  • Could you describe what value is set to ClusterName? Commented Jul 8, 2016 at 9:49
  • I'm using the default value as said in the documentation: "elasticsearch", but I've also tried with the cluster id and got the same results. Commented Jul 8, 2016 at 10:14
  • You know, I've set up a new Elasticsearch instance with the Shield plugin and used your code, and it works very well. Do you have any code after the line with TransportClient? Commented Jul 8, 2016 at 12:36
  • No, I get the errors after this code. Could there be a problem with my installation or with elasticsearch.yml? Or maybe I'm not running the Java API properly. Commented Jul 8, 2016 at 13:15
  • It can be. Did you change the default config? Could you add the output of "localhost:9200/_cluster/health?pretty=true"? Commented Jul 8, 2016 at 13:31

1 Answer

As I can see, you enabled SSL encryption, but your Java code didn't activate SSL. According to the official documentation you should use something like this:

TransportClient client = TransportClient.builder()
    .addPlugin(ShieldPlugin.class)
    .settings(Settings.builder()
        .put("cluster.name", "myClusterName")
        .put("shield.user", "transport_client_user:changeme")
        // keystore the client uses for the TLS handshake on the transport port
        .put("shield.ssl.keystore.path", "/path/to/client.jks")
        .put("shield.ssl.keystore.password", "password")
        // must match the node's shield.transport.ssl setting
        .put("shield.transport.ssl", "true")
        // ... (further settings elided in the original)
        .build())
    .build();

Moreover, I would test my code without any encryption and add new features (e.g. SSL) to the config and code step by step.

UPD: To be honest, remotely fixing SSL issues will be tricky. These errors often appear when the client sends an invalid SSL certificate. You probably need to disable client auth.

Because you use SSL + Shield, the main idea is to check your functionality step by step: disable SSL and check in the Java API client, then enable SSL and check again.


4 Comments

I've tried this but still get errors like: [elasticsearch[Powerpax][transport_client_worker][T#1]{New I/O worker #1}] DEBUG org.elasticsearch.netty.handler.ssl.SslHandler - SSLEngine.closeInbound() raised an exception after a handshake failure. javax.net.ssl.SSLException: Inbound closed before receiving peer's close_notify: possible truncation attack?
No, I've used my company certificate that they already had for the website.
@Emanuel I've updated my answer, and don't be shy about adding exceptions to your question. It would be helpful for other people who will try to help. Thanks!
I did what you said and indexed with my Java API with SSL disabled, and it worked. However, I can't stay with SSL disabled 'cause our website doesn't accept HTTP responses from Elastic. For now I'll stay with this solution, but I'll update my question with all that I've tried with your help and hope that someone has a solution for the problem. Thanks :)
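
The mismatch the answer points at (the node has shield.transport.ssl: true while the question's client sets no SSL options) can be caught before connecting. The following is an added example, not code from the question, the answer or Shield; the class and method names are hypothetical, and it assumes that an unset shield.transport.ssl.client.auth on the node means a client certificate is required.

```java
import java.util.*;

// Added example (not from the thread): compare node and client Shield TLS settings.
public class ShieldTlsPreflight {

    static boolean on(Map<String, String> s, String key) {
        return "true".equalsIgnoreCase(s.get(key));
    }

    // Returns one finding per mismatch that would break the connection on port 9300.
    static List<String> check(Map<String, String> node, Map<String, String> client) {
        List<String> findings = new ArrayList<>();
        boolean nodeTls = on(node, "shield.transport.ssl");
        boolean clientTls = on(client, "shield.transport.ssl");
        if (nodeTls != clientTls) {
            findings.add("shield.transport.ssl: node=" + nodeTls + ", client=" + clientTls
                    + " (one side speaks TLS, the other plaintext)");
        }
        // Assumption: an unset shield.transport.ssl.client.auth means "required".
        String clientAuth = node.getOrDefault("shield.transport.ssl.client.auth", "required");
        boolean hasKeystore = client.containsKey("shield.ssl.keystore.path");
        if (nodeTls && "required".equals(clientAuth) && !hasKeystore) {
            findings.add("node requires a client certificate, client sets no shield.ssl.keystore.path");
        }
        if (hasKeystore && !client.containsKey("shield.ssl.keystore.password")) {
            findings.add("shield.ssl.keystore.path is set without shield.ssl.keystore.password");
        }
        return findings;
    }

    public static void main(String[] args) {
        Map<String, String> node = new HashMap<>();      // from the question's elasticsearch.yml
        node.put("shield.transport.ssl", "true");
        node.put("shield.ssl.keystore.path", "/usr/share/elasticsearch/bin/shield/elastic.jks");

        Map<String, String> asked = new HashMap<>();     // settings in the question's Java code
        asked.put("cluster.name", "elasticsearch");
        asked.put("shield.user", "USER:PASSWORD");

        Map<String, String> answered = new HashMap<>(asked);  // plus the answer's SSL settings
        answered.put("shield.ssl.keystore.path", "/path/to/client.jks");
        answered.put("shield.ssl.keystore.password", "password");
        answered.put("shield.transport.ssl", "true");

        System.out.println("question's client: " + check(node, asked));
        System.out.println("answer's client:   " + check(node, answered));
    }
}
```

An empty result only means the settings line up. The handshake still fails if the node does not trust the certificate in the client keystore, which is the case the answer's update describes.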
