Elasticsearch Authentication

Must-share information (formatted with Markdown):

  • which versions are you using (SonarQube, Scanner, Plugin, and any relevant extension)
    • SonarQube 8.9.8 Data Center Ed running on RHEL 7.9
  • what are you trying to achieve
  • what have you tried so far to achieve this:
    I created a certificate on our internal CA
    • TLS, SHA256RSA
    • Public key encryption is RSA 2048
    • I downloaded the cert in both pfx and jks formats
      I uploaded the certs to 1 of the Search nodes in /apps/certs/ ( I created the certs folder )
      I extracted the certificate and key
    • openssl pkcs12 -in dev.pfx -clcerts -nokeys -out sonardevcert.crt
    • put in the password used when creating the cert
    • openssl pkcs12 -in dev.pfx -nocerts -out private.key
    • put in the password used when creating the cert
      Generate the keystore
    • openssl pkcs12 -export -in sonardevcert.crt -inkey private.key -out keystore.p12
      Generate the truststore
    • keytool -import -trustcacerts -keystore keystore.p12 -storepass mypass -noprompt -file sonardevcert.crt -alias sonardev

I put the following in sonar.properties
sonar.cluster.search.password=xxxxxxxxxxxxxxxxxx
sonar.cluster.es.ssl.keystore=/apps/certs/keystore.p12
sonar.cluster.es.ssl.truststore=/apps/certs/sonardevcert.crt
sonar.cluster.es.ssl.keystorePassword=xxxxxxxxxxxxxxxxxxxxxxx
sonar.cluster.es.ssl.truststorePassword=xxxxxxxxxxxxxxxxxxxxxxx

I restarted the search node. I see the following in the log in the search node.
ElasticsearchSecurityException[failed to load SSL configuration [xpack.security.transport.ssl]]; nested: ElasticsearchException[failed to initialize SSL TrustManager]; nested: IOException[Invalid keystore format];
Likely root cause: java.io.IOException: Invalid keystore format
at java.base/sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:670)
at java.base/sun.security.util.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:222)
at java.base/java.security.KeyStore.load(KeyStore.java:1479)

I’ve tried many different ways and also regenerated the keys and certs using the jks instead of the pfx file. All with the same result.

Can anyone provide some assistance? Does anyone know what the proper keystore format is outside of just being pkcs12?

Thanks in advance for any assistance anyone could provide.
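
The trace above ends in JavaKeyStore.engineLoad, the JDK's JKS reader, which throws "Invalid keystore format" when a file does not begin with the JKS magic number 0xFEEDFEED. As an added example (not part of the original post and not SonarQube tooling), this shell function, whose name `keystore_format` is hypothetical, reports which container format a file actually has, so each path set in sonar.properties can be checked before a restart; it goes slightly beyond the thread by also recognising JCEKS and bare DER certificates.

```shell
#!/bin/sh
# Added example: classify a keystore/truststore candidate by its leading bytes.
# keystore_format is a hypothetical helper name, not a JDK or SonarQube command.

keystore_format() {
    f=$1
    [ -r "$f" ] || { echo "unreadable"; return 1; }

    # First eight bytes as one lowercase hex string, e.g. "feedfeed00000002".
    head8=$(od -An -tx1 -N8 "$f" | tr -d ' \n')

    case "$head8" in
        feedfeed*)        echo "JKS" ;;      # magic checked by JavaKeyStore
        cececece*)        echo "JCEKS" ;;    # magic of the JCEKS store type
        3082????020103*)  echo "PKCS12" ;;   # DER SEQUENCE, then INTEGER 3 (PFX version)
        3080020103*)      echo "PKCS12" ;;   # same, BER indefinite-length form
        3082????30*)      echo "DER certificate" ;;  # SEQUENCE containing a SEQUENCE
        *)
            # openssl pkcs12 writes "Bag Attributes" text before the PEM
            # header, so look for the marker anywhere in the file.
            if grep -q -- '-----BEGIN ' "$f"; then
                echo "PEM"
            else
                echo "unknown"
            fi
            ;;
    esac
}

# Classify every file named on the command line, for example:
#   sh keystore_format.sh /apps/certs/keystore.p12 /apps/certs/sonardevcert.crt
for f in "$@"; do
    printf '%s: %s\n' "$f" "$(keystore_format "$f")"
done
```

A file reported as PEM or unknown is plain text or something else as far as a keystore loader is concerned, whatever its extension says.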

Hey John,

As this relates to cluster configuration on a DCE instance, you will probably receive better support by opening a ServiceDesk ticket with SonarSource Support.

Hi Colin. Thanks for your response. I opened a ServiceDesk ticket first, but the person assisting there doesn’t seem to understand the issue. Do you have any information/documentation you can share regarding setting up the authentication? We’ve been scouring the internet on this for a week now for additional information and there doesn’t seem to be much out there regarding this.