Shutdown Kibana on usages of PKCS12 truststore/keystore config #192627
Conversation
Pinging @elastic/kibana-security (Team:Security)
LGTM! Thank you for the detailed testing instructions!
Great work! Left a couple of nits!
```
const logger = loggingSystemMock.create().get();

try {
  checkFipsConfig(config, logger);
  checkFipsConfig(securityConfig, {}, {}, logger);
```
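Review bot: the try block in this hunk has no assertion after `checkFipsConfig(securityConfig, {}, {}, logger);`, so if the function ever stops throwing, the test passes silently instead of failing; add `fail('FIPS config check did not throw')` on the line after the call (the same applies to the other try/catch blocks written this way). The two bare `{}` arguments also give no hint which config objects they stand in for; binding them to named constants before the call would make the test self-documenting.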
nit: what do you think about adding this on the next line? `fail('FIPS config check did not throw')` (ditto for other try catches like this)
++ added in latest commit
```
if (isFipsConfigEnabled !== isNodeRunningWithFipsEnabled) {
  logger.error(
    `Configuration mismatch error. xpack.security.experimental.fipsMode.enabled is set to ${isFipsConfigEnabled} and the configured Node.js environment has FIPS ${
      isNodeRunningWithFipsEnabled ? 'enabled' : 'disabled'
    }`
  );

  process.exit(78);
```
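Review bot: `process.exit(78)` at the end of this hunk terminates the process directly, so nothing Core would normally do on shutdown runs after the `logger.error(...)` call above it; raising the condition through the shutdown path instead (an error object that carries the message and the exit code) keeps the same exit status while letting Core tear down in order, and is easier to assert on in tests than a process exit. The 78 is also a bare magic number: it is EX_CONFIG in sysexits(3), so naming it as such would document why that value was chosen.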
Nit: I know `process.exit` is pre-existing, but I thought we could leverage the "shutdown" listener by throwing a `CriticalError` like this that allows providing a message and an exit code.
Happy to stick with the current approach, my primary thought was just to give Core the chance to run the shutdown lifecycle and might make testing a little bit easier 🤷🏻
I like the `CriticalError` approach, thanks for showing us this, @jloleysens!
++ added in latest commit - thank you for the guidance!!! It is way cleaner 🚀
/ci
💚 Build Succeeded
Retested with latest changes. LGTM!
Starting backport for target branches: 8.16, 8.x
💚 All backports created successfully
Note: Successful backport PRs will be merged automatically after passing CI. Questions? Please refer to the Backport tool documentation.
## Summary
Closes #169741
PKCS12 truststores/keystores are not FIPS compliant and should not be used when running in FIPS mode.
Users will be notified when they try to start KB in FIPS mode and are using the flagged settings, and KB will exit.
## Testing
You will need to generate a PKCS12 container (*.p12) file and have it stored somewhere that your local KB can access.
To generate a PKCS12 to use:
- `openssl req -x509 -newkey rsa:4096 -keyout myPrivateKey.pem -out myCertificate.crt`
- `openssl pkcs12 -export -out keyStore.p12 -inkey myPrivateKey.pem -in myCertificate.crt`
  - Set password to `test`
Put the `.p12` file in your `config` directory (not required, but you can copy and paste these commands easier).
Start an ES instance in a method of your choosing, but not using yarn es snapshot. I like to use an 8.16.0-snapshot from the `.es/cache` directory by running `tar -xzvf elasticsearch-8.16.0-SNAPSHOT-darwin-aarch64.tar.gz` and cd into the new directory's `bin` folder to run `./elasticsearch`.
In a new terminal window, navigate to the top level of your elasticsearch folder and run:
`curl -X POST --cacert config/certs/http_ca.crt -u elastic:YOUR_PASSWORD_HERE "https://localhost:9200/_license/start_trial?acknowledge=true&pretty"`
This will enable the trial license for ES.
Ensure you have Docker running locally.
From any command line, run:
```
docker run --rm -it \
-v "$(pwd)"/config/keyStore.p12:/keyStore.p12:ro \
-e XPACK_SECURITY_FIPSMODE_ENABLED='true' \
-e ELASTICSEARCH_SSL_TRUSTSTORE_PATH='/keyStore.p12' \
-e ELASTICSEARCH_SSL_TRUSTSTORE_PASSWORD='test' \
-e ELASTICSEARCH_SSL_KEYSTORE_PATH='/keyStore.p12' \
-e ELASTICSEARCH_SSL_KEYSTORE_PASSWORD='test' \
-e SERVER_SSL_TRUSTSTORE_PATH='/keyStore.p12' \
-e SERVER_SSL_TRUSTSTORE_PASSWORD='test' \
-e SERVER_SSL_KEYSTORE_PATH='/keyStore.p12' \
-e SERVER_SSL_KEYSTORE_PASSWORD='test' \
-p 5601:5601/tcp docker.elastic.co/kibana-ci/kibana-ubi-fips:9.0.0-SNAPSHOT-92aeabf477867dc1768f9048b159f01f2ab1fcc3
```
This will start Kibana into Interactive Setup mode; copy and paste the token from the ES startup logs.
In your logs, you will see an error letting users know that PKCS12 settings are not allowed in FIPS.
It should look like: (screenshot: "Screenshot 2024-09-11 at 1 57 22 PM")
## Release note
When running in FIPS mode, Kibana will forbid usage of PKCS12 configuration options.
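As an added example (not Kibana's code and not the PR's `checkFipsConfig`), a TypeScript pre-flight check that reads the `-e NAME='value'` pairs out of a `docker run` command like the one in the testing steps, maps them to dotted Kibana settings (assumed: lower-cased, underscores to dots, matched case-insensitively against known setting names, which is how the Kibana image is assumed to translate environment variables), and reports which PKCS12 keystore/truststore settings would make a FIPS-mode Kibana exit with status 78 before the container is ever started. `parseDockerEnvArgs`, `fipsPreflight`, `PKCS12_SETTINGS` and the sample command are this example's own names and constructed input.

```typescript
// Added example, not Kibana's own code: a pre-flight check that mirrors the
// PKCS12-in-FIPS-mode rule this PR enforces, applied to the environment a
// Kibana container would be started with, before the container is started.

/** Kibana settings that point at a PKCS12 keystore/truststore (the four the PR's
 *  docker command sets). Assumed list; extend it if your deployment sets others. */
export const PKCS12_SETTINGS: readonly string[] = [
  'elasticsearch.ssl.keystore.path',
  'elasticsearch.ssl.truststore.path',
  'server.ssl.keystore.path',
  'server.ssl.truststore.path',
];
/** Both spellings of the FIPS flag that appear on the PR page. */
const FIPS_FLAGS: readonly string[] = [
  'xpack.security.fipsMode.enabled',
  'xpack.security.experimental.fipsMode.enabled',
];
/** Exit status the PR uses; 78 is EX_CONFIG in sysexits(3). */
export const EX_CONFIG = 78;

/** Pull `-e NAME=value` pairs (single-, double-quoted or bare) out of a docker run command. */
export function parseDockerEnvArgs(command: string): Record<string, string> {
  const env: Record<string, string> = {};
  const re = /-e\s+([A-Za-z_][A-Za-z0-9_]*)=(?:'([^']*)'|"([^"]*)"|([^\s\\]+))/g;
  let m: RegExpExecArray | null;
  while ((m = re.exec(command)) !== null) {
    env[m[1]] = m[2] ?? m[3] ?? m[4] ?? '';
  }
  return env;
}

/** SERVER_SSL_KEYSTORE_PATH -> server.ssl.keystore.path (lower-cased). Assumed to match
 *  how the Kibana image turns environment variables into kibana.yml settings. */
function envKeyToSettingKey(name: string): string {
  return name.toLowerCase().replace(/_/g, '.');
}

export interface PreflightResult {
  fipsEnabled: boolean;
  pkcs12Settings: string[]; // dotted settings that would trigger the shutdown
  exitCode: number; // 0 when Kibana would start, EX_CONFIG when it would exit
}

export function fipsPreflight(env: Record<string, string>): PreflightResult {
  const settings: Record<string, string> = {};
  for (const name of Object.keys(env)) {
    settings[envKeyToSettingKey(name)] = env[name];
  }
  // Case-insensitive lookup so camelCase setting names match upper-case env vars.
  const lookup = (setting: string): string | undefined => settings[setting.toLowerCase()];
  const fipsEnabled = FIPS_FLAGS.some((flag) => lookup(flag) === 'true');
  const pkcs12Settings = PKCS12_SETTINGS.filter((s) => (lookup(s) ?? '') !== '');
  const exitCode = fipsEnabled && pkcs12Settings.length > 0 ? EX_CONFIG : 0;
  return { fipsEnabled, pkcs12Settings, exitCode };
}

/** Constructed sample: the docker invocation from the PR's testing steps. */
export const SAMPLE_DOCKER_RUN = `docker run --rm -it \\
  -v "$(pwd)"/config/keyStore.p12:/keyStore.p12:ro \\
  -e XPACK_SECURITY_FIPSMODE_ENABLED='true' \\
  -e ELASTICSEARCH_SSL_TRUSTSTORE_PATH='/keyStore.p12' \\
  -e ELASTICSEARCH_SSL_TRUSTSTORE_PASSWORD='test' \\
  -e ELASTICSEARCH_SSL_KEYSTORE_PATH='/keyStore.p12' \\
  -e ELASTICSEARCH_SSL_KEYSTORE_PASSWORD='test' \\
  -e SERVER_SSL_TRUSTSTORE_PATH='/keyStore.p12' \\
  -e SERVER_SSL_TRUSTSTORE_PASSWORD='test' \\
  -e SERVER_SSL_KEYSTORE_PATH='/keyStore.p12' \\
  -e SERVER_SSL_KEYSTORE_PASSWORD='test' \\
  -p 5601:5601/tcp docker.elastic.co/kibana-ci/kibana-ubi-fips:9.0.0-SNAPSHOT-92aeabf477867dc1768f9048b159f01f2ab1fcc3`;

const verdict = fipsPreflight(parseDockerEnvArgs(SAMPLE_DOCKER_RUN));
if (verdict.exitCode !== 0) {
  console.error(`FIPS mode is on but PKCS12 stores are configured: ${verdict.pkcs12Settings.join(', ')}`);
  console.error(`Kibana would exit with status ${verdict.exitCode}; switch these to PEM certificate/key settings.`);
} else {
  console.log('No PKCS12 settings conflict with FIPS mode; Kibana would start.');
}
```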