Elasticsearch security: configuring the Search Guard plugin

  • March 27, 2020
  • Notes

Other articles in the big-data security series

https://www.cnblogs.com/bainianminguo/p/12548076.html - installing Kerberos

https://www.cnblogs.com/bainianminguo/p/12548334.html - Kerberos authentication for Hadoop

https://www.cnblogs.com/bainianminguo/p/12548175.html - Kerberos authentication for ZooKeeper

https://www.cnblogs.com/bainianminguo/p/12584732.html - Kerberos authentication for Hive

 

I. Install Elasticsearch

1. Unpack the archive and rename the directory

tar -zxvf elasticsearch-6.4.3.tar.gz -C /usr/local/
mv /usr/local/elasticsearch-6.4.3/ /usr/local/elasticsearch

  

2. Create the es group and the es user (Elasticsearch refuses to run as root)

[root@cluster1_host1 elasticsearch]# groupadd es
[root@cluster1_host1 elasticsearch]# useradd es -g es
[root@cluster1_host1 elasticsearch]# passwd es

  

3. Change the owner and group of the Elasticsearch directory

chown -R es:es /usr/local/elasticsearch/

  

4. Distribute the installation to the other nodes (repeat for cluster1_host3; the owner must be set to es there as well)

scp -r /usr/local/elasticsearch/ cluster1_host2:/usr/local/

  

5. Edit /etc/security/limits.conf

* soft nofile 65536
* hard nofile 65536
* soft nproc 65536
* hard nproc 65536

  

6. Edit /etc/sysctl.conf

vm.max_map_count=262144

  

7. Start Elasticsearch

Start Elasticsearch as the es user on every node, then confirm that the three nodes have formed a cluster:

[root@cluster1_host1 ~]# curl '10.87.18.31:9200/_cat/nodes?v'
ip          heap.percent ram.percent cpu load_1m load_5m load_15m node.role master name
10.87.18.32           27          12   6    0.59    0.25     0.10 mdi       *      cluster1_host2
10.87.18.33           24          13   7    0.31    0.16     0.07 mdi       -      cluster1_host1
10.87.18.31           28          13   6    0.41    0.24     0.11 mdi       -      cluster1_host1

  

 

 

II. Configure the Search Guard plugin for Elasticsearch

1. Download the Search Guard plugin (the plugin version must match the Elasticsearch version exactly; 6.4.3-25.5 is built for Elasticsearch 6.4.3)

https://repo1.maven.org/maven2/com/floragunn/search-guard-6/6.4.3-25.5/search-guard-6-6.4.3-25.5.zip

 

  

2. Download the Search Guard TLS tool, which will generate the certificates

https://repo1.maven.org/maven2/com/floragunn/search-guard-tlstool/1.7/search-guard-tlstool-1.7.tar.gz

  

3. Disable shard allocation before the restart. The setting is a persistent cluster-wide setting, so sending it once to any node is enough; replace cluster1_host3 with the hostname of the node you send it to.

curl -Ss -XPUT 'http://cluster1_host3:9200/_cluster/settings?pretty' -H 'Content-Type: application/json' -d'
{
  "persistent": {
    "cluster.routing.allocation.enable": "none"
  }
}
'

  

Then stop Elasticsearch on every node.

4. Install the Search Guard plugin. This has to be done on every node. The -b (batch) flag answers the plugin's security-permission prompt automatically; run it once without -b if you want to see which additional Java permissions the plugin asks for.

[es@cluster1_host1 bin]$ ./elasticsearch-plugin install -b file:///es/search-guard-6-6.4.3-25.5.zip
-> Downloading file:///es/search-guard-6-6.4.3-25.5.zip

 

  

5. Unpack the TLS tool that will generate the certificates (the target directory must exist before tar can extract into it)

mkdir -p /usr/local/search-guard-tlstool/
tar -zxvf search-guard-tlstool-1.7.tar.gz -C /usr/local/search-guard-tlstool/

 

  

6. Copy the example configuration file

[es@cluster1_host1 config]$ cp example.yml tlsconfig.yml
[es@cluster1_host1 config]$ ll
total 24
-rw-r--r--. 1 es es 4731 Jun  5  2019 example.yml
-rw-r--r--. 1 es es 5634 Jun  5  2019 template.yml
-rw-r--r--. 1 es es 4731 Feb 29 02:43 tlsconfig.yml
[es@cluster1_host1 config]$ pwd
/usr/local/search-guard-tlstool/config
[es@cluster1_host1 config]$

  

7. Edit the configuration file

The changes against example.yml are: every pkPassword is set to the same fixed value (teststt) instead of auto, httpsEnabled is set to true so that separate HTTP-layer certificates are produced, and the nodes section lists the three cluster hosts with their DN, DNS name and IP (the DNS name and IP end up in the certificate's SAN). Two things a production setup should change: use a distinct, strong key password per node (or pkPassword: none plus strict file permissions), and drop the crlDistributionPoints line, which in the example points at floragunn's unit-test CRL rather than a CRL you publish.

[es@cluster1_host1 config]$ cat tlsconfig.yml
###
### Self-generated certificate authority
###
#
# If you want to create a new certificate authority, you must specify its parameters here.
# You can skip this section if you only want to create CSRs
#
ca:
   root:
      # The distinguished name of this CA. You must specify a distinguished name.
      dn: CN=root.ca.example.com,OU=CA,O=Example Com, Inc.,DC=example,DC=com

      # The size of the generated key in bits
      keysize: 2048

      # The validity of the generated certificate in days from now
      validityDays: 3650

      # Password for private key
      #   Possible values:
      #   - auto: automatically generated password, returned in config output;
      #   - none: unencrypted private key;
      #   - other values: other values are used directly as password
      pkPassword: teststt

      # The name of the generated files can be changed here
      file: root-ca.pem

   # If you want to use an intermediate certificate as signing certificate,
   # please specify its parameters here. This is optional. If you remove this section,
   # the root certificate will be used for signing.
   intermediate:
      # The distinguished name of this CA. You must specify a distinguished name.
      dn: CN=signing.ca.example.com,OU=CA,O=Example Com, Inc.,DC=example,DC=com

      # The size of the generated key in bits
      keysize: 2048

      # The validity of the generated certificate in days from now
      validityDays: 3650

      pkPassword: teststt

      # If you have a certificate revocation list, you can specify its distribution points here
      crlDistributionPoints: URI:https://raw.githubusercontent.com/floragunncom/unittest-assets/master/revoked.crl

###
### Default values and global settings
###
defaults:

      # The validity of the generated certificate in days from now
      validityDays: 3650

      # Password for private key
      #   Possible values:
      #   - auto: automatically generated password, returned in config output;
      #   - none: unencrypted private key;
      #   - other values: other values are used directly as password
      pkPassword: teststt

      # Specifies to recognize legitimate nodes by the distinguished names
      # of the certificates. This can be a list of DNs, which can contain wildcards.
      # Furthermore, it is possible to specify regular expressions by
      # enclosing the DN in //.
      # Specification of this is optional. The tool will always include
      # the DNs of the nodes specified in the nodes section.
      #nodesDn:
      #- "CN=*.example.com,OU=Ops,O=Example Com\, Inc.,DC=example,DC=com"
      # - 'CN=node.other.com,OU=SSL,O=Test,L=Test,C=DE'
      # - 'CN=*.example.com,OU=SSL,O=Test,L=Test,C=DE'
      # - 'CN=elk-devcluster*'
      # - '/CN=.*regex/'

      # If you want to use OIDs to mark legitimate node certificates,
      # the OID can be included in the certificates by specifying the following
      # attribute

      # nodeOid: "1.2.3.4.5.5"

      # The length of auto generated passwords
      generatedPasswordLength: 12

      # Set this to true in order to generate config and certificates for
      # the HTTP interface of nodes
      httpsEnabled: true

      # Set this to true in order to re-use the node transport certificates
      # for the HTTP interfaces. Only recognized if httpsEnabled is true

      # reuseTransportCertificatesForHttp: false

      # Set this to true to enable hostname verification
      #verifyHostnames: false

      # Set this to true to resolve hostnames
      #resolveHostnames: false

###
### Nodes
###
#
# Specify the nodes of your ES cluster here
#
nodes:
  - name: cluster1_host1
    dn: CN=cluster1_host1,OU=Ops,O=Example Com, Inc.,DC=example,DC=com
    dns: cluster1_host1
    ip: 10.87.18.31
  - name: cluster1_host2
    dn: CN=cluster1_host2,OU=Ops,O=Example Com, Inc.,DC=example,DC=com
    dns: cluster1_host2
    ip: 10.87.18.32
  - name: cluster1_host3
    dn: CN=cluster1_host3,OU=Ops,O=Example Com, Inc.,DC=example,DC=com
    dns: cluster1_host3
    ip: 10.87.18.33

###
### Clients
###
#
# Specify the clients that shall access your ES cluster with certificate authentication here
#
# At least one client must be an admin user (i.e., a super-user). Admin users can
# be specified with the attribute admin: true
#
clients:
  - name: spock
    dn: CN=spock.example.com,OU=Ops,O=Example Com, Inc.,DC=example,DC=com
  - name: kirk
    dn: CN=kirk.example.com,OU=Ops,O=Example Com, Inc.,DC=example,DC=com
    admin: true

  

8. Copy the tool directory to the other nodes and change its owner to es (the tool only has to run on one node, so this step is optional)

[root@cluster1_host1 data]# scp -r /usr/local/search-guard-tlstool/ cluster1_host2:/usr/local/

  

9. Generate the certificate files

Create the output directory for the generated certificates (inside the Elasticsearch config directory, so that the paths in elasticsearch.yml can be relative):

[es@cluster1_host1 config]$ cd /usr/local/elasticsearch/config
[es@cluster1_host1 config]$ mkdir out

  

10. The command that generates the certificates (-ca creates the root and signing CA, -crt creates the node and client certificates, -t is the output directory). Six node certificates are created because httpsEnabled: true gives each of the three nodes a transport certificate and an HTTP certificate.

[es@cluster1_host1 tools]$ ./sgtlstool.sh -c /usr/local/search-guard-tlstool/config/tlsconfig.yml -ca -crt -t /usr/local/elasticsearch/config/out/
Root certificate and signing certificate have been sucessfully created.
Created 6 node certificates.
Created 2 client certificates.

  

11. The generated files are listed below. Note that root-ca.key and signing-ca.key, the CA private keys, land in the same directory as the node material. Whoever holds them can issue certificates that the cluster will accept as a node or as an admin client, so they should be moved off the cluster nodes and kept separately; the nodes only need root-ca.pem, their own certificate and key, and (on the node where sgadmin is run) kirk.pem and kirk.key.

[es@cluster1_host1 out]$ cd /usr/local/elasticsearch/config/out/
[es@cluster1_host1 out]$ ll
total 96
-rw-rw-r--. 1 es es  294 Feb 29 02:59 client-certificates.readme
-rw-rw-r--. 1 es es 1388 Feb 29 02:59 cluster1_host1_elasticsearch_config_snippet.yml
-rw-rw-r--. 1 es es 1801 Feb 29 02:59 cluster1_host1_http.key
-rw-rw-r--. 1 es es 3201 Feb 29 02:59 cluster1_host1_http.pem
-rw-rw-r--. 1 es es 1801 Feb 29 02:59 cluster1_host1.key
-rw-rw-r--. 1 es es 3201 Feb 29 02:59 cluster1_host1.pem
-rw-rw-r--. 1 es es 1388 Feb 29 02:59 cluster1_host2_elasticsearch_config_snippet.yml
-rw-rw-r--. 1 es es 1789 Feb 29 02:59 cluster1_host2_http.key
-rw-rw-r--. 1 es es 3201 Feb 29 02:59 cluster1_host2_http.pem
-rw-rw-r--. 1 es es 1801 Feb 29 02:59 cluster1_host2.key
-rw-rw-r--. 1 es es 3201 Feb 29 02:59 cluster1_host2.pem
-rw-rw-r--. 1 es es 1388 Feb 29 02:59 cluster1_host3_elasticsearch_config_snippet.yml
-rw-rw-r--. 1 es es 1801 Feb 29 02:59 cluster1_host3_http.key
-rw-rw-r--. 1 es es 3201 Feb 29 02:59 cluster1_host3_http.pem
-rw-rw-r--. 1 es es 1801 Feb 29 02:59 cluster1_host3.key
-rw-rw-r--. 1 es es 3201 Feb 29 02:59 cluster1_host3.pem
-rw-rw-r--. 1 es es 1801 Feb 29 02:59 kirk.key
-rw-rw-r--. 1 es es 3144 Feb 29 02:59 kirk.pem
-rw-rw-r--. 1 es es 1801 Feb 29 02:59 root-ca.key
-rw-rw-r--. 1 es es 1371 Feb 29 02:59 root-ca.pem
-rw-rw-r--. 1 es es 1801 Feb 29 02:59 signing-ca.key
-rw-rw-r--. 1 es es 1558 Feb 29 02:59 signing-ca.pem
-rw-rw-r--. 1 es es 1801 Feb 29 02:59 spock.key
-rw-rw-r--. 1 es es 3144 Feb 29 02:59 spock.pem

  

12. Verify the certificates

sgtlsdiag dumps every certificate in the file and checks that the chain ends at the given CA. The node .pem contains two certificates: the node certificate itself (Certificate 1, issued by the signing CA, with the node's DNS name and IP in the SAN) and the signing CA certificate (Certificate 2), so that a peer trusting only root-ca.pem can still build the chain.

[es@cluster1_host1 out]$ /usr/local/search-guard-tlstool/tools/sgtlsdiag.sh -ca /usr/local/elasticsearch/config/out/root-ca.pem -crt /usr/local/elasticsearch/config/out/cluster1_host1.pem

========================================================================
/usr/local/elasticsearch/config/out/cluster1_host1.pem
------------------------------------------------------------------------
Certificate 1
------------------------------------------------------------------------
            SHA1 FPR: 70b8e292357beec0e55b1b98c257aa5d2a391f05
             MD5 FPR: 1565fb2741046769feb128d2e98e3923
Subject DN [RFC2253]: CN=cluster1_host1,OU=Ops,O=Example Com, Inc.,DC=example,DC=com
       Serial Number: 1582963131135
 Issuer DN [RFC2253]: CN=signing.ca.example.com,OU=CA,O=Example Com, Inc.,DC=example,DC=com
          Not Before: Sat Feb 29 02:58:53 EST 2020
           Not After: Tue Feb 26 02:58:53 EST 2030
           Key Usage: digitalSignature nonRepudiation keyEncipherment
 Signature Algorithm: SHA256WITHRSA
             Version: 3
  Extended Key Usage: id_kp_serverAuth id_kp_clientAuth
   Basic Constraints: -1
                 SAN:
                  dNSName: cluster1_host1
                  iPAddress: 10.87.18.31

------------------------------------------------------------------------
Certificate 2
------------------------------------------------------------------------
            SHA1 FPR: 450118f5bce0ddbb0210550620da4323c15c697b
             MD5 FPR: 091f69596ca7e6b3c74f3ac200e87307
Subject DN [RFC2253]: CN=signing.ca.example.com,OU=CA,O=Example Com, Inc.,DC=example,DC=com
       Serial Number: 2
 Issuer DN [RFC2253]: CN=root.ca.example.com,OU=CA,O=Example Com, Inc.,DC=example,DC=com
          Not Before: Sat Feb 29 02:58:53 EST 2020
           Not After: Tue Feb 26 02:58:53 EST 2030
           Key Usage: digitalSignature keyCertSign cRLSign
 Signature Algorithm: SHA256WITHRSA
             Version: 3
  Extended Key Usage: null
   Basic Constraints: 0
                 SAN: (none)
------------------------------------------------------------------------
Trust anchor:
DC=com,DC=example,O=Example Com, Inc.,OU=CA,CN=root.ca.example.com
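The same checks can be made with plain openssl, which is useful on a node where the TLS tool is not installed. The script below is an added example, not from the original post and not part of Search Guard or its tlstool: it builds a chain of the same shape (root CA, signing CA, node certificate with a SAN) in a temporary directory and then checks the node certificate the way the sgtlsdiag output above does: chain up to the trust anchor, SAN, key/certificate match and validity. The DNs, the host name, the IP and the temporary directory are assumptions for the demo; point the check function at the files in config/out to use it for real.

```shell
#!/bin/sh
# Added example, not part of the original post or of Search Guard/tlstool.
# Rebuilds a tlstool-style chain (root CA -> signing CA -> node certificate)
# with openssl and checks a node certificate as sgtlsdiag does. Every DN,
# host name, IP and path below is an assumption made for the demo.
set -eu

# make_demo_chain DIR: constructed two-tier CA plus one node certificate.
make_demo_chain() {
  d="$1"; mkdir -p "$d"
  cat > "$d/ext.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[signing_ext]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
[node_ext]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:cluster1_host1, IP:10.87.18.31
EOF
  # root CA: self-signed, the trust anchor that goes into pemtrustedcas_filepath
  openssl genrsa -out "$d/root-ca.key" 2048 2>/dev/null
  openssl req -x509 -new -key "$d/root-ca.key" -sha256 -days 3650 \
    -subj "/DC=com/DC=example/O=Example Com/OU=CA/CN=root.ca.example.com" \
    -config "$d/ext.cnf" -extensions ca_ext -out "$d/root-ca.pem"
  # signing (intermediate) CA, issued by the root
  openssl genrsa -out "$d/signing-ca.key" 2048 2>/dev/null
  openssl req -new -key "$d/signing-ca.key" -config "$d/ext.cnf" \
    -subj "/DC=com/DC=example/O=Example Com/OU=CA/CN=signing.ca.example.com" \
    -out "$d/signing-ca.csr"
  openssl x509 -req -in "$d/signing-ca.csr" -CA "$d/root-ca.pem" -CAkey "$d/root-ca.key" \
    -CAcreateserial -sha256 -days 3650 -extfile "$d/ext.cnf" -extensions signing_ext \
    -out "$d/signing-ca.pem" 2>/dev/null
  # node transport certificate, issued by the signing CA, SAN = DNS name + IP
  openssl genrsa -out "$d/cluster1_host1.key" 2048 2>/dev/null
  openssl req -new -key "$d/cluster1_host1.key" -config "$d/ext.cnf" \
    -subj "/DC=com/DC=example/O=Example Com/OU=Ops/CN=cluster1_host1" \
    -out "$d/cluster1_host1.csr"
  openssl x509 -req -in "$d/cluster1_host1.csr" -CA "$d/signing-ca.pem" -CAkey "$d/signing-ca.key" \
    -CAcreateserial -sha256 -days 3650 -extfile "$d/ext.cnf" -extensions node_ext \
    -out "$d/cluster1_host1.pem" 2>/dev/null
}

# check_node_cert ROOT SIGNING CERT KEY HOST: the four things worth confirming
# before CERT/KEY go into searchguard.ssl.transport.pemcert/pemkey_filepath.
check_node_cert() {
  root="$1"; signing="$2"; cert="$3"; key="$4"; host="$5"
  # 1. chain must validate up to the trust anchor (sgtlsdiag's "Trust anchor")
  openssl verify -CAfile "$root" -untrusted "$signing" "$cert" >/dev/null 2>&1 \
    || { echo "$host: chain does not validate against $root"; return 1; }
  # 2. SAN must carry the name peers will check with hostname verification
  openssl x509 -in "$cert" -noout -text | grep -q "DNS:$host" \
    || { echo "$host: SAN lacks DNS:$host"; return 1; }
  # 3. the private key must belong to this certificate (compare public keys)
  c=$(openssl x509 -in "$cert" -noout -pubkey | openssl sha256)
  k=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl sha256)
  [ "$c" = "$k" ] || { echo "$host: key does not match certificate"; return 1; }
  # 4. the certificate must be valid right now
  openssl x509 -in "$cert" -noout -checkend 0 >/dev/null \
    || { echo "$host: certificate expired"; return 1; }
  echo "$host: chain, SAN, key and validity OK"
}

# verify_without_intermediate ROOT CERT: what happens if the signing CA is
# missing from the node .pem, i.e. why tlstool appends it as Certificate 2.
verify_without_intermediate() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

SG_DEMO=$(mktemp -d)
make_demo_chain "$SG_DEMO"
check_node_cert "$SG_DEMO/root-ca.pem" "$SG_DEMO/signing-ca.pem" \
  "$SG_DEMO/cluster1_host1.pem" "$SG_DEMO/cluster1_host1.key" cluster1_host1
```

The negative case matters in practice: with only root-ca.pem trusted, a node .pem from which the signing certificate was stripped fails validation, and the node would be rejected by its peers at transport level even though every file "looks" like a certificate.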

  

13. Edit the Elasticsearch configuration file

Go to the certificate directory:

[es@cluster1_host1 out]$ pwd
/usr/local/elasticsearch/config/out
[es@cluster1_host1 out]$ ll
total 96
-rwxrwxr-x. 1 es es  294 Feb 29 02:59 client-certificates.readme
-rwxrwxr-x. 1 es es 1388 Feb 29 03:30 cluster1_host1_elasticsearch_config_snippet.yml
-rwxrwxr-x. 1 es es 1801 Feb 29 02:59 cluster1_host1_http.key
-rwxrwxr-x. 1 es es 3201 Feb 29 02:59 cluster1_host1_http.pem
-rwxrwxr-x. 1 es es 1801 Feb 29 02:59 cluster1_host1.key
-rwxrwxr-x. 1 es es 3201 Feb 29 02:59 cluster1_host1.pem
-rwxrwxr-x. 1 es es 1388 Feb 29 02:59 cluster1_host2_elasticsearch_config_snippet.yml
-rwxrwxr-x. 1 es es 1789 Feb 29 02:59 cluster1_host2_http.key
-rwxrwxr-x. 1 es es 3201 Feb 29 02:59 cluster1_host2_http.pem
-rwxrwxr-x. 1 es es 1801 Feb 29 02:59 cluster1_host2.key
-rwxrwxr-x. 1 es es 3201 Feb 29 02:59 cluster1_host2.pem
-rwxrwxr-x. 1 es es 1388 Feb 29 03:26 cluster1_host3_elasticsearch_config_snippet.yml
-rwxrwxr-x. 1 es es 1801 Feb 29 02:59 cluster1_host3_http.key
-rwxrwxr-x. 1 es es 3201 Feb 29 02:59 cluster1_host3_http.pem
-rwxrwxr-x. 1 es es 1801 Feb 29 02:59 cluster1_host3.key
-rwxrwxr-x. 1 es es 3201 Feb 29 02:59 cluster1_host3.pem
-rwxrwxr-x. 1 es es 1801 Feb 29 02:59 kirk.key
-rwxrwxr-x. 1 es es 3144 Feb 29 02:59 kirk.pem
-rwxrwxr-x. 1 es es 1801 Feb 29 02:59 root-ca.key
-rwxrwxr-x. 1 es es 1371 Feb 29 02:59 root-ca.pem
-rwxrwxr-x. 1 es es 1801 Feb 29 02:59 signing-ca.key
-rwxrwxr-x. 1 es es 1558 Feb 29 02:59 signing-ca.pem
-rwxrwxr-x. 1 es es 1801 Feb 29 02:59 spock.key
-rwxrwxr-x. 1 es es 3144 Feb 29 02:59 spock.pem

  

 

Append the contents of cluster1_host1_elasticsearch_config_snippet.yml to this node's elasticsearch.yml (each node gets its own snippet, so on cluster1_host2 use cluster1_host2_elasticsearch_config_snippet.yml, and so on):

[es@cluster1_host1 config]$ ll
total 36
-rw-rw----. 1 es es  207 Feb 28 01:15 elasticsearch.keystore
-rw-rw----. 1 es es 3895 Feb 29 03:33 elasticsearch.yml
-rw-rw----. 1 es es 2937 Feb 28 03:33 elasticsearch.yml.bak
-rw-rw----. 1 es es 2937 Feb 28 01:10 jvm.options
-rw-rw----. 1 es es 6380 Oct 30  2018 log4j2.properties
drwxrwxr-x. 2 es es 4096 Feb 29 03:30 out
-rw-rw----. 1 es es  473 Oct 30  2018 role_mapping.yml
-rw-rw----. 1 es es  197 Oct 30  2018 roles.yml
-rw-rw----. 1 es es    0 Oct 30  2018 users
-rw-rw----. 1 es es    0 Oct 30  2018 users_roles
[es@cluster1_host1 config]$ pwd
/usr/local/elasticsearch/config

 

  

The added settings are shown below. The certificate paths are relative to the Elasticsearch config directory, which is why the out/ directory was created there. Note what this configuration does and does not protect: the transport layer (port 9300, node-to-node and sgadmin traffic) is TLS-encrypted and only certificates whose DN is listed in searchguard.nodes_dn are accepted as cluster members, and only kirk's certificate can act as admin. The HTTP layer is left without TLS (searchguard.ssl.http.enabled: false), so REST clients, including the curl -u calls later in this post, send their Basic-auth credentials in cleartext over port 9200. Hostname verification and hostname resolution on the transport layer are also switched off, so a node certificate is not checked against the address it connects from. For anything beyond a test cluster, set http.enabled to true (the _http.pem/_http.key files for it were already generated) and keep enforce_hostname_verification at its default of true; the tlstool put each node's DNS name and IP in the SAN precisely so that this check can pass.

searchguard.ssl.transport.pemcert_filepath: out/cluster1_host1.pem
searchguard.ssl.transport.pemkey_filepath: out/cluster1_host1.key
searchguard.ssl.transport.pemkey_password: teststt
searchguard.ssl.transport.pemtrustedcas_filepath: out/root-ca.pem
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.transport.resolve_hostname: false
searchguard.ssl.http.enabled: false
searchguard.ssl.http.pemcert_filepath: out/cluster1_host1_http.pem
searchguard.ssl.http.pemkey_filepath: out/cluster1_host1_http.key
searchguard.ssl.http.pemkey_password: teststt
searchguard.ssl.http.pemtrustedcas_filepath: out/root-ca.pem
searchguard.nodes_dn:
- CN=cluster1_host1,OU=Ops,O=Example Com, Inc.,DC=example,DC=com
- CN=cluster1_host2,OU=Ops,O=Example Com, Inc.,DC=example,DC=com
- CN=cluster1_host3,OU=Ops,O=Example Com, Inc.,DC=example,DC=com
searchguard.authcz.admin_dn:
- CN=kirk.example.com,OU=Ops,O=Example Com, Inc.,DC=example,DC=com

  

Validate the configuration. With -es, sgtlsdiag reads elasticsearch.yml, opens every certificate file it references and prints the same per-certificate report as in step 12, so a wrong path, a wrong key password or a certificate that does not chain to root-ca.pem shows up here rather than at node start-up:

[es@cluster1_host1 tools]$ ./sgtlsdiag.sh -es /usr/local/elasticsearch/config/elasticsearch.yml
Reading node config file /usr/local/elasticsearch/config/elasticsearch.yml

========================================================================
/usr/local/elasticsearch/config/out/cluster1_host1.pem
------------------------------------------------------------------------
Certificate 1
------------------------------------------------------------------------
            SHA1 FPR: 70b8e292357beec0e55b1b98c257aa5d2a391f05
             MD5 FPR: 1565fb2741046769feb128d2e98e3923
Subject DN [RFC2253]: CN=cluster1_host1,OU=Ops,O=Example Com, Inc.,DC=example,DC=com
       Serial Number: 1582963131135
 Issuer DN [RFC2253]: CN=signing.ca.example.com,OU=CA,O=Example Com, Inc.,DC=example,DC=com
          Not Before: Sat Feb 29 02:58:53 EST 2020
           Not After: Tue Feb 26 02:58:53 EST 2030
           Key Usage: digitalSignature nonRepudiation keyEncipherment
 Signature Algorithm: SHA256WITHRSA
             Version: 3
  Extended Key Usage: id_kp_serverAuth id_kp_clientAuth
   Basic Constraints: -1
                 SAN:
                  dNSName: cluster1_host1
                  iPAddress: 10.87.18.31

------------------------------------------------------------------------
Certificate 2
------------------------------------------------------------------------
            SHA1 FPR: 450118f5bce0ddbb0210550620da4323c15c697b
             MD5 FPR: 091f69596ca7e6b3c74f3ac200e87307
Subject DN [RFC2253]: CN=signing.ca.example.com,OU=CA,O=Example Com, Inc.,DC=example,DC=com
       Serial Number: 2
 Issuer DN [RFC2253]: CN=root.ca.example.com,OU=CA,O=Example Com, Inc.,DC=example,DC=com
          Not Before: Sat Feb 29 02:58:53 EST 2020
           Not After: Tue Feb 26 02:58:53 EST 2030
           Key Usage: digitalSignature keyCertSign cRLSign
 Signature Algorithm: SHA256WITHRSA
             Version: 3
  Extended Key Usage: null
   Basic Constraints: 0
                 SAN: (none)
------------------------------------------------------------------------
Trust anchor:
DC=com,DC=example,O=Example Com, Inc.,OU=CA,CN=root.ca.example.com

========================================================================
/usr/local/elasticsearch/config/out/cluster1_host1_http.pem
------------------------------------------------------------------------
Certificate 1
------------------------------------------------------------------------
            SHA1 FPR: 998fdf16628aeb9da3d9ef741f8d87318f44bf87
             MD5 FPR: bfb40c178312f63af1bf5d83cd7a1021
Subject DN [RFC2253]: CN=cluster1_host1,OU=Ops,O=Example Com, Inc.,DC=example,DC=com
       Serial Number: 1582963131136
 Issuer DN [RFC2253]: CN=signing.ca.example.com,OU=CA,O=Example Com, Inc.,DC=example,DC=com
          Not Before: Sat Feb 29 02:58:55 EST 2020
           Not After: Tue Feb 26 02:58:55 EST 2030
           Key Usage: digitalSignature nonRepudiation keyEncipherment
 Signature Algorithm: SHA256WITHRSA
             Version: 3
  Extended Key Usage: id_kp_serverAuth id_kp_clientAuth
   Basic Constraints: -1
                 SAN:
                  dNSName: cluster1_host1
                  iPAddress: 10.87.18.31

------------------------------------------------------------------------
Certificate 2
------------------------------------------------------------------------
            SHA1 FPR: 450118f5bce0ddbb0210550620da4323c15c697b
             MD5 FPR: 091f69596ca7e6b3c74f3ac200e87307
Subject DN [RFC2253]: CN=signing.ca.example.com,OU=CA,O=Example Com, Inc.,DC=example,DC=com
       Serial Number: 2
 Issuer DN [RFC2253]: CN=root.ca.example.com,OU=CA,O=Example Com, Inc.,DC=example,DC=com
          Not Before: Sat Feb 29 02:58:53 EST 2020
           Not After: Tue Feb 26 02:58:53 EST 2030
           Key Usage: digitalSignature keyCertSign cRLSign
 Signature Algorithm: SHA256WITHRSA
             Version: 3
  Extended Key Usage: null
   Basic Constraints: 0
                 SAN: (none)
------------------------------------------------------------------------
Trust anchor:
DC=com,DC=example,O=Example Com, Inc.,OU=CA,CN=root.ca.example.com

========================================================================
/usr/local/elasticsearch/config/out/root-ca.pem
------------------------------------------------------------------------
Certificate 1
------------------------------------------------------------------------
            SHA1 FPR: b66494fa2c05423e64ada2403e09ca6c76ae3936
             MD5 FPR: 5f0834f0acf6dc8f7fa061eb7be0675a
Subject DN [RFC2253]: CN=root.ca.example.com,OU=CA,O=Example Com, Inc.,DC=example,DC=com
       Serial Number: 1
 Issuer DN [RFC2253]: CN=root.ca.example.com,OU=CA,O=Example Com, Inc.,DC=example,DC=com
          Not Before: Sat Feb 29 02:58:52 EST 2020
           Not After: Tue Feb 26 02:58:52 EST 2030
           Key Usage: digitalSignature keyCertSign cRLSign
 Signature Algorithm: SHA256WITHRSA
             Version: 3
  Extended Key Usage: null
   Basic Constraints: 2147483647
                 SAN: (none)
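sgtlsdiag checks that the certificates are usable; it does not tell you whether the settings around them are the ones you wanted. The script below is an added example, not from the original post and not part of Search Guard: it reads an elasticsearch.yml and reports the Search Guard SSL settings that leave a cluster weaker than the generated snippet intends (the REST layer without TLS, transport hostname verification explicitly off, wildcards in nodes_dn). Both sample files are constructed inline: the "weak" one repeats the settings used in this walkthrough plus a wildcard node DN added to exercise that check, and the "hardened" one shows the corrected values. The default values assumed for unset keys (http.enabled defaults to false, enforce_hostname_verification to true) are Search Guard 6's documented defaults.

```shell
#!/bin/sh
# Added example, not part of the original post or of Search Guard: audits an
# elasticsearch.yml for weak Search Guard SSL settings. Sample files below are
# constructed for the demo; the "weak" one mirrors the walkthrough's settings.
set -eu

# sg_setting FILE KEY: value of a top-level "KEY: value" line, empty if absent
sg_setting() {
  key_re=$(printf '%s' "$2" | sed 's/\./\\./g')
  sed -n "s/^[[:space:]]*${key_re}:[[:space:]]*//p" "$1" | head -n 1
}

# audit_sg_config FILE: one "WEAK <key>=<current> -> <expected>: <why>" line per finding
audit_sg_config() {
  f="$1"
  # REST layer: without TLS, Basic-auth credentials (curl -u admin:...) cross the
  # wire in cleartext. Search Guard defaults this key to false, so unset is weak too.
  http_tls=$(sg_setting "$f" searchguard.ssl.http.enabled)
  if [ "$http_tls" != "true" ]; then
    echo "WEAK searchguard.ssl.http.enabled=${http_tls:-unset} -> true: REST clients send credentials in cleartext"
  fi
  # Transport layer: Search Guard defaults hostname verification to true, so only
  # an explicit false is a finding; with it off the SAN is never compared to the peer.
  hv=$(sg_setting "$f" searchguard.ssl.transport.enforce_hostname_verification)
  if [ "${hv:-true}" != "true" ]; then
    echo "WEAK searchguard.ssl.transport.enforce_hostname_verification=$hv -> true: node cert SAN not checked against the peer"
  fi
  # Wildcards in nodes_dn widen which CA-issued certificates count as cluster nodes.
  if sed -n '/^[[:space:]]*searchguard\.nodes_dn:/,/^[^[:space:]-]/p' "$f" | grep -q '^[[:space:]]*-.*\*'; then
    echo "WEAK searchguard.nodes_dn contains a wildcard -> list every node DN explicitly"
  fi
}

# count_weak FILE: number of findings; 0 means the file passes this audit
count_weak() {
  audit_sg_config "$1" | grep -c '^WEAK' || true
}

SG_TMP=$(mktemp -d)
SG_WEAK_YML="$SG_TMP/weak.yml"
SG_HARD_YML="$SG_TMP/hardened.yml"

# constructed: the walkthrough's settings, plus a wildcard node DN for the demo
cat > "$SG_WEAK_YML" <<'EOF'
searchguard.ssl.transport.pemcert_filepath: out/cluster1_host1.pem
searchguard.ssl.transport.pemkey_filepath: out/cluster1_host1.key
searchguard.ssl.transport.pemtrustedcas_filepath: out/root-ca.pem
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.transport.resolve_hostname: false
searchguard.ssl.http.enabled: false
searchguard.ssl.http.pemcert_filepath: out/cluster1_host1_http.pem
searchguard.ssl.http.pemkey_filepath: out/cluster1_host1_http.key
searchguard.ssl.http.pemtrustedcas_filepath: out/root-ca.pem
searchguard.nodes_dn:
- CN=*,OU=Ops,O=Example Com, Inc.,DC=example,DC=com
searchguard.authcz.admin_dn:
- CN=kirk.example.com,OU=Ops,O=Example Com, Inc.,DC=example,DC=com
EOF

# constructed: the same file with TLS on the REST layer, hostname verification
# left at its default and the three node DNs spelled out
cat > "$SG_HARD_YML" <<'EOF'
searchguard.ssl.transport.pemcert_filepath: out/cluster1_host1.pem
searchguard.ssl.transport.pemkey_filepath: out/cluster1_host1.key
searchguard.ssl.transport.pemtrustedcas_filepath: out/root-ca.pem
searchguard.ssl.transport.enforce_hostname_verification: true
searchguard.ssl.transport.resolve_hostname: true
searchguard.ssl.http.enabled: true
searchguard.ssl.http.pemcert_filepath: out/cluster1_host1_http.pem
searchguard.ssl.http.pemkey_filepath: out/cluster1_host1_http.key
searchguard.ssl.http.pemtrustedcas_filepath: out/root-ca.pem
searchguard.nodes_dn:
- CN=cluster1_host1,OU=Ops,O=Example Com, Inc.,DC=example,DC=com
- CN=cluster1_host2,OU=Ops,O=Example Com, Inc.,DC=example,DC=com
- CN=cluster1_host3,OU=Ops,O=Example Com, Inc.,DC=example,DC=com
searchguard.authcz.admin_dn:
- CN=kirk.example.com,OU=Ops,O=Example Com, Inc.,DC=example,DC=com
EOF

audit_sg_config "$SG_WEAK_YML"
echo "weak: $(count_weak "$SG_WEAK_YML") finding(s), hardened: $(count_weak "$SG_HARD_YML") finding(s)"
```

Run it as `audit_sg_config /usr/local/elasticsearch/config/elasticsearch.yml` on each node before starting it. Turning enforce_hostname_verification back on only works if the name peers resolve for a node matches its certificate's SAN; the tlstool wrote both the DNS name and the IP from the nodes section into the SAN, so with working name resolution (or /etc/hosts entries) the check passes without regenerating anything.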

  

14. Configure the other nodes

Copy the out directory to the same location on the other nodes and append each node's own snippet to its elasticsearch.yml. Copying the whole directory is what the original did; it also ships root-ca.key and signing-ca.key to every node, which is not needed (a node only uses root-ca.pem and its own files), so prefer copying just those files and keeping the CA keys elsewhere.

[root@cluster1_host1 data]# scp -r /usr/local/elasticsearch/config/out/ cluster1_host2:/usr/local/elasticsearch/config/

  

15. Start Elasticsearch again and re-enable shard allocation with sgadmin. The -esa flag resets the allocation setting from step 3; it is a cluster-wide setting, so running the command once against any node is enough (the original ran it on every node, which does no harm). sgadmin connects over the TLS transport port (9300) and authenticates with kirk's certificate, whose DN is the one listed in searchguard.authcz.admin_dn; -icl ignores the cluster name and -nhnv disables hostname verification for this client connection, matching the relaxed node settings above.

[es@cluster1_host1 search-guard-6]$ pwd
/usr/local/elasticsearch/plugins/search-guard-6
[es@cluster1_host1 search-guard-6]$ ./tools/sgadmin.sh -esa -icl -nhnv -cert ../../config/out/kirk.pem -key ../../config/out/kirk.key -cacert ../../config/out/root-ca.pem -h cluster1_host1 -keypass teststt
Search Guard Admin v6
Will connect to cluster1_host1:9300 ... done
Elasticsearch Version: 6.4.3
Search Guard Version: 6.4.3-25.5
Connected as CN=kirk.example.com,OU=Ops,O=Example Com, Inc.,DC=example,DC=com
Persistent and transient shard allocation enabled

  

16. Query Elasticsearch without credentials. Search Guard now rejects the anonymous request:

[root@cluster1_host1 ~]# curl '10.87.18.31:9200/_cat/nodes?v'
Unauthorized[root@cluster1_host1 ~]#

  

17. Open the following URL in a browser (plain http, because TLS on the HTTP layer was left disabled). The health endpoint needs no credentials and reports whether the Search Guard configuration has been loaded:

http://10.87.18.31:9200/_searchguard/health

{"message":null,"mode":"strict","status":"UP"}

 

18. Access Elasticsearch with a username and password. admin:admin is the demo user from sg_internal_users.yml that sgadmin loads in the last section of this post, and it is well known; change its bcrypt hash (the plugin's tools directory ships hash.sh for that) and reload the configuration with sgadmin before the cluster is reachable by anyone else. Remember that with http.enabled: false this password crosses the network in cleartext.

[root@cluster1_host1 ~]# curl -u admin:admin '10.87.18.31:9200/_cat/indices?v'
health status index       uuid                   pri rep docs.count docs.deleted store.size pri.store.size
green  open   searchguard XOWOuXN0SJi_69Yz3BPtmw   1   2          0            6     88.6kb         38.4kb
[root@cluster1_host1 ~]#

  

This completes the Search Guard plugin configuration for Elasticsearch.

III. Problems

 

1. If Elasticsearch fails to start with the following error

[2020-02-29T03:54:12,266][WARN ][o.e.b.ElasticsearchUncaughtExceptionHandler] [cluster1_host1] uncaught exception in thread [main]
org.elasticsearch.bootstrap.StartupException: java.lang.IllegalArgumentException: Cannot have additional setting [http.type] in plugin [search-guard-6], already added in plugin [x-pack-security]

 

  

then X-Pack security (bundled with this Elasticsearch distribution) and Search Guard are both trying to take over the HTTP transport. Only one security plugin can do that, so disable X-Pack security in elasticsearch.yml:

xpack.security.enabled: false

  

2. If Elasticsearch logs the following warnings at start-up

[2020-02-29T03:49:24,286][WARN ][c.f.s.SearchGuardPlugin  ] Directory /usr/local/elasticsearch/config has insecure file permissions (should be 0700)
[2020-02-29T03:49:24,286][WARN ][c.f.s.SearchGuardPlugin  ] Directory /usr/local/elasticsearch/config/out has insecure file permissions (should be 0700)
[2020-02-29T03:49:24,286][WARN ][c.f.s.SearchGuardPlugin  ] File /usr/local/elasticsearch/config/out/root-ca.pem has insecure file permissions (should be 0600)
[2020-02-29T03:49:24,286][WARN ][c.f.s.SearchGuardPlugin  ] File /usr/local/elasticsearch/config/out/root-ca.key has insecure file permissions (should be 0600)
[2020-02-29T03:49:24,286][WARN ][c.f.s.SearchGuardPlugin  ] File /usr/local/elasticsearch/config/out/signing-ca.pem has insecure file permissions (should be 0600)

  

then tighten the permissions so that only the es user can read the private keys. The out directory itself needs 0700 as well, and elasticsearch.yml deserves the same treatment as the key files because it now holds the key password in cleartext.

chmod 0600 /usr/local/elasticsearch/config/out/*
chmod 0700 /usr/local/elasticsearch/config/

  

3. If an Elasticsearch request fails with the following error

[root@cluster1_host1 config]# curl '10.87.18.31:9200/_cat/nodes?v'
Search Guard not initialized (SG11). See http://docs.search-guard.com/v6/sgadmin[root@cluster1_host1 config]

 

  

the plugin is running but its configuration (users, roles, role mappings) has not been uploaded to the searchguard index yet. Go to the plugin directory:

[es@cluster1_host1 search-guard-6]$ pwd
/usr/local/elasticsearch/plugins/search-guard-6

  

and upload the configuration from the sgconfig directory with sgadmin (-cd). If it complains that a file does not exist, restart Elasticsearch and try again. This only needs to be run on one node, since the configuration is stored in the cluster. Note that sgconfig contains the shipped demo configuration: sg_internal_users.yml defines the admin user with the password admin used in step 18, which is why that password must be changed before the cluster is exposed.

[es@cluster1_host1 search-guard-6]$ ./tools/sgadmin.sh -cd ./sgconfig/ -icl -nhnv -cert ../../config/out/kirk.pem -key ../../config/out/kirk.key -cacert ../../config/out/root-ca.pem -h cluster1_host1 -keypass teststt
Search Guard Admin v6
Will connect to cluster1_host1:9300 ... done
Elasticsearch Version: 6.4.3
Search Guard Version: 6.4.3-25.5
Connected as CN=kirk.example.com,OU=Ops,O=Example Com, Inc.,DC=example,DC=com
Contacting elasticsearch cluster 'elasticsearch' and wait for YELLOW clusterstate ...
Clustername: my-application
Clusterstate: YELLOW
Number of nodes: 3
Number of data nodes: 3
searchguard index already exists, so we do not need to create one.
INFO: searchguard index state is YELLOW, it seems you miss some replicas
Populate config from /usr/local/elasticsearch/plugins/search-guard-6/sgconfig
Will update 'sg/config' with ./sgconfig/sg_config.yml
   SUCC: Configuration for 'config' created or updated
Will update 'sg/roles' with ./sgconfig/sg_roles.yml
   SUCC: Configuration for 'roles' created or updated
Will update 'sg/rolesmapping' with ./sgconfig/sg_roles_mapping.yml
   SUCC: Configuration for 'rolesmapping' created or updated
Will update 'sg/internalusers' with ./sgconfig/sg_internal_users.yml
   SUCC: Configuration for 'internalusers' created or updated
Will update 'sg/actiongroups' with ./sgconfig/sg_action_groups.yml
   SUCC: Configuration for 'actiongroups' created or updated
Done with success
[es@cluster1_host1 search-guard-6]$ pwd