OpenSearch 2.x CACerts Permission Error

Posted 2024-09-17 at https://www.rushworth.us/lisa/?p=11151 (category: opensearch; tags: java, jvm, opensearch)

In my dev OpenSearch 2.x environment, I get a strange error indicating that the application cannot read the cacerts file — except the file is world readable, selinux is disabled, and there's nothing actually preventing access from the OS level.

[2024-09-17T12:48:52,666][ERROR][c.a.d.a.h.j.AbstractHTTPJwtAuthenticator] [linux1569.mgmt.windstream.net] Error creating JWT authenticator. JWT authentication will not work
com.amazon.dlic.util.SettingsBasedSSLConfigurator$SSLConfigException: Error loading trust store from /opt/elk/opensearch/jdk/lib/security/cacerts
        at com.amazon.dlic.util.SettingsBasedSSLConfigurator.initFromKeyStore(SettingsBasedSSLConfigurator.java:338) ~[opensearch-security-2.15.0.0.jar:2.15.0.0]
        at com.amazon.dlic.util.SettingsBasedSSLConfigurator.configureWithSettings(SettingsBasedSSLConfigurator.java:196) ~[opensearch-security-2.15.0.0.jar:2.15.0.0]
        at com.amazon.dlic.util.SettingsBasedSSLConfigurator.buildSSLContext(SettingsBasedSSLConfigurator.java:117) ~[opensearch-security-2.15.0.0.jar:2.15.0.0]
        at com.amazon.dlic.util.SettingsBasedSSLConfigurator.buildSSLConfig(SettingsBasedSSLConfigurator.java:131) ~[opensearch-security-2.15.0.0.jar:2.15.0.0]
        at com.amazon.dlic.auth.http.jwt.keybyoidc.HTTPJwtKeyByOpenIdConnectAuthenticator.getSSLConfig(HTTPJwtKeyByOpenIdConnectAuthenticator.java:65) ~[opensearch-security-2.15.0.0.jar:2.15.0.0]
        at com.amazon.dlic.auth.http.jwt.keybyoidc.HTTPJwtKeyByOpenIdConnectAuthenticator.initKeyProvider(HTTPJwtKeyByOpenIdConnectAuthenticator.java:47) ~[opensearch-security-2.15.0.0.jar:2.15.0.0]
        at com.amazon.dlic.auth.http.jwt.AbstractHTTPJwtAuthenticator.<init>(AbstractHTTPJwtAuthenticator.java:89) [opensearch-security-2.15.0.0.jar:2.15.0.0]
        at com.amazon.dlic.auth.http.jwt.keybyoidc.HTTPJwtKeyByOpenIdConnectAuthenticator.<init>(HTTPJwtKeyByOpenIdConnectAuthenticator.java:26) [opensearch-security-2.15.0.0.jar:2.15.0.0]
        at java.base/jdk.internal.reflect.DirectConstructorHandleAccessor.newInstance(DirectConstructorHandleAccessor.java:62) ~[?:?]
        at java.base/java.lang.reflect.Constructor.newInstanceWithCaller(Constructor.java:502) ~[?:?]
        at java.base/java.lang.reflect.Constructor.newInstance(Constructor.java:486) ~[?:?]
        at org.opensearch.security.support.ReflectionHelper.instantiateAAA(ReflectionHelper.java:62) [opensearch-security-2.15.0.0.jar:2.15.0.0]
        at org.opensearch.security.securityconf.DynamicConfigModelV7.lambda$newInstance$1(DynamicConfigModelV7.java:432) [opensearch-security-2.15.0.0.jar:2.15.0.0]
        at java.base/java.security.AccessController.doPrivileged(AccessController.java:319) [?:?]
        at org.opensearch.security.securityconf.DynamicConfigModelV7.newInstance(DynamicConfigModelV7.java:430) [opensearch-security-2.15.0.0.jar:2.15.0.0]
        at org.opensearch.security.securityconf.DynamicConfigModelV7.buildAAA(DynamicConfigModelV7.java:329) [opensearch-security-2.15.0.0.jar:2.15.0.0]
        at org.opensearch.security.securityconf.DynamicConfigModelV7.<init>(DynamicConfigModelV7.java:102) [opensearch-security-2.15.0.0.jar:2.15.0.0]
        at org.opensearch.security.securityconf.DynamicConfigFactory.onChange(DynamicConfigFactory.java:288) [opensearch-security-2.15.0.0.jar:2.15.0.0]
        at org.opensearch.security.configuration.ConfigurationRepository.notifyAboutChanges(ConfigurationRepository.java:570) [opensearch-security-2.15.0.0.jar:2.15.0.0]
        at org.opensearch.security.configuration.ConfigurationRepository.notifyConfigurationListeners(ConfigurationRepository.java:559) [opensearch-security-2.15.0.0.jar:2.15.0.0]
        at org.opensearch.security.configuration.ConfigurationRepository.reloadConfiguration0(ConfigurationRepository.java:554) [opensearch-security-2.15.0.0.jar:2.15.0.0]
        at org.opensearch.security.configuration.ConfigurationRepository.loadConfigurationWithLock(ConfigurationRepository.java:538) [opensearch-security-2.15.0.0.jar:2.15.0.0]
        at org.opensearch.security.configuration.ConfigurationRepository.reloadConfiguration(ConfigurationRepository.java:531) [opensearch-security-2.15.0.0.jar:2.15.0.0]
        at org.opensearch.security.configuration.ConfigurationRepository.initalizeClusterConfiguration(ConfigurationRepository.java:284) [opensearch-security-2.15.0.0.jar:2.15.0.0]
        at org.opensearch.security.configuration.ConfigurationRepository.lambda$initOnNodeStart$10(ConfigurationRepository.java:439) [opensearch-security-2.15.0.0.jar:2.15.0.0]
        at java.base/java.lang.Thread.run(Thread.java:1583) [?:?]
Caused by: java.security.AccessControlException: access denied ("java.io.FilePermission" "/opt/elk/opensearch/jdk/lib/security/cacerts" "read")
        at java.base/java.security.AccessControlContext.checkPermission(AccessControlContext.java:488) ~[?:?]
        at java.base/java.security.AccessController.checkPermission(AccessController.java:1071) ~[?:?]
        at java.base/java.lang.SecurityManager.checkPermission(SecurityManager.java:411) ~[?:?]
        at java.base/java.lang.SecurityManager.checkRead(SecurityManager.java:742) ~[?:?]
        at java.base/sun.nio.fs.UnixPath.checkRead(UnixPath.java:789) ~[?:?]
        at java.base/sun.nio.fs.UnixFileAttributeViews$Basic.readAttributes(UnixFileAttributeViews.java:49) ~[?:?]
        at java.base/sun.nio.fs.UnixFileSystemProvider.readAttributes(UnixFileSystemProvider.java:171) ~[?:?]
        at java.base/sun.nio.fs.LinuxFileSystemProvider.readAttributes(LinuxFileSystemProvider.java:99) ~[?:?]
        at java.base/java.nio.file.spi.FileSystemProvider.readAttributesIfExists(FileSystemProvider.java:1270) ~[?:?]
        at java.base/sun.nio.fs.UnixFileSystemProvider.readAttributesIfExists(UnixFileSystemProvider.java:191) ~[?:?]
        at java.base/java.nio.file.Files.isDirectory(Files.java:2319) ~[?:?]
        at org.opensearch.security.support.PemKeyReader.checkPath(PemKeyReader.java:214) ~[opensearch-security-2.15.0.0.jar:2.15.0.0]
        at org.opensearch.security.support.PemKeyReader.resolve(PemKeyReader.java:290) ~[opensearch-security-2.15.0.0.jar:2.15.0.0]
        at org.opensearch.security.support.PemKeyReader.resolve(PemKeyReader.java:276) ~[opensearch-security-2.15.0.0.jar:2.15.0.0]
        at com.amazon.dlic.util.SettingsBasedSSLConfigurator.initFromKeyStore(SettingsBasedSSLConfigurator.java:327) ~[opensearch-security-2.15.0.0.jar:2.15.0.0]
        ... 25 more

The "Caused by" line is the clue: java.security.AccessControlException: access denied ("java.io.FilePermission" ... "read") is raised by the JVM's own SecurityManager policy check, not by the operating system, which is why file mode and selinux had nothing to do with it. Looks like Java has its own security mechanism — the java.policy needed to be updated to grant read access to cacerts (why!?!?!?). Note that this file lives under the JDK bundled with OpenSearch (/opt/elk/opensearch/jdk), so the grant has to be re-applied if that bundled JDK is replaced.

vi /opt/elk/opensearch/jdk/conf/security/java.policy

# Add this permission line inside the existing grant { ... }; block:

    permission java.io.FilePermission "/opt/elk/opensearch/jdk/lib/security/cacerts", "read";