Details

      Description

      Auth/SSL steps

      go to es_home in terminal

      FOR PEM:

      generate "ca.zip" - certificate authority private key & SSL certificate
       $ bin/elasticsearch-certutil ca -pem
      unzip ca.zip
      generate "truststore.jks" - import the CA certificate into the truststore
       $ keytool -import -alias ca -file ca/ca.crt -keystore truststore.jks
       > asks user to create a password for the truststore (use "liferay")
      generate "cert.zip" - private key & ssl certificate used for the server & client
       $ bin/elasticsearch-certutil cert -ca-cert ca/ca.crt -ca-key ca/ca.key -name localhost -pem
      unzip cert.zip
      
      WITHOUT CLIENT SSL AUTH - add the server/client certificate to the truststore
       $ keytool -importcert -alias localhost -file localhost/localhost.crt -keystore truststore.jks 
       > asks for password (enter "liferay")
      WITH CLIENT SSL AUTH - add the server/client certificate and key to the truststore
      convert PEM files to PKCS12 keystore
       $ openssl pkcs12 -export -in localhost/localhost.crt -inkey localhost/localhost.key -name localhost -out converted.p12
      import pkcs12 keystore into truststore
       $ keytool -importkeystore -deststorepass liferay -destkeystore truststore.jks -srckeystore converted.p12 -srcstoretype pkcs12
      in elasticsearch.yml, set 
       xpack.security.http.ssl.client_authentication: required
      
      move localhost folder inside es_home/config/certs dir
      move ca folder inside es_home/config/certs dir
      in elasticsearch.yml, set 
       xpack.security.http.ssl.key: /path/to/es_home/config/certs/localhost/localhost.key 
       xpack.security.http.ssl.certificate: /path/to/es_home/config/certs/localhost/localhost.crt 
       xpack.security.http.ssl.certificate_authorities: [ "/path/to/es_home/config/certs/ca/ca.crt" ]
      in com.liferay.portal.search.elasticsearch7.configuration.ElasticsearchConfiguration.config, set
       truststoreType = "jks"
       truststorePath="/path/to/es_home/truststore.jks"
      

       

      FOR PKCS12:

      generate "localhost.p12" CA with private key & SSL certificate for the server & client
       $ bin/elasticsearch-certutil cert -name localhost
       > enter password "liferay"
      
      move localhost.p12 to es_home/config/certs
      
      in elasticsearch.yml, set 
       xpack.security.http.ssl.keystore.path: certs/localhost.p12 
       xpack.security.http.ssl.keystore.password: liferay
       xpack.security.http.ssl.truststore.path: certs/localhost.p12 
       xpack.security.http.ssl.truststore.password: liferay
      optional, if CLIENT SSL AUTH wanted, set
       xpack.security.http.ssl.client_authentication: required
      
      in com.liferay.portal.search.elasticsearch7.configuration.ElasticsearchConfiguration.config, set
       truststoreType = "pkcs12"
       truststorePath = "/path/to/es_home/config/certs/localhost.p12"
      

      in elasticsearch.yml, set

      xpack.security.enabled: true

      start up elastic

      set credentials/passwords:

       $ bin/elasticsearch-setup-passwords interactive
       > use "liferay" for all passwords
      

      stop elastic

      in elasticsearch.yml, set
      xpack.security.http.ssl.enabled: true

      start elastic

      in com.liferay.portal.search.elasticsearch7.configuration.ElasticsearchConfiguration.config, set

       networkHostAddresses = [ "https://localhost:9200" ]
       authenticationEnabled = B"true"
       username = "elastic"
       password = "liferay"
       httpSSLEnabled = B"true"
       truststorePassword = "liferay"
      

      start portal
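
Added example, not part of the original ticket: a small lint for elasticsearch.yml that checks the settings from the steps above are consistent before Elasticsearch is restarted. The function names (es_get, check_es_tls) and the sample file are constructed for illustration, and only flat `key: value` lines as written in this ticket are handled.

```sh
#!/bin/sh
# Added example: lint elasticsearch.yml for the HTTP TLS settings used in the steps above.
P=xpack.security.http.ssl

# es_get FILE KEY: print the value of a flat "key: value" line (commented lines are skipped).
es_get() {
  k=$(printf '%s' "$2" | sed 's/\./\\./g')
  sed -n "s/^[[:space:]]*$k[[:space:]]*:[[:space:]]*//p" "$1" | sed 's/[[:space:]]*$//' | head -n 1
}

fail() { echo "FAIL: $*"; bad=$((bad + 1)); }

# check_es_tls FILE: return the number of problems found (0 = consistent).
check_es_tls() {
  f=$1; bad=0
  [ "$(es_get "$f" xpack.security.enabled)" = true ] || fail "xpack.security.enabled is not true"
  [ "$(es_get "$f" "$P.enabled")" = true ] || fail "$P.enabled is not true"
  key=$(es_get "$f" "$P.key"); crt=$(es_get "$f" "$P.certificate")
  cas=$(es_get "$f" "$P.certificate_authorities")
  ks=$(es_get "$f" "$P.keystore.path"); ts=$(es_get "$f" "$P.truststore.path")
  if [ -n "$ks" ]; then                       # PKCS12 variant
    [ -z "$key$crt" ] || fail "PEM key/certificate set together with keystore.path"
  elif [ -z "$key" ] || [ -z "$crt" ]; then   # PEM variant needs both halves
    fail "set both $P.key and $P.certificate, or $P.keystore.path"
  fi
  if [ "$(es_get "$f" "$P.client_authentication")" = required ] && [ -z "$cas$ts" ]; then
    fail "client_authentication is required but no CA or truststore is configured"
  fi
  [ "$bad" -eq 0 ] && echo "OK: $f"
  return "$bad"
}

# Constructed sample: the PEM variant with the final ssl.enabled step forgotten.
sample=$(mktemp)
cat > "$sample" <<'EOF'
xpack.security.enabled: true
xpack.security.http.ssl.key: /path/to/es_home/config/certs/localhost/localhost.key
xpack.security.http.ssl.certificate: /path/to/es_home/config/certs/localhost/localhost.crt
xpack.security.http.ssl.certificate_authorities: [ "/path/to/es_home/config/certs/ca/ca.crt" ]
xpack.security.http.ssl.client_authentication: required
EOF
check_es_tls "$sample" || echo "$? problem(s) in sample"
rm -f "$sample"
```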


              People

              • Assignee:
                brian.chan Brian Chan
                Reporter:
                annie.wu Annie Wu
                Recent user:
                Tibor Lipusz

                  Packages

                  Version Package
                  Master