Uploaded image for project: 'PUBLIC - Liferay Documentation'
  1. PUBLIC - Liferay Documentation
  2. LRDOCS-8667

Securing Elasticsearch updates and clarification

    Details

      Description

      1.) In https://learn.liferay.com/dxp/7.x/en/using-search/installing-and-upgrading-a-search-engine/elasticsearch/securing-elasticsearch.html#configure-x-pack-security-on-liferay

      Here it may not be obvious for the reader which DXP version this section refers to. We just say that

      The Elasticsearch connector bundled with Liferay 7.3 includes X-Pack Security support.

      but nothing indicates that the rest of the steps are not needed on 7.3 since there is no XPackSecurity config.

      Update text to indicate this is for DXP 7.2 only.

      2.) In https://learn.liferay.com/dxp/7.x/en/using-search/installing-and-upgrading-a-search-engine/elasticsearch/connecting-to-elasticsearch.html#configuring-the-connector

      Here we say

      Here's an example that includes security properties:

      The problem is that the security steps there are covering PEM format certs, while on DXP 7.3 you can use PKCS #12 or other types listed here: https://docs.oracle.com/javase/8/docs/technotes/guides/security/StandardNames.html#KeyStore. So currently we don't provide all required steps to set-up security in DXP 7.3.

      We should add steps for PKCS #12 format cert generation too or we could use only PKCS#12 format for both DXP 7.2 and 7.3 in the DXP configs. (Actually, if we decide to go with this path, it might may also make sense to use PKCS #12 in the elasticsearch.yml configs too so everywhere we deal with certs and Elasticsearch.)

      1. Create self-signed certificate for the client (Liferay DXP) - PKCS #12
        ./bin/elasticsearch-certutil cert --ca-cert config/certs/ca.crt --ca-pass liferay --name "CN=example.com,OU=Example,DC=example,DC=com" --dns localhost,<your-DNS> --ip <IP-address1>,<IP-address2> --ca-key config/certs/ca.key
        

        ==> elastic-certificates.p12

      2. Example XPackSecurityConfig for DXP 7.2 with PKCS #12:
        sslKeystorePath="/PATH/TO/elastic-certificates.p12"
        sslKeystorePassword="liferay"
        sslTruststorePath="/PATH/TO/elastic-certificates.p12"
        sslTruststorePassword="liferay"
        certificateFormat="PKCS#12"
        requiresAuthentication=B"true"
        username="elastic"
        password="liferay"
        transportSSLVerificationMode="certificate"
        transportSSLEnabled=B"true"
        

        Attachments

          Issue Links

            Activity

              People

              Assignee:
              jr.houn JR Houn
              Reporter:
              tibor.lipusz Tibor Lipusz
              Subject Matter Expert:
              Tibor Lipusz
              Participants of an Issue:
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

                Dates

                Created:
                Updated:
                Resolved:

                  Zendesk Support

                    Packages

                    Version Package
                    7.2.x
                    7.3.x