Skip to main content
Mitratech Success Center

Client Support Center

Need help? Click a product group below to select your application and get access to knowledge articles, webinars, training content, and release notes or to contact our support team.

Authorized users - log in to create a ticket, view tickets status and check your success plan details.

 

Enabling Elasticsearch Xpack Security (TCE 6.3)

Integration of xPack 

  1. Put ​xpack.security.enabled: true​ inside ​elasticsearch.yml.
  2. If not have valid SSL certificate(.p12)
    1. Go at ​elasticsearch-7.10.2/bin and open command prompt.
    2. Generate CA certificate by running ​elasticsearch-certutil ca​ command and move according to instruction on command prompt.
    3. Run ​elasticsearch-certutil cert --ca <CA cert.p12>​ ​command and move according to instruction on command prompt.
      • If you want to set hostname run elasticsearch-certutil cert --ca <CA cert.p12> -name "CN=<hostname>,OU=Consulting Team,DC=<hostname>" ​command​. ​We will get a certificate file as the output.
  3. If you have a valid .p12 certificate then you can skip step 2.
  4. Put generated certificates at ​elasticsearch-7.10.2/config/certs.
  5. Put generated certificates at <TeamConnect server folder location>/config/certs
    • Wherever you want the certs to live on the TeamConnect Web Application Server is where you should create this path
      • ie: /opt/mitratech/config/certs on TeamConnect Web App Server
  6. Run elasticsearch.bat file.
  7. Open Command prompt and run the ​elasticsearch-setup-passwords interactive command inside ​elasticsearch-7.10.2/​bin folder and move according to instruction on command prompt. 
  8. Add following properties in ​elasticsearch.yml
    1. xpack.security.transport.ssl.enabled: true
    2. xpack.security.transport.ssl.verification_mode: certificate
    3. xpack.security.transport.ssl.keystore.path: certs/<cert.p12> (generated in step 2.3)
    4. xpack.security.transport.ssl.truststore.path: certs/<cert.p12> (generated in step 2.3)
    5. xpack.security.http.ssl.enabled: true (xpack setting)
    6. xpack.security.http.ssl.keystore.path: certs/<cert.p12> (generated in step 2.3)
    7. xpack.security.http.ssl.truststore.path: certs/<cert.p12> (generated in step 2.3)
    8. xpack.security.http.ssl.client_authentication: optional
    9. discovery.type: single-node
      • (If generated certificate using ​elasticsearch-certutil cert --ca <CA cert.p12> -name "CN=<hostname>,OU=Consulting Team,DC=<hostname> ​command, If not you can skip this property)
  9. At the time of certificate creation If given any password then run the following commands inside ​elasticsearch-7.10.2/bin folder ​(If not given any password you can skip this step)​
    1. elasticsearch-keystore add xpack.security.http.ssl.keystore.secure_password
    2. elasticsearch-keystore add xpack.security.http.ssl.truststore.secure_password
    3. elasticsearch-keystore add xpack.security.transport.ssl.keystore.secure_password
    4. elasticsearch-keystore add xpack.security.transport.ssl.truststore.secure_password
  10. In step 2.3, If you generated certificate using ​elasticsearch-certutil cert --ca <CA cert.p12> -name "CN=<hostname>,OU=Consulting Team,DC=<hostname> ​then do the following changes in elasticsearch.yml:
    1. http.host:<hostname>(should be same as using in command)
    2. transport.host:<hostname>(should be same as using in command)
  11. Restart the elasticsearch.bat
  12. Update the teamconnect.properties settings as follows :
    1. elasticsearch.protocol=https (protocol of Elasticsearch server)
    2. elasticsearch.encryption.enabled.xpack=YES
    3. elasticsearch.client.keystore.password=​BFEPCKKLCBMCKNFIJFGEBHFN (This is the password of keystore given while generating the certificate in step 2.3, password is ​encrypted with encrypt.jar​, ​Example password from section above is "password”.​ If not given any password you can leave it as blank)
    4. elasticsearch.client.truststore.password=BFEPCKKLCBMCKNFIJFGEBHFN (This is the password of truststore given while generating the certificate in step 2.3, password is ​encrypted with encrypt.jar​, ​Example password from section above is "password”.​ If not given any password you can leave it as blank)
    5. elasticsearch.keystore.path=<cert.p12> (where <cert.p12> is the certificate name of your client certificate. For example, "config/certs/​elastic-certificates.p12​")
    6. elasticsearch.truststore.path=<cert.p12> (where <cert.p12> is the certificate name of your client certificate. For example, "config/certs/​elastic-certificates.p12​")
    7. elasticsearch.xpack.ssl.username=elastic ​(Use the same username given while enabling password protection using ​elasticsearch-setup-passwords interactive ​command in step 6​. By default username is elastic)
    8. elasticsearch.xpack.ssl.password=BFEPCKKLCBMCKNFIJFGEBHFN ​(Use the same password given while enabling password protection using elasticsearch-setup-passwords interactive ​command in step 6​. password encrypted with encrypt.jar. Example password from section above is "password").
    9. elasticsearch.bypass.host.setting=NO (In step 2.3, While generating the certificate if you ran ​command then set it NO, If you ran ​elasticsearch-certutil cert --ca <CA cert.p12> -name "CN=<hostname>,OU=Consulting Team,DC=<hostname> ​command the​elasticsearch-certutil cert --ca <CA cert.p12>n​ ​set it Yes). j) elasticsearch.hostname=<hostname>(In step 2.c, If you generated the certificate using ​elasticsearch-certutil cert --ca <CA cert.p12> -name "CN=<hostname>,OU=Consulting Team,DC=<hostname> ​command, hostname should be same as given in command). 

 Note : All password should be encrypted using ​encrypt.jar 
 
 

  • Was this article helpful?