Enabling Elasticsearch Xpack Security (TCE 7.2)
Integration of xPack
- Set xpack.security.enabled: true in elasticsearch.yml.
- If you do not have a valid SSL certificate (.p12):
- Go to elasticsearch-8.6.2/bin and open a command prompt.
- Generate a CA certificate by running elasticsearch-certutil ca and follow the prompts.
- Run elasticsearch-certutil cert --ca <CA cert.p12> and follow the prompts.
- If you want the certificate bound to a hostname, run elasticsearch-certutil cert --ca <CA cert.p12> -name "CN=<hostname>,OU=Consulting Team,DC=<hostname>" instead. Either command writes a certificate file (.p12) as its output.
- If you already have a valid .p12 certificate, skip the certificate-generation steps above.
- Put the generated certificates in elasticsearch-8.6.2/config/certs.
- Put the generated certificates in <TeamConnect server folder location>/config/certs.
- Create this path wherever you want the certs to live on the TeamConnect Web Application Server.
- i.e.: /opt/mitratech/config/certs on the TeamConnect Web App Server.
- Run elasticsearch.bat.
- With the node running, open a command prompt in elasticsearch-8.6.2/bin, run elasticsearch-setup-passwords interactive and follow the prompts. This sets the passwords of the built-in users, including elastic; note the password you give elastic, TeamConnect needs it below.
- Add the following properties to elasticsearch.yml, where <cert.p12> is the certificate generated above (for example elastic-certificates.p12):
- xpack.security.transport.ssl.enabled: true
- xpack.security.transport.ssl.verification_mode: certificate (validates the certificate chain only; hostname checking between nodes is not performed with this mode)
- xpack.security.transport.ssl.keystore.path: certs/<cert.p12>
- xpack.security.transport.ssl.truststore.path: certs/<cert.p12>
- xpack.security.http.ssl.enabled: true
- xpack.security.http.ssl.keystore.path: certs/<cert.p12>
- xpack.security.http.ssl.truststore.path: certs/<cert.p12>
- xpack.security.http.ssl.client_authentication: optional (the node requests a client certificate but still accepts clients without one, which then authenticate with username and password)
- Set client_authentication only if you generated the certificate with the -name "CN=<hostname>,OU=Consulting Team,DC=<hostname>" form; otherwise skip that property.
- If you set a password when creating the certificate, run the following commands in elasticsearch-8.6.2/bin; each one prompts for the password and stores it in the Elasticsearch keystore, which is where these secure settings belong (do not write them into elasticsearch.yml). If you set no password, skip this step.
- elasticsearch-keystore add xpack.security.http.ssl.keystore.secure_password
- elasticsearch-keystore add xpack.security.http.ssl.truststore.secure_password
- elasticsearch-keystore add xpack.security.transport.ssl.keystore.secure_password
- elasticsearch-keystore add xpack.security.transport.ssl.truststore.secure_password
- If you generated the certificate with the -name "CN=<hostname>,OU=Consulting Team,DC=<hostname>" form, also add the following to elasticsearch.yml:
- http.host: <hostname> (must be the same hostname used in the command)
- transport.host: <hostname> (must be the same hostname used in the command)
- Restart elasticsearch.bat.
- Update the teamconnect.properties settings as follows:
- elasticsearch.protocol=https (protocol of the Elasticsearch server)
- elasticsearch.encryption.enabled.xpack=YES
- elasticsearch.client.keystore.password=BFEPCKKLCBMCKNFIJFGEBHFN (the keystore password set when generating the certificate, encrypted with encrypt.jar; the example value is the encrypted form of "password". Leave it blank if no password was set.)
- elasticsearch.client.truststore.password=BFEPCKKLCBMCKNFIJFGEBHFN (the truststore password set when generating the certificate, encrypted with encrypt.jar; the example value is the encrypted form of "password". Leave it blank if no password was set.)
- elasticsearch.keystore.path=<cert.p12> (the path of your client certificate, for example "config/certs/elastic-certificates.p12")
- elasticsearch.truststore.path=<cert.p12> (the path of your client certificate, for example "config/certs/elastic-certificates.p12")
- elasticsearch.xpack.ssl.username=elastic (the user whose password you set with elasticsearch-setup-passwords interactive; by default this is elastic, the built-in superuser)
- elasticsearch.xpack.ssl.password=BFEPCKKLCBMCKNFIJFGEBHFN (that user's password as set with elasticsearch-setup-passwords interactive, encrypted with encrypt.jar; the example value is the encrypted form of "password")
- elasticsearch.bypass.host.setting=NO (NO if you generated the certificate with plain elasticsearch-certutil cert --ca <CA cert.p12>; YES if you used the -name "CN=<hostname>,OU=Consulting Team,DC=<hostname>" form)
- elasticsearch.hostname=<hostname> (only if you generated the certificate with the -name "CN=<hostname>,OU=Consulting Team,DC=<hostname>" form; must be the same hostname given in the command)
Note: all passwords in teamconnect.properties must be encrypted using encrypt.jar.
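As an added check (example code, not part of this procedure and not Mitratech's or Elastic's tooling), the script below parses a flat elasticsearch.yml and teamconnect.properties and reports every place where the two files disagree with the rules above: security and TLS enabled on both layers, stores under config/certs, secure passwords kept out of the yml, HTTPS on the TeamConnect side, and the hostname variant kept consistent across http.host, transport.host, client_authentication, bypass.host.setting and elasticsearch.hostname. Both sample configurations are constructed; the hostname es01.example.internal and the value changeme are placeholders.

```python
"""Cross-check elasticsearch.yml against teamconnect.properties for the X-Pack TLS setup.

Added example, not Mitratech or Elastic code. Only flat "key: value" / "key=value"
lines are understood, which is all this procedure uses.
"""


def parse_kv(text, sep):
    """Parse 'key<sep>value' lines, ignoring blanks and '#' comments (no nested YAML)."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or sep not in line:
            continue
        key, value = line.split(sep, 1)
        out[key.strip()] = value.strip().strip('"')
    return out


def check_config(es_yml, tc_props):
    """Return a list of findings; an empty list means both files follow the procedure."""
    es = parse_kv(es_yml, ":")
    tc = parse_kv(tc_props, "=")
    findings = []

    def es_true(key):
        return es.get(key, "false").lower() == "true"

    # 1. Security and TLS on the transport and HTTP layers, stores under config/certs.
    if not es_true("xpack.security.enabled"):
        findings.append("elasticsearch.yml: xpack.security.enabled must be true")
    for layer in ("transport", "http"):
        if not es_true(f"xpack.security.{layer}.ssl.enabled"):
            findings.append(f"elasticsearch.yml: xpack.security.{layer}.ssl.enabled must be true")
        for store in ("keystore", "truststore"):
            path = es.get(f"xpack.security.{layer}.ssl.{store}.path", "")
            if not (path.startswith("certs/") and path.endswith(".p12")):
                findings.append(f"elasticsearch.yml: xpack.security.{layer}.ssl.{store}.path "
                                f"must be certs/<cert.p12>, got {path!r}")

    # 2. Store passwords go into the Elasticsearch keystore, never into the yml.
    for key in es:
        if key.endswith((".secure_password", ".keystore.password", ".truststore.password")):
            findings.append(f"elasticsearch.yml: {key} must be added with "
                            "'elasticsearch-keystore add', not written to the yml")

    # 3. TeamConnect side: HTTPS, X-Pack encryption, client stores and credentials present.
    if tc.get("elasticsearch.protocol", "").lower() != "https":
        findings.append("teamconnect.properties: elasticsearch.protocol must be https")
    if tc.get("elasticsearch.encryption.enabled.xpack", "").upper() != "YES":
        findings.append("teamconnect.properties: elasticsearch.encryption.enabled.xpack must be YES")
    for key in ("elasticsearch.keystore.path", "elasticsearch.truststore.path"):
        if not tc.get(key, "").endswith(".p12"):
            findings.append(f"teamconnect.properties: {key} must name the client .p12")
    for key in ("elasticsearch.xpack.ssl.username", "elasticsearch.xpack.ssl.password"):
        if not tc.get(key):
            findings.append(f"teamconnect.properties: {key} must be set")

    # 4. Hostname-bound variant: same hostname everywhere, client auth on, bypass YES.
    #    Plain variant: bypass NO.
    hostname = tc.get("elasticsearch.hostname", "")
    bypass = tc.get("elasticsearch.bypass.host.setting", "").upper()
    if hostname:
        for key in ("http.host", "transport.host"):
            if es.get(key) != hostname:
                findings.append(f"elasticsearch.yml: {key} must equal elasticsearch.hostname {hostname!r}")
        if es.get("xpack.security.http.ssl.client_authentication") != "optional":
            findings.append("elasticsearch.yml: xpack.security.http.ssl.client_authentication "
                            "must be optional for a hostname-bound certificate")
        if bypass != "YES":
            findings.append("teamconnect.properties: elasticsearch.bypass.host.setting "
                            "must be YES when elasticsearch.hostname is set")
    elif bypass != "NO":
        findings.append("teamconnect.properties: elasticsearch.bypass.host.setting "
                        "must be NO when no hostname is set")
    return findings


# Constructed samples (placeholders, not real deployments).
HARDENED_ES = """
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: certs/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: certs/elastic-certificates.p12
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: certs/elastic-certificates.p12
xpack.security.http.ssl.truststore.path: certs/elastic-certificates.p12
xpack.security.http.ssl.client_authentication: optional
http.host: es01.example.internal
transport.host: es01.example.internal
"""
HARDENED_TC = """
elasticsearch.protocol=https
elasticsearch.encryption.enabled.xpack=YES
elasticsearch.client.keystore.password=BFEPCKKLCBMCKNFIJFGEBHFN
elasticsearch.client.truststore.password=BFEPCKKLCBMCKNFIJFGEBHFN
elasticsearch.keystore.path=config/certs/elastic-certificates.p12
elasticsearch.truststore.path=config/certs/elastic-certificates.p12
elasticsearch.xpack.ssl.username=elastic
elasticsearch.xpack.ssl.password=BFEPCKKLCBMCKNFIJFGEBHFN
elasticsearch.bypass.host.setting=YES
elasticsearch.hostname=es01.example.internal
"""
# Weak pair: security off, a secure password pasted into the yml, plain HTTP on the client.
WEAK_ES = """
xpack.security.enabled: false
xpack.security.http.ssl.keystore.secure_password: changeme
"""
WEAK_TC = """
elasticsearch.protocol=http
elasticsearch.encryption.enabled.xpack=NO
elasticsearch.bypass.host.setting=NO
elasticsearch.hostname=es01.example.internal
"""

if __name__ == "__main__":
    for label, es, tc in (("hardened", HARDENED_ES, HARDENED_TC), ("weak", WEAK_ES, WEAK_TC)):
        print(label, "->", check_config(es, tc) or "OK")
```

Run it against your real files by reading them into the two strings; the hardened pair reports nothing, the weak pair lists every rule it breaks. The checker encodes the rules of this page only; it does not validate the .p12 contents or the encrypt.jar format of the password values.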