webMethods Developer Portal, Elasticsearch with SSL

Supported product versions - webMethods Developer Portal 10.11 latest fix, 10.15 fix3 & above


In this tutorial, we will see how to secure the Elasticsearch instance shipped with the Developer Portal installation.


Install Developer Portal version 10.11 or higher.

Steps to follow

Create a temporary folder

[sv@daeapiportal08rh Install]$ mkdir es
[sv@daeapiportal08rh Install]$ cd es/

Create an instance yaml file

Create a file with the following details
[sv@daeapiportal08rh es]$ vi instance.yml

instances:
  - name: 'daeapiportal08rh'
    dns: [ 'daeapiportal08rh.eur.ad.sag' ]


Generate CA and server certificates

Navigate to the Elasticsearch folder (e.g. <installation_loc>/InternalDataStore/) and run the following command.

> Please refer to the comment section below for generating a certificate for webMethods Developer Portal 10.15 fix3 & above

[sv@daeapiportal08rh InternalDataStore]$ bin/elasticsearch-certutil cert --keep-ca-key --pem --in ~/Install/es/instance.yml --out ~/Install/es/certs.zip

Unzip the certificates & copy to ES folder

Unzip the certificates using the following command

unzip certs.zip -d ./certs

Create a folder inside the ES config folder & copy the certificates to it

[sv@daeapiportal08rh config]$ mkdir certs
[sv@daeapiportal08rh config]$ cp ~/Install/es/certs/ca/* ~/Install/es/certs/daeapiportal08rh/* certs/

Configure elasticsearch.yml

Add the following lines to your elasticsearch.yml file and remove the duplicate entries

node.name: daeapiportal08rh.eur.ad.sag
network.host: daeapiportal08rh.eur.ad.sag
xpack.ml.enabled: false
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.http.ssl.key: certs/daeapiportal08rh.key
xpack.security.http.ssl.certificate: certs/daeapiportal08rh.crt
xpack.security.http.ssl.certificate_authorities: certs/ca.crt
xpack.security.transport.ssl.key: certs/daeapiportal08rh.key
xpack.security.transport.ssl.certificate: certs/daeapiportal08rh.crt
xpack.security.transport.ssl.certificate_authorities: certs/ca.crt
discovery.seed_hosts: [ "daeapiportal08rh.eur.ad.sag" ]
cluster.initial_master_nodes: [ "daeapiportal08rh.eur.ad.sag" ]

Start & Set built-in user password

[sv@daeapiportal08rh bin]$ ./startup.sh

Run the following command once ES has started, and store the generated password securely; we will need it later.
./elasticsearch-setup-passwords auto -u "https://daeapiportal08rh.eur.ad.sag:9240"

Access _cat/nodes API via HTTPS

curl --cacert ~/Install/es/certs/ca/ca.crt -u elastic 'https://daeapiportal08rh.eur.ad.sag:9240/_cat/nodes?v'

Add the Elasticsearch HTTPS URL & Basic Auth details in the Developer Portal config file

Add the following details in the config file (<installation_loc>/profiles/CTP/configuration/dpo_wrapper.conf)


Save the file. Then, add the certificate to the Developer Portal JVM (<installation_loc>/jvm/jvm/lib/security/cacerts).

Restart the CTP server (<installation_loc>/profiles/CTP/bin).

Now you should be able to access the Developer Portal UI without any issue.
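
A pre-flight check for the PEM files referenced in elasticsearch.yml above, useful before the startup step or when the curl call or the Developer Portal fails the TLS handshake. This is an added example, not part of the original tutorial; the function names check_node_cert and make_demo_certs are hypothetical, and it assumes the openssl command-line tool is installed.

```shell
#!/bin/sh
# Added example: verify CA chain, key/cert pairing and hostname coverage.
# Usage from the ES config folder (paths as used in this tutorial):
#   check_node_cert certs/ca.crt certs/daeapiportal08rh.crt \
#       certs/daeapiportal08rh.key daeapiportal08rh.eur.ad.sag

# Returns 0 if all checks pass; 1 = not signed by the CA, 2 = key/cert
# mismatch, 3 = hostname not covered by the certificate.
check_node_cert() {
  cnc_ca=$1; cnc_crt=$2; cnc_key=$3; cnc_host=$4

  # 1. The node certificate must chain to the CA in certificate_authorities.
  if ! openssl verify -CAfile "$cnc_ca" "$cnc_crt" >/dev/null 2>&1; then
    echo "FAIL: $cnc_crt is not signed by $cnc_ca"; return 1
  fi

  # 2. The private key must belong to the certificate (compare public keys).
  cnc_pub_crt=$(openssl x509 -in "$cnc_crt" -noout -pubkey | openssl sha256)
  cnc_pub_key=$(openssl pkey -in "$cnc_key" -pubout 2>/dev/null | openssl sha256)
  if [ "$cnc_pub_crt" != "$cnc_pub_key" ]; then
    echo "FAIL: $cnc_key does not match $cnc_crt"; return 2
  fi

  # 3. The name clients connect to must be in the certificate; otherwise
  #    curl --cacert and the Developer Portal JVM reject the connection.
  if ! openssl x509 -in "$cnc_crt" -noout -checkhost "$cnc_host" |
       grep -q "does match"; then
    echo "FAIL: $cnc_crt does not cover $cnc_host"; return 3
  fi
  echo "OK: $cnc_crt"
}

# Constructed sample input: a throwaway CA and node certificate written to
# directory $1 for host $2, standing in for the unzipped certs.zip contents.
make_demo_certs() {
  mdc_d=$1
  printf '[req]\ndistinguished_name=dn\nx509_extensions=ca\n[dn]\nCN=unused\n[ca]\nbasicConstraints=critical,CA:TRUE\n' > "$mdc_d/req.cnf"
  printf 'subjectAltName=DNS:%s\n' "$2" > "$mdc_d/san.cnf"
  openssl req -x509 -config "$mdc_d/req.cnf" -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=demo-ca" -keyout "$mdc_d/ca.key" -out "$mdc_d/ca.crt" 2>/dev/null &&
  openssl req -new -config "$mdc_d/req.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=demo-node" -keyout "$mdc_d/node.key" -out "$mdc_d/node.csr" 2>/dev/null &&
  openssl x509 -req -in "$mdc_d/node.csr" -CA "$mdc_d/ca.crt" -CAkey "$mdc_d/ca.key" \
    -CAcreateserial -days 1 -extfile "$mdc_d/san.cnf" -out "$mdc_d/node.crt" 2>/dev/null
}
```

A return code of 3 usually means the dns entry in instance.yml does not match the host name used in network.host and in the HTTPS URL.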

Thanks for the article, it got me what I needed.

Just one issue.

--keep-ca-key wasn’t supported on 10.15 / Elasticsearch 8.2.3
I ran:
elasticsearch-certutil ca --out ~/install/es/elastic-stack-ca.p12
elasticsearch-certutil cert --ca ~/install/es/elastic-stack-ca.p12 --pem --in ~/install/es/instance.yml --out ~/install/es/certs.zip
openssl pkcs12 -in ~/install/es/elastic-stack-ca.p12 -nodes -out ~/install/es/ca.key -nocerts
openssl pkcs12 -in ~/install/es/elastic-stack-ca.p12 -clcerts -nokeys -out ~/install/es/ca.crt

Which got me the certificates in the formats I needed.