webMethods Developer Portal, Elasticsearch with SSL

Supported product versions: webMethods Developer Portal 10.11 fix21 & above, 10.15 fix3 & above

Introduction

In this tutorial we look at how to secure the Elasticsearch instance shipped with the Developer Portal installation by enabling TLS and authentication on it.

Prerequisite

Install Developer Portal version 10.11 or higher.

Steps to follow

Create a temporary folder

[sv@daeapiportal08rh Install]$ mkdir es
[sv@daeapiportal08rh Install]$ cd es/

Create an instances YAML file

Create a file with the following content (use your own host name and DNS name):
[sv@daeapiportal08rh es]$ vi instance.yml

instances:
  - name: 'daeapiportal08rh'
    dns: [ 'daeapiportal08rh.eur.ad.sag' ]


Generate CA and server certificates

Navigate to the Elasticsearch folder (e.g. <installation_loc>/InternalDataStore/) and run the following command

> Please refer to the comment section below for generating a certificate for webMethods Developer Portal 10.15 fix3 & above

[sv@daeapiportal08rh InternalDataStore]$ bin/elasticsearch-certutil cert --keep-ca-key --pem --in ~/Install/es/instance.yml --out ~/Install/es/certs.zip

Unzip the certificates & copy them to the ES folder

Unzip the certificates using the following command

unzip certs.zip -d ./certs

Create a certs folder inside the ES config folder & copy the CA and server certificates into it

[sv@daeapiportal08rh config]$ mkdir certs
[sv@daeapiportal08rh config]$ cp ~/Install/es/certs/ca/* ~/Install/es/certs/daeapiportal08rh/* certs/

Configure elasticsearch.yml

Add the following lines to your elasticsearch.yml file and remove any entries that are now duplicated (the shipped file may already set some of these keys).

Replace daeapiportal08rh.eur.ad.sag with your own host name; network.host must be set to the host name that matches the DNS name in the certificate.

node.name: daeapiportal08rh.eur.ad.sag
network.host: daeapiportal08rh.eur.ad.sag
xpack.ml.enabled: false
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.http.ssl.key: certs/daeapiportal08rh.key
xpack.security.http.ssl.certificate: certs/daeapiportal08rh.crt
xpack.security.http.ssl.certificate_authorities: certs/ca.crt
xpack.security.transport.ssl.key: certs/daeapiportal08rh.key
xpack.security.transport.ssl.certificate: certs/daeapiportal08rh.crt
xpack.security.transport.ssl.certificate_authorities: certs/ca.crt
discovery.seed_hosts: [ "daeapiportal08rh.eur.ad.sag" ]
cluster.initial_master_nodes: [ "daeapiportal08rh.eur.ad.sag" ]

Start & Set built-in user password

[sv@daeapiportal08rh bin]$ ./startup.sh

Once ES is started, run the following command and store the generated passwords securely; the password of the elastic user is needed later.
./elasticsearch-setup-passwords auto -u "https://daeapiportal08rh.eur.ad.sag:9240"

Verify the setup by accessing the _cat/nodes API via HTTPS

curl --cacert ~/Install/es/certs/ca/ca.crt -u elastic 'https://daeapiportal08rh.eur.ad.sag:9240/_cat/nodes?v'

Add the Elasticsearch HTTPS URL & Basic Auth details to the Developer Portal config file

Add the following properties to the config file (<installation_loc>/profiles/CTP/configuration/dpo_wrapper.conf), using the elastic password generated above

Developer Portal 10.11

wrapper.java.additional.2000=-Dspring.elasticsearch.rest.uris=https://daeapiportal08rh.eur.ad.sag:9240
wrapper.java.additional.2006=-Dspring.elasticsearch.rest.username=elastic
wrapper.java.additional.2007=-Dspring.elasticsearch.rest.password=nx21CrpWs4PG9yGKmxEo

Developer Portal 10.15

wrapper.java.additional.2000=-Dspring.elasticsearch.uris=https://daeapiportal08rh.eur.ad.sag:9240
wrapper.java.additional.2006=-Dspring.elasticsearch.username=elastic
wrapper.java.additional.2007=-Dspring.elasticsearch.password=m8XnkjtqoyOLVgnU9qU5

Save the file. Then add the CA certificate to the Developer Portal JVM trust store (<installation_loc>/jvm/jvm/lib/security/cacerts).
Eg:
cd C:\SAG_Portal\jvm\jvm
keytool -import -alias <alias_name> -file …..\InternalDataStore\config\certs\ca.crt -keystore lib\security\cacerts

Restart the CTP server (<installation_loc>/profiles/CTP/bin).

Now you should be able to access the Developer Portal UI without any issue.

Useful links | Relevant resources

Configuring SSL, TLS, and HTTPS to secure Elasticsearch, Kibana, Beats, and Logstash | Elastic Blog


Hi,

thanks for the article, it got me what I needed.

Just one issue.

--keep-ca-key wasn’t supported on 10.15 / Elasticsearch 8.2.3
I ran:
elasticsearch-certutil ca --out ~/install/es/elastic-stack-ca.p12
then:
elasticsearch-certutil cert --ca ~/install/es/elastic-stack-ca.p12 --pem --in ~/install/es/instance.yml --out ~/install/es/certs.zip
then:
openssl pkcs12 -in ~/install/es/elastic-stack-ca.p12 -nodes -out ~/install/es/ca.key -nocerts
finally:
openssl pkcs12 -in ~/install/es/elastic-stack-ca.p12 -clcerts -nokeys -out ~/install/es/ca.crt

Which got me the certificates in the formats I needed.


Hi,
It is possible to configure ES 7.13.0 (API Data Store 10.11) with X-Pack without exposing the private key, keystore and truststore password.
The setup below was successfully tested with API Data Store 10.11 Fix 3; it uses the same SSL certificate for the ES transport port and the ES HTTP port, and SSL hostname verification is disabled (same as in the article):

  • generate your own ES server certificate (signed by CA or selfsigned) that is stored in JKS keystore - see example https://documentation.softwareag.com/webmethods/api_gateway/yai10-11/10-11_API_Gateway_webhelp/index.html#page/yai-webhelp%2Fta-create_truststore_self_signed_certificates.html%23
    – set the same password for keystore and key
  • you should have
    – JKS keystore containing ES server private/public key pair - either signed by CA or selfsigned
    – JKS truststore containing root CA of the ES server certificate or public key of the selfsigned certificate
    optional - exported public key of the ES server certificate in PEM format - this certificate is not needed for the ES setup but it is needed for Kibana
  • add the following properties to elasticsearch.yml
    xpack.security.enabled: true
    xpack.security.transport.ssl.enabled: true
    xpack.security.transport.ssl.verification_mode: certificate
    xpack.security.transport.ssl.client_authentication: required
    xpack.security.transport.ssl.keystore.path: <path to keystore>
    xpack.security.transport.ssl.truststore.path: <path to truststore>
    xpack.security.http.ssl.enabled: true
    xpack.security.http.ssl.keystore.path: <path to keystore>
  • store the keystore and truststore passwords in the ES secure keystore
    ./bin/elasticsearch-keystore add xpack.security.transport.ssl.keystore.secure_password
    ./bin/elasticsearch-keystore add xpack.security.transport.ssl.truststore.secure_password
    ./bin/elasticsearch-keystore add xpack.security.http.ssl.keystore.secure_password
  • start ES
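A pre-flight check for an edited elasticsearch.yml, covering both the PEM-file setup from the article and the JKS keystore variant above. This is an added example, not code from the article, the commenter, or the Developer Portal / Elasticsearch tooling; it assumes that key, certificate and keystore paths in the file are relative to the config directory, as in both snippets.

```shell
#!/bin/sh
# Pre-flight check for an edited elasticsearch.yml (added example, not part of the
# Developer Portal or Elasticsearch tooling). Reports duplicate top-level keys (the
# article says to remove them), required xpack settings that are missing or wrong,
# and a private key or keystore that other users can read. Exit 0 means all passed.

# Required settings per variant: "pem" is the file-based setup from the article,
# "keystore" the JKS setup from the comment. "key=-" means any value is accepted.
REQ_PEM="xpack.security.enabled=true xpack.security.http.ssl.enabled=true \
xpack.security.transport.ssl.enabled=true xpack.security.http.ssl.key=- \
xpack.security.http.ssl.certificate=- xpack.security.http.ssl.certificate_authorities=- \
xpack.security.transport.ssl.key=- xpack.security.transport.ssl.certificate=- \
xpack.security.transport.ssl.certificate_authorities=-"
REQ_KEYSTORE="xpack.security.enabled=true xpack.security.transport.ssl.enabled=true \
xpack.security.transport.ssl.keystore.path=- xpack.security.transport.ssl.truststore.path=- \
xpack.security.http.ssl.enabled=true xpack.security.http.ssl.keystore.path=-"

# setting_value FILE KEY: prints the value of the first top-level "KEY: value" line
setting_value() {
  sed -e 's/#.*//' "$1" | grep "^$2:" | head -n 1 |
    sed -e 's/^[^:]*:[[:space:]]*//' -e 's/[[:space:]]*$//'
}

# check_es_yml FILE VARIANT   (VARIANT is "pem" or "keystore")
check_es_yml() {
  file=$1; variant=$2; rc=0; confdir=$(dirname "$file")
  # 1. duplicate top-level keys
  for k in $(sed -e 's/#.*//' "$file" | grep '^[A-Za-z][^:]*:' | cut -d: -f1 | sort | uniq -d); do
    echo "DUPLICATE: $k"; rc=1
  done
  [ "$variant" = keystore ] && req=$REQ_KEYSTORE || req=$REQ_PEM
  for spec in $req; do
    key=${spec%%=*}; want=${spec#*=}; val=$(setting_value "$file" "$key")
    # 2. required key present and, where the value is fixed, set as expected
    if [ -z "$val" ]; then echo "MISSING: $key"; rc=1
    elif [ "$want" != - ] && [ "$val" != "$want" ]; then echo "WRONG: $key is '$val', expected $want"; rc=1
    fi
    # 3. private key / keystore (path relative to the config dir) must not be world-readable
    case $key in *.key|*.keystore.path)
      f=$confdir/$val
      [ -f "$f" ] && [ -n "$(find "$f" -perm -004)" ] && { echo "WORLD-READABLE: $f"; rc=1; }
    esac
  done
  return $rc
}
```

Source the script and run `check_es_yml <installation_loc>/InternalDataStore/config/elasticsearch.yml pem` (or `keystore`) before starting ES; a non-zero exit lists what to fix.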

“add the certificate to the Developer Portal JVM (<installation_loc>/jvm/jvm/lib/security/cacerts”

How do I add this certificate to cacerts?

We used ‘keytool explorer’ UI for that.

You can try the below command:
keytool -import -trustcacerts -alias <alias_name> -file <certificate_file> -keystore <keystore_path>

Eg: keytool -import -trustcacerts -alias mdecert -file C:\temp\mdeCert.cer -keystore cacerts

In my case it shows a prompt to enter the keystore password.
I don’t know that password.

Do you have the same thing?

Can you please try ‘changeit’?

Oh yes, that works.

Thank you, Shuda Velan

It is also possible to use a custom location for the cacerts by setting the following in
dpo_wrapper.conf (<inst_dir>/profiles/CTP/configuration):
wrapper.java.additional.XXXX=-Djavax.net.ssl.trustStore=/path/to/custom/cacerts

This prevents a Java update from overwriting the cacerts file containing the custom SSL certificates.
Caution: this also requires manually updating the custom cacerts to get current certificates.