webMethods Developer Portal, Elasticsearch with SSL

Supported product versions: webMethods Developer Portal 10.11 latest fix, 10.15 fix3 & above

Introduction

In this tutorial, we will see how to secure the Elasticsearch instance shipped with the Developer Portal installation.

Pre-requisite

Install Developer Portal version 10.11 or higher.

Steps to follow

Create a temporary folder

[sv@daeapiportal08rh Install]$ mkdir es
[sv@daeapiportal08rh Install]$ cd es/

Create an instance yaml file

Create a file with the following details:
[sv@daeapiportal08rh es]$ vi instance.yml

instances:
  - name: 'daeapiportal08rh'
    dns: [ 'daeapiportal08rh.eur.ad.sag' ]

Generate CA and server certificates

Navigate to the Elasticsearch folder (e.g. <installation_loc>/InternalDataStore/) and run the following command.

> Please refer to the comment section below for generating a certificate for webMethods Developer Portal 10.15 fix3 & above

[sv@daeapiportal08rh InternalDataStore]$ bin/elasticsearch-certutil cert --keep-ca-key --pem --in ~/Install/es/instance.yml --out ~/Install/es/certs.zip

Unzip the certificates & copy to ES folder

Unzip the certificates using the following command

unzip certs.zip -d ./certs

Create a folder inside the ES config folder & copy the certificates to it

[sv@daeapiportal08rh config]$ mkdir certs
[sv@daeapiportal08rh config]$ cp ~/Install/es/certs/ca/* ~/Install/es/certs/daeapiportal08rh/* certs/

Configure elasticsearch.yml

Add the following lines to your elasticsearch.yml file and remove any duplicate entries:

node.name: daeapiportal08rh.eur.ad.sag
network.host: daeapiportal08rh.eur.ad.sag
xpack.ml.enabled: false
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.http.ssl.key: certs/daeapiportal08rh.key
xpack.security.http.ssl.certificate: certs/daeapiportal08rh.crt
xpack.security.http.ssl.certificate_authorities: certs/ca.crt
xpack.security.transport.ssl.key: certs/daeapiportal08rh.key
xpack.security.transport.ssl.certificate: certs/daeapiportal08rh.crt
xpack.security.transport.ssl.certificate_authorities: certs/ca.crt
discovery.seed_hosts: [ "daeapiportal08rh.eur.ad.sag" ]
cluster.initial_master_nodes: [ "daeapiportal08rh.eur.ad.sag" ]

Start & Set built-in user password

[sv@daeapiportal08rh bin]$ ./startup.sh

Run the following command once ES has started. Store the password securely; we will need it later.
./elasticsearch-setup-passwords auto -u "https://daeapiportal08rh.eur.ad.sag:9240"

Access _cat/nodes API via HTTPS

curl --cacert ~/Install/es/certs/ca/ca.crt -u elastic 'https://daeapiportal08rh.eur.ad.sag:9240/_cat/nodes?v'

Add the Elasticsearch HTTPS URL & Basic Auth details to the Developer Portal config file

Add the following details to the config file (<installation_loc>/profiles/CTP/configuration/dpo_wrapper.conf):

wrapper.java.additional.2000=-Dspring.elasticsearch.uris=https://daeapiportal08rh.eur.ad.sag:9240
wrapper.java.additional.2006=-Dspring.elasticsearch.username=elastic
wrapper.java.additional.2007=-Dspring.elasticsearch.password=m8XnkjtqoyOLVgnU9qU5

Save the file. Then, add the certificate to the Developer Portal JVM (<installation_loc>/jvm/jvm/lib/security/cacerts).

Restart the CTP server (<installation_loc>/profiles/CTP/bin).

Now you should be able to access the Developer Portal UI without any issue.

Useful links | Relevant resources

Configuring SSL, TLS, and HTTPS to secure Elasticsearch, Kibana, Beats, and Logstash | Elastic Blog

Hi,

thanks for the article, it got me what I needed.

Just one issue.

--keep-ca-key wasn’t supported on 10.15 / Elasticsearch 8.2.3
I ran:
elasticsearch-certutil ca --out ~/install/es/elastic-stack-ca.p12
then:
elasticsearch-certutil cert --ca ~/install/es/elastic-stack-ca.p12 --pem --in ~/install/es/instance.yml --out ~/install/es/certs.zip
then:
openssl pkcs12 -in ~/install/es/elastic-stack-ca.p12 -nodes -out ~/install/es/ca.key -nocerts
finally:
openssl pkcs12 -in ~/install/es/elastic-stack-ca.p12 -clcerts -nokeys -out ~/install/es/ca.crt

Which got me the certificates in the formats I needed.
