webMethods Developer portal, elastic search with SSL

Supported products versions - webMethods Developer Portal 10.11 fix21 & above,10.15 fix3 & above


In this tutorial, we are going to see how we can secure the elastic search shipped along with the Developer portal installation.


Install Developer Portal version 10.11 or higher.

Steps to follow

Create tmp folder

[sv@daeapiportal08rh Install]$ mkdir es
[sv@daeapiportal08rh Install]$ cd es/

Create an instance yaml file

Create a file with the following details
[sv@daeapiportal08rh es]$ vi instance.yml

  - name: 'daeapiportal08rh'
    dns: [ 'daeapiportal08rh.eur.ad.sag' ]


Generate CA and server certificates

Navigate to the elastic search folder (e.g : ES location <instlation_loc>/InternalDataStore/) run the following command

> Please refer the comment section below for generating a certificate for webMethods Developer Portal 10.15 fix3 & above

[sv@daeapiportal08rh InternalDataStore]$ bin/elasticsearch-certutil cert --keep-ca-key --pem --in ~/Install/es/instance.yml --out ~/Install/es/certs.zip

Unzip the certificates & copy to ES folder

Unzip the certificates using the following command

unzip certs.zip -d ./certs

Create a folder inside ES folder & copy the certificates to it

[sv@daeapiportal08rh config]$ mkdir certs
[sv@daeapiportal08rh config]$ cp ~/Install/es/certs/ca/* ~/Install/es/certs/daeapiportal08rh/* certs/

Configure elasticsearch.yml

Add the following lines to your elasticsearch.yml file and remove the duplicate entries

The network.host needs to be changed to the hostname

node.name: daeapiportal08rh.eur.ad.sag
network.host: daeapiportal08rh.eur.ad.sag
xpack.ml.enabled: false
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.http.ssl.key: certs/daeapiportal08rh.key
xpack.security.http.ssl.certificate: certs/daeapiportal08rh.crt
xpack.security.http.ssl.certificate_authorities: certs/ca.crt
xpack.security.transport.ssl.key: certs/daeapiportal08rh.key
xpack.security.transport.ssl.certificate: certs/daeapiportal08rh.crt
xpack.security.transport.ssl.certificate_authorities: certs/ca.crt
discovery.seed_hosts: [ "daeapiportal08rh.eur.ad.sag" ]
cluster.initial_master_nodes: [ "daeapiportal08rh.eur.ad.sag" ]

Start & Set built-in user password

[sv@daeapiportal08rh bin]$ ./startup.sh

Run the following command once the ES is started, secure the password somewhere we will need it later.
./elasticsearch-setup-passwords auto -u "https://daeapiportal08rh.eur.ad.sag:9240"

Access _cat/nodes API via HTTPS

curl --cacert ~/Install/es/certs/ca/ca.crt -u elastic 'https://daeapiportal08rh.eur.ad.sag:9240/_cat/nodes?v'

Add the elastic search https url & Basic Auth details in Developer portal config file

Add the following details in the config(<installation_loc>/profiles/CTP/configuration/dpo_wrapper.conf) file

Developer Potal 10.11


Developer Potal 10.15


Save the file. Then, add the certificate to the Developer Portal JVM (<installation_loc>/jvm/jvm/lib/security/cacerts).

restart the CTP server(<installation_loc>/profiles/CTP/bin) .

Now you should able to access the Developer Portal UI without any issue.

Useful links | Relevant resources

Configuring SSL, TLS, and HTTPS to secure Elasticsearch, Kibana, Beats, and Logstash | Elastic Blog



thanks for the article, it got me what I needed.

Just one issue.

–keep-ca-key wasn’t supported on 10.15 / Elasticsearch 8.2.3
I ran:
elasticsearch-certutil ca --out ~/install/es/elastic-stack-ca.p12
elasticsearch-certutil cert --ca ~/install/es/elastic-stack-ca.p12 --pem --in ~/install/es/instance.yml --out ~/install/es/certs.zip
openssl pkcs12 -in ~/install/es/elastic-stack-ca.p12 -nodes -out ~/install/es/ca.key -nocerts
openssl pkcs12 -in ~/install/es/elastic-stack-ca.p12 -clcerts -nokeys -out ~/install/es/ca.crt

Which got me the certificates in the formats I needed.


It is possible to cofigure ES 7.13.0 (API Data Store 10.11) with XPack without exposing private key, keystore and truststore password.
Below setup was successfully tested with API Data Store 10.11 Fix 3, it uses the same SSL certificate for ES transport port and ES HTTP port - SSL hostname verification is disabled (same as in the article):

  • generate your own ES server certificate (signed by CA or selfsigned) that is stored in JKS keystore - see example https://documentation.softwareag.com/webmethods/api_gateway/yai10-11/10-11_API_Gateway_webhelp/index.html#page/yai-webhelp%2Fta-create_truststore_self_signed_certificates.html%23
    – set the same password for keystore and key
  • you should have
    – JKS keystore containing ES server private/public key pair - either signed by CA or selfsigned
    – JKS truststore containing root CA of the ES server certificate or public key of the selfsigned certificate
    optional - exported public key of the ES server certificate in PEM format - this certificate is not needed for the ES setup but it is needed for Kibana
  • add following properties to elasticsearch.yml
    xpack.security.enabled: true
    xpack.security.transport.ssl.enabled: true
    xpack.security.transport.ssl.verification_mode: certificate
    xpack.security.transport.ssl.client_authentication: required
    xpack.security.transport.ssl.keystore.path: <path to keystore>
    xpack.security.transport.ssl.truststore.path: <path to truststore>
    xpack.security.http.ssl.enabled: true
    xpack.security.http.ssl.keystore.path: <path to keystore>
  • store keystore and truststore password to ES secure keystore
    ./bin/elasticsearch-keystore add xpack.security.transport.ssl.keystore.secure_password
    ./bin/elasticsearch-keystore add xpack.security.transport.ssl.truststore.secure_password
    ./bin/elasticsearch-keystore add xpack.security.http.ssl.keystore.secure_password
  • start ES

“add the certificate to the Developer Portal JVM (<installation_loc>/jvm/jvm/lib/security/cacerts”

how to add it this certificate to carcerts ?

We used ‘keytool explorer’ UI for that.

You can try the below command:
keytool -import -trustcacerts -alias <alias_name> -file -keystore

Eg: keytool -import -trustcacerts -alias mdecert -file C:\temp\mdeCert.cer -keystore cacerts

In my case its showing command prompt enter keystore password.
I don’t know that password

dou you having same thing ?

Can you please try ‘changeit’?

Oh yes, that works.

Thanks you Shuda Velan

It is also possible to create a custom location for the cacerts by setting:
dpo_wrapper.conf (<inst_dir>/profiles/CTP/configuration) as follows.

This prevents a java update to overwrite the cacerts File with the custom ssl certificates.
Caution: this also requires to manually update the custom cacerts to get current certificates.