Supported products versions - webMethods Developer Portal 10.11 latest fix,10.15 fix3 & above
Introduction
In this tutorial, we are going to see how we can secure the elastic search shipped along with the Developer portal installation.
Pre-requisite
Install Developer Portal version 10.11 or higher.
Steps to follow
Create tmp folder
[sv@daeapiportal08rh Install]$ mkdir es
[sv@daeapiportal08rh Install]$ cd es/
Create an instance yaml file
Create a file with the following details
[sv@daeapiportal08rh es]$ vi instance.yml
instances:
- name: 'daeapiportal08rh'
dns: [ 'daeapiportal08rh.eur.ad.sag' ]
Generate CA and server certificates
Navigate to the elastic search folder (e.g : ES location <instlation_loc>/InternalDataStore/) run the following command
> Please refer the comment section below for generating a certificate for webMethods Developer Portal 10.15 fix3 & above
[sv@daeapiportal08rh InternalDataStore]$ bin/elasticsearch-certutil cert --keep-ca-key --pem --in ~/Install/es/instance.yml --out ~/Install/es/certs.zip
Unzip the certificates & copy to ES folder
Unzip the certificates using the following command
unzip certs.zip -d ./certs
Create a folder inside ES folder & copy the certificates to it
[sv@daeapiportal08rh config]$ mkdir certs
[sv@daeapiportal08rh config]$ cp ~/Install/es/certs/ca/* ~/Install/es/certs/daeapiportal08rh/* certs/
Configure elasticsearch.yml
Add the following lines to your elasticsearch.yml file and remove the duplicate entries
node.name: daeapiportal08rh.eur.ad.sag
network.host: daeapiportal08rh.eur.ad.sag
xpack.ml.enabled: false
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.http.ssl.key: certs/daeapiportal08rh.key
xpack.security.http.ssl.certificate: certs/daeapiportal08rh.crt
xpack.security.http.ssl.certificate_authorities: certs/ca.crt
xpack.security.transport.ssl.key: certs/daeapiportal08rh.key
xpack.security.transport.ssl.certificate: certs/daeapiportal08rh.crt
xpack.security.transport.ssl.certificate_authorities: certs/ca.crt
discovery.seed_hosts: [ "daeapiportal08rh.eur.ad.sag" ]
cluster.initial_master_nodes: [ "daeapiportal08rh.eur.ad.sag" ]
Start & Set built-in user password
[sv@daeapiportal08rh bin]$ ./startup.sh
Run the following command once the ES is started, secure the password somewhere we will need it later.
./elasticsearch-setup-passwords auto -u "https://daeapiportal08rh.eur.ad.sag:9240"
Access _cat/nodes API via HTTPS
curl --cacert ~/Install/es/certs/ca/ca.crt -u elastic 'https://daeapiportal08rh.eur.ad.sag:9240/_cat/nodes?v'
Add the elastic search https url & Basic Auth details in Developer portal config file
Add the following details in the config(<installation_loc>/profiles/CTP/configuration/dpo_wrapper.conf) file
wrapper.java.additional.2000=-Dspring.elasticsearch.uris=https://daeapiportal08rh.eur.ad.sag:9240
wrapper.java.additional.2006=-Dspring.elasticsearch.username=elastic
wrapper.java.additional.2007=-Dspring.elasticsearch.password=m8XnkjtqoyOLVgnU9qU5
Save the file. Then, add the certificate to the Developer Portal JVM (<installation_loc>/jvm/jvm/lib/security/cacerts).
restart the CTP server(<installation_loc>/profiles/CTP/bin) .
Now you should able to access the Developer Portal UI without any issue.
Useful links | Relevant resources
Configuring SSL, TLS, and HTTPS to secure Elasticsearch, Kibana, Beats, and Logstash | Elastic Blog