(CSA) Support Tip: Elastic Search certificates configuration

After replacing the CSA Admin node and MPP default (self-signed) certificates with new CA-signed ones, Elastic Search and the Search Service will no longer work properly.

This can have consequences on the engine and publishing side, even leaving subscriptions stalled in the pending state.

Certificates have to be configured on both Elastic Search and the HP Search Service so that all parties can communicate, as follows:

Communication between CSA and Search Service

  • \jboss-as\standalone\deployments\csa.war\WEB-INF\classes\csa.properties - no change here for the certificates part; just check that everything is correct:

 csa.provider.es.exists=true
 csa.provider.es.idmURL=https://<idm - ip>:<port>/idm-service
 csa.provider.es.authUser=consumer
 csa.provider.es.authPassword=ENC(/8r4Q4VYEClzPVt9LALO7A==)
 csa.provider.es.authOrganization=CSA_CONSUMER
 csa.provider.msvc.hostname=<search service hostname1>
 csa.provider.msvc.port=<search service port>    (e.g. 9000)
 csa.provider.msvc.rest.protocol=https

 

  • \csa-search-service\app.json:

 "ccue-basic-server": {
     "host": "search service hostname 1",
     "port": 9000,
     :
     "pfx": ".keystore",
     // copy into the [csa-search-service] folder the same keystore as the one located in MPP's \portal\conf (the one configured in mpp.json) and reference it here
     "passphrase": "ENC(QzfvMl8KaEOhvJvmecJEaQ\u003d\u003d)",
     "requestCert": false,
     "rejectUnauthorized": true,
     "TLSVersions": "1,1.1,1.2"
   }

 "msvc-basic-search": {
     :
     "idmURL": "https://<csa hostname>:8444/idm-service",
     "idmUser": "idmTransportUser",
     "idmPassword": "ENC(irRqMad8zSIKwHw7RSKZ7A\u003d\u003d)",
     "pfx": ".keystore",
     // same keystore as referenced above
     "passphrase": "ENC(QzfvMl8KaEOhvJvmecJEaQ\u003d\u003d)",
     "ca": "C:/Program Files/HPE/CSA/jboss-as/standalone/configuration/jboss.crt",
     // put here the same certificates referenced in mpp.json (root, intermediate and client certificate).
     // E.g. for a chain with a root, one intermediate and the client certificate, the entry should look like this:
     //   "ca": "<path_to_root.cer>, <path_to_interm.cer>, <path_to_host.cer>"
     "strictSSL": true,
     "rejectUnauthorized": false,
     "TLSVersions": "1,1.1,1.2",
     :
     }
   }

 

To check that this communication is working:

  • Check for the log entry in out.log:
    “Listening on EJS46 : 9000“
  • There should be no errors in csa-msvc.log

 

Communication between Search Service and Elastic Search

The communication between the Search Service and Elastic Search uses two-way SSL: each side's certificate must be trusted by the other.

 \csa-search-service\app.json:

 "msvc-basic-search": {
     :
     "pfx": ".keystore",
     // configuration covered in the previous step
     "passphrase": "ENC(QzfvMl8KaEOhvJvmecJEaQ\u003d\u003d)",
     :
     "strictSSL": true,
     "rejectUnauthorized": false,
     "TLSVersions": "1,1.1,1.2",
     :
     }
   }

 

  • \elasticsearch-1.6.1\config\elasticsearch.yml

Go to the part where the REST layer configuration starts (in a standalone environment this is the only part that matters):

# Enable or disable rest layer security (https)
searchguard.ssl.transport.http.enabled: true
# JKS or PKCS12
searchguard.ssl.transport.http.keystore_type: JKS
# Absolute path to the keystore file (this stores the server certificates)
searchguard.ssl.transport.http.keystore_filepath: C:\Program Files\HPE\CSA/elasticsearch-1.6.1/config/CSAKS.jks
# Note: when ES is on the same machine as the other modules, this is the same certificate issued for CSA, but stored in a keystore of JKS format
# Keystore password
searchguard.ssl.transport.http.keystore_password: changeit
# Do the clients (typically the browser or the proxy) have to authenticate themselves to the http server, default is false
searchguard.ssl.transport.http.enforce_clientauth: true
# JKS or PKCS12
searchguard.ssl.transport.http.truststore_type: JKS
# Absolute path to the truststore file (this stores the client certificates)
searchguard.ssl.transport.http.truststore_filepath: C:\Program Files\HPE\CSA/elasticsearch-1.6.1/config/CSATS.jks
# Note: import the same certificate into this truststore (since ElasticSearch and the Search Service are on the same machine)
# Truststore password
searchguard.ssl.transport.http.truststore_password: changeit

 

To check that the configuration is working, hpesearchservice.out.log should contain lines like these:

 -> HEAD https://<elastic search hostname>:9201/?hello=elasticsearch!
  <- 200
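Added example, not from the original tip and not HPE code: a small POSIX shell script that checks the certificate material referenced above offline, using openssl. It verifies that a root/intermediate/host chain is in the order the app.json "ca" entry lists them, inspects the PKCS#12 .keystore referenced by "pfx" without writing its private key anywhere, confirms that the certificate the Search Service presents validates against the CA bundle Elastic Search is meant to trust (the two-way SSL requirement of the previous section), and repeats the HEAD request that hpesearchservice.out.log shows, with curl. Because the msvc-basic-search block above keeps "rejectUnauthorized": false, a trust failure in that direction is not guaranteed to surface as an error in the service, which is why the explicit check is useful. All file names, the keytool and curl usage, and the generated test chain are assumptions or constructed data, not CSA artefacts.

```shell
#!/bin/sh
# Added example, not part of the original support tip: offline checks for the
# certificate material that app.json ("pfx", "passphrase", "ca") and
# elasticsearch.yml (searchguard keystore/truststore) point at, plus the HEAD
# request that hpesearchservice.out.log shows on success. Needs openssl;
# probe_es needs curl; jks_list needs keytool. File names are assumptions.

# verify_chain ROOT.cer INTERM.cer HOST.cer
# Succeeds only when HOST was issued by INTERM and INTERM by ROOT: the order
# the "ca" entry in app.json lists them (root, intermediate, host).
# Assumes PEM files; DER converts with: openssl x509 -inform der -in x.cer -out x.pem
verify_chain() {
  openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
}

# pfx_subject KEYSTORE PASSPHRASE
# Shows subject, issuer and expiry of the client certificate inside the PKCS#12
# ".keystore" without writing the private key to disk.
pfx_subject() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null \
    | openssl x509 -noout -subject -issuer -enddate
}

# pfx_trusted_by KEYSTORE PASSPHRASE CA_BUNDLE.pem
# Two-way SSL, Search Service -> Elastic Search direction: the certificate the
# service presents from its pfx must validate against the CAs Elastic Search
# trusts. CA_BUNDLE.pem is assumed to hold the same CA certificates that were
# imported into the searchguard truststore (CSATS.jks).
pfx_trusted_by() {
  tmp=$(mktemp) || return 1
  if openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts -out "$tmp" 2>/dev/null \
     && openssl verify -CAfile "$3" "$tmp" >/dev/null 2>&1; then
    rm -f "$tmp"; return 0
  fi
  rm -f "$tmp"; return 1
}

# jks_list STORE.jks STOREPASS
# The JKS side (CSAKS.jks / CSATS.jks) is read with keytool; this trims the
# listing to the entries that matter. Not exercised by the self-check.
jks_list() {
  keytool -list -v -keystore "$1" -storepass "$2" | grep -E '^(Alias name|Owner|Issuer|Valid)'
}

# probe_es ES_HOST ES_PORT KEYSTORE PASSPHRASE CA_BUNDLE.pem
# Repeats the request the service logs ("-> HEAD https://<es>:9201/?hello=elasticsearch!")
# with the same client certificate and prints the HTTP status; 200 matches "<- 200".
probe_es() {
  curl -sS -o /dev/null -w '%{http_code}' -I \
    --cert-type P12 --cert "$3:$4" --cacert "$5" \
    "https://$1:$2/?hello=elasticsearch!"
}

# make_test_chain DIR
# Constructed test data (not CSA certificates): root -> interm -> host, plus a
# PKCS#12 host.p12 protected with the page's default passphrase "changeit".
make_test_chain() {
  d=$1
  printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:search-host\n' > "$d/host.ext"
  openssl req -new -batch -newkey rsa:2048 -nodes -keyout "$d/root.key" -out "$d/root.csr" \
    -subj "/CN=Test Root" 2>/dev/null
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -extfile "$d/ca.ext" \
    -days 2 -out "$d/root.cer" 2>/dev/null
  openssl req -new -batch -newkey rsa:2048 -nodes -keyout "$d/interm.key" -out "$d/interm.csr" \
    -subj "/CN=Test Intermediate" 2>/dev/null
  openssl x509 -req -in "$d/interm.csr" -CA "$d/root.cer" -CAkey "$d/root.key" \
    -CAcreateserial -extfile "$d/ca.ext" -days 2 -out "$d/interm.cer" 2>/dev/null
  openssl req -new -batch -newkey rsa:2048 -nodes -keyout "$d/host.key" -out "$d/host.csr" \
    -subj "/CN=search-host" 2>/dev/null
  openssl x509 -req -in "$d/host.csr" -CA "$d/interm.cer" -CAkey "$d/interm.key" \
    -CAcreateserial -extfile "$d/host.ext" -days 2 -out "$d/host.cer" 2>/dev/null
  openssl pkcs12 -export -in "$d/host.cer" -inkey "$d/host.key" -certfile "$d/interm.cer" \
    -out "$d/host.p12" -passout pass:changeit 2>/dev/null
}

# Self-check on the constructed chain: sh certcheck.sh selftest
if [ "${1:-}" = "selftest" ]; then
  d=$(mktemp -d)
  make_test_chain "$d"
  verify_chain "$d/root.cer" "$d/interm.cer" "$d/host.cer" && echo "chain order ok"
  verify_chain "$d/root.cer" "$d/root.cer" "$d/host.cer" || echo "missing intermediate detected"
  pfx_subject "$d/host.p12" changeit
  cat "$d/root.cer" "$d/interm.cer" > "$d/bundle.pem"
  pfx_trusted_by "$d/host.p12" changeit "$d/bundle.pem" && echo "pfx trusted by bundle"
  rm -rf "$d"
fi
```

Run `sh certcheck.sh selftest` to exercise the checks on the generated chain; against a real installation, point `verify_chain` at the three files named in the "ca" entry, `pfx_subject` and `pfx_trusted_by` at the `.keystore` with its decrypted passphrase, and `probe_es` at the Elastic Search host and port. A chain that fails `verify_chain` in the listed order, or a `.keystore` certificate that fails `pfx_trusted_by` against the CAs in CSATS.jks, is the kind of mismatch that leaves the service without a working two-way SSL connection.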