SearchBlox SSL Configuration
The SearchBlox server runs on SSL by default using a self-signed certificate.
Importing External SSL Certificate using Java Key Tool
Follow the steps to import external SSL Certificates (.pem or .certs):
Step 1
Go to path:
For Windows: C:\SearchBloxServer\etc
For Linux: /opt/searchblox/etc/
If a keystore file is already present, either rename it or take a backup of it and then delete it.
Step 2
Generate a Java keystore and key pair
Create a .jks file (Example: searchblox.jks) using the following command:
keytool -genkey -alias searchblox -keyalg RSA -keystore searchblox.jks -keysize 2048
If you need to import your certificate and private key instead of generating one, you will need to run the following commands:
openssl pkcs12 -export -in <certificate>.pem -inkey private.key -name servername -out filename.p12
keytool -importkeystore -deststorepass PASSWORD -destkeystore searchblox.jks -srckeystore filename.p12 -srcstoretype PKCS12
Step 3
Import a root or intermediate CA certificate to an existing Java keystore
If you have a .pem/.cert file (Example: searchblox.pem/searchblox.crt), import it into the searchblox.jks file created in the previous step:
keytool -import -trustcacerts -alias searchblox -file searchblox.pem -keystore searchblox.jks
Step 4
Converting the .JKS file into .P12 or .PKCS12 Format
In this step we need to convert the searchblox.jks into searchblox.p12/searchblox.pkcs12 format.
keytool -importkeystore -srckeystore searchblox.jks -destkeystore searchblox.p12 -deststoretype PKCS12
It will ask you to create a new password for the PKCS12 file and for other required details (the first name/last name is the CN, i.e. it must match the FQDN that users will browse to). Once you have entered them, type yes to confirm.
Step 5
Run the following command to create keystore file using PKCS12 file.
keytool -importkeystore -srckeystore searchblox.p12 -srcstoretype PKCS12 -destkeystore keystore
Step 6
Go to path:
For Windows:C:\SearchBloxServer\lib
For Linux: /opt/searchblox/lib/
Generate the OBF key by running the following command. It prints OBF and MD5 forms of the given password that can be added to the sslContextFactory in jetty-ssl-context.xml, as described in the next step. (The original command omitted the class name, org.eclipse.jetty.util.security.Password, which java needs after -cp in order to run the Jetty password tool.)
java -cp jetty-util-9.4.26.v20200117.jar org.eclipse.jetty.util.security.Password admin@1234
Step 7
Go to path
For Windows: C:\SearchBloxServer\etc
For Linux: /opt/searchblox/etc/
Update the OBF key ("OBF:1ing1j1s1kmy1jnb1nl91nip1jk71kjo1iz21iky") in the jetty-ssl-context.xml file.
Update the OBF key values for "KeyStorePassword" and "KeyManagerPassword".
For "TrustStorePassword" add the default parameter and the OBF value you generated above as shown in the XML reference below:
<Configure id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory">
<Set name="KeyStorePath"><Property name="jetty.base" default="." />/<Property name="jetty.keystore" default="etc/SBkeystore.jks"/></Set>
<Set name="KeyStorePassword"><Property name="jetty.keystore.password" default="OBF:1r2t1ugg1wgg1unj1ik8sjshy7hsk1ing1uof1wfi1kjs7jr55"/></Set>
<Set name="KeyManagerPassword"><Property name="jetty.keymanager.password" default="OBF:1r2ldskfjfj7d7hjejdkd9jdy20ec1ing1uof1wfi1uha1r55"/></Set>
<Set name="TrustStorePath"><Property name="jetty.base" default="." />/<Property name="jetty.truststore" default="etc/SBkeystore.jks"/></Set>
<Set name="TrustStorePassword"><Property name="jetty.truststore.password" default="OBF:1r2t1ugg1wgg1udlkdkfjgjjg8duhjd7huha1r55"/></Set>
<Set name="EndpointIdentificationAlgorithm"></Set>
<Set name="ExcludeCipherSuites">
Step 8
Stop and start the SearchBlox service.
Open your browser, go to the URL https://localhost:8443/searchblox/admin/main.jsp and confirm that the valid SSL certificate is now displayed when you click on the browser's lock icon.
- When creating or exporting the JKS, be sure to specify format PKCS #12 and not JKS format. Jetty requires PKCS #12.
- If working with a SearchBlox cluster, specify all of the hostnames in the cluster as Subject Alt Names on the certificate. This lets you use the same certificate/JKS file for all machines in the cluster.
Disable TLS
TLS can be disabled by updating the configuration in ../etc/jetty-ssl-context.xml.
By default, only TLS v1.2 / TLS v1.3 are enabled.
If you need to disable TLSv1 and TLSv1.1 please follow the steps below:
1.) Stop the SearchBlox service, then edit the following file:
2.) Add or update the required protocols under the sslContextFactory tag.
<Call name="setExcludeProtocols">
<Array type="String">
<Call name="addExcludeCipherSuites">
<Array type="String">
3.) Restart the SearchBlox service.
Cipher suites in SSL
Cipher suites can be included or excluded by editing the file ../etc/jetty-ssl-context.xml.
To exclude cipher suites:
<Set name="ExcludeCipherSuites">
<Array type="String">
To include cipher suites:
<Set name="IncludeCipherSuites">
<Array type="String">
Disable SSL
- Go to
and uncomment the following line at line number 155
- Delete the file
- Restart SearchBlox
- SearchBlox will be accessible only at http://localhost:8080/searchblox/admin/main.jsp