Enable SSL

To run the SearchBlox server for Windows/Linux on the SSL, follow the steps:

  1. Stop the SearchBlox server if it is running.
  2. Open the folder C:\SearchBloxServer or /opt/searchblox
  3. Run the command: java -server -jar start.jar --add-to-startd=https
  4. Start the SearchBlox server.
  5. Open your browser and enter the following URL: https://localhost:8443/searchblox/admin/main.jsp
    The default port used for https is 8443
  6. If you need to change the port, provide the following lines
    --module=https
    jetty.ssl.port=8444
    in /opt/searchblox/start.ini for Linux
    or
    C:\SearchBlox Server\start.ini for Windows.
  7. If you need to remove http access i.e., enable only SSL access to SearchBlox link, then go to <SEARCHBLOX_INSTALLATION_PATH>/start.ini comment line number 155 as below
    #--module=http

🚧

Important

  • Stop the SearchBlox service before you make the SSL change.
  • Please ensure you set JAVA_HOME variable before you run SSL Command.
  • Restart the SearchBlox service after making any changes.
  • Ensure that you have a valid certificate to run SearchBlox with SSL.

📘

Note

You can see help references on how to enable SSL certificate for Elasticsearch here:
https://opendistro.github.io/for-elasticsearch-docs/old/0.9.0/docs/security/tls-configuration/

Disable SSL

  1. Go to <SEARCHBLOX_INSTALLATION_PATH>/start.ini and uncomment the following line at line number 155
    --module=http
  2. Delete the file <SEARCHBLOX_INSTALLATION_PATH>/start.d/https.ini
  3. Restart SearchBlox
  4. SearchBlox will be accessible only in http://localhost:8080/searchblox/admin/main.jsp

Creating and Importing External Certificate using Java Key Tool

Follow the steps to import external SSL Certificates (.pem or .certs):

Step : 1

Go to path:

For Windows: C:\SearchBloxServer\etc
For Linux: /opt/searchblox/etc/

Note: If a keystore file is already present, you can either rename it or delete by taking a backup of it.

Step: 2

Generate a Java keystore and key pair
we need to create a .jks file (Example: searchblox.jks) using the following command .

keytool -genkey -alias searchblox -keyalg RSA -keystore searchblox.jks -keysize 2048

Step: 3

Import a root or intermediate CA certificate to an existing Java keystore
If we have .pem/.cert (Example:searchblox.pem/searchblox.crt)
we need to import into searchblox.jks file which we have created in the previous step.

keytool -import -trustcacerts -alias searchblox -file searchblox.pem -keystore searchblox.jks

Step: 4

Converting the .JKS file into .P12 or .PKCS12 Format
In this step we need to convert the searchblox.jks into searchblox.p12/searchblox.pkcs12 format.

keytool -importkeystore -srckeystore searchblox.jks -destkeystore searchblox.p12 -deststoretype PKCS12

It will ask you to create a new password for PKCS12 file and ask for other required details(First name/last name is the CN (i.e must match FQDN that users will browse to)). Once you enter please type yes.

Step: 5

Run the following command to create keystore file using PKCS12 file.

keytool -importkeystore -srckeystore searchblox.p12 -srcstoretype PKCS12 -destkeystore keystore

Step: 6

Go to path:

For Windows:C:\SearchBloxServer\lib
For Linux: /opt/searchblox/lib/

Generate the OBF key by running the following command. This will create OBF and MD5 hashes of the given password that can be added to sslcontextfactory ie jetty-ssl-context.xml mentioned in the next step.

java -cp jetty-util-9.4.26.v20200117.jar org.eclipse.jetty.util.security.Password admin@1234

Example:
OBF:1ing1j1s1kmy1jnb1nl91nip1jk71kjo1iz21iky
MD5:7ece99e593ff5dd200e2b9233d9ba654

Step: 7

Go to path

For Windows: C:\SearchBloxServer\etc
For Linux: /opt/searchblox/etc/

Update the OBF key ("OBF:1ing1j1s1kmy1jnb1nl91nip1jk71kjo1iz21iky ") into jetty-ssl-context.xml file.

<Configure id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory">

  <Set name="KeyStorePath"><Property name="jetty.base" default="." />/<Property name="jetty.keystore" default="etc/SBkeystore.jks"/></Set>

  <Set name="KeyStorePassword"><Property name="jetty.keystore.password" default="OBF:1r2t1ugg1wgg1unj1ik8sjshy7hsk1ing1uof1wfi1kjs7jr55"/></Set>

  <Set name="KeyManagerPassword"><Property name="jetty.keymanager.password" default="OBF:1r2ldskfjfj7d7hjejdkd9jdy20ec1ing1uof1wfi1uha1r55"/></Set>

  <Set name="TrustStorePath"><Property name="jetty.base" default="." />/<Property name="jetty.truststore" default="etc/SBkeystore.jks"/></Set>

  <Set name="TrustStorePassword"><Property name="jetty.truststore.password" default="OBF:1r2t1ugg1wgg1udlkdkfjgjjg8duhjd7huha1r55"/></Set>

  <Set name="EndpointIdentificationAlgorithm"></Set>

  <Set name="ExcludeCipherSuites">

Creating and Importing Self Signed Certificate using Java Key Tool:

To setup the SSL Self Signed Certificate with java keytool and install with SearchBlox, follow the steps:

Step: 1

Go to path:

For Windows: C:\SearchBloxServer\etc
For Linux: /opt/searchblox/etc/

Note: If a keystore file is already present, you can either rename it or delete by taking a backup of it.

Step: 2

Generating Self Signed PKCS12 file using java keytool.

keytool -genkeypair -alias searchblox -keyalg RSA -keysize 2048 -storetype PKCS12 -keystore searchblox.p12 -validity 3650

It will ask you to create a new password for PKCS12 file and ask for other required details(First name/last name is the CN (i.e must match FQDN that users will browse to)). Once you enter please type yes.

Step: 3

Run the following command to create keystore file using PKCS12 file.

keytool -import -trustcacerts -alias searchblox -file searchblox.pem -keystore searchblox.jks

Step: 4

Go to path:

For Windows: C:\SearchBloxServer\lib
For Linux: /opt/searchblox/lib/

Generate the OBF key by running the following command. This will create OBF and MD5 hashes of the given password that can be added to sslcontextfactory ie jetty-ssl-context.xml mentioned in the next step.

java -cp jetty-util-9.4.26.v20200117.jar org.eclipse.jetty.util.security.Password admin@1234

Example:
OBF:1ing1j1s1kmy1jnb1nl91nip1jk71kjo1iz21iky
MD5:7ece99e593ff5dd200e2b9233d9ba654

Step: 5

Go to path

For Windows: C:\SearchBloxServer\etc
For Linux: /opt/searchblox/etc/

Update the OBF key ("OBF:1ing1j1s1kmy1jnb1nl91nip1jk71kjo1iz21iky ") into jetty-ssl-context.xml file.

  • Ensure <SEARCHBLOX_INSTALLATION_PATH>/etc/jetty-ssl-context.xml refers to the directory of the new keystore and the hashed password from the previous step.

  • In the following snippet you can see that the path to the keystore is provided for parameters KeyStorePath and TrustStorePath. The hash password is provided for parameters KeyStorePassword and TrustStorePassword.

<Configure id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory">

  <Set name="KeyStorePath"><Property name="jetty.base" default="." />/<Property name="jetty.keystore" default="etc/SBkeystore.jks"/></Set>

  <Set name="KeyStorePassword"><Property name="jetty.keystore.password" default="OBF:1r2t1ugg1wgg1unj1ik8sjshy7hsk1ing1uof1wfi1kjs7jr55"/></Set>

  <Set name="KeyManagerPassword"><Property name="jetty.keymanager.password" default="OBF:1r2ldskfjfj7d7hjejdkd9jdy20ec1ing1uof1wfi1uha1r55"/></Set>

  <Set name="TrustStorePath"><Property name="jetty.base" default="." />/<Property name="jetty.truststore" default="etc/SBkeystore.jks"/></Set>

  <Set name="TrustStorePassword"><Property name="jetty.truststore.password" default="OBF:1r2t1ugg1wgg1udlkdkfjgjjg8duhjd7huha1r55"/></Set>

  <Set name="EndpointIdentificationAlgorithm"></Set>

  <Set name="ExcludeCipherSuites">
  • Stop and Start SearchBlox service
  • SearchBlox will now be able to use the SSL certificate and serve up the search results from the specified secure port.
  • Open your browser and go to the URL: https://localhost:8443/searchblox/admin/main.jsp and confirm the ssl cert is now displayed when you click on the browsers lock icon.

🚧

Important

  1. When creating or exporting the JKS, be sure to specify format PKCS #12 and not JKS format. Jetty requires PKCS #12.
  2. If working with a SearchBlox cluster, specify all of the hostnames in the cluster as Subject Alt Names on the certificate. This lets you use the same certificate/JKS file for all machines in the cluster.

Disable TLS

TLS can be disabled by updating the configuration within ../etc/jetty-ssl-context.xml

By default, only TLS v1.2 / TLS v1.3 is enabled.

If you need to disable TLSv1 and TLSv1.1 please follow the steps below:
1.) Edit the following file after stopping SearchBlox service:
/opt/searchblox/etc/jetty-ssl-context.xml
or
C:\SearchBloxServer\etc\jetty-ssl-context.xml

2.) Add or update the required protocols under the sslContextFactory tag.

<Call name="setExcludeProtocols">
    <Arg>
      <Array type="String">
       <Item>TLSv1</Item>
        <Item>TLSv1.1</Item>
      </Array>
    </Arg>
  </Call>
  <Call name="addExcludeCipherSuites">
  <Arg>
    <Array type="String">
      <Item>.*NULL.*</Item>
      <Item>.*RC4.*</Item>
      <Item>.*MD5.*</Item>
      <Item>.*3DES.*</Item>
      <Item>.*DES.*</Item>
      <Item>.*DSS.*</Item>
    </Array>
  </Arg>
</Call>

3.) Restart the SearchBlox service.

Cipher suites in SSL

Cipher suites can be included or excluded by editing the the file ../etc/jetty-ssl-context.xml

To exclude cipher suites:

<Set name="ExcludeCipherSuites">
<Array type="String">
<Item>SSL_RSA_WITH_DES_CBC_SHA</Item>
<Item>SSL_DHE_RSA_WITH_DES_CBC_SHA</Item>
<Item>SSL_DHE_DSS_WITH_DES_CBC_SHA</Item>
<Item>TLS_DHE_RSA.*</Item> 
<Item>TLS_ECDHE.*</Item> 
</Array>
</Set>

To include cipher suites:

<Set name="IncludeCipherSuites"> 
<Array type="String"> 
<Item>SSL_RSA_WITH_DES_CBC_SHA</Item>
<Item>SSL_DHE_RSA_WITH_DES_CBC_SHA</Item>
<Item>SSL_DHE_DSS_WITH_DES_CBC_SHA</Item>
<Item>TLS_DHE_RSA.*</Item> 
<Item>TLS_ECDHE.*</Item> 
</Array> 
</Set>

What’s Next