SSL Setup
Enable SSL
To run the SearchBlox server (Windows or Linux) over SSL/TLS, follow these steps:
- Stop the SearchBlox server if it is running.
- Open the installation folder: C:\SearchBloxServer on Windows or /opt/searchblox on Linux.
- Run the command:
java -server -jar start.jar --add-to-startd=https
- Start the SearchBlox server.
- Open your browser and enter the following URL: https://localhost:8443/searchblox/admin/main.jsp
- The default port used for https is 8443. If you need to change the port, add the following lines to start.ini (/opt/searchblox/start.ini on Linux or C:\SearchBloxServer\start.ini on Windows):
--module=https
jetty.ssl.port=8444
- If you need to remove http access, i.e., allow only SSL access to SearchBlox, open
<SEARCHBLOX_INSTALLATION_PATH>/start.ini
and comment out the http module line (line 155 in the default file) as below:
#--module=http
Important
- Stop the SearchBlox service before you make the SSL change.
- Ensure the JAVA_HOME environment variable is set before you run the SSL command.
- Restart the SearchBlox service after making any changes.
- Ensure that you have a valid certificate to run SearchBlox with SSL. A certificate whose CN/SAN does not match the host name in the URL (a default or self-signed one, for example) makes browsers show a warning on port 8443; the keystore sections below describe how to install your own.
Note
For enabling TLS on the Elasticsearch backend, see the Open Distro for Elasticsearch documentation:
https://opendistro.github.io/for-elasticsearch-docs/old/0.9.0/docs/security/tls-configuration/
Disable SSL
- Go to
<SEARCHBLOX_INSTALLATION_PATH>/start.ini
and uncomment the http module line (line 155 in the default file):
--module=http
- Delete the file
<SEARCHBLOX_INSTALLATION_PATH>/start.d/https.ini
- Restart SearchBlox.
- SearchBlox will then be accessible only at http://localhost:8080/searchblox/admin/main.jsp
Creating and Importing External Certificate using Java Key Tool
Follow the steps to import an externally issued SSL certificate (.pem or .crt):
Step: 1
Go to path:
For Windows: C:\SearchBloxServer\etc
For Linux: /opt/searchblox/etc/
Note: If a keystore file is already present, back it up and then rename or delete it.
Step: 2
Generate a Java keystore and key pair
Create a .jks file (Example: searchblox.jks) using the following command:
keytool -genkey -alias searchblox -keyalg RSA -keystore searchblox.jks -keysize 2048
Answer the prompts: the "first and last name" field becomes the certificate CN and must match the FQDN that users will browse to. The certificate you obtain from the CA has to be issued for this key pair, so generate the certificate signing request from this same keystore and alias (keytool's -certreq option) and submit it to the CA; a certificate issued for a different key cannot be imported over this entry.
Step: 3
Import the CA chain and the issued certificate into the existing Java keystore
Import the root and any intermediate CA certificates first, each under its own alias (for example -alias rootca) with the same -import -trustcacerts command, so that keytool can validate the chain. Then import the issued certificate (Example: searchblox.pem/searchblox.crt) under the same alias as the key pair created in the previous step; this replaces the placeholder self-signed certificate on that entry with the CA-issued one.
keytool -import -trustcacerts -alias searchblox -file searchblox.pem -keystore searchblox.jks
Step: 4
Converting the .JKS file into .P12 or .PKCS12 Format
In this step we convert searchblox.jks into searchblox.p12/searchblox.pkcs12 format.
keytool -importkeystore -srckeystore searchblox.jks -destkeystore searchblox.p12 -deststoretype PKCS12
keytool asks you to create a new password for the PKCS12 file and then for the source keystore password (and for the key password, if it differs from the keystore password). It does not ask for certificate details again; those are carried over from the key pair.
Step: 5
Run the following command to create the keystore file Jetty will load from the PKCS12 file. The output file name must match the jetty.keystore path in jetty-ssl-context.xml (Step 7 shows etc/SBkeystore.jks), so either name the file accordingly or update that path.
keytool -importkeystore -srckeystore searchblox.p12 -srcstoretype PKCS12 -destkeystore keystore -deststoretype PKCS12
Step: 6
Go to path:
For Windows: C:\SearchBloxServer\lib
For Linux: /opt/searchblox/lib/
Obfuscate the keystore password by running the following command (use the jetty-util jar version actually present in lib, and your own keystore password in place of admin@1234). The tool prints the password in OBF and MD5 form; only the OBF value can be used in jetty-ssl-context.xml, because Jetty must recover the real password to open the keystore, and the MD5 digest is one-way. OBF is reversible obfuscation, not a hash: it keeps the password out of casual view but anyone who can read the file can recover it, so restrict read access to the etc directory.
java -cp jetty-util-9.4.26.v20200117.jar org.eclipse.jetty.util.security.Password admin@1234
Example output:
OBF:1ing1j1s1kmy1jnb1nl91nip1jk71kjo1iz21iky
MD5:7ece99e593ff5dd200e2b9233d9ba654
Step: 7
Go to path
For Windows: C:\SearchBloxServer\etc
For Linux: /opt/searchblox/etc/
Open jetty-ssl-context.xml and replace the default values of KeyStorePassword, KeyManagerPassword and TrustStorePassword with the OBF string from Step 6 (for example "OBF:1ing1j1s1kmy1jnb1nl91nip1jk71kjo1iz21iky"), and make sure the jetty.keystore and jetty.truststore defaults point at the keystore file you created in Step 5. The relevant part of the file looks like this (excerpt):
<Configure id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory">
<Set name="KeyStorePath"><Property name="jetty.base" default="." />/<Property name="jetty.keystore" default="etc/SBkeystore.jks"/></Set>
<Set name="KeyStorePassword"><Property name="jetty.keystore.password" default="OBF:1r2t1ugg1wgg1unj1ik8sjshy7hsk1ing1uof1wfi1kjs7jr55"/></Set>
<Set name="KeyManagerPassword"><Property name="jetty.keymanager.password" default="OBF:1r2ldskfjfj7d7hjejdkd9jdy20ec1ing1uof1wfi1uha1r55"/></Set>
<Set name="TrustStorePath"><Property name="jetty.base" default="." />/<Property name="jetty.truststore" default="etc/SBkeystore.jks"/></Set>
<Set name="TrustStorePassword"><Property name="jetty.truststore.password" default="OBF:1r2t1ugg1wgg1udlkdkfjgjjg8duhjd7huha1r55"/></Set>
<Set name="EndpointIdentificationAlgorithm"></Set>
<Set name="ExcludeCipherSuites">
Creating and Importing Self Signed Certificate using Java Key Tool:
To set up a self-signed certificate with Java keytool and install it in SearchBlox, follow the steps:
Step: 1
Go to path:
For Windows: C:\SearchBloxServer\etc
For Linux: /opt/searchblox/etc/
Note: If a keystore file is already present, back it up and then rename or delete it.
Step: 2
Generate a self-signed key pair directly in a PKCS12 file using Java keytool.
keytool -genkeypair -alias searchblox -keyalg RSA -keysize 2048 -storetype PKCS12 -keystore searchblox.p12 -validity 3650
keytool asks you to create a password for the PKCS12 file and then for the certificate details. The "first and last name" field is the CN and must match the FQDN that users will browse to; for a cluster, add every host name as a Subject Alternative Name at this point (-ext SAN=dns:<host1>,dns:<host2>). When asked whether the details are correct, type yes.
Step: 3
Create the keystore file Jetty will load from the PKCS12 file. The PKCS12 file is already a complete keystore, so this step only produces a copy under the name referenced by jetty-ssl-context.xml (compare the jetty.keystore default in Step 5); alternatively, point that setting at searchblox.p12 directly.
keytool -importkeystore -srckeystore searchblox.p12 -srcstoretype PKCS12 -destkeystore keystore -deststoretype PKCS12
Step: 4
Go to path:
For Windows: C:\SearchBloxServer\lib
For Linux: /opt/searchblox/lib/
Obfuscate the keystore password by running the following command (use the jetty-util jar version present in lib and your own password instead of admin@1234). The tool prints OBF and MD5 forms; only the OBF value is usable in jetty-ssl-context.xml, since the MD5 digest is one-way and cannot unlock the keystore. OBF is reversible, so restrict read access to the file.
java -cp jetty-util-9.4.26.v20200117.jar org.eclipse.jetty.util.security.Password admin@1234
Example output:
OBF:1ing1j1s1kmy1jnb1nl91nip1jk71kjo1iz21iky
MD5:7ece99e593ff5dd200e2b9233d9ba654
Step: 5
Go to path
For Windows: C:\SearchBloxServer\etc
For Linux: /opt/searchblox/etc/
Update the OBF value (for example "OBF:1ing1j1s1kmy1jnb1nl91nip1jk71kjo1iz21iky") in jetty-ssl-context.xml.
Ensure that
<SEARCHBLOX_INSTALLATION_PATH>/etc/jetty-ssl-context.xml
refers to the new keystore file and carries the obfuscated password from the previous step. In the following excerpt the keystore path is given by the KeyStorePath and TrustStorePath parameters (the jetty.keystore and jetty.truststore defaults), and the obfuscated password by KeyStorePassword, KeyManagerPassword and TrustStorePassword.
<Configure id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory">
<Set name="KeyStorePath"><Property name="jetty.base" default="." />/<Property name="jetty.keystore" default="etc/SBkeystore.jks"/></Set>
<Set name="KeyStorePassword"><Property name="jetty.keystore.password" default="OBF:1r2t1ugg1wgg1unj1ik8sjshy7hsk1ing1uof1wfi1kjs7jr55"/></Set>
<Set name="KeyManagerPassword"><Property name="jetty.keymanager.password" default="OBF:1r2ldskfjfj7d7hjejdkd9jdy20ec1ing1uof1wfi1uha1r55"/></Set>
<Set name="TrustStorePath"><Property name="jetty.base" default="." />/<Property name="jetty.truststore" default="etc/SBkeystore.jks"/></Set>
<Set name="TrustStorePassword"><Property name="jetty.truststore.password" default="OBF:1r2t1ugg1wgg1udlkdkfjgjjg8duhjd7huha1r55"/></Set>
<Set name="EndpointIdentificationAlgorithm"></Set>
<Set name="ExcludeCipherSuites">
- Stop and start the SearchBlox service.
- SearchBlox will now use the certificate and serve the search interface and results on the configured secure port.
- Open your browser and go to https://<FQDN>:8443/searchblox/admin/main.jsp, using the host name that matches the certificate CN/SAN (browsing to localhost with a certificate issued for another name produces a name-mismatch warning), and confirm the certificate is displayed when you click the browser's lock icon.
Important
- When creating or exporting the keystore, specify PKCS #12 format rather than JKS. Jetty requires PKCS #12.
- If working with a SearchBlox cluster, specify all of the hostnames in the cluster as Subject Alternative Names on the certificate (with keytool: -ext SAN=dns:<host1>,dns:<host2> when generating the key pair). This lets you use the same certificate/keystore file on all machines in the cluster.
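The OBF value written into jetty-ssl-context.xml in Step 6/7 (external certificate) and Step 4/5 (self-signed) is obfuscation, not a hash. The following Python script is added here as an example and is not SearchBlox or Jetty code: it ports the obfuscate/deobfuscate routine of org.eclipse.jetty.util.security.Password (the class run above) and checks it against the page's sample value, then audits the password fields of a jetty-ssl-context.xml excerpt. The XML inside the script is constructed for the demonstration (it deliberately carries one MD5: value and one plaintext value), not the shipped file.

```python
"""Jetty OBF password handling (added example; not SearchBlox or Jetty code).

Port of org.eclipse.jetty.util.security.Password.obfuscate/deobfuscate,
verified against the page's sample
(admin@1234 -> OBF:1ing1j1s1kmy1jnb1nl91nip1jk71kjo1iz21iky),
plus an audit of the *Password setters in a jetty-ssl-context.xml excerpt.
"""
import xml.etree.ElementTree as ET

_B36 = "0123456789abcdefghijklmnopqrstuvwxyz"


def _to_base36(n: int) -> str:
    digits = []
    while n:
        n, r = divmod(n, 36)
        digits.append(_B36[r])
    return "".join(reversed(digits)) or "0"


def obfuscate(password: str) -> str:
    """Each output chunk encodes one byte together with its mirror byte."""
    b = password.encode("utf-8")
    n = len(b)
    out = ["OBF:"]
    for i in range(n):
        b1, b2 = b[i], b[n - 1 - i]
        if b1 >= 0x80 or b2 >= 0x80:        # Java sees these as negative bytes
            out.append("U" + _to_base36(b1 * 256 + b2).rjust(4, "0"))
        else:
            i1 = 127 + b1 + b2
            i2 = 127 + b1 - b2
            out.append(_to_base36(i1 * 256 + i2).rjust(4, "0"))
    return "".join(out)


def deobfuscate(obf: str) -> str:
    """Reverse of obfuscate(): anyone who can read the XML can run this."""
    s = obf[4:] if obf.startswith("OBF:") else obf
    raw = bytearray()
    i = 0
    while i < len(s):
        if s[i] == "U":                        # 5-char chunk for non-ASCII bytes
            raw.append((int(s[i + 1:i + 5], 36) >> 8) & 0xFF)
            i += 5
        else:                                  # 4-char chunk: (i1 + i2 - 254) / 2 == b1
            i1, i2 = divmod(int(s[i:i + 4], 36), 256)
            raw.append(((i1 + i2 - 254) // 2) & 0xFF)
            i += 4
    return raw.decode("utf-8")


# Constructed excerpt in the shape of SearchBlox's jetty-ssl-context.xml.
# KeyManagerPassword deliberately carries an MD5: digest (unusable) and
# TrustStorePassword a plaintext value, to show what the audit flags.
SAMPLE_SSL_CONTEXT = """<Configure id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory">
  <Set name="KeyStorePath"><Property name="jetty.base" default="." />/<Property name="jetty.keystore" default="etc/SBkeystore.jks"/></Set>
  <Set name="KeyStorePassword"><Property name="jetty.keystore.password" default="OBF:1ing1j1s1kmy1jnb1nl91nip1jk71kjo1iz21iky"/></Set>
  <Set name="KeyManagerPassword"><Property name="jetty.keymanager.password" default="MD5:7ece99e593ff5dd200e2b9233d9ba654"/></Set>
  <Set name="TrustStorePath"><Property name="jetty.base" default="." />/<Property name="jetty.truststore" default="etc/SBkeystore.jks"/></Set>
  <Set name="TrustStorePassword"><Property name="jetty.truststore.password" default="admin@1234"/></Set>
</Configure>
"""


def audit_passwords(xml_text: str) -> dict:
    """Map each *Password setter to (stored value, verdict).

    'obf'       - usable by Jetty, but recoverable with deobfuscate()
    'digest'    - MD5:/CRYPT: are one-way; Jetty cannot unlock a keystore with them
    'plaintext' - works, but the secret is readable as-is
    """
    root = ET.fromstring(xml_text)
    result = {}
    for setter in root.findall("Set"):
        name = setter.get("name", "")
        if not name.endswith("Password"):
            continue
        prop = setter.find("Property")
        value = prop.get("default", "") if prop is not None else (setter.text or "").strip()
        if value.startswith("OBF:"):
            verdict = "obf"
        elif value.startswith(("MD5:", "CRYPT:")):
            verdict = "digest"
        else:
            verdict = "plaintext"
        result[name] = (value, verdict)
    return result


if __name__ == "__main__":
    for name, (value, verdict) in audit_passwords(SAMPLE_SSL_CONTEXT).items():
        shown = deobfuscate(value) if verdict == "obf" else value
        print(f"{name:20s} {verdict:9s} {shown}")
```

Running the script prints the recovered keystore password next to the OBF entry, which is the point: treat jetty-ssl-context.xml as a secret-bearing file and protect it with file permissions rather than relying on OBF.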
Disable TLS 1.0 and TLS 1.1
Legacy TLS protocol versions can be disabled by updating the configuration in ../etc/jetty-ssl-context.xml
By default, only TLS v1.2 / TLS v1.3 is enabled.
If you need to exclude TLSv1 and TLSv1.1 explicitly, follow the steps below:
1.) Stop the SearchBlox service, then edit the following file:
/opt/searchblox/etc/jetty-ssl-context.xml
or
C:\SearchBloxServer\etc\jetty-ssl-context.xml
2.) Add or update the following calls inside the <Configure id="sslContextFactory"> element. The cipher-suite items are regular expressions matched against the whole suite name, so .*DES.* also covers the 3DES suites and .*MD5.* removes the suites using an MD5 MAC.
<Call name="setExcludeProtocols">
<Arg>
<Array type="String">
<Item>TLSv1</Item>
<Item>TLSv1.1</Item>
</Array>
</Arg>
</Call>
<Call name="addExcludeCipherSuites">
<Arg>
<Array type="String">
<Item>.*NULL.*</Item>
<Item>.*RC4.*</Item>
<Item>.*MD5.*</Item>
<Item>.*3DES.*</Item>
<Item>.*DES.*</Item>
<Item>.*DSS.*</Item>
</Array>
</Arg>
</Call>
3.) Restart the SearchBlox service.
Cipher suites in SSL
Cipher suites can be included or excluded by editing the file ../etc/jetty-ssl-context.xml. Each item is an exact suite name or a regular expression that must match the whole suite name. Jetty first selects the suites matched by IncludeCipherSuites (all enabled suites when that list is empty) and then removes every suite matched by ExcludeCipherSuites, so a suite that appears in both lists stays disabled.
To exclude cipher suites (the DES suites by exact name, the DHE-RSA and ECDHE families by pattern; note that excluding TLS_ECDHE.* removes every forward-secret ECDHE suite, so use such a broad pattern only deliberately):
<Set name="ExcludeCipherSuites">
<Array type="String">
<Item>SSL_RSA_WITH_DES_CBC_SHA</Item>
<Item>SSL_DHE_RSA_WITH_DES_CBC_SHA</Item>
<Item>SSL_DHE_DSS_WITH_DES_CBC_SHA</Item>
<Item>TLS_DHE_RSA.*</Item>
<Item>TLS_ECDHE.*</Item>
</Array>
</Set>
To include cipher suites (the include list is an allow list, so it should name only suites you want active, never the weak DES suites; here the TLS 1.3 suites and the ECDHE AES-GCM suites):
<Set name="IncludeCipherSuites">
<Array type="String">
<Item>TLS_AES_256_GCM_SHA384</Item>
<Item>TLS_AES_128_GCM_SHA256</Item>
<Item>TLS_ECDHE_.*_WITH_AES_.*_GCM_SHA.*</Item>
</Array>
</Set>
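Because include and exclude items are regular expressions and exclusion is applied after inclusion, it is easy to misjudge what a jetty-ssl-context.xml edit actually enables. The following Python script, added here as an example and not SearchBlox or Jetty code, reproduces that selection order (include patterns first, then exclude patterns, each matched against the whole suite name, as Jetty's SslContextFactory does) so that the protocol and cipher-suite settings from the two sections above can be previewed offline. The XML excerpt and the list of supported suite names inside it are constructed for the demonstration; a real JVM would supply its own list.

```python
"""Preview Jetty cipher-suite selection (added example; not SearchBlox or Jetty code).

Mirrors SslContextFactory: start from IncludeCipherSuites (or every
supported suite if empty), then drop ExcludeCipherSuites; items are
regexes that must match the whole suite name.
"""
import re
import xml.etree.ElementTree as ET

# Constructed subset of JDK cipher-suite names, strong and weak mixed.
SUPPORTED_SUITES = [
    "TLS_AES_256_GCM_SHA384",
    "TLS_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "SSL_RSA_WITH_DES_CBC_SHA",
    "SSL_DHE_DSS_WITH_DES_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
    "SSL_RSA_WITH_NULL_MD5",
]

# Constructed jetty-ssl-context.xml excerpt: an allow list, an exclusion
# list, and the protocol exclusion from the "Disable TLS" steps.
SAMPLE_XML = """<Configure id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory">
  <Set name="IncludeCipherSuites">
    <Array type="String">
      <Item>TLS_AES_.*</Item>
      <Item>TLS_ECDHE.*</Item>
    </Array>
  </Set>
  <Set name="ExcludeCipherSuites">
    <Array type="String">
      <Item>.*NULL.*</Item>
      <Item>.*RC4.*</Item>
      <Item>.*DES.*</Item>
      <Item>.*_CBC_.*</Item>
    </Array>
  </Set>
  <Call name="setExcludeProtocols">
    <Arg><Array type="String"><Item>TLSv1</Item><Item>TLSv1.1</Item></Array></Arg>
  </Call>
</Configure>
"""


def _items(root, tag, name):
    """Collect <Item> texts under <Set name=...> or <Call name=...>."""
    out = []
    for el in root.findall(tag):
        if el.get("name") == name:
            out.extend(item.text.strip() for item in el.iter("Item") if item.text)
    return out


def parse_config(xml_text):
    root = ET.fromstring(xml_text)
    return {
        "include": _items(root, "Set", "IncludeCipherSuites"),
        "exclude": _items(root, "Set", "ExcludeCipherSuites"),
        "exclude_protocols": _items(root, "Call", "setExcludeProtocols"),
    }


def select_cipher_suites(include, exclude, supported):
    """Include first (pattern order preserved), then exclude; exclude wins."""
    if include:
        selected = []
        for pattern in include:
            rx = re.compile(pattern)
            selected.extend(s for s in supported if rx.fullmatch(s) and s not in selected)
    else:
        selected = list(supported)
    for pattern in exclude:
        rx = re.compile(pattern)
        selected = [s for s in selected if not rx.fullmatch(s)]
    return selected


def effective_suites(xml_text, supported=SUPPORTED_SUITES):
    cfg = parse_config(xml_text)
    return select_cipher_suites(cfg["include"], cfg["exclude"], supported)


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_XML)
    print("excluded protocols:", cfg["exclude_protocols"])
    for suite in effective_suites(SAMPLE_XML):
        print("enabled:", suite)
    # A weak suite named in both lists stays off: exclusion is applied last.
    print(select_cipher_suites(["SSL_RSA_WITH_DES_CBC_SHA"],
                               ["SSL_RSA_WITH_DES_CBC_SHA"], SUPPORTED_SUITES))
```

With the sample configuration only the two TLS 1.3 suites and the two ECDHE AES-GCM suites survive; the CBC and RC4 ECDHE suites are matched by the include pattern but removed again by the exclusions. Swapping the page's `TLS_ECDHE.*` into the exclude list instead shows every ECDHE suite disappearing, which is the trap the regex form sets.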
Updated about 4 years ago