## **Enable SSL**

To run the SearchBlox server (Windows or Linux) over SSL, follow these steps:

  1. Stop the SearchBlox server if it is running.

  2. Open the folder `C:\SearchBloxServer` (Windows) or `/opt/searchblox` (Linux).

  3. Run the command: `java -server -jar start.jar --add-to-startd=https` (this creates `start.d/https.ini`, which enables Jetty's https module).

  4. Start the SearchBlox server.

  5. Open your browser and enter the following URL: https://localhost:8443/searchblox/admin/main.jsp (the default HTTPS port is 8443).

  6. If you need to change the port, add the lines `--module=https` and `jetty.ssl.port=8444` to `/opt/searchblox/start.ini` (Linux) or `C:\SearchBloxServer\start.ini` (Windows).

  7. If you need to remove HTTP access, i.e. allow only SSL access to SearchBlox, open `<SEARCHBLOX_INSTALLATION_PATH>/start.ini` and comment out line 155 so that it reads `#--module=http`.

Important

  • Stop the SearchBlox service before you make the SSL change.

  • Ensure the JAVA_HOME environment variable is set before you run the SSL command.

  • Restart the SearchBlox service after making any changes.

  • Ensure that you have a valid certificate to run SearchBlox with SSL.

Note

For enabling TLS on Elasticsearch itself, see: https://opendistro.github.io/for-elasticsearch-docs/old/0.9.0/docs/security/tls-configuration/

## **Disable SSL**

  1. Go to `<SEARCHBLOX_INSTALLATION_PATH>/start.ini` and uncomment line 155 so that it reads `--module=http`

  2. Delete the file `<SEARCHBLOX_INSTALLATION_PATH>/start.d/https.ini`

  3. Restart SearchBlox

  4. SearchBlox will then be accessible only over HTTP at http://localhost:8080/searchblox/admin/main.jsp

## **Creating and Importing External Certificate using Java Key Tool**

Follow these steps to import an external SSL certificate (.pem or .crt):

**Step: 1**

Go to path:

For Windows: `C:\SearchBloxServer\etc`

For Linux: `/opt/searchblox/etc/`

**Note:** If a keystore file is already present, take a backup of it and then rename or delete it.

**Step: 2**

Generate a Java keystore and key pair, i.e. a .jks file (example: searchblox.jks), using the following command:

`keytool -genkey -alias searchblox -keyalg RSA -keystore searchblox.jks -keysize 2048`

It will ask you to create a password for the keystore and then for the certificate details. "First name/last name" is the CN, which must match the FQDN that users will browse to. Once you have entered the details, type yes to confirm them. If the certificate is to be issued by a CA for this key, generate the certificate signing request from this same keystore (keytool's `-certreq` option with the same alias and keystore) and send the CSR to the CA; a certificate issued for a key generated elsewhere cannot be installed on this entry.

**Step: 3**

Import the certificates into the searchblox.jks file created in the previous step. Import the root and any intermediate CA certificates first, each under its own alias (for example `rootca`), then import the issued server certificate (.pem/.crt, example: searchblox.pem/searchblox.crt) under the key pair's alias `searchblox`. Because that alias already holds the private key, keytool installs the file as the certificate reply for that key rather than as a separate trusted entry:

`keytool -import -trustcacerts -alias searchblox -file searchblox.pem -keystore searchblox.jks`

**Step: 4**

Convert the .jks file into PKCS #12 format. In this step, convert searchblox.jks into searchblox.p12 (a .pkcs12 extension is equivalent):

`keytool -importkeystore -srckeystore searchblox.jks -destkeystore searchblox.p12 -deststoretype PKCS12`

It will ask you to create a password for the new PKCS12 file and then for the password of the source keystore (and, if it differs, the key password of the `searchblox` entry).

**Step: 5**

Run the following command to create the `keystore` file that jetty-ssl-context.xml will point to, keeping PKCS #12 as the store type (Jetty requires PKCS #12, see the Important notes below):

`keytool -importkeystore -srckeystore searchblox.p12 -srcstoretype PKCS12 -destkeystore keystore -deststoretype PKCS12`

**Step: 6**

Go to path:

For Windows: `C:\SearchBloxServer\lib`

For Linux: `/opt/searchblox/lib/`

Generate the obfuscated password by running the following command (the version suffix of the jetty-util jar in `lib/` may differ from the one shown). It prints the password, its obfuscated OBF: form and an MD5: digest. Only the OBF: form (or the clear-text password) can be used for the keystore password in the sslcontextfactory, i.e. jetty-ssl-context.xml, mentioned in the next step; the MD5: digest is one-way and cannot open the keystore. Use the real keystore password instead of `admin@1234`, and remember that a password given on the command line ends up in the shell history.

`java -cp jetty-util-9.4.26.v20200117.jar org.eclipse.jetty.util.security.Password admin@1234`

Example output: OBF:1ing1j1s1kmy1jnb1nl91nip1jk71kjo1iz21iky MD5:7ece99e593ff5dd200e2b9233d9ba654

**Step: 7**

Go to path

For Windows: `C:\SearchBloxServer\etc`

For Linux: `/opt/searchblox/etc/`

Set the OBF key (`OBF:1ing1j1s1kmy1jnb1nl91nip1jk71kjo1iz21iky` in this example) as the `KeyStorePassword` (and `TrustStorePassword`, if a trust store is configured) in jetty-ssl-context.xml, and make sure `KeyStorePath` points to the `keystore` file created in Step 5. OBF: is obfuscation, not encryption, so restrict read access to this file to the account that runs SearchBlox.



## **Creating and Importing Self Signed Certificate using Java Key Tool:**

To set up a self-signed SSL certificate with java keytool and install it in SearchBlox, follow the steps:

**Step: 1**

Go to path:

For Windows: `C:\SearchBloxServer\etc`

For Linux: `/opt/searchblox/etc/`

**Note:** If a keystore file is already present, take a backup of it and then rename or delete it.

**Step: 2**

Generate a self-signed key pair and certificate directly in a PKCS12 file using java keytool:

`keytool -genkeypair -alias searchblox -keyalg RSA -keysize 2048 -storetype PKCS12 -keystore searchblox.p12 -validity 3650`

It will ask you to create a password for the PKCS12 file and then for the certificate details. "First name/last name" is the CN, which must match the FQDN that users will browse to. Once you have entered the details, type yes to confirm them. Current browsers match the host name against the Subject Alternative Name rather than the CN, so also pass `-ext SAN=dns:<fqdn>` to this command if the browser is to accept the host name without a warning beyond the self-signed one.

**Step: 3**

Run the following command to create the `keystore` file that jetty-ssl-context.xml will point to from the PKCS12 file, keeping PKCS #12 as the store type:

`keytool -importkeystore -srckeystore searchblox.p12 -srcstoretype PKCS12 -destkeystore keystore -deststoretype PKCS12`

**Step: 4**

Go to path:

For Windows: `C:\SearchBloxServer\lib`

For Linux: `/opt/searchblox/lib/`

Generate the obfuscated password by running the following command (the version suffix of the jetty-util jar in `lib/` may differ from the one shown). It prints the password, its obfuscated OBF: form and an MD5: digest. Only the OBF: form (or the clear-text password) can be used for the keystore password in the sslcontextfactory, i.e. jetty-ssl-context.xml, mentioned in the next step; the MD5: digest is one-way and cannot open the keystore. Use the real keystore password instead of `admin@1234`, and remember that a password given on the command line ends up in the shell history.

`java -cp jetty-util-9.4.26.v20200117.jar org.eclipse.jetty.util.security.Password admin@1234`

Example output: OBF:1ing1j1s1kmy1jnb1nl91nip1jk71kjo1iz21iky MD5:7ece99e593ff5dd200e2b9233d9ba654
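The OBF: string above is obfuscation, not encryption: the algorithm (Jetty's `org.eclipse.jetty.util.security.Password`) is public and needs no key to reverse. The following is an added example, not SearchBlox or Jetty code: a Python re-implementation of both directions that recovers `admin@1234` from the OBF: value shown in Step 4 here and in Step 6 of the external-certificate section. The only input it assumes is that sample string from the page.

```python
"""Jetty 'OBF:' password obfuscation, re-implemented to show it is reversible.

Added example, not SearchBlox or Jetty code. It mirrors the obfuscate /
deobfuscate methods of org.eclipse.jetty.util.security.Password. The sample
OBF: string is the one the page prints for the password admin@1234.
"""

OBF_PREFIX = "OBF:"
_BASE36 = "0123456789abcdefghijklmnopqrstuvwxyz"


def _to_base36(n: int) -> str:
    """Lower-case base-36 encoding, as Java's Integer.toString(n, 36) produces."""
    if n == 0:
        return "0"
    digits = []
    while n:
        n, rem = divmod(n, 36)
        digits.append(_BASE36[rem])
    return "".join(reversed(digits))


def _signed(byte: int) -> int:
    """Reinterpret a 0..255 value as Java's signed byte (-128..127)."""
    return byte - 256 if byte > 127 else byte


def obfuscate(password: str) -> str:
    """Return the OBF: form that Jetty's Password tool prints for `password`."""
    raw = password.encode("utf-8")
    n = len(raw)
    out = [OBF_PREFIX]
    for i in range(n):
        b1 = _signed(raw[i])             # byte read from the front
        b2 = _signed(raw[n - (i + 1)])   # mirrored byte read from the back
        if b1 < 0 or b2 < 0:
            # non-ASCII byte involved: 'U' marker + 4 base-36 chars of the raw 16-bit pair
            i0 = (b1 & 0xFF) * 256 + (b2 & 0xFF)
            x = _to_base36(i0)
            out.append("U0000"[: 5 - len(x)] + x)
        else:
            # ASCII: pack the pair's sum and difference, base-36, zero-padded to 4 chars
            i1 = 127 + b1 + b2
            i2 = 127 + b1 - b2
            x = _to_base36(i1 * 256 + i2)
            out.append("000"[: 4 - len(x)] + x)
    return "".join(out)


def deobfuscate(obf: str) -> str:
    """Recover the clear-text password from an OBF: string. No key is needed."""
    s = obf[len(OBF_PREFIX):] if obf.startswith(OBF_PREFIX) else obf
    raw = bytearray()
    i = 0
    while i < len(s):
        if s[i] == "U":
            i0 = int(s[i + 1:i + 5], 36)
            raw.append((i0 >> 8) & 0xFF)           # high byte is the original byte
            i += 5
        else:
            i0 = int(s[i:i + 4], 36)
            i1, i2 = divmod(i0, 256)
            raw.append(((i1 + i2 - 254) // 2) & 0xFF)  # i1 + i2 - 254 == 2 * b1
            i += 4
    return raw.decode("utf-8")


# The OBF: value shown on this page for admin@1234 (taken from the page, not computed here).
PAGE_SAMPLE = "OBF:1ing1j1s1kmy1jnb1nl91nip1jk71kjo1iz21iky"


def recover_page_sample() -> str:
    """Decode the page's sample OBF: value back to the clear-text password."""
    return deobfuscate(PAGE_SAMPLE)


if __name__ == "__main__":
    print(recover_page_sample())                    # admin@1234
    print(obfuscate("admin@1234") == PAGE_SAMPLE)   # True
    print(deobfuscate(obfuscate("Pässw0rd!")))      # non-ASCII round-trips as well
```

Anyone who can read jetty-ssl-context.xml can therefore recover the keystore password in a few lines; treat OBF: as protection against shoulder-surfing and casual copying, not as a secret store, and rely on file permissions for the real protection. The MD5: form printed by the same tool is meant for Jetty's HashLoginService realm files and, being one-way, cannot be used to open a keystore.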

**Step: 5**

Go to path

For Windows: `C:\SearchBloxServer\etc`

For Linux: `/opt/searchblox/etc/`

Update jetty-ssl-context.xml with the OBF key (`OBF:1ing1j1s1kmy1jnb1nl91nip1jk71kjo1iz21iky` in this example):

  • Ensure `<SEARCHBLOX_INSTALLATION_PATH>/etc/jetty-ssl-context.xml` refers to the path of the new keystore file and to the obfuscated password from the previous step.

  • In that file, the path to the keystore is provided in the parameters `KeyStorePath` and `TrustStorePath`. The obfuscated (OBF:) password is provided in the parameters `KeyStorePassword` and `TrustStorePassword`. OBF: is reversible, so restrict read access to this file to the account that runs SearchBlox.


  • Stop and start the SearchBlox service.

  • SearchBlox will now use the SSL certificate and serve the search results on the specified secure port.

  • Open your browser, go to the URL https://localhost:8443/searchblox/admin/main.jsp and click the browser's lock icon to confirm that the new certificate is the one being served.
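For reference, an added excerpt showing how the keystore settings named in the bullets above look in Jetty 9.4's XML syntax. This is an illustrative example, not the jetty-ssl-context.xml that SearchBlox ships (that file's full contents are not reproduced on this page); edit the matching `<Set>` elements in the shipped file rather than replacing it. The path is the Linux install location used on this page, the OBF: value is the page's example for `admin@1234`, and the `KeyStoreType` line assumes the PKCS #12 file produced by the keytool steps.

```xml
<?xml version="1.0"?>
<!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "http://www.eclipse.org/jetty/configure_9_3.dtd">
<!-- Illustrative excerpt (added example), not the file SearchBlox ships.
     Paths and the OBF: value are the examples used on this page. -->
<Configure id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory$Server">
  <!-- PKCS #12 keystore produced by the keytool steps above -->
  <Set name="KeyStorePath">/opt/searchblox/etc/keystore</Set>
  <Set name="KeyStoreType">PKCS12</Set>
  <!-- OBF: form printed by the Password tool; it is reversible, so protect this file -->
  <Set name="KeyStorePassword">OBF:1ing1j1s1kmy1jnb1nl91nip1jk71kjo1iz21iky</Set>
  <!-- The trust store is only consulted if client certificates are requested -->
  <Set name="TrustStorePath">/opt/searchblox/etc/keystore</Set>
  <Set name="TrustStoreType">PKCS12</Set>
  <Set name="TrustStorePassword">OBF:1ing1j1s1kmy1jnb1nl91nip1jk71kjo1iz21iky</Set>
  <Set name="NeedClientAuth">false</Set>
  <Set name="WantClientAuth">false</Set>
</Configure>
```

If the keystore password and the key password differ, Jetty also needs `KeyManagerPassword`; with the PKCS #12 file created above they are the same, so it can be left unset. A wrong path or password shows up as an SslContextFactory failure in the SearchBlox log at startup, before any connection is accepted.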

Important

  1. When creating or exporting the keystore, be sure to specify PKCS #12 and not JKS format. **Jetty requires PKCS #12.**

  2. If working with a SearchBlox cluster, specify all of the hostnames in the cluster as Subject Alternative Names on the certificate (for keytool, `-ext SAN=dns:host1,dns:host2` on the `-genkeypair` command, and the same option on `-certreq` for a CA-issued certificate). This lets you use the same certificate/keystore file for all machines in the cluster.

## **Disable older TLS versions**

Older TLS protocol versions can be disabled by updating the configuration within `../etc/jetty-ssl-context.xml`.

By default, only TLS v1.2 / TLS v1.3 is enabled.

If you need to disable TLSv1 and TLSv1.1 explicitly, follow the steps below:

  1. Stop the SearchBlox service, then edit the following file: `/opt/searchblox/etc/jetty-ssl-context.xml` or `C:\SearchBloxServer\etc\jetty-ssl-context.xml`

  2. Add or update the required protocols under the sslContextFactory tag.

  3. Restart the SearchBlox service.

## **Cipher suites in SSL**

Cipher suites can be included or excluded by editing the file `../etc/jetty-ssl-context.xml`

To exclude cipher suites:



To include cipher suites:
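The protocol exclusion described in the previous section and the cipher include/exclude lists here are expressed the same way: an `<Array type="String">` inside a `<Set>` on the sslContextFactory, which Jetty maps to the `setExcludeProtocols`, `setIncludeProtocols`, `setExcludeCipherSuites` and `setIncludeCipherSuites` methods of `SslContextFactory`. The following is an added example, not SearchBlox's configuration; the particular suites and patterns are a representative policy chosen here (AEAD suites with forward secrecy only) and should be matched to the clients you need to support.

```xml
<?xml version="1.0"?>
<!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "http://www.eclipse.org/jetty/configure_9_3.dtd">
<!-- Illustrative excerpt (added example), not the file SearchBlox ships.
     Only the elements shown here need to be added to or changed in that file. -->
<Configure id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory$Server">

  <!-- Protocol policy. Anything listed here is removed even if the JVM enables it. -->
  <Set name="ExcludeProtocols">
    <Array type="String">
      <Item>SSLv3</Item>
      <Item>TLSv1</Item>
      <Item>TLSv1.1</Item>
    </Array>
  </Set>
  <!-- The same policy stated positively; one of the two forms is enough.
       Only list protocols the running JVM actually supports. -->
  <Set name="IncludeProtocols">
    <Array type="String">
      <Item>TLSv1.2</Item>
      <Item>TLSv1.3</Item>
    </Array>
  </Set>

  <!-- Exclude cipher suites; entries are regular expressions.
       Drops SHA-1/MD5 MACs, static RSA key exchange, NULL, anonymous, RC4 and 3DES. -->
  <Set name="ExcludeCipherSuites">
    <Array type="String">
      <Item>^.*_(MD5|SHA|SHA1)$</Item>
      <Item>^TLS_RSA_.*$</Item>
      <Item>^.*_NULL_.*$</Item>
      <Item>^.*_anon_.*$</Item>
      <Item>^.*_RC4_.*$</Item>
      <Item>^.*_3DES_.*$</Item>
    </Array>
  </Set>

  <!-- Include cipher suites: an allow-list, in preference order.
       Exclusions are applied after inclusions, so a suite in both lists stays disabled. -->
  <Set name="IncludeCipherSuites">
    <Array type="String">
      <Item>TLS_AES_256_GCM_SHA384</Item>
      <Item>TLS_AES_128_GCM_SHA256</Item>
      <Item>TLS_CHACHA20_POLY1305_SHA256</Item>
      <Item>TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384</Item>
      <Item>TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384</Item>
      <Item>TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256</Item>
      <Item>TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256</Item>
    </Array>
  </Set>

</Configure>
```

After restarting SearchBlox, check the result from outside rather than trusting the file: `openssl s_client -connect localhost:8443 -tls1_1` should fail to negotiate, `openssl s_client -connect localhost:8443 -tls1_2` should succeed and report one of the included suites, and an empty include list would mean no suite matched and every handshake fails, which Jetty reports in the log at startup.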