Enabling security for the Elastic Stack using an external certificate

Configure security for the Elastic Stack using a properly chained certificate from a trusted certificate authority (CA). IBM® Spectrum Symphony uses Elastic Stack for IBM Spectrum Symphony Explorer reports (available with IBM Spectrum Symphony Advanced Edition on Linux® and Linux on POWER®).

Before you begin

  • You must be a cluster administrator.
  • You must ensure that the clock settings on the server and client are identical. Otherwise, errors may occur.

About this task

Follow these steps if you want to complete these tasks:
  • Enable security for the first time (in other words, if you disabled security during installation by setting DISABLESSL=Y).
  • Use a properly chained certificate from a trusted CA that replaces the default self-signed certificate when security is enabled during installation.

When security is enabled for the Elastic Stack, a trust relationship between the server and the client is established by sending a server certificate to the client. The client validates the certificates that are signed by a trusted CA. For your production environment, ensure that you use a properly chained certificate that is issued or signed by a trusted CA. By default the Elastic Stack uses the TLSv1.2 protocol.

Procedure

  1. Stop Elastic Stack services. For more information, see Stopping Elastic Stack services.
  2. Generate the server trust store file by running:
    keytool -importcert -noprompt -alias srvalias -file cacert.pem_location -keystore serverTrustStore.jks -storepass storepass
    where cacert.pem_location is the path to the cacert.pem file that you saved previously, and storepass specifies the keystore password; for example: Liberty.
  3. Secure communication to the Elasticsearch services (elk-elasticsearch, elk-elasticsearch-master, and elk-elasticsearch-data). For this step, you require a security certificate in .pem format (for example, cert.pem):
    1. Move the security keystore and certificate to a location that is shared by all nodes.
    2. Enable security for the Elastic Stack services by setting the orchestrator.security.auth.enable and orchestrator.ssl.transport.enabled parameter to true in the Elasticsearch configuration file. The configuration file is located at $EGO_CONFDIR/../../integration/elk/conf/elasticsearch/elasticsearch.yml.

      To disable security, see Disabling security for the Elastic Stack.

    3. Encrypt the password using the securityUtilities command. For more information, see Liberty profile: securityUtility command.
    4. Edit the Elasticsearch configuration file according to the security keystore and certificate. By default, the transport and HTTP communication layers are configured with the same security keystore and certificate. To use an external certificate, modify the configuration file as follows:
      If you are using an encrypted password for any orchestrator security plug-in password parameters, you must add double quotation marks around it.
      
      orchestrator.ssl.transport.enabled: true
      orchestrator.ssl.transport.keystore.filepath: $EGO_TOP/wlp/usr/shared/resources/security/externalKeyStore.jks
      orchestrator.ssl.transport.truststore.filepath: $EGO_TOP/wlp/usr/shared/resources/security/externalTrustStore.jks
      orchestrator.ssl.transport.keystore.password: "{aes}ABE7CTHBolSmXwkUH9+xyxpYVO8H4lyllJKito98fpC5"
      orchestrator.ssl.transport.truststore.password: "{aes}ABE7CTHBolSmXwkUH9+xyxpYVO8H4lyllJKito98fpC5"
      orchestrator.ssl.transport.keystore.type: jks
      orchestrator.ssl.transport.truststore.type: jks
      orchestrator.ssl.transport.keystore.alias: srvalias
      orchestrator.ssl.transport.truststore.alias: srvalias
      orchestrator.ssl.transport.enabled.protocols:
         - "TLSv1.2"
      orchestrator.ssl.http.enabled: true
      orchestrator.ssl.http.enabled.protocols:
        - "TLSv1.2"
      orchestrator.ssl.http.keystore.filepath: $EGO_TOP/wlp/usr/shared/resources/security/externalKeyStore.jks
      orchestrator.ssl.http.truststore.filepath: $EGO_TOP/wlp/usr/shared/resources/security/externalTrustStore.jks
      orchestrator.ssl.http.keystore.password: "{aes}ABE7CTHBolSmXwkUH9+xyxpYVO8H4lyllJKito98fpC5"
      orchestrator.ssl.http.truststore.password: "{aes}ABE7CTHBolSmXwkUH9+xyxpYVO8H4lyllJKito98fpC5"
      orchestrator.ssl.http.keystore.type: jks
      orchestrator.ssl.http.truststore.type: jks
      orchestrator.ssl.http.keystore.alias: srvalias
      orchestrator.ssl.http.truststore.alias: srvalias
    5. Check the value of the CA_CERT_PATH parameter in the $EGO_CONFDIR/../../integration/elk/conf/elk.conf file:

      By default, this parameter's value is $EGO_TOP/wlp/usr/shared/resources/security/cacert.pem.

  4. Restart the Elastic Stack services. For more information, see Starting Elastic Stack services.
  5. Update the Explorer access protocol so that you can view Explorer reports in the cluster management console after enabling security for the Elastic Stack:
    1. Open the $EGO_CONFDIR/../../explorer/config/config.json file for editing.
    2. Locate the "protocol":"http" line, and change it to "protocol":"https".
      For example:
      
      {
          "pa.net.port": 5000,
          "pa.metadata": {
              "datasource": "ds1",
              "index": "model"
          },
          "pa.dashboard.default": "cluster_overview",
          "pa.query.size.max": 10000,
          "pa.query.timeout" : 300000,
          "pa.logging": {
              "logLevel": "debug",
              "appName": "server",
              "logDir": "logs",
              "datasource": "ds1"
          },
          "pa.datasources": {
      "ds1": {"name": "ES Instance1", "type": "elasticsearch", "hosts": [{"host" : "user.example.ibm.com", "port": 9200, "protocol":"https"}]}
          },
          "pa.allow.cross.domain": "false",
          "pa.allow.limited.access": "true",
          "pa.allow.access.ips": "9.21.52.21",
          "elasticsearch.version" : "7.12.1"
      }
      
    3. Save and close the file.
    4. Restart the Explorer service for the changes to take effect:
      egosh service stop Explorer
      egosh service start Explorer