How do I Secure API Data Store Communication using HTTPS with X-Pack?

Edit online

You can use X-Pack to secure API Data Store to communicate securely over HTTPS. This section explains the steps required to configure X-Pack for webMethods API Gateway.

Before you begin

Ensure that you have installed an updated version of Java in your system and configure the path of the environment variable.

To secure API Data Store communication using X-Pack

  1. Shut down webMethods API Gateway.
  2. Open the elasticsearch.yml file from the SAG_Install_Dir\profiles\IS_instance_name\apigateway\config folder.
  3. Set the property xpack.security.enabled to true.
  4. Save the changes.
  5. Perform the instructions given in the following sections in https://www.elastic.co/guide/en/elasticsearch/reference/current/security-basic-setup.html.
    1. Enable Elasticsearch security features.
    2. Generate the certificate authority.
    3. Encrypt internode communication with TLS.
    4. Set passwords for built-in users.
    5. Configure Kibana to connect to Elasticsearch with a password.
    6. Set up basic security for the Elastic stack plus secured HTTPS traffic.
    7. Encrypt HTTP client communication for Elasticsearch.
    8. Encrypt HTTP client communication for Kibana.

API Data Store now runs on a HTTPS port and requires basic authentication to access.

Configure Kibana to connect to API Data Store

  1. Create a new user to access Kibana.
  2. Assign the roles Superuser, Kibana_admin to the new userid and set the password. For more details about how to create a user, see https://www.elastic.co/guide/en/elasticsearch/reference/current/security-api-put-user.htmlThe following image shows an example to create a new Kibana user with roles and password.
    New kibana user
  3. Open the uiconfiguration.properties file from the SAG_Install_Dir\profiles\IS_instance_name\apigateway\config folder. Set the property apigw.kibana.autostart to false and save the changes.
  4. Open the kibana.yml file from the SAG_Install_Dir\profiles\IS_instance_name\apigateway\dashboard\config folder and set the following.
    • elasticsearch.username : Elasticsearch username
    • elasticsearch.password : Elasticesearch Password
      Example:
      • elasticsearch.username : "apigatewayuser2"
      • elasticsearch.password : “Password"

Update Keystore and Trustore

  1. Export the Elasticsearch certificate from the keystore
    1. Open the command prompt from the location SAG_Install_Dir\InternalDataStore\elasticsearch-ssl-http\elasticsearch folder.
    2. Run the following command to export the certificate from the keystore and place it in the required location. : 
    3. keytool -export -keystore http.p12 -alias http -rfc -file certificate.cer
    4. Enter the password for the keystore
      Export Keystore
      The certificate is exported and saved with the name you provide.
  2. Import the certificate into the truststore
    1. Open the command prompt from the location SAG_Install_Dir\InternalDataStore\elasticsearch-ssl-http\elasticsearch folder.
    2. Run the following command to import the generated certificate into the truststore : 
      keytool -import -alias http -file certificate.cer -storetype JKS -keystore truststore.jks
    3. Enter the password for the Keystore setup in step
      Importing Keystore
      The exported certificate is saved in the specified location.

Update API Gateway configurations to connect to API Data Store

  1. Open the config.properties file from the SAG_Install_Dir\IntegrationServer\instances\instance_name\packages\WmAPIGateway\config\resources\elasticsearch folder.
  2. Remove the # symbol from the following properties and provide the corresponding values for the properties and save the file.
    Table 1.
    Property Value to be set
    pg.gateway.elasticsearch.http.username Elasticsearch username
    pg.gateway.elasticsearch.http.password Elasticesearch password
    pg.gateway.elasticsearch.https.truststore.filepath SAG_Install_Dir​/InternalDataStore/sagconfig/truststore.jks
    pg.gateway.elasticsearch.https.truststore.password password of trust store
    pg.gateway.elasticsearch.https.enabled true
  3. Start API Data Store.
  4. Veify if API Data Store is up and running, start the Kibana server by running the kibana.bat file located at SAG_Install_Dir\profiles\IS_default\apigateway\dashboard\bin.
  5. Start API Gateway.

You can now log on to API gateway and access the Analytics page without any challenge.