Configure security for Elastic Stack using a self-signed
certificate for testing purposes. IBM® Spectrum Symphony uses Elastic Stack for
IBM Spectrum Symphony Explorer reports
(available with IBM Spectrum Symphony
Advanced Edition on Linux® and Linux on POWER®).
Before you begin
- You must be a cluster administrator.
- You must ensure that the clock settings on the server and client are identical. Otherwise,
errors may occur.
Tip: To automatically enable
security for Elastic Stack, see
Enabling security with the security tool.
Use the security
tool generate secure server certificates to encrypt information, and
then configuring components to use those certificates for security.
The security tool provides both of these functions.
About this task
Follow these steps if you want to complete these tasks:
- Enable security for the first time (in other words, if you
disabled security during installation by setting
DISABLESSL=Y).
- Use your own self-signed certificate that will replace the default one generated when
security is enabled during installation.
When security is enabled for the Elastic Stack, a trust
relationship between the server and the client is established by sending a server certificate to the
client. The client validates the certificates that are signed by the self-signed Platform Computing
CA Root. This self-signed certificate can be used only for testing purposes. For your production
environment, use a properly chained certificate that is issued or signed by a trusted certificate
authority. By default the Elastic Stack uses the TLSv1.2 protocol.
Procedure
-
Stop the Elastic Stack services. For more information, see Stopping Elastic Stack services.
-
If you don't already have a server trust store file, generate the file:
- Go to the $EGO_TOP/wlp/usr/shared/resources/security
directory:
cd $EGO_TOP/wlp/usr/shared/resources/security
- Generate a server trust store file, for example,
serverTrustStore.jks:
-
Secure communication to the Elasticsearch services
(elk-elasticsearch, elk-elasticsearch-master, and
elk-elasticsearch-data). For this step, you require the
security certificate in .pem format (for example,
cacert.pem) that you downloaded in Enabling security for the cluster management console using a self-signed certificate:
-
Move
the server trust store file (for example, serverTrustStore.jks) and certificate
to a location that is shared by all nodes.
-
Enable security for the Elastic Stack services by setting the
orchestrator.ssl.http.enabled and
orchestrator.ssl.transport.enabled parameter to
true in the Elasticsearch configuration file. The
configuration file is located at
$EGO_CONFDIR/../../integration/elk/conf/elasticsearch/elasticsearch.yml.
-
Encrypt the password by using the securityUtilities command; for example:
-
Edit the Elasticsearch
configuration file according to the security keystore and certificate.
By default, the transport and HTTP communication layers are configured with the same
security keystore and certificate.
If you are using an encrypted password for any orchestrator
security plug-in password parameters, you must add double quotation
marks around it.
orchestrator.ssl.transport.enabled: true
orchestrator.ssl.transport.keystore.filepath: $EGO_TOP/wlp/usr/shared/resources/security/externalKeyStore.jks
orchestrator.ssl.transport.truststore.filepath: $EGO_TOP/wlp/usr/shared/resources/security/externalTrustStore.jks
orchestrator.ssl.transport.keystore.password: "{aes}ABE7CTHBolSmXwkUH9+xyxpYVO8H4lyllJKito98fpC5"
orchestrator.ssl.transport.truststore.password: "{aes}ABE7CTHBolSmXwkUH9+xyxpYVO8H4lyllJKito98fpC5"
orchestrator.ssl.transport.keystore.type: jks
orchestrator.ssl.transport.truststore.type: jks
orchestrator.ssl.transport.keystore.alias: srvalias
orchestrator.ssl.transport.truststore.alias: srvalias
orchestrator.ssl.transport.enabled.protocols:
- "TLSv1.2"
orchestrator.ssl.http.enabled: true
orchestrator.ssl.http.enabled.protocols:
- "TLSv1.2"
orchestrator.ssl.http.keystore.filepath: $EGO_TOP/wlp/usr/shared/resources/security/externalKeyStore.jks
orchestrator.ssl.http.truststore.filepath: $EGO_TOP/wlp/usr/shared/resources/security/externalTrustStore.jks
orchestrator.ssl.http.keystore.password: "{aes}ABE7CTHBolSmXwkUH9+xyxpYVO8H4lyllJKito98fpC5"
orchestrator.ssl.http.truststore.password: "{aes}ABE7CTHBolSmXwkUH9+xyxpYVO8H4lyllJKito98fpC5"
orchestrator.ssl.http.keystore.type: jks
orchestrator.ssl.http.truststore.type: jks
orchestrator.ssl.http.keystore.alias: srvalias
orchestrator.ssl.http.truststore.alias: srvalias
The truststore_alias is the alias name of a trusted certificate
entry in your server truststore, for example, the alias of your root certificate which signed your
server certificate.
-
Check the value of the CA_CERT_PATH parameter in the
$EGO_CONFDIR/../../integration/elk/conf/elk.conf file:
By default, this parameter's value is
$EGO_TOP/wlp/usr/shared/resources/security/cacert.pem.
-
Restart Elastic Stack services. For more information, see Starting Elastic Stack services.
- Update the Explorer access protocol so that you
can view Explorer reports in the cluster management console after enabling
security for the Elastic Stack:
- Open the $EGO_CONFDIR/../../explorer/config/config.json file for
editing.
- Locate the
"protocol":"http" line, and change it to
"protocol":"https".
For example:
{
"pa.net.port": 5000,
"pa.metadata": {
"datasource": "ds1",
"index": "model"
},
"pa.dashboard.default": "cluster_overview",
"pa.query.size.max": 10000,
"pa.query.timeout" : 300000,
"pa.logging": {
"logLevel": "debug",
"appName": "server",
"logDir": "logs",
"datasource": "ds1"
},
"pa.datasources": {
"ds1": {"name": "ES Instance1", "type": "elasticsearch", "hosts": [{"host" : "user.example.ibm.com", "port": 9200, "protocol":"https"}]}
},
"pa.allow.cross.domain": "false",
"pa.allow.limited.access": "true",
"pa.allow.access.ips": "9.21.52.21",
"elasticsearch.version" : "7.12.1"
}
- Save and close the file.
- Restart the Explorer service for the changes to take effect:
egosh service stop Explorer
egosh service start Explorer