Die BPC Version 4.0 wird nicht mehr gewartet.

Sollten Sie diese BPC Version nutzen, empfehlen wir Ihnen eine Migration auf eine aktuelle Version. Die Dokumentation zur neusten BPC Version finden Sie hier. Sollten Sie Fragen haben, wenden Sie sich bitte an unseren Support.

Elasticsearch per HTTPS

In der Voreinstellung wird HTTP zur Kommunikation mit Elasticsearch verwendet. In den folgenden Schritten wird exemplarisch gezeigt, wie dies auf HTTPS umgestellt werden kann. Dabei kommen selbst signierte Zertifikate zum Einsatz und dies bezieht sich auf die Elasticsearch-Version 7.10.2.

Elasticsearch verwendet standardmäßig den Port 9200 für die HTTP/HTTPS-Kommunikation.
Für die interne Kommunikation zwischen den Nodes in einem Elasticsearch-Cluster wird der Transport Layer genutzt, der den Port 9300 verwendet. Das sind also zwei unterschiedliche Punkte, die beachtet werden müssen.

Info

Zur Erstellung der Zertifikate werden Tools verwendet, die im Elasticsearch-Installationsverzeichnis zu finden sind. Die Zertifikate müssen für bestimmte Hostnamen ausgestellt sein, damit diese zum Einsatz gebracht werden können.

Vorbereitung

Im Beispiel läuft Elasticsearch auf dem Host, der per node1.asator.net erreichbar ist und die IP-Adresse 192.168.1.172 hat. Dazu wurde die /etc/hosts um folgenden Eintrag erweitert:

/etc/hosts
# Host addresses
...
192.168.1.172   node1.asator.net

Verwendete Verzeichnisse dieses Beispiels:

Elasticsearch

/home/of/devel/virtimo/installs/bpc4xx/elasticsearch

Karaf

/home/of/devel/virtimo/installs/bpc4xx/karaf

Temporär

/tmp

Erstellung der Zertifikate

Diese Dokumentation ist mit den Ausgaben des verwendeten Elasticsearch Tools. Da doch einige Nachfragen durch das Tool stattfinden und die im ersten Moment nicht ganz klar sein könnten. Und es in einer anderen Elasticsearch Version als die 7.10.2 anders ablaufen könnte.

  1. Ausgangspunkt: Elasticsearch-Verzeichnis:

    > cd /home/of/devel/virtimo/installs/bpc4xx/elasticsearch
  2. Eine 'Certificate Authority' erzeugen:

    Diese Datei wird dann in den folgenden Schritten verwendet.

    elastic-stack-ca.p12
    > ./bin/elasticsearch-certutil ca
    This tool assists you in the generation of X.509 certificates and certificate
    signing requests for use with SSL/TLS in the Elastic stack.
    
    The 'ca' mode generates a new 'certificate authority'
    This will create a new X.509 certificate and private key that can be used
    to sign certificate when running in 'cert' mode.
    
    Use the 'ca-dn' option if you wish to configure the 'distinguished name'
    of the certificate authority
    
    By default the 'ca' mode produces a single PKCS#12 output file which holds:
        * The CA certificate
        * The CA's private key
    
    If you elect to generate PEM format certificates (the -pem option), then the output will
    be a zip file containing individual files for the CA certificate and private key
    
    Please enter the desired output file [elastic-stack-ca.p12]: <einfach return drücken>
    Enter password for elastic-stack-ca.p12 : <einfach return drücken, wir setzen kein Passwort>
  3. Zertifikat für den Transport Layer erstellen:

    elastic-certificates.p12
    ./bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12
    This tool assists you in the generation of X.509 certificates and certificate
    signing requests for use with SSL/TLS in the Elastic stack.
    
    The 'cert' mode generates X.509 certificate and private keys.
        * By default, this generates a single certificate and key for use
           on a single instance.
        * The '-multiple' option will prompt you to enter details for multiple
           instances and will generate a certificate and key for each one
        * The '-in' option allows for the certificate generation to be automated by describing
           the details of each instance in a YAML file
    
        * An instance is any piece of the Elastic Stack that requires an SSL certificate.
          Depending on your configuration, Elasticsearch, Logstash, Kibana, and Beats
          may all require a certificate and private key.
        * The minimum required value for each instance is a name. This can simply be the
          hostname, which will be used as the Common Name of the certificate. A full
          distinguished name may also be used.
        * A filename value may be required for each instance. This is necessary when the
          name would result in an invalid file or directory name. The name provided here
          is used as the directory name (within the zip) and the prefix for the key and
          certificate files. The filename is required if you are prompted and the name
          is not displayed in the prompt.
        * IP addresses and DNS names are optional. Multiple values can be specified as a
          comma separated string. If no IP addresses or DNS names are provided, you may
          disable hostname verification in your SSL configuration.
    
        * All certificates generated by this tool will be signed by a certificate authority (CA).
        * The tool can automatically generate a new CA for you, or you can provide your own with the
             -ca or -ca-cert command line options.
    
    By default the 'cert' mode produces a single PKCS#12 output file which holds:
        * The instance certificate
        * The private key for the instance certificate
        * The CA certificate
    
    If you specify any of the following options:
        * -pem (PEM formatted output)
        * -keep-ca-key (retain generated CA key)
        * -multiple (generate multiple certificates)
        * -in (generate certificates from an input file)
    then the output will be be a zip file containing individual certificate/key files
    
    Enter password for CA (elastic-stack-ca.p12) : <einfach return, da wir keins gesetzt haben>
    Please enter the desired output file [elastic-certificates.p12]: <einfach return drücken>
    Enter password for elastic-certificates.p12 : <einfach return drücken, wir setzen kein Passwort>
    
    Certificates written to /home/of/devel/virtimo/installs/bpc4xx/elasticsearch-7.10.2/elastic-certificates.p12
    
    This file should be properly secured as it contains the private key for
    your instance.
    
    This file is a self contained file and can be copied and used 'as is'
    For each Elastic product that you wish to configure, you should copy
    this '.p12' file to the relevant configuration directory
    and then follow the SSL configuration instructions in the product guide.
    
    For client applications, you may only need to copy the CA certificate and
    configure the client to trust this certificate.

    Der gerade erstellte Private Key muss im <elasticsearch>/config Ordner liegen.

    mv elastic-certificates.p12 config
  4. Zertifikate für HTTPS erstellen:

    ./bin/elasticsearch-certutil http
    elasticsearch-ssl-http.zip
    ## Elasticsearch HTTP Certificate Utility
    
    The 'http' command guides you through the process of generating certificates
    for use on the HTTP (Rest) interface for Elasticsearch.
    
    This tool will ask you a number of questions in order to generate the right
    set of files for your needs.
    
    ## Do you wish to generate a Certificate Signing Request (CSR)?
    
    A CSR is used when you want your certificate to be created by an existing
    Certificate Authority (CA) that you do not control (that is, you don't have
    access to the keys for that CA).
    
    If you are in a corporate environment with a central security team, then you
    may have an existing Corporate CA that can generate your certificate for you.
    Infrastructure within your organisation may already be configured to trust this
    CA, so it may be easier for clients to connect to Elasticsearch if you use a
    CSR and send that request to the team that controls your CA.
    
    If you choose not to generate a CSR, this tool will generate a new certificate
    for you. That certificate will be signed by a CA under your control. This is a
    quick and easy way to secure your cluster with TLS, but you will need to
    configure all your clients to trust that custom CA.
    
    Generate a CSR? [y/N]n
    
    ## Do you have an existing Certificate Authority (CA) key-pair that you wish to use to sign your certificate?
    
    If you have an existing CA certificate and key, then you can use that CA to
    sign your new http certificate. This allows you to use the same CA across
    multiple Elasticsearch clusters which can make it easier to configure clients,
    and may be easier for you to manage.
    
    If you do not have an existing CA, one will be generated for you.
    
    Use an existing CA? [y/N]y
    
    ## What is the path to your CA?
    
    Please enter the full pathname to the Certificate Authority that you wish to
    use for signing your new http certificate. This can be in PKCS#12 (.p12), JKS
    (.jks) or PEM (.crt, .key, .pem) format.
    CA Path: /home/of/devel/virtimo/installs/bpc4xx/elasticsearch/elastic-stack-ca.p12
    Reading a PKCS12 keystore requires a password.
    It is possible for the keystore's password to be blank,
    in which case you can simply press <ENTER> at the prompt
    Password for elastic-stack-ca.p12:
    
    ## How long should your certificates be valid?
    
    Every certificate has an expiry date. When the expiry date is reached clients
    will stop trusting your certificate and TLS connections will fail.
    
    Best practice suggests that you should either:
    (a) set this to a short duration (90 - 120 days) and have automatic processes
    to generate a new certificate before the old one expires, or
    (b) set it to a longer duration (3 - 5 years) and then perform a manual update
    a few months before it expires.
    
    You may enter the validity period in years (e.g. 3Y), months (e.g. 18M), or days (e.g. 90D)
    
    For how long should your certificate be valid? [5y] 20y
    
    ## Do you wish to generate one certificate per node?
    
    If you have multiple nodes in your cluster, then you may choose to generate a
    separate certificate for each of these nodes. Each certificate will have its
    own private key, and will be issued for a specific hostname or IP address.
    
    Alternatively, you may wish to generate a single certificate that is valid
    across all the hostnames or addresses in your cluster.
    
    If all of your nodes will be accessed through a single domain
    (e.g. node01.es.example.com, node02.es.example.com, etc) then you may find it
    simpler to generate one certificate with a wildcard hostname (*.es.example.com)
    and use that across all of your nodes.
    
    However, if you do not have a common domain name, and you expect to add
    additional nodes to your cluster in the future, then you should generate a
    certificate per node so that you can more easily generate new certificates when
    you provision new nodes.
    
    Generate a certificate per node? [y/N]n
    
    ## Which hostnames will be used to connect to your nodes?
    
    These hostnames will be added as "DNS" names in the "Subject Alternative Name"
    (SAN) field in your certificate.
    
    You should list every hostname and variant that people will use to connect to
    your cluster over http.
    Do not list IP addresses here, you will be asked to enter them later.
    
    If you wish to use a wildcard certificate (for example *.es.example.com) you
    can enter that here.
    
    Enter all the hostnames that you need, one per line.
    When you are done, press <ENTER> once more to move on to the next step.
    
    node1.asator.net
    
    You entered the following hostnames.
    
     - node1.asator.net
    
    Is this correct [Y/n]Y
    
    ## Which IP addresses will be used to connect to your nodes?
    
    If your clients will ever connect to your nodes by numeric IP address, then you
    can list these as valid IP "Subject Alternative Name" (SAN) fields in your
    certificate.
    
    If you do not have fixed IP addresses, or not wish to support direct IP access
    to your cluster then you can just press <ENTER> to skip this step.
    
    Enter all the IP addresses that you need, one per line.
    When you are done, press <ENTER> once more to move on to the next step.
    
    
    You did not enter any IP addresses.
    
    Is this correct [Y/n]Y
    
    ## Other certificate options
    
    The generated certificate will have the following additional configuration
    values. These values have been selected based on a combination of the
    information you have provided above and secure defaults. You should not need to
    change these values unless you have specific requirements.
    
    Key Name: node1.asator.net
    Subject DN: CN=node1, DC=asator, DC=net
    Key Size: 2048
    
    Do you wish to change any of these options? [y/N]N
    
    ## What password do you want for your private key(s)?
    
    Your private key(s) will be stored in a PKCS#12 keystore file named "http.p12".
    This type of keystore is always password protected, but it is possible to use a
    blank password.
    
    If you wish to use a blank password, simply press <enter> at the prompt below.
    Provide a password for the "http.p12" file:  [<ENTER> for none]
    
    ## Where should we save the generated files?
    
    A number of files will be generated including your private key(s),
    public certificate(s), and sample configuration options for Elastic Stack products.
    
    These files will be included in a single zip archive.
    
    What filename should be used for the output zip file? [/home/of/devel/virtimo/installs/bpc4xx/elasticsearch-7.10.2/elasticsearch-ssl-http.zip]
    
    Zip file written to /home/of/devel/virtimo/installs/bpc4xx/elasticsearch-7.10.2/elasticsearch-ssl-http.zip
  5. Die elasticsearch-ssl-http.zip nach /tmp entpacken und danach löschen:

    unzip elasticsearch-ssl-http.zip -d /tmp
    rm elasticsearch-ssl-http.zip
  6. Auch das HTTP Zertifikat muss im <elasticsearch>/config Ordner liegen:

    mv /tmp/elasticsearch/http.p12 config

Für weitere Informationen (die Doku für die 7.10.2 ist leider nicht mehr vorhanden):

Elasticsearch-Konfiguration anpassen

  1. Stellen Sie sicher, dass durch die obige Zertifikatserstellung im <elasticsearch>/config-Verzeichnis diese beiden Dateien vorhanden sind:

    • elastic-certificates.p12

    • http.p12

  2. Erweitern Sie die Elasticsearch-Konfigurationsdatei <elasticsearch>/config/elasticsearch.yml (am Ende der Datei einfügen).

    Für den Transport Layer:

    xpack.security.transport.ssl.enabled: true
    xpack.security.transport.ssl.verification_mode: certificate
    xpack.security.transport.ssl.client_authentication: required
    xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
    xpack.security.transport.ssl.truststore.path: elastic-certificates.p12

    Für die HTTP-Kommunikation:

    xpack.security.http.ssl.enabled: true
    xpack.security.http.ssl.verification_mode: certificate
    xpack.security.http.ssl.keystore.path: http.p12

    Für unser Elasticsearch-Plugin es-bpc-plugin:

    es-bpc-plugin.trust_certificates: true

    Evtl. für den Testbetrieb:

    discovery.type: single-node
    network.host: 0.0.0.0

BPC/Karaf anpassen

  1. Den Elasticsearch Public Key in den Virtimo Truststore importieren

    1. Sie befinden sich im entsprechenden Karaf-Verzeichnis:

      cd /home/of/devel/virtimo/installs/bpc4xx/karaf/etc/virtimo/ssl
    2. Den Elasticsearch Public Key importieren und vertrauen

      keytool -import \
        -file /tmp/kibana/elasticsearch-ca.pem \
        -alias elasticsearch \
        -keystore virtimo_truststore.jks \
        -storepass virtimo \
        -storetype jks
  2. Zugriff auf Elasticsearch auf HTTPS umstellen

    1. Dazu folgende Einstellungen in der Konfigurationsdatei <karaf>/etc/de.virtimo.bpc.core.cfg anpassen:

      Einstellung Alt Neu

      de.virtimo.bpc.core.es.scheme

      http

      https

      de.virtimo.bpc.core.es.host

      localhost

      node1.asator.net


Keywords: