Once X-Pack is installed, start securing Elasticsearch by configuring the built-in user passwords.
In a system using X-Pack Security and X-Pack Monitoring, these built-in X-Pack users are important:
Set the passwords for all X-Pack’s
setup-passwords command is the simplest method to set the built-in users
first-use passwords for the first time. To update a password subsequently, use
Kibana’s UI or the
Change Password API.
interactive argument sets the passwords for all built-in users. The
configuration shown in these articles assumes you set all passwords to
liferay. Of course, that’s not recommended for production systems.
Elastic’s setup-passwords command documentation describes additional options.
Since you’re securing Elasticsearch, remember the
elastic user’s password.
Enable transport layer security on each node.
The following instructions for enabling TLS use
liferay as the password
whenever one is needed. Use your own passwords for your installation.
Generate a node certificate for each node. You can, of course, use a Certificate Authority to obtain node certificates.
Create a certificate authority, using X-Pack’s
./bin/x-pack/certutil ca --pem --ca-dn CN=localhost
This generates a ZIP file. Unzip the contents somewhere safe.
Generate X.509 certificates and private keys using the CA from Step 1. For example:
./bin/x-pack/certutil cert --pem --ca-cert /path/to/ca.crt --ca-key /path/to/ca.key --dns localhost --ip 127.0.0.1 --name localhost
This generates another ZIP file. Extract the contents somewhere in the
on each node via its
Add the certificate, key and certificate authority paths to each node’s
xpack.ssl.certificate: /path/to/[Elasticsearch Home]/config/localhost.crt xpack.ssl.key: /path/to/[Elasticsearch Home]/config/localhost.key xpack.ssl.certificate_authorities: ["/path/to/ca.crt"]
The example paths above assume you added the certificate to
Enable transport layer TLS with these settings in
xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.verification_mode: certificate
Enable TLS on the HTTP layer to encrypt client communication:
After X-Pack is installed and TLS is enabled, configure the security adapter in Liferay DXP.
If you have a Liferay Enterprise Search subscription,
the Liferay Enterprise Search Security app. Install the LPKG
file by copying it into the
Liferay Home/deploy folder. That’s all there is to
To configure the security adapter, navigate to Control Panel →
Configuration → System Settings. Find the Search category and click
on the X-Pack Security entry. You can enter the property values here, but
it’s more common to use a
Liferay Home/osgi/configs. For the security adapter, create a file
The exact contents of the file depend on your X-Pack setup. To configure the adapter according to the Elasticsearch setup documented here, populate the file like this:
sslKeyPath="/path/to/localhost.key" sslCertificatePath="/path/to/localhost.crt" certificateFormat="PEM" requiresAuthentication="true" username="elastic" password="liferay" sslCertificateAuthoritiesPaths="/path/to/ca.crt" transportSSLVerificationMode="certificate" transportSSLEnabled="true"
Note that the
password should match what you set during the X-Pack password
The certificate and key files referenced here are the same ones used on the Elasticsearch server. Copy them to the Liferay DXP server and update their paths in the configuration accordingly.
Enable authentication by setting authentication to
required and providing the
credentials for the Elasticsearch user. For SSL, enable transport SSL, set the
certificate verification mode and certificate format, and provide the path to
the certificate, key, and certificate authority. Of course, the exact values
depend on your X-Pack configuration.
Here’s the complete list of configuration options for the security app:
When you’re finished configuring security, restart Elasticsearch. These steps require a full cluster restart.