Once X-Pack is installed, start securing Elasticsearch by configuring the built-in user passwords.
Setting Up X-Pack Users
In a system using X-Pack Security and X-Pack Monitoring, these built-in X-Pack users are important:
kibana
elastic
Set the passwords for all X-Pack’s built-in users.
The setup-passwords command is the simplest method to set the built-in users’ passwords for the first time. To update a password subsequently, use Kibana’s UI or the Change Password API.
The interactive argument sets the passwords for all built-in users. The configuration shown in these articles assumes you set all passwords to liferay. Of course, that’s not recommended for production systems.
./bin/x-pack/setup-passwords interactive
Elastic’s setup-passwords command documentation describes additional options.
Since you’re securing Elasticsearch, remember the elastic user’s password.
Enable transport layer security on each node.
Enabling Transport Layer Security
The following instructions for enabling TLS use liferay as the password whenever one is needed. Use your own passwords for your installation.
Generate Node Certificates
Generate a node certificate for each node. You can, of course, use a Certificate Authority to obtain node certificates.
1. Create a certificate authority, using X-Pack’s certutil command:

    ./bin/x-pack/certutil ca --pem --ca-dn CN=localhost

   This generates a ZIP file. Unzip the contents somewhere safe.

2. Generate X.509 certificates and private keys using the CA from Step 1. For example:

    ./bin/x-pack/certutil cert --pem --ca-cert /path/to/ca.crt --ca-key /path/to/ca.key --dns localhost --ip 127.0.0.1 --name localhost

   This generates another ZIP file. Extract the contents somewhere in the Elasticsearch Home/config folder.
Enable TLS
Enable TLS on each node via its elasticsearch.yml.
1. Add the certificate, key and certificate authority paths to each node’s elasticsearch.yml:

    xpack.ssl.certificate: /path/to/[Elasticsearch Home]/config/localhost.crt
    xpack.ssl.key: /path/to/[Elasticsearch Home]/config/localhost.key
    xpack.ssl.certificate_authorities: ["/path/to/ca.crt"]

   The example paths above assume you added the certificate to Elasticsearch Home/config/.

2. Enable transport layer TLS with these settings in elasticsearch.yml:

    xpack.security.transport.ssl.enabled: true
    xpack.security.transport.ssl.verification_mode: certificate

3. Enable TLS on the HTTP layer to encrypt client communication:

    xpack.security.http.ssl.enabled: true
After X-Pack is installed and TLS is enabled, configure the security adapter in Liferay DXP.
Install and Configure the Liferay Enterprise Search Security app
If you have a Liferay Enterprise Search subscription, download the Liferay Enterprise Search Security app. Install the LPKG file by copying it into the Liferay Home/deploy folder. That’s all there is to it.
To configure the security adapter, navigate to Control Panel → Configuration → System Settings. Find the Search category and click on the X-Pack Security entry. You can enter the property values here, but it’s more common to use a configuration file deployed to Liferay Home/osgi/configs. For the security adapter, create a file called

    com.liferay.portal.search.elasticsearch6.xpack.security.internal.configuration.XPackSecurityConfiguration.config
The exact contents of the file depend on your X-Pack setup. To configure the adapter according to the Elasticsearch setup documented here, populate the file like this:
sslKeyPath="/path/to/localhost.key"
sslCertificatePath="/path/to/localhost.crt"
certificateFormat="PEM"
requiresAuthentication="true"
username="elastic"
password="liferay"
sslCertificateAuthoritiesPaths="/path/to/ca.crt"
transportSSLVerificationMode="certificate"
transportSSLEnabled="true"
Note that the password should match what you set during the X-Pack password setup above.
The certificate and key files referenced here are the same ones used on the Elasticsearch server. Copy them to the Liferay DXP server and update their paths in the configuration accordingly.
Enable authentication by setting authentication to required and providing the credentials for the Elasticsearch user. For SSL, enable transport SSL, set the certificate verification mode and certificate format, and provide the path to the certificate, key, and certificate authority. Of course, the exact values depend on your X-Pack configuration.
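One way to check that the adapter file agrees with the node settings before the restart. This is an added example, not part of Liferay's or Elastic's own code; the names audit and parse_flat are hypothetical, and the parser assumes flat dotted keys in elasticsearch.yml and plain quoted values in the .config file:

```python
# Constructed sample inputs, taken from the settings shown in this article.
SAMPLE_ES_YML = """\
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.http.ssl.enabled: true
"""
SAMPLE_ADAPTER_CONFIG = """\
sslKeyPath="/path/to/localhost.key"
sslCertificatePath="/path/to/localhost.crt"
requiresAuthentication="true"
password="liferay"
sslCertificateAuthoritiesPaths="/path/to/ca.crt"
transportSSLVerificationMode="certificate"
transportSSLEnabled="true"
"""
PAIRS = (  # (adapter key, elasticsearch.yml key) that must carry the same value
    ("transportSSLEnabled", "xpack.security.transport.ssl.enabled"),
    ("transportSSLVerificationMode", "xpack.security.transport.ssl.verification_mode"),
)

def parse_flat(text, sep):
    """Parse flat `key<sep>value` lines (assumption: no nested YAML); skips # comments."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and sep in line:
            key, value = line.split(sep, 1)
            out[key.strip()] = value.strip().strip('"')
    return out

def audit(es_yml, adapter_config, placeholder="liferay"):
    """Return a list of findings; an empty list means nothing was flagged."""
    es, lr = parse_flat(es_yml, ":"), parse_flat(adapter_config, "=")
    findings = []
    for key in ("xpack.security.transport.ssl.enabled", "xpack.security.http.ssl.enabled"):
        if es.get(key) != "true":
            findings.append(f"{key} is not true in elasticsearch.yml")
    if lr.get("requiresAuthentication") != "true":
        findings.append("requiresAuthentication is not true")
    if lr.get("password", "") in ("", placeholder):
        findings.append("password is empty or still the documentation placeholder")
    for lr_key, es_key in PAIRS:
        if lr.get(lr_key) != es.get(es_key):
            findings.append(f"{lr_key} does not match {es_key}")
    for key in ("sslKeyPath", "sslCertificatePath", "sslCertificateAuthoritiesPaths"):
        if not lr.get(key):
            findings.append(f"{key} is missing")
    return findings
```

Pass audit() the text of a node's elasticsearch.yml and of the adapter's .config file; run against the values shown in this article, it reports only the placeholder password.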
Here’s the complete list of configuration options for the security app:
sslKeyPath
sslCertificatePath
sslCertificateAuthoritiesPaths
certificateFormat
requiresAuthentication
username
password
transportSSLVerificationMode
transportSSLEnabled
sslKeystorePath
sslKeystorePassword
sslTruststorePath
sslTruststorePassword
When you’re finished configuring security, restart Elasticsearch. These steps require a full cluster restart.