Elasticsearch 6.1 is EOL as of June 13, 2019. If possible, install Elastic stack 6.5 products.
X-Pack is an Elastic extension for securing and monitoring Elasticsearch clusters. If you use Elasticsearch, you should secure it with X-Pack. The security features of X-Pack include authenticating access to the Elasticsearch cluster’s data and encrypting Elasticsearch’s internal and external communications. These are necessary security features for most production systems. A Liferay Enterprise Search subscription gets you access to both monitoring and security. Contact Liferay’s Sales department for more information.
Here’s an overview of using X-Pack to secure the data indexed in Elasticsearch:
-
Get an Enterprise Search subscription.
-
Install X-Pack into Elasticsearch and configure it to require authentication and encryption.
-
Download and install the Liferay Enterprise Search Security.
-
Configure the Liferay Enterprise Search Security app with the proper credentials and encryption information.
-
Restart Elasticsearch. These steps require a full cluster restart.
Following these instructions gives you a basic working installation of Elasticsearch communicating freely with Liferay DXP, but read Elastic’s documentation to learn about additional configuration options, features, and the architecture of X-Pack.
Installing X-Pack
-
To install X-Pack and automatically grant it the required permissions (recommended), run
bin/elasticsearch-plugin install x-pack --batch
on each cluster node. The
--batch
option bypasses installation prompts for granting permissions to X-Pack.You’ll see log output detailing the permissions granted, finishing with
Installed x-pack
:-> Downloading x-pack from elastic [=================================================] 100% @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ @ WARNING: plugin requires additional permissions @ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ * java.io.FilePermission \\.\pipe\* read,write * java.lang.RuntimePermission accessClassInPackage.com.sun.activation.registries * java.lang.RuntimePermission getClassLoader * java.lang.RuntimePermission setContextClassLoader * java.lang.RuntimePermission setFactory * java.net.SocketPermission * connect,accept,resolve * java.security.SecurityPermission createPolicy.JavaPolicy * java.security.SecurityPermission getPolicy * java.security.SecurityPermission putProviderProperty.BC * java.security.SecurityPermission setPolicy * java.util.PropertyPermission * read,write See http://docs.oracle.com/javase/8/docs/technotes/guides/security/permissions.html for descriptions of what these permissions allow and the associated risks. @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ @ WARNING: plugin forks a native controller @ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ This plugin launches a native controller that is not subject to the Java security manager nor to system call filters. Elasticsearch keystore is required by plugin [x-pack], creating... -> Installed x-pack
See more about the permissions X-Pack needs here.
-
Make sure Elasticsearch does not allow the automatic creation of indexes. If you’re unsure, check
elasticsearch.yml
for this property:action.auto_create_index: false
This property is
true
by default, so if you don’t see it inelasticsearch.yml
, there’s nothing to worry about. See Elastic’s documentation for more information on automatic index creation. -
Restart Elasticsearch.
Once X-Pack is installed, configure its built-in user passwords.
Setting Up X-Pack Users
In a system using X-Pack Security and X-Pack Monitoring, two of the built-in
X-Pack users are important: kibana
and elastic
.
Set the passwords for all X-Pack’s
built-in users.
The setup-passwords
command is the simplest method to set the built-in users’
first-use passwords for the first time. To update a password subsequently, use
Kibana’s UI or the
Change Password API.
The interactive
argument lets you set the passwords for all built-in users.
The configuraiton shown in these articles assumes you set all of the
passwords to liferay. Of course, that’s not recommended for production systems.
./bin/x-pack/setup-passwords interactive
See Elastic’s documentation on the setup-passwords command for additional options.
Since you’re securing Elasticsearch, make sure you keep track of the password
set for the elastic
user.
We recommend enabling transport layer security on each node.
Enabling Transport Layer Security
The following instructions for enabling TLS use liferay
as the password
whenever one is needed. Customize these as appropriate for your installation.
Generate Node Certificates
Generate a node certificate for each node. You can, of course, use a Certificate Authority toobtain node certificates.
-
Create a certificate authority, using X-Pack’s
certutil
command:./bin/x-pack/certutil ca --pem --ca-dn CN=localhost
This generates a ZIP file. Unzip the contents somewhere safe.
-
Generate X.509 certificates and private keys using the CA from Step 1. For example:
./bin/x-pack/certutil cert --pem --ca-cert /path/to/ca.crt --ca-key /path/to/ca.key --dns localhost --ip 127.0.0.1 --name localhost
This generates another ZIP file. Extract the contents somewhere in the
Elasticsearch Home/config
folder.
Enable TLS
Enable TLS
on each node via its elasticsearch.yml
.
-
Add the certificate, key and certificate authority paths to each node’s
elasticsearch.yml
:xpack.ssl.certificate: /path/to/[Elasticsearch Home]/config/localhost.crt xpack.ssl.key: /path/to/[Elasticsearch Home]/config/localhost.key xpack.ssl.certificate_authorities: ["/path/to/ca.crt"]
The example paths above assume you added the certificate to
Elasticsearch Home/config/
. -
Enable transport layer TLS with these settings in
elasticsearch.yml
:xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.verification_mode: certificate
-
Enable TLS on the HTTP layer to encrypt client communication:
xpack.security.http.ssl.enabled: true
After X-Pack is installed and TLS is enabled, configure the LES Security app in Liferay DXP.
Install and Configure the Liferay Enterprise Search Security app
If you have a Liferay Enterprise Search subscription,
download
the Liferay Enterprise Search Security app. Install the LPKG
file by copying it into the Liferay Home/deploy
folder. That’s all there is to
it.
To configure security, navigate to Control Panel
→ Configuration → System Settings. Find the Foundation category and
click on the X-Pack Security entry. You can enter the property values here, but
it’s more common to use a
configuration file
deployed to Liferay Home/osgi/configs
. Create a file
called
com.liferay.portal.search.elasticsearch6.xpack.security.internal.configuration.XPackSecurityConfiguration.config
The exact contents of the file depend on your X-Pack setup. To configure the adapter according to the Elasticsearch setup documented here, populate the file with these contents:
sslKeyPath="/path/to/localhost.key"
sslCertificatePath="/path/to/localhost.crt"
certificateFormat="PEM"
requiresAuthentication="true"
username="elastic"
password="GqhoaEUyTM@tp1*wQd~F"
sslCertificateAuthoritiesPaths="/path/to/ca.crt"
transportSSLVerificationMode="certificate"
transportSSLEnabled="true"
The certificate and key files referenced here are the same ones used on the Elasticsearch server. Copy them to the Liferay DXP server and update their paths in the configuration accordingly.
Enable authentication by setting authentication to required
and providing the
credentials for the Elasticsearch user. For SSL, enable transport SSL, set the
certificate verification mode and certificate format, and provide the path to
the certificate, key, and certificate authority. Of course, the exact values
will differ if you configured X-Pack differently.
Here’s the complete list of configuration options for the LES Security app:
sslKeyPath
sslCertificatePath
sslCertificateAuthoritiesPaths
certificateFormat
requiresAuthentication
username
password
transportSSLVerificationMode
transportSSLEnabled
sslKeystorePath
sslKeystorePassword
sslTruststorePath
sslTruststorePassword
When you’re finished configuring X-Pack Security, restart Elasticsearch. These steps require a full cluster restart.