X-Pack is an Elastic extension for securing and monitoring Elasticsearch clusters. If you use Elasticsearch, you should secure it with X-Pack. The security features of X-Pack include authenticating access to the Elasticsearch cluster’s data and encrypting Elasticsearch’s internal and external communications. These are necessary security features for most production systems. A Liferay Enterprise Search subscription gets you access to both monitoring and security. Contact Liferay’s Sales department for more information.
Here’s an overview of using X-Pack to secure the data indexed in Elasticsearch:
Get an Enterprise Search subscription.
Configure X-Pack to require authentication and encryption.
Download and install the Liferay Enterprise Search Security.
Configure the LES Secuirty app with the proper credentials and encryption information.
Restart Elasticsearch. These steps require a full cluster restart.
Following these instructions gives you a basic working installation of Elasticsearch communicating freely with Liferay DXP, but read Elastic’s documentation to learn about additional configuration options, features, and the architecture of X-Pack.
Setting Up X-Pack Users
In a system using X-Pack Security and X-Pack Monitoring, two of the built-in
X-Pack users are important:
Set the passwords for all X-Pack’s
setup-passwords command is the simplest method to set the built-in users’
first-use passwords for the first time. To update a password subsequently, use
Kibana’s UI or the
Change Password API.
interactive argument lets you set the passwords for all built-in users.
The configuraiton shown in these articles assumes you set all of the
passwords to liferay. Of course, that’s not recommended for production systems.
See Elastic’s documentation on the setup-passwords command for additional options.
Since you’re securing Elasticsearch, make sure you keep track of the password
set for the
We recommend enabling transport layer security on each node.
Enabling Transport Layer Security
The following instructions for enabling TLS use
liferay as the password
whenever one is needed. Customize these as appropriate for your installation.
Generate Node Certificates
Generate a node certificate for each node. You can, of course, use a Certificate Authority toobtain node certificates.
Create a certificate authority, using X-Pack’s
./bin/elasticsearch-certutil ca --pem --ca-dn CN=localhost
This generates a ZIP file. Unzip the contents somewhere safe.
Generate X.509 certificates and private keys using the CA from Step 1. For example:
./bin/elasticsearch-certutil cert --pem --ca-cert /path/to/ca.crt --ca-key /path/to/ca.key --dns localhost --ip 127.0.0.1 --name localhost
This generates another ZIP file. Extract the contents somewhere in the
on each node via its
Add the certificate, key and certificate authority paths to each node’s
xpack.ssl.certificate: /path/to/[Elasticsearch Home]/config/localhost.crt xpack.ssl.key: /path/to/[Elasticsearch Home]/config/localhost.key xpack.ssl.certificate_authorities: ["/path/to/ca.crt"]
The example paths above assume you added the certificate to
Enable transport layer TLS with these settings in
xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.verification_mode: certificate
Enable TLS on the HTTP layer to encrypt client communication:
After X-Pack is installed and TLS is enabled, configure the LES Security app in Liferay DXP.
Install and Configure the Liferay Enterprise Search Security app
If you have a Liferay Enterprise Search subscription,
the Liferay Enterprise Search Security app. Install the LPKG
file by copying it into the
Liferay Home/deploy folder. That’s all there is to
To configure the secuirty app, navigate to Control Panel
→ Configuration → System Settings. Find the Foundation category and
click on the X-Pack Security entry. You can enter the property values here, but
it’s more common to use a
Liferay Home/osgi/configs. Create a file
The exact contents of the file depend on your X-Pack setup. To configure the adapter according to the Elasticsearch setup documented here, populate the file with these contents:
sslKeyPath="/path/to/localhost.key" sslCertificatePath="/path/to/config/localhost.crt" certificateFormat="PEM" requiresAuthentication="true" username="elastic" password="liferay" sslCertificateAuthoritiesPaths="/path/to/ca.crt" transportSSLVerificationMode="certificate" transportSSLEnabled="true"
The certificate and key files referenced here are the same ones used on the Elasticsearch server. Copy them to the Liferay DXP server and update their paths in the configuration accordingly.
Enable authentication by setting authentication to
required and providing the
credentials for the Elasticsearch user. For SSL, enable transport SSL, set the
certificate verification mode and certificate format, and provide the path to
the certificate, key, and certificate authority. Of course, the exact values
will differ if you configured X-Pack differently.
Here’s the complete list of configuration options:
When you’re finished configuring X-Pack Security, restart Elasticsearch. These steps require a full cluster restart.