X-Pack is an Elastic extension for securing and monitoring Elasticsearch clusters. If you use Elasticsearch, you should secure it with X-Pack. The security features of X-Pack include authenticating access to the Elasticsearch cluster’s data and encrypting Elasticsearch’s internal and external communications. These are necessary security features for most production systems. A Liferay Enterprise Search subscription gets you access to both monitoring and security. Contact Liferay’s Sales department for more information.
Here’s an overview of using X-Pack to secure the data indexed in Elasticsearch:
-
Get an Enterprise Search subscription.
-
Configure X-Pack to require authentication and encryption.
-
Download and install the Liferay Enterprise Search Security.
-
Configure the LES Secuirty app with the proper credentials and encryption information.
-
Restart Elasticsearch. These steps require a full cluster restart.
Following these instructions gives you a basic working installation of Elasticsearch communicating freely with Liferay DXP, but read Elastic’s documentation to learn about additional configuration options, features, and the architecture of X-Pack.
Setting Up X-Pack Users
In a system using X-Pack Security and X-Pack Monitoring, two of the built-in
X-Pack users are important: kibana
and elastic
.
Set the passwords for all X-Pack’s
built-in users.
The setup-passwords
command is the simplest method to set the built-in users’
first-use passwords for the first time. To update a password subsequently, use
Kibana’s UI or the
Change Password API.
The interactive
argument lets you set the passwords for all built-in users.
The configuraiton shown in these articles assumes you set all of the
passwords to liferay. Of course, that’s not recommended for production systems.
./bin/elasticsearch-setup-passwords interactive
See Elastic’s documentation on the setup-passwords command for additional options.
Since you’re securing Elasticsearch, make sure you keep track of the password
set for the elastic
user.
We recommend enabling transport layer security on each node.
Enabling Transport Layer Security
The following instructions for enabling TLS use liferay
as the password
whenever one is needed. Customize these as appropriate for your installation.
Generate Node Certificates
Generate a node certificate for each node. You can, of course, use a Certificate Authority toobtain node certificates.
-
Create a certificate authority, using X-Pack’s
certutil
command:./bin/elasticsearch-certutil ca --pem --ca-dn CN=localhost
This generates a ZIP file. Unzip the contents somewhere safe.
-
Generate X.509 certificates and private keys using the CA from Step 1. For example:
./bin/elasticsearch-certutil cert --pem --ca-cert /path/to/ca.crt --ca-key /path/to/ca.key --dns localhost --ip 127.0.0.1 --name localhost
This generates another ZIP file. Extract the contents somewhere in the
Elasticsearch Home/config
folder.
Enable TLS
Enable TLS
on each node via its elasticsearch.yml
.
-
Add the certificate, key and certificate authority paths to each node’s
elasticsearch.yml
:xpack.ssl.certificate: /path/to/[Elasticsearch Home]/config/localhost.crt xpack.ssl.key: /path/to/[Elasticsearch Home]/config/localhost.key xpack.ssl.certificate_authorities: ["/path/to/ca.crt"]
The example paths above assume you added the certificate to
Elasticsearch Home/config/
. -
Enable transport layer TLS with these settings in
elasticsearch.yml
:xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.verification_mode: certificate
-
Enable TLS on the HTTP layer to encrypt client communication:
xpack.security.http.ssl.enabled: true
After X-Pack is installed and TLS is enabled, configure the LES Security app in Liferay DXP.
Install and Configure the Liferay Enterprise Search Security app
If you have a Liferay Enterprise Search subscription,
download
the Liferay Enterprise Search Security app. Install the LPKG
file by copying it into the Liferay Home/deploy
folder. That’s all there is to
it.
To configure the secuirty app, navigate to Control Panel
→ Configuration → System Settings. Find the Foundation category and
click on the X-Pack Security entry. You can enter the property values here, but
it’s more common to use a
configuration file
deployed to Liferay Home/osgi/configs
. Create a file
called
com.liferay.portal.search.elasticsearch6.xpack.security.internal.configuration.XPackSecurityConfiguration.config
The exact contents of the file depend on your X-Pack setup. To configure the adapter according to the Elasticsearch setup documented here, populate the file with these contents:
sslKeyPath="/path/to/localhost.key"
sslCertificatePath="/path/to/config/localhost.crt"
certificateFormat="PEM"
requiresAuthentication="true"
username="elastic"
password="liferay"
sslCertificateAuthoritiesPaths="/path/to/ca.crt"
transportSSLVerificationMode="certificate"
transportSSLEnabled="true"
The certificate and key files referenced here are the same ones used on the Elasticsearch server. Copy them to the Liferay DXP server and update their paths in the configuration accordingly.
Enable authentication by setting authentication to required
and providing the
credentials for the Elasticsearch user. For SSL, enable transport SSL, set the
certificate verification mode and certificate format, and provide the path to
the certificate, key, and certificate authority. Of course, the exact values
will differ if you configured X-Pack differently.
Here’s the complete list of configuration options:
sslKeyPath
sslCertificatePath
sslCertificateAuthoritiesPaths
certificateFormat
requiresAuthentication
username
password
transportSSLVerificationMode
transportSSLEnabled
sslKeystorePath
sslKeystorePassword
sslTruststorePath
sslTruststorePassword
When you’re finished configuring X-Pack Security, restart Elasticsearch. These steps require a full cluster restart.