 
Configuration Properties to Secure Elasticsearch
This section lists the configuration properties used to secure Elasticsearch (the API Gateway internal data store) with Search Guard. For additional details about the properties, see https://docs.search-guard.com/.
Server: SAG_root/InternalDataStore/config/elasticsearch.yml
Item
Description
TRANSPORT (2-way authentication is enabled by default)
searchguard.ssl.transport.keystore_type
Type of keystore
Possible values: JKS, PKCS12
Default value: JKS
searchguard.ssl.transport.keystore_filepath
Location where the keystore is stored.
searchguard.ssl.transport.keystore_alias
Alias of the entry to use when the keystore contains more than one entry.
searchguard.ssl.transport.keystore_password
Password to access keystore.
searchguard.ssl.transport.truststore_type
Type of truststore
Possible values: JKS, PKCS12
Default value: JKS
searchguard.ssl.transport.truststore_filepath
Location where the truststore is stored.
searchguard.ssl.transport.truststore_alias
Alias of the entry to use when the truststore contains more than one entry.
searchguard.ssl.transport.truststore_password
Password to access truststore.
searchguard.ssl.transport.enforce_hostname_verification
Specifies whether the host name in the peer node's certificate is verified against the host name of the node it connects from.
Possible values: true, false
*false. The host name in the certificate is not validated. This is the default and is the only setting that works with general-purpose self-signed certificates that do not name the node.
*true. The host name in the certificate is validated. Use this with CA-issued node certificates so that a certificate copied from one node cannot be used to join the cluster from another host.
Default value: false
searchguard.ssl.transport.resolve_hostname
Applies only if searchguard.ssl.transport.enforce_hostname_verification is true. If true, the peer's host name is resolved against DNS before it is compared with the certificate. Set this to false for general-purpose self-signed certificates.
Possible values: true, false
Default value: true
searchguard.ssl.transport.enable_openssl_if_available
Use the native OpenSSL implementation instead of the JDK SSL implementation when OpenSSL is available on the node.
Possible values: true, false
Default value: true
HTTP
searchguard.ssl.http.enabled
Set this to true to enable TLS on the REST interface (HTTP). Setting it to false sends API Gateway and dashboard traffic, including basic authentication credentials, in clear text.
Possible values: true, false
Default value: true
searchguard.ssl.http.keystore_type
Type of keystore
Possible values: JKS, PKCS12
Default value: JKS
searchguard.ssl.http.keystore_filepath
Location where the keystore is stored.
searchguard.ssl.http.keystore_alias
Alias of the entry to use when the keystore contains more than one entry.
searchguard.ssl.http.keystore_password
Password to access keystore.
searchguard.ssl.http.truststore_type
Type of truststore
Possible values: JKS, PKCS12
Default value: JKS
searchguard.ssl.http.truststore_filepath
Location where the truststore is stored.
searchguard.ssl.http.truststore_alias
Alias of the entry to use when the truststore contains more than one entry.
searchguard.ssl.http.truststore_password
Password to access truststore.
searchguard.ssl.http.clientauth_mode
Controls 2-way (mutual) TLS on the REST interface, that is, whether Elasticsearch requires a client certificate from HTTP clients.
REQUIRE: Elasticsearch requires a client certificate and rejects the connection if none is presented or it is not trusted. Every HTTP client, including API Gateway and the dashboard, must then present a certificate.
OPTIONAL: Elasticsearch requests a client certificate and validates it if one is presented, but also accepts connections without one (for example, clients that use only basic authentication).
NONE: Elasticsearch ignores the client certificate even if one is presented.
Possible values: REQUIRE, OPTIONAL, NONE
Default value: OPTIONAL
Search Guard Admin
searchguard.authcz.admin_dn
Search Guard keeps all of its security configuration in an index named searchguard. Only the users whose certificate DN is listed here (the client certificate passed to the sgadmin command) can read or modify it. The DNs must match the subject of the admin certificate exactly, and a node certificate must not be listed here, because a node certificate is already trusted for all actions on the transport layer.
Miscellaneous
searchguard.cert.oid
All certificates used by the nodes on the transport layer must carry this OID (in the certificate's subject alternative name). Search Guard checks the OID to decide whether an incoming transport request comes from a trusted node of the cluster: if it does, all actions are allowed; if it does not, the normal privilege checks apply. The OID is also checked whenever a node wants to join the cluster. If you change this value, every node certificate must be reissued with the new OID, and certificates issued to clients or administrators must not contain it.
Default value: '1.2.3.4.5.5'
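The following elasticsearch.yml fragment is an added example that shows how the server-side properties above fit together; it is not the file shipped with the product. The paths, aliases, passwords and the admin DN are placeholders, and the comments mark the defaults that the hardened values replace.

```yaml
# Added example, not the product's shipped elasticsearch.yml.
# All paths, passwords, aliases and DNs are placeholders (assumptions).

# --- TRANSPORT (node-to-node): 2-way TLS ---
searchguard.ssl.transport.keystore_type: PKCS12          # default: JKS
searchguard.ssl.transport.keystore_filepath: certs/node-keystore.p12
searchguard.ssl.transport.keystore_alias: node1          # only needed when the keystore holds several entries
searchguard.ssl.transport.keystore_password: change-me-node-keystore
searchguard.ssl.transport.truststore_type: PKCS12        # default: JKS
searchguard.ssl.transport.truststore_filepath: certs/truststore.p12
searchguard.ssl.transport.truststore_password: change-me-truststore
# Default is false (no host name check). With CA-issued node certificates
# that name the host, turn it on so a certificate copied from node A cannot
# be used to join the cluster from node B. resolve_hostname only matters
# when enforce_hostname_verification is true.
searchguard.ssl.transport.enforce_hostname_verification: true
searchguard.ssl.transport.resolve_hostname: true
searchguard.ssl.transport.enable_openssl_if_available: true

# --- HTTP (REST interface used by API Gateway and the dashboard) ---
searchguard.ssl.http.enabled: true                       # false would send credentials in clear text
searchguard.ssl.http.keystore_type: PKCS12
searchguard.ssl.http.keystore_filepath: certs/node-keystore.p12
searchguard.ssl.http.keystore_password: change-me-node-keystore
searchguard.ssl.http.truststore_type: PKCS12
searchguard.ssl.http.truststore_filepath: certs/truststore.p12
searchguard.ssl.http.truststore_password: change-me-truststore
# Default is OPTIONAL. REQUIRE rejects any REST client without a certificate
# signed by a CA in the truststore, so API Gateway and the dashboard must
# both be given client certificates before you switch to it.
searchguard.ssl.http.clientauth_mode: REQUIRE

# --- Search Guard admin: the only identities that may change the
# searchguard index through sgadmin. Must equal the subject DN of the
# admin client certificate; never list a node certificate here. ---
searchguard.authcz.admin_dn:
  - "CN=sgadmin,OU=API Gateway,O=Example Corp,C=US"

# --- Node OID: every transport certificate must carry this value in its
# subject alternative name to be treated as a cluster node. Changing it
# means reissuing all node certificates. ---
searchguard.cert.oid: '1.2.3.4.5.5'
```

Relative keystore and truststore paths are resolved against the Elasticsearch config directory. Keep the keystore passwords out of version control and restrict file permissions on elasticsearch.yml, since the file holds them in clear text.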
Server: SAG_root/InternalDataStore/sagconfig folder
This folder contains the self-signed certificates and the default Search Guard security configuration. The default configuration accepts the demouser client certificate as a valid user for transport (TCP) communication, and enforces basic authentication with the user name Administrator and the password manage. Replace both the self-signed certificates and the default credentials before exposing the data store beyond a development host.
The hash.sh tool (SAG_root/InternalDataStore/plugins/search-guard-7/tools), shipped with Search Guard, is used to hash user passwords before they are written to the Search Guard configuration.
Client: SAG_root/IntegrationServer/instances/Instance_Name/packages/WmAPIGateway/config/resources/beans/gateway-datastore.xml
Item
Description
searchguard.ssl.transport.enabled
Indicates whether the client should use TLS on the transport connection to Elasticsearch.
Possible values: true, false
Default value: true
All TRANSPORT properties listed above for the server are applicable to the client as well; the client presents its own certificate from its keystore and validates the node certificate against its truststore.
Client: SAG_root/profiles/IS_Instance_Name/apigateway/dashboard/config/kibana.yml
Item
Description
elasticsearch.username
Username to be used if basic authentication is enabled.
elasticsearch.ssl.verify
Specifies whether the dashboard validates the Elasticsearch server certificate, including the host name. Setting it to false disables all SSL checks and leaves the connection open to server impersonation; do this only for general-purpose self-signed certificates that cannot be validated. With a self-signed certificate the safer choice is to keep it true and point elasticsearch.ssl.ca at that certificate.
Possible values: true, false
Default value: true
elasticsearch.ssl.cert
Path of the client certificate to be sent to Elasticsearch. This is required if 2-way authentication is enabled (searchguard.ssl.http.clientauth_mode is REQUIRE).
elasticsearch.ssl.ca
Used when elasticsearch.ssl.verify is true: path to the CA certificate that signed the Elasticsearch HTTP certificate (or the self-signed server certificate itself).
elasticsearch.password
Password to be used if basic authentication is enabled.
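The following kibana.yml fragment is an added example of the dashboard client settings for an Elasticsearch that enables TLS on HTTP, requires client certificates and uses basic authentication; it is not the file shipped with the product. The paths and credentials are placeholders. It also uses elasticsearch.ssl.key, the standard Kibana setting that supplies the private key for elasticsearch.ssl.cert, which is not listed above.

```yaml
# Added example, not the product's shipped kibana.yml.
# Paths and credentials are placeholders (assumptions).

# Basic authentication against the Search Guard internal user database.
# Replace the default Administrator/manage credentials and hash the new
# password with hash.sh before adding it to the Search Guard configuration.
elasticsearch.username: dashboard
elasticsearch.password: change-me-dashboard

# Keep certificate and host name validation on. Rather than setting verify
# to false for a self-signed server certificate, trust that certificate (or
# the CA that issued it) explicitly through elasticsearch.ssl.ca.
elasticsearch.ssl.verify: true
elasticsearch.ssl.ca: /opt/softwareag/certs/ca.pem

# Client certificate and key presented to Elasticsearch. Needed when
# searchguard.ssl.http.clientauth_mode is REQUIRE; harmless with OPTIONAL.
# The certificate must not carry the node OID (searchguard.cert.oid) and its
# DN must not be listed in searchguard.authcz.admin_dn.
elasticsearch.ssl.cert: /opt/softwareag/certs/dashboard-client.pem
elasticsearch.ssl.key: /opt/softwareag/certs/dashboard-client.key
```

Because the dashboard's basic authentication password is stored in clear text in kibana.yml, restrict the file's permissions to the account that runs the dashboard.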