Securing Internal Data Store
1. Shut down API Gateway.
2. Open SAG_root/InternalDataStore/bin/enable_ssl.sh, comment out the last line (the one that runs /plugins/search-guard-2/tools/sgadmin.sh), and save the changes.
3. Copy the sagconfig directory from SAG_root/IntegrationServer/instances/Instance_Name/packages/WmAPIGateway/config/resources/elasticsearch to SAG_root/InternalDataStore.
4. Execute SAG_root/InternalDataStore/bin/enable_ssl.sh.
5. Execute SAG_root/InternalDataStore/bin/shutdown.sh to shut down the Internal Data Store.
6. Open SAG_root/InternalDataStore/config/elasticsearch.yml, remove all properties whose names start with searchguard, and add the following properties:
searchguard.ssl.transport.keystore_type: JKS
searchguard.ssl.transport.keystore_filepath: ../sagconfig/node-0-keystore.jks
searchguard.ssl.transport.keystore_alias: cn=node-0
searchguard.ssl.transport.keystore_password: a362fbcce236eb098973
searchguard.ssl.transport.truststore_type: JKS
searchguard.ssl.transport.truststore_filepath: ../sagconfig/truststore.jks
searchguard.ssl.transport.truststore_alias: root-ca-chain
searchguard.ssl.transport.truststore_password: 2c0820e69e7dd5356576
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.transport.resolve_hostname: false
searchguard.ssl.transport.enable_openssl_if_available: true
searchguard.ssl.http.enabled: false
searchguard.ssl.http.keystore_type: JKS
searchguard.ssl.http.keystore_filepath: ../sagconfig/node-0-keystore.jks
searchguard.ssl.http.keystore_alias: cn=node-0
searchguard.ssl.http.keystore_password: a362fbcce236eb098973
searchguard.ssl.http.truststore_type: JKS
searchguard.ssl.http.truststore_filepath: ../sagconfig/truststore.jks
searchguard.ssl.http.truststore_alias: root-ca-chain
searchguard.ssl.http.truststore_password: 2c0820e69e7dd5356576
searchguard.ssl.http.clientauth_mode: OPTIONAL
searchguard.authcz.admin_dn:
- "CN=sgadmin"
7. Save the changes made to the file elasticsearch.yml.
8. Execute SAG_root/InternalDataStore/bin/startup.sh to start Internal Data Store.
9. Go to SAG_root/InternalDataStore/plugins/search-guard-2/tools and execute sgadmin.sh -cd ../../../sagconfig/ -ks ../../../sagconfig/sgadmin-keystore.jks -kspass 49fc2492ebbcfa7cfc5e -ts ../../../sagconfig/truststore.jks -tspass 2c0820e69e7dd5356576 -nhnv -p 9340 -cn SAG_InternalDataStore (-p is the TCP port and -cn is the cluster name).
10. Execute SAG_root/InternalDataStore/bin/shutdown.sh. This is required only if API Gateway is configured to start the Internal Data Store on startup, which is the default configuration.
All TCP (transport) connections are now secured with two-way authentication, and HTTPS is enabled with basic authentication for the credentials Administrator and manage (without two-way authentication), using the out-of-the-box self-signed certificates.
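As an added check (example code written for this page, not Software AG or Search Guard code), the script below validates the elasticsearch.yml produced in step 6: it reports searchguard.* properties that are missing or left over from the old file, confirms that admin_dn lists the CN=sgadmin identity that sgadmin.sh uses in step 9, and notes that transport hostname verification is switched off. The SAMPLE text and the searchguard.old_property_placeholder key are constructed for illustration.

```python
# Keys that step 6 writes; any other searchguard.* key is a leftover to remove.
_STORE = [f"{s}_{f}" for s in ("keystore", "truststore")
          for f in ("type", "filepath", "alias", "password")]
STEP6_KEYS = (
    {f"searchguard.ssl.transport.{k}" for k in _STORE + [
        "enforce_hostname_verification", "resolve_hostname", "enable_openssl_if_available"]}
    | {f"searchguard.ssl.http.{k}" for k in _STORE + ["enabled", "clientauth_mode"]}
    | {"searchguard.authcz.admin_dn"}
)

def parse_flat_yaml(text):
    """Minimal parser for the flat 'key: value' / '- item' layout used in step 6."""
    settings, list_key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("- ") and list_key:      # item of the list opened above
            settings[list_key].append(line[2:].strip().strip('"'))
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"unparseable line: {raw!r}")
        key, value = key.strip(), value.strip()
        settings[key] = value if value else []
        list_key = None if value else key           # an empty value opens a YAML list
    return settings

def check_searchguard(text):
    """Return findings for the Search Guard section; [] means it matches step 6."""
    s = parse_flat_yaml(text)
    present = {k for k in s if k.startswith("searchguard.")}
    findings = [f"missing: {k}" for k in sorted(STEP6_KEYS - present)]
    findings += [f"leftover: {k}" for k in sorted(present - STEP6_KEYS)]
    if "CN=sgadmin" not in s.get("searchguard.authcz.admin_dn", []):
        findings.append("admin_dn: CN=sgadmin (the DN sgadmin.sh uses in step 9) is not listed")
    if s.get("searchguard.ssl.transport.enforce_hostname_verification") == "false":
        findings.append("note: transport hostname verification is off; nodes are authenticated by certificate alone")
    return findings

# Constructed sample: a partially edited file with one stale property left in.
SAMPLE = """\
cluster.name: SAG_InternalDataStore
searchguard.ssl.transport.keystore_filepath: ../sagconfig/node-0-keystore.jks
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.http.enabled: false
searchguard.old_property_placeholder: stale
searchguard.authcz.admin_dn:
- "CN=sgadmin"
"""
```

Pass the contents of the real elasticsearch.yml to check_searchguard() after step 7; an empty result means the file contains exactly the properties listed above.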