Software AG Products 10.5 | Configuring API Gateway | API Gateway Data Store | Securing Communication with API Gateway Data Store

Securing API Gateway Data Store
1. Shut down API Gateway.
2. Open SAG_root/InternalDataStore/bin/enable_ssl.sh, comment out the last line (the call to /plugins/search-guard-7/tools/sgadmin.sh) and save the changes. The sgadmin run is performed manually in step 9, after the node has been reconfigured.
3. Copy the sagconfig directory from SAG_root/IntegrationServer/instances/Instance_Name/packages/WmAPIGateway/config/resources/elasticsearch to SAG_root/InternalDataStore.
4. Execute SAG_root/InternalDataStore/bin/enable_ssl.sh.
5. Execute SAG_root/InternalDataStore/bin/shutdown.sh to shut down API Gateway Data Store.
6. Open SAG_root/InternalDataStore/config/elasticsearch.yml. Remove all properties whose names start with searchguard (including the list items that belong to them) and add the following properties. The store paths are relative to the config directory, so ../sagconfig resolves to the directory copied in step 3.
searchguard.ssl.transport.keystore_type: JKS
searchguard.ssl.transport.keystore_filepath: ../sagconfig/node-0-keystore.jks
searchguard.ssl.transport.keystore_alias: cn=node-0
searchguard.ssl.transport.keystore_password: a362fbcce236eb098973
searchguard.ssl.transport.truststore_type: JKS
searchguard.ssl.transport.truststore_filepath: ../sagconfig/truststore.jks
searchguard.ssl.transport.truststore_alias: root-ca-chain
searchguard.ssl.transport.truststore_password: 2c0820e69e7dd5356576
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.transport.resolve_hostname: false
searchguard.ssl.transport.enable_openssl_if_available: true

searchguard.ssl.http.enabled: false
searchguard.ssl.http.keystore_type: JKS
searchguard.ssl.http.keystore_filepath: ../sagconfig/node-0-keystore.jks
searchguard.ssl.http.keystore_alias: cn=node-0
searchguard.ssl.http.keystore_password: a362fbcce236eb098973
searchguard.ssl.http.truststore_type: JKS
searchguard.ssl.http.truststore_filepath: ../sagconfig/truststore.jks
searchguard.ssl.http.truststore_alias: root-ca-chain
searchguard.ssl.http.truststore_password: 2c0820e69e7dd5356576
searchguard.ssl.http.clientauth_mode: OPTIONAL

searchguard.authcz.admin_dn:
- "CN=sgadmin"
7. Save the changes made to the file elasticsearch.yml.
8. Execute SAG_root/InternalDataStore/bin/startup.sh to start API Gateway Data Store.
9. Go to SAG_root/InternalDataStore/plugins/search-guard-7/tools and execute the following command (a single line):

sgadmin.sh -cd ../../../sagconfig/ -ks ../../../sagconfig/sgadmin-keystore.jks -kspass 49fc2492ebbcfa7cfc5e -ts ../../../sagconfig/truststore.jks -tspass 2c0820e69e7dd5356576 -nhnv -p 9340 -cn SAG_InternalDataStore

Here -cd is the Search Guard configuration directory, -ks and -kspass are the admin keystore and its password, -ts and -tspass are the truststore and its password, -nhnv disables hostname verification (matching enforce_hostname_verification: false above), -p is the TCP transport port and -cn is the cluster name. The command must be run against a running node, which is why step 8 starts the Data Store first.
10. Execute SAG_root/InternalDataStore/bin/shutdown.sh. This is required only if API Gateway is configured to start API Gateway Data Store on startup, which is the default configuration.
11. Alternatively, you can configure the properties using the following Command Central template. Import and apply it with these commands:
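The steps above as a POSIX shell script, added here as an example and not part of Software AG's product or documentation. It assumes SAG_ROOT is the installation root and the Integration Server instance is named default (both overridable through the environment); the keystore, truststore and sgadmin passwords default to the out-of-the-box values shown on this page. The file-editing functions (steps 2 and 6) are self-contained and can be tried on a copy of the files; the orchestration function at the end runs the whole procedure when the script is invoked with the argument run.

```shell
#!/bin/sh
# Added example (not Software AG's script): the Data Store TLS procedure as
# shell functions. Assumptions are marked where they are used.
set -eu

SAG_ROOT="${SAG_ROOT:-/opt/softwareag}"      # assumption: installation root
INSTANCE="${INSTANCE:-default}"              # assumption: Integration Server instance name
KS_PASS="${KS_PASS:-a362fbcce236eb098973}"   # node-0 keystore password from the page
TS_PASS="${TS_PASS:-2c0820e69e7dd5356576}"   # truststore password from the page
SGADMIN_KS_PASS="${SGADMIN_KS_PASS:-49fc2492ebbcfa7cfc5e}"  # sgadmin keystore password from the page
DS="$SAG_ROOT/InternalDataStore"

# Step 2: comment out the sgadmin.sh call in enable_ssl.sh (keeps a .bak copy).
disable_sgadmin_call() {
  sed -i.bak '/^[^#].*sgadmin\.sh/s/^/# /' "$1"
}

# Step 6: drop every searchguard.* property (and the "- ..." list items that
# belong to one) from elasticsearch.yml, then append the block from the page.
# $2 sets searchguard.ssl.http.enabled; the page's sample uses false.
write_searchguard_props() {
  yml="$1"; http_tls="${2:-false}"
  awk '/^searchguard\./ { skip = 1; next }
       skip && /^[ \t]*- / { next }
       { skip = 0; print }' "$yml" > "$yml.tmp"
  cat >> "$yml.tmp" <<EOF
searchguard.ssl.transport.keystore_type: JKS
searchguard.ssl.transport.keystore_filepath: ../sagconfig/node-0-keystore.jks
searchguard.ssl.transport.keystore_alias: cn=node-0
searchguard.ssl.transport.keystore_password: $KS_PASS
searchguard.ssl.transport.truststore_type: JKS
searchguard.ssl.transport.truststore_filepath: ../sagconfig/truststore.jks
searchguard.ssl.transport.truststore_alias: root-ca-chain
searchguard.ssl.transport.truststore_password: $TS_PASS
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.transport.resolve_hostname: false
searchguard.ssl.transport.enable_openssl_if_available: true
searchguard.ssl.http.enabled: $http_tls
searchguard.ssl.http.keystore_type: JKS
searchguard.ssl.http.keystore_filepath: ../sagconfig/node-0-keystore.jks
searchguard.ssl.http.keystore_alias: cn=node-0
searchguard.ssl.http.keystore_password: $KS_PASS
searchguard.ssl.http.truststore_type: JKS
searchguard.ssl.http.truststore_filepath: ../sagconfig/truststore.jks
searchguard.ssl.http.truststore_alias: root-ca-chain
searchguard.ssl.http.truststore_password: $TS_PASS
searchguard.ssl.http.clientauth_mode: OPTIONAL
searchguard.authcz.admin_dn:
- "CN=sgadmin"
EOF
  mv "$yml.tmp" "$yml"
}

# Sanity check before restarting (step 7): every store path is present exactly
# once and resolves relative to the config directory, and an admin DN is set.
check_searchguard_props() {
  yml="$1"; cfgdir=$(dirname "$yml")
  for key in keystore_filepath truststore_filepath; do
    [ "$(grep -c "^searchguard\.ssl\.transport\.$key:" "$yml")" -eq 1 ] || return 1
    [ "$(grep -c "^searchguard\.ssl\.http\.$key:" "$yml")" -eq 1 ] || return 1
  done
  grep -q '^searchguard\.authcz\.admin_dn:' "$yml" || return 1
  for p in $(sed -n 's/^searchguard\.ssl\..*store_filepath: *//p' "$yml" | sort -u); do
    [ -f "$cfgdir/$p" ] || { echo "missing store: $cfgdir/$p" >&2; return 1; }
  done
}

# Step 9: push the Search Guard configuration over the TLS transport port.
run_sgadmin() {
  ( cd "$DS/plugins/search-guard-7/tools" &&
    sh sgadmin.sh -cd ../../../sagconfig/ \
      -ks ../../../sagconfig/sgadmin-keystore.jks -kspass "$SGADMIN_KS_PASS" \
      -ts ../../../sagconfig/truststore.jks -tspass "$TS_PASS" \
      -nhnv -p 9340 -cn SAG_InternalDataStore )
}

# Post-check: the transport port must now present a certificate (needs openssl).
verify_transport_tls() {
  openssl s_client -connect "${1:-localhost}:9340" </dev/null 2>/dev/null | grep -q 'BEGIN CERTIFICATE'
}

# Steps 2 to 10 end to end; step 1 (stopping API Gateway) is left to the operator.
secure_data_store() {
  disable_sgadmin_call "$DS/bin/enable_ssl.sh"
  cp -R "$SAG_ROOT/IntegrationServer/instances/$INSTANCE/packages/WmAPIGateway/config/resources/elasticsearch/sagconfig" "$DS/"
  sh "$DS/bin/enable_ssl.sh"
  sh "$DS/bin/shutdown.sh"
  write_searchguard_props "$DS/config/elasticsearch.yml"
  check_searchguard_props "$DS/config/elasticsearch.yml"
  sh "$DS/bin/startup.sh"
  until verify_transport_tls localhost; do sleep 2; done   # wait until the node listens with TLS
  run_sgadmin
  sh "$DS/bin/shutdown.sh"   # step 10: API Gateway starts the Data Store itself by default
}

if [ "${1:-}" = run ]; then secure_data_store; fi
```

The awk filter removes a searchguard property together with the unindented list items that follow it, so an old searchguard.authcz.admin_dn entry does not leave a stray "- ..." line behind; check_searchguard_props catches the usual mistake of copying sagconfig to the wrong directory before the node is restarted with a keystore path that does not resolve.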
sagcc exec templates composite import -i properties.yaml

sagcc exec templates composite apply sag-apigw-datastore-properties nodes=local
Sample properties configuration template:
alias: sag-apigw-datastore-properties
description: API Gateway Data Store Properties

layers:
  runtime:
    templates:
      - apigw-datastore-properties

templates:
  apigw-datastore-properties:
    products:
      CEL:
        default:
          configuration:
            CEL:
              CUSTOM-PROPERTIES:
                CUSTOM-PROPERTIES-default: |
                  ---
                  searchguard.ssl.transport.enforce_hostname_verification: false
                  path.logs: "C:\\sag\\cc\\InternalDataStore/newlogs"
                  path.repo:
                  - "C:\\sag\\cc\\InternalDataStore/archives"
                  searchguard.ssl.http.clientauth_mode: "OPTIONAL"
                  searchguard.check_snapshot_restore_write_privileges: true
                  cluster.initial_master_nodes:
                  - "nodename"
                  searchguard.ssl.transport.resolve_hostname: false
                  searchguard.restapi.roles_enabled:
                  - "SGS_ALL_ACCESS"
                  searchguard.enable_snapshot_restore_privilege: true
                  searchguard.ssl.transport.enable_openssl_if_available: true
                  searchguard.authcz.admin_dn:
                  - "CN=sgadmin"

provision:
  default:
    runtime: ${nodes}
With this configuration, all TCP transport connections (between nodes and from sgadmin) are secured with two-way TLS authentication using the out-of-the-box self-signed certificates, and the HTTP layer uses basic authentication with the default credentials Administrator and manage without two-way authentication (clientauth_mode: OPTIONAL). Note that TLS on the HTTP port is governed by searchguard.ssl.http.enabled; the sample in step 6 leaves it at false, so set it to true if HTTP traffic to the Data Store must be encrypted. Hostname verification is disabled on the transport layer (enforce_hostname_verification: false and -nhnv), and the certificates and keystore passwords shown above are shipped defaults; replace them with your own and change the default credentials before the Data Store is reachable from anything other than a test environment.