Configuration Properties to Secure Elasticsearch
This section lists the configuration properties to secure Elasticsearch.
Server: SAG_Root/EventDataStore/config/elasticsearch.yml
| Item | Description |
| --- | --- |
| TRANSPORT (2-way authentication is enabled by default) | |
| searchguard.ssl.transport.keystore_type | Type of keystore. Possible values: JKS, PKCS12. Default value: JKS |
| searchguard.ssl.transport.keystore_filepath | Location where the keystore is stored. |
| searchguard.ssl.transport.keystore_alias | Keystore entry name, if there is more than one entry. |
| searchguard.ssl.transport.keystore_password | Password to access the keystore. |
| searchguard.ssl.transport.truststore_type | Type of truststore. Possible values: JKS, PKCS12. Default value: JKS |
| searchguard.ssl.transport.truststore_filepath | Location where the truststore is stored. |
| searchguard.ssl.transport.truststore_alias | Truststore entry name, if there is more than one entry. |
| searchguard.ssl.transport.truststore_password | Password to access the truststore. |
| searchguard.ssl.transport.enforce_hostname_verification | If true, the hostname mentioned in the certificate is validated. Set this to false if a general-purpose self-signed certificate is used. Possible values: true, false. Default value: true |
| searchguard.ssl.transport.resolve_hostname | Applicable only if enforce_hostname_verification is true. If true, the hostname is resolved against the DNS server. Set this to false if a general-purpose self-signed certificate is used. Possible values: true, false. Default value: true |
| searchguard.ssl.transport.enable_openssl_if_available | Use OpenSSL instead of JDK SSL if it is available. Possible values: true, false. Default value: true |
| HTTP | |
| searchguard.ssl.http.enabled | Set this to true to enable SSL for the REST interface (HTTP). Possible values: true, false. Default value: true |
| searchguard.ssl.http.keystore_type | Type of keystore. Possible values: JKS, PKCS12. Default value: JKS |
| searchguard.ssl.http.keystore_filepath | Location where the keystore is stored. |
| searchguard.ssl.http.keystore_alias | Keystore entry name, if there is more than one entry. |
| searchguard.ssl.http.keystore_password | Password to access the keystore. |
| searchguard.ssl.http.truststore_type | Type of truststore. Possible values: JKS, PKCS12. Default value: JKS |
| searchguard.ssl.http.truststore_filepath | Location where the truststore is stored. |
| searchguard.ssl.http.truststore_alias | Truststore entry name, if there is more than one entry. |
| searchguard.ssl.http.truststore_password | Password to access the truststore. |
| searchguard.ssl.http.clientauth_mode | Option to enable 2-way authentication. REQUIRE: a client certificate is required. OPTIONAL: a client certificate is accepted if presented but is not required. NONE: the client certificate is ignored even if it is available. Possible values: REQUIRE, OPTIONAL, NONE. Default value: OPTIONAL |
| Search Guard Admin | |
| searchguard.authcz.admin_dn | Search Guard maintains all its data in an index called searchguard. This index is accessible only to the users configured here (the client certificate is passed in the sgadmin command). |
| Miscellaneous | |
| searchguard.cert.oid | All certificates used by the nodes on the transport level should have the oid field set to a specific value. Search Guard checks this oid value to identify whether an incoming request comes from a trusted node in the cluster. If yes, all actions are allowed. If no, privilege checks apply. The oid is also checked whenever a node wants to join the cluster. Default value: '1.2.3.4.5.5' |
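The following check is an added example, not part of the Software AG or Search Guard documentation: a Python script that reads a flat elasticsearch.yml and reports where the TRANSPORT and HTTP properties above are weaker than their documented defaults. The sample file contents and the function names are constructed for illustration.

```python
# Added example: flag Search Guard TLS settings weaker than the documented defaults.
TRANSPORT = "searchguard.ssl.transport."
HTTP = "searchguard.ssl.http."

# Constructed sample file contents, not a shipped configuration.
SAMPLE_YML = """\
# elasticsearch.yml (constructed)
searchguard.ssl.transport.keystore_type: JKS
searchguard.ssl.transport.keystore_filepath: node-0-keystore.jks
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.transport.resolve_hostname: false
searchguard.ssl.http.enabled: true
searchguard.ssl.http.clientauth_mode: 'NONE'
"""

def parse_flat_yaml(text):
    """Parse flat 'key: value' lines; skip blanks and full-line comments."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip().strip("'\"")
    return settings

def audit(settings):
    """Return (property, message) pairs; absent keys take the documented default."""
    def get(key, default):
        return settings.get(key, default).lower()
    findings = []
    if get(TRANSPORT + "enforce_hostname_verification", "true") != "true":
        findings.append((TRANSPORT + "enforce_hostname_verification",
                         "hostname in node certificates is not validated"))
    elif get(TRANSPORT + "resolve_hostname", "true") != "true":
        # resolve_hostname applies only while hostname verification is on
        findings.append((TRANSPORT + "resolve_hostname",
                         "hostname is not resolved against the DNS server"))
    if get(HTTP + "enabled", "true") != "true":
        findings.append((HTTP + "enabled", "REST interface runs without SSL"))
    elif get(HTTP + "clientauth_mode", "optional") == "none":
        findings.append((HTTP + "clientauth_mode",
                         "client certificates are ignored on the REST interface"))
    return findings

if __name__ == "__main__":
    for prop, message in audit(parse_flat_yaml(SAMPLE_YML)):
        print(f"{prop}: {message}")
```

An empty result means every checked property is either absent (so the documented default applies) or set to its default.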
Server: SAG_Root/EventDataStore/sagconfig folder
This folder contains all the self-signed certificates and the default Search Guard security configurations. The default configuration accepts the demouser client certificate as a valid user for TCP communication, and enforces basic authentication for the credentials Administrator and manage.
The hash.bat/sh tool (SAG_Root/EventDataStore/plugins/search-guard-2/tools), shipped with Search Guard, is used to hash the user passwords.
Client: SAG_Root/IntegrationServer/instances/Instance_Name/packages/WmAPIGateway/config/resources/beans/gateway-datastore.xml
| Item | Description |
| --- | --- |
| searchguard.ssl.transport.enabled | Indicates whether the client should use secure transport. Possible values: true, false. Default value: true |

All TRANSPORT properties mentioned above also apply to the client.
Client: SAG_Root/profiles/IS_Instance_Name/apigateway/dashboard/config/kibana.yml
| Item | Description |
| --- | --- |
| elasticsearch.username | Username to be used if basic authentication is enabled. |
| elasticsearch.ssl.verify | Disable all SSL checks, including hostname and certificate validation. Set this to true if general-purpose self-signed certificates are used. Possible values: true, false. Default value: true |
| elasticsearch.ssl.cert | Path of the client certificate to be sent to Elasticsearch. This is required if 2-way authentication is enabled. |
| elasticsearch.ssl.ca | If verify is true, this denotes the path to the CA certificate that is used to sign other certificates. |
| elasticsearch.password | Password to be used if basic authentication is enabled. |
Copyright © 2017 Software AG, Darmstadt, Germany.
