Securing Elasticsearch 8.14 with HTTPS Certificates
Securing your Elasticsearch instance is crucial to protect your data and ensure only authorised access. One of the ways to achieve this is by using HTTPS certificates. Enabling HTTPS on Elasticsearch provides an additional layer of security by ensuring that all communications to and from Elasticsearch are encrypted. This is particularly important to protect username/password information from eavesdropping and other man-in-the-middle type data breaches.
This blog post will guide you through the process used in our internal test server to configure a secure instance of Elasticsearch 8.14 and connect Sage X3 2024 R2 to your secure Elasticsearch instance. Note that this blog is an example setup for a test instance only, and you should refer to the official documentation for best practices for production environments.
https://www.elastic.co/guide/en/elasticsearch/reference/current/secure-cluster.html
These are the main steps that will be covered in this blog.
1. Installing Elasticsearch (I won't go into too much depth but will direct you to the resources that will enable you to complete the installation)
2. Configuring basic security in Elasticsearch 8.14
3. Securing Elasticsearch Instance using HTTPS
- Creating the certificates
- Configuring HTTPS in the elasticsearch.yml (configuration file)
- Testing access (using browser & Postman)
4. Connecting Sage X3 to your Elasticsearch server
1. Install Elasticsearch 8 as a Service:
From Sage X3 2024 R1 you can use Elasticsearch version 8 as the search engine for your Sage X3 instance. As mentioned, I won't go into the full installation details as this has been covered previously in Tips & Tricks days and comprehensive information is available from Elastic and in the Sage knowledgebase.
Installing Elasticsearch | Elasticsearch Guide [8.14]
Additional notes when upgrading Elasticsearch (sage.com)
In summary, unzip the installation files to a suitable location of your choice. Open Command Prompt as an administrator. Navigate to the bin directory in your Elasticsearch installation location (also known as %ES_HOME%\bin).
Run the following commands to install Elasticsearch as a service:
set "mzNewServiceName=elasticsearch-8.14.1"
set "ES_HOME=D:\Sage\FreeComponents\elasticsearch-8.14.1"
REM Set your ES_JAVA_HOME if you do not want to use the bundled JDK
REM set "ES_JAVA_HOME=D:\Sage\FreeComponents\elasticsearch-8.14.1\jdk"
REM The following lines should not need to be changed
cd /d "%ES_HOME%\bin"
set "ES_PATH_CONF=%ES_HOME%\config"
set "ES_START_TYPE=auto"
set "SERVICE_ID=%mzNewServiceName%"
set "SERVICE_DISPLAY_NAME=%mzNewServiceName%"
set "SERVICE_DESCRIPTION=%mzNewServiceName%"
elasticsearch-service.bat install
Start the Elasticsearch Service:
In the same Command Prompt window, start the service with:
elasticsearch-service.bat start
Elasticsearch should now be installed and started. You can check the Elasticsearch logs in \elasticsearch-8.14.1\logs; if all is successful, you should see that the status is green.
2. Configuring basic security in Elasticsearch 8.14
By default, when you install Elasticsearch 8, security is enabled, so we need to set up the built-in users. Set the password for only one user by using the following command:
bin\elasticsearch-reset-password -u elastic -i
Once you have set the elastic user password, confirm you can access the Elasticsearch server over HTTP from the browser using the username and password.
Note: It is not possible to use only basic authentication with Sage X3. If at this point you do want to test the connection from Sage X3, you will need to disable all security defaults by adding the following xpack setting in config\elasticsearch.yml:
xpack.security.enabled: false
3. Securing Elasticsearch Instance using HTTPS
• Creating the certificates.
The first step in securing your Elasticsearch instance with HTTPS involves creating a Certificate Authority (CA). This can be done using the elasticsearch-certutil command with the ca option. The --pem flag specifies that the output should be in PEM format, and the --ca-dn option sets the Distinguished Name (DN) for the CA.
You can use an existing CA you have obtained from another source.
Bin\elasticsearch-certutil ca --pem --ca-dn CN=elastic-ca
The certificates will be created in the ES_Home location in a .zip file.
Unzip and copy the certificates to a new directory, for example %ES_Home%\config\certs
Next, we need to generate a certificate and private key using the CA just created. This is done with the elasticsearch-certutil cert command. The --pem flag specifies the PEM format, and the --ca-cert and --ca-key options point to the CA certificate and key. The --dns and --ip options set the DNS and IP addresses for the certificate, and the --name option sets the certificate’s name.
Bin\elasticsearch-certutil cert --pem --ca-cert config/ca.crt --ca-key config/ca.key --dns localhost,x3erpv12sqlvm --ip 127.0.0.1 --name elasticsearch
These certificates will also be created in a zip file in the ES_Home location. Move the created certificates into the certs folder, which will now contain four certificates.
• Configuring HTTPS in the elasticsearch.yml (configuration file)
Now that our certificates are created and in the correct location, we can edit the Elasticsearch configuration file to enable HTTPS security. Stop the Elasticsearch service and update the file so it includes the following xpack parameters.
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.certificate_authorities: [ "certs/ca.crt" ]
xpack.security.http.ssl.certificate: certs/elasticsearch.crt
xpack.security.http.ssl.key: certs/elasticsearch.key
xpack.security.http.ssl.client_authentication: required
You can find detailed information about each of these settings in the Elasticsearch online help.
Security settings in Elasticsearch | Elasticsearch Guide [8.14]
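The following Python check is an added example, not part of the original post or of Elasticsearch. It audits an elasticsearch.yml for the five HTTPS settings shown above and for the test-only xpack.security.enabled: false override from step 2. It assumes the flat dotted-key style used in this post, and the sample file is constructed for illustration.

```python
import re

# Exact values the post's elasticsearch.yml must carry.
REQUIRED = {
    "xpack.security.http.ssl.enabled": "true",
    "xpack.security.http.ssl.client_authentication": "required",
}
# PEM paths that must be present and non-empty.
MUST_BE_SET = (
    "xpack.security.http.ssl.certificate_authorities",
    "xpack.security.http.ssl.certificate",
    "xpack.security.http.ssl.key",
)

def parse_flat_yaml(text):
    """Parse flat 'dotted.key: value' lines (assumption: no nested YAML blocks)."""
    settings = {}
    for line in text.splitlines():
        m = re.match(r"^([A-Za-z0-9_.]+)\s*:\s*(.*)$", line.split("#", 1)[0].strip())
        if m:
            settings[m.group(1)] = m.group(2).strip().strip("\"'")
    return settings

def audit(text):
    """Return a list of findings; an empty list means the file matches the post."""
    s = parse_flat_yaml(text)
    findings = []
    if s.get("xpack.security.enabled", "true").lower() == "false":
        findings.append("xpack.security.enabled is false: security features are off")
    for key, want in REQUIRED.items():
        got = s.get(key, "<unset>").lower()
        if got != want:
            findings.append(f"{key} is {got}, expected {want}")
    for key in MUST_BE_SET:
        if not s.get(key, "").strip("[] "):
            findings.append(f"{key} is not set")
    return findings

# Constructed sample: a file still carrying the test-only override from step 2.
WEAK = """\
xpack.security.enabled: false   # left over from the basic-auth test
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.certificate: certs/elasticsearch.crt
xpack.security.http.ssl.key: certs/elasticsearch.key
xpack.security.http.ssl.client_authentication: optional
"""

if __name__ == "__main__":
    for finding in audit(WEAK):
        print("FINDING:", finding)
```

To audit a real file, pass its contents to audit(), for example audit(open("elasticsearch.yml").read()).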
• Testing your certificates
Now, when browsing to the Elasticsearch service at https://localhost:9200, we get ERR_CONNECTION_REFUSED. This confirms that the service is requesting client authentication using certificates.
Before moving on to configure the secure connection in Sage X3, we can confirm that certificate-based client authentication is working by using the Postman application.
In Settings in Postman, add your certificates from the elasticsearch-8.14.1\config\certs location. This means that every time we attempt to connect to https://localhost:9200 from Postman, the certificates will be used for authentication.
Don’t forget to add the ‘elastic’ user credentials to your request as well. You will receive a response back with status 200 OK.
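A scripted equivalent of the Postman check, as an added example that is not part of the original post. It calls the HTTPS endpoint without a client certificate, with the certificate only, and with the certificate plus the elastic credentials. The relative certs/ paths and the password are placeholders. With client_authentication: required, the first call should fail before any HTTP status is returned, the second should return 401, and the third 200.

```python
import base64
import http.client
import ssl

def basic_auth(user, password):
    """Build the HTTP Basic Authorization header value."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def probe(host, port, ca, cert=None, key=None, user=None, password=None, timeout=5):
    """Return a short label describing how the endpoint answered."""
    try:
        ctx = ssl.create_default_context(cafile=ca)  # verify the server against our CA
        if cert and key:
            ctx.load_cert_chain(certfile=cert, keyfile=key)  # present a client certificate
    except (OSError, ssl.SSLError) as exc:
        return f"setup-error: {exc.__class__.__name__}"
    headers = {}
    if user is not None:
        headers["Authorization"] = basic_auth(user, password)
    conn = http.client.HTTPSConnection(host, port, context=ctx, timeout=timeout)
    try:
        conn.request("GET", "/", headers=headers)
        return f"http-{conn.getresponse().status}"
    except ssl.SSLCertVerificationError:
        return "server-cert-rejected"  # host name not in --dns/--ip, or wrong CA
    except ssl.SSLError:
        return "tls-rejected"  # e.g. the server demanded a client certificate
    except OSError as exc:
        return f"connect-error: {exc.__class__.__name__}"  # refused, reset or timed out
    finally:
        conn.close()

if __name__ == "__main__":
    # Assumption: run from %ES_HOME%\config; the password is a placeholder.
    ca, crt, key = "certs/ca.crt", "certs/elasticsearch.crt", "certs/elasticsearch.key"
    print("no client cert :", probe("localhost", 9200, ca))
    print("cert, no login :", probe("localhost", 9200, ca, crt, key))
    print("cert and login :", probe("localhost", 9200, ca, crt, key, "elastic", "<password>"))
```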
4. Connecting Sage X3 to your Elasticsearch server
We now move on to configuring Sage X3 to use our client certificates to secure the connection.
First, add the CA from the Elasticsearch certs folder to Sage X3 using the CACertificates function.
Add the client certificates from the Elasticsearch certs folder that was created to Sage X3 using the certificates function.
The last step involves configuring the connection to the Elasticsearch server using the Search Server Settings function. Make sure to select the correct version of Elasticsearch, specify your connection settings and the certificates for authentication, and populate the user authentication using the elastic user credentials.
Now proceed to test that you can initiate the creation of an index using the index management function.
Conclusion
In summary, in this blog we walked through installing Elasticsearch version 8 on a Windows server and securing Elasticsearch with HTTPS certificate authentication. This setup ensures that your Elasticsearch instance and communications with Sage X3 are secured.
Some additional resources that you will find useful if undertaking this setup:
https://www.elastic.co/guide/en/elasticsearch/reference/current/secure-cluster.html
Security settings in Elasticsearch | Elasticsearch Guide [8.14]