Updated: 06 Aug 2025
Securing Elastic Search 8.x with HTTPS Certificates
Securing your Elasticsearch instance is crucial to protect your data and ensure only authorised access. One of the ways to achieve this is by using HTTPS certificates. Enabling HTTPS on Elasticsearch provides an additional layer of security to ensure that all communications to and from Elasticsearch are encrypted. This is particularly important to protect username/password information from being eavesdropped and other man-in-the-middle type data breaches.
This blog post will guide you through the process used in our internal test server to configure a secure instance of Elastic Search 8.18 and connect Sage X3 2025 R1 to this secure Elasticsearch Instance. Note that this blog is an example setup for a test instance only, and you should refer to the official Elastic Search documentation for best practices for production environments.
https://www.elastic.co/guide/en/security/8.18/index.html
These are the main steps that will be covered in this blog.
- Installing Elasticsearch, (I won't go into too much depth but will direct you to the resources that will enable you to complete the installation)
- Configuring basic security in Elasticsearch 8.18
- Securing Elasticsearch Instance using HTTPS
- Creating the certificates
- Configuring HTTPS in the elasticsearch.yml (configuration file)
- Testing access (using browser & postman)
- Connecting Sage X3 to your Elasticsearch server
Install Elasticsearch 8 as a Service
From Sage X3 2024 R1 onwards, you can use Elasticsearch version 8.x as the search engine for your Sage X3 instance. As mentioned, I won't go into the full installation details as this has been covered previously in Tips & Tricks days and comprehensive information is available from Elastic and in the Sage knowledgebase.
https://www.elastic.co/guide/en/elasticsearch/reference/8.18/index.html
Download the latest ElasticSearch 8.x from https://www.elastic.co/downloads/past-releases#elasticsearch (8.18.4 as the time of writing)
Unzip the installation files to a suitable location of your choice.
You can use the attached “mzInstallElastic.cmd” script to install ElasticSearch as a service. Edit the script to reflect your installation location, etc. Then run the script with the “Run as Administrator” option. The script assumes you have extracted the ZIP file to the root of X:
Alternatively, you can follow the standard ElasticSearch instructions to do the same.
NOTE: I am not changing the default “elasticsearch.yml” file yet.
Start the Elasticsearch Service:
You should find you now have the Windows Service available, so start it up now and check it is OK
NOTE: if there is a problem, it may take 60 seconds for the service to show as failed
Check in the “X:\elasticsearch-8.18.4\logs\elasticsearch.log “ that the “current.health” is “GREEN”
Configuring basic security in Elasticsearch 8.18
By default, when you install Elasticsearch 8 security is enabled, so we need to set up a password for the built-in administrative user.
Set the password for the “elastic” user by using the following command
%ES_HOME%\bin\elasticsearch-reset-password -u elastic -i
(You could also edit the “mzInstallElastic.cmd” file and use that to reset the password if you prefer.)
NOTE: if you get an error such as “Failed to reset password for elastic user exit code 75” this may indicate a previous ElasticSearch installation has not been fully removed, or some other issue. In any case, a workaround is to setup a new administrative user and use that instead of “Elastic” user. You can use the following command to create a new user called “sage” as a superuser for this purpose.
elasticsearch-users useradd sage -p Password1 -r superuser
We can now test you can access the elastic search server using the username & password with the URL http://localhost:9200
Note: we do not recommend using this mechanism with Sage X3, so you should continue with the steps below to secure your ElasticSearch server installation.
Securing Elasticsearch Instance using HTTPS
- Creating the certificates.
You can use the provided “mzSetupElasticTLS.cmd” file, by first editing it for the site specific variables, then run it using the “Run as administrator” option.
Alternatively you can proceed with the individual steps manually, as described in the ElasticSearch documentation ( https://www.elastic.co/docs/deploy-manage/security/set-up-basic-security-plus-https ) and outlined below:
The first step in Securing your Elasticsearch instance with HTTPS involves creating a Certificate Authority (CA). This can be done using the elasticsearch-certutil command with the ca option. The --pem flag specifies that the output should be in PEM format, and the --ca-dn option sets the Distinguished Name (DN) for the CA. You can use an existing CA you have obtained from another source.
The certificates will be created in the ES_Home location in a .zip file.
Unzip and copy the certificates to a new directory for example %ES_Home%\config\certs
Next, we need to generate a certificate and private key using the CA just created. This is done with the elasticsearch-certutil cert command. The --pem flag specifies the PEM format, and the --ca-cert and --ca-key options point to the CA certificate and key. The --dns and --ip options set the DNS and IP addresses for the certificate, and the --name option sets the certificate’s name.
IMPORTANT NOTE: the DNS hostnames MUST be in lower case, otherwise searching from X3 will fail, complaining about Search server not being available.
These certificates will also be created in a zip file in the ES_Home location, move the created certificates from the certs folder which will now contain four certificates.
- Configuring HTTPS in the elasticsearch.yml (configuration file)
Now that our certificates are created and in the correct location, we can edit the elastic search configuration file to enable HTTPS security. Stop the Elastic search service and update the file so it includes the following xpack parameters.
network.host: W25-SQL22-X3V12
cluster.initial_master_nodes: ["node-1"]
## BEGIN additions for TLS Configuration
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.certificate_authorities: certs/ca.crt
xpack.security.http.ssl.certificate: certs/SageElasticSearch.crt
xpack.security.http.ssl.key: certs/SageElasticSearch.key
xpack.security.http.ssl.client_authentication: required
## Inter-node communications
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.certificate_authorities: certs/ca.crt
xpack.security.transport.ssl.certificate: certs/SageElasticSearch.crt
xpack.security.transport.ssl.key: certs/SageElasticSearch.key
## END of additions for TLS Configuration
You can find detailed information about each of these settings in the elastic search online help.
https://www.elastic.co/guide/en/security/8.18/getting-started.html
- Testing your certificates
Try browsing the elastic search service on the URL http://localhost:9200
You should get an error, as this is just to confirm the service is running, but as we are not providing a client certificate it is expected to fail.
(Optional step) Before moving on to configure the secure connection in Sage X3 we can confirm that client authentication is working using certificates using the Postman application
In settings in Postman
Add your certificates from the elasticsearch-8.14.1\config\certs location. This means that every time we attempt to connect to https://localhost:9200 the certificates will be used for authentication when using Postman.
Don’t forget to add the ‘elastic’ user credentials to your request as well, you will receive the following response back status 200 OK.
Connecting Sage X3 to your Elasticsearch server
Now moving on to configuring Sage X3 to use our client certificates to secure the connection.
Navigate to CA certificate Administration, Administration, Certificates, Certificates of Certification Authorities and load the ca.crt file we located in “X:\elasticsearch-8.18.4\config\certs”
Navigate to CA certificate Administration, Administration, Certificates and load the client certificate files also located in “X:\elasticsearch-8.18.4\config\certs”
Navigate to Administration, Usage, Search, Search server setting to configure the Elastic Search server in Sage X3.
Make sure to select the correct version of Elasticsearch specify your connection settings and the certificates for authentication also populate the user authentication using the elastic user credentials.
Now proceed to test that you initiate the creation of an index using the index management function.
Navigate to Administration, Usage, Search, Search Index Management
Select ABANK as the only entity then ACTIONS, UPDATE INDEX
You could get an error such as “The search server is not available” in which case you need to check everything again.
Hopefully all is well and it completes OK so now you can run the full index update and complete your testing.
Conclusion
In summary in this blog, we walked through installing Elasticsearch version 8 on a Windows server and securing Elasticsearch with HTTPS certificate authentication. This setup ensures that your Elasticsearch instance and communications with Sage X3 are secured.
Additional resources
Elastic Search online help
https://www.elastic.co/guide/en/security/8.18/index.html
https://www.elastic.co/docs/deploy-manage/security/set-up-basic-security-plus-https
https://www.elastic.co/docs/reference/elasticsearch/configuration-reference/security-settings
https://www.elastic.co/docs/reference/elasticsearch/command-line-tools/certutil
https://www.elastic.co/guide/en/elasticsearch/reference/8.18/index.html
https://www.elastic.co/guide/en/security/8.18/getting-started.html
Sage X3 Online help
Sage X3 Blogs and KB articles
Script files mentioned in the text
Attached file ElasticSearchScripts.zip
-
Carl Herrmann
-
Cancel
-
Vote Up
0
Vote Down
-
-
Sign in to reply
-
More
-
Cancel
Comment-
Carl Herrmann
-
Cancel
-
Vote Up
0
Vote Down
-
-
Sign in to reply
-
More
-
Cancel
Children