Hello,
I created a new 2-node ES 7.2.0 cluster. I have created successful integrations with the Java REST API in the past, but now I am adding the security layer and I am somewhat at a loss.
I followed the procedure described in the following blog to enable SSL: https://www.elastic.co/blog/configuring-ssl-tls-and-https-to-secure-elasticsearch-kibana-beats-and-logstash
Kibana and the HTTPS connection are working over SSL.
I found the following info on initializing the Java client: https://www.elastic.co/guide/en/elasticsearch/client/java-rest/current/_encrypted_communication.html
However, there are a few parts missing for me, being a novice in the SSL implementation.
Is there a more complete guide/sample on how to connect the Java REST client to an ES cluster that used the procedure described in the blog?
Forgive me for being a newbie in this, but for example I have no idea where the keystore should be coming from in the code shown on the page to initialize the encrypted communication.
Do I even need a keystore on my client, or do I just need to open an SSL-style connection and pass on the username and password for the connection?
Regards,
Jurgen
So, I think I found most of the information.
Here is what I did:
- Created a JKS keystore by importing the elastic ca.crt file into a new store
- Imported the node certificates into the store
Updated my Java code to set the necessary config:
    import java.io.File;
    import java.io.FileInputStream;
    import java.io.FileNotFoundException;
    import java.io.IOException;
    import java.io.InputStream;
    import java.security.KeyManagementException;
    import java.security.KeyStore;
    import java.security.KeyStoreException;
    import java.security.NoSuchAlgorithmException;
    import java.security.cert.CertificateException;
    import javax.net.ssl.SSLContext;
    import org.apache.http.HttpHost;
    import org.apache.http.auth.AuthScope;
    import org.apache.http.auth.UsernamePasswordCredentials;
    import org.apache.http.client.CredentialsProvider;
    import org.apache.http.impl.client.BasicCredentialsProvider;
    import org.apache.http.impl.nio.client.HttpAsyncClientBuilder;
    import org.apache.http.ssl.SSLContextBuilder;
    import org.apache.http.ssl.SSLContexts;
    import org.elasticsearch.client.RestClient;
    import org.elasticsearch.client.RestClientBuilder;
    import org.elasticsearch.client.RestClientBuilder.HttpClientConfigCallback;
    import org.elasticsearch.client.RestHighLevelClient;

    private RestHighLevelClient SSLConnection(HttpHost hosts) {
        // Basic auth credentials sent with every request
        final CredentialsProvider credentialsProvider = new BasicCredentialsProvider();
        credentialsProvider.setCredentials(AuthScope.ANY, new UsernamePasswordCredentials(connectionUser, connectionPassword));
        try {
            // Trust store holding the cluster CA (and node certs); the stream is closed by try-with-resources
            KeyStore truststore = KeyStore.getInstance("jks");
            try (InputStream is = new FileInputStream(new File(jksBasePath + jksStore))) {
                truststore.load(is, jksPassword.toCharArray());
            }
            SSLContextBuilder sslBuilder = SSLContexts.custom().loadTrustMaterial(truststore, null);
            final SSLContext sslContext = sslBuilder.build();
            RestClientBuilder builder = RestClient.builder(hosts)
                .setHttpClientConfigCallback(new HttpClientConfigCallback() {
                    @Override
                    public HttpAsyncClientBuilder customizeHttpClient(HttpAsyncClientBuilder httpClientBuilder) {
                        httpClientBuilder.setDefaultCredentialsProvider(credentialsProvider);
                        httpClientBuilder.setSSLContext(sslContext);
                        return httpClientBuilder;
                    }
                });
            return new RestHighLevelClient(builder);
        } catch (KeyStoreException e) {
            Diag.error(TraceSubSection, "SSLConnection", "KeyStoreException on JKS file", e);
        } catch (FileNotFoundException e) {
            Diag.error(TraceSubSection, "SSLConnection", "JKS file not found", e);
        } catch (NoSuchAlgorithmException e) {
            Diag.error(TraceSubSection, "SSLConnection", "NoSuchAlgorithmException", e);
        } catch (CertificateException e) {
            Diag.error(TraceSubSection, "SSLConnection", "CertificateException", e);
        } catch (IOException e) {
            Diag.error(TraceSubSection, "SSLConnection", "IOException on JKS file", e);
        } catch (KeyManagementException e) {
            Diag.error(TraceSubSection, "SSLConnection", "KeyManagementException on sslBuilder.build()", e);
        }
        return null;
    }
I know the catch side can be more efficient, but that is just for clarity's sake during dev.
It seems to work, but I wanted to check whether I missed something that might bite me later, for example with regard to performance.
Does anybody have any tips/input on this?
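As an added example (not Jurgen's code and not part of the Elastic documentation), the following shows the answer to the keystore question in the first post and a variant of the second post's setup: the client needs only a trust store containing the cluster CA, built here in memory straight from the ca.crt PEM file so no keytool step or JKS password is needed; the individual node certificates do not have to be imported because they chain to that CA. No client key material is loaded, since the client authenticates with the username and password rather than a client certificate (a client keystore only becomes necessary if the cluster is configured to require client certificates). The file path, hostnames, username and password are placeholders. It uses the same Apache HttpClient and Elasticsearch client classes as the posted code.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.util.Collection;

import javax.net.ssl.SSLContext;

import org.apache.http.HttpHost;
import org.apache.http.auth.AuthScope;
import org.apache.http.auth.UsernamePasswordCredentials;
import org.apache.http.client.CredentialsProvider;
import org.apache.http.impl.client.BasicCredentialsProvider;
import org.apache.http.ssl.SSLContexts;
import org.elasticsearch.client.RequestOptions;
import org.elasticsearch.client.RestClient;
import org.elasticsearch.client.RestClientBuilder;
import org.elasticsearch.client.RestHighLevelClient;

public final class EsTlsClientFactory {

    // Placeholders: point at the ca.crt produced when the cluster CA was created, and a real user.
    private static final Path CA_CERT_PEM = Paths.get("/path/to/ca.crt");
    private static final String ES_USER = "<elastic-user>";
    private static final String ES_PASSWORD = "<password>";

    private EsTlsClientFactory() {}

    /** Builds an in-memory trust store that trusts only the cluster CA; node certs are validated by chaining to it. */
    static KeyStore trustStoreFromPem(Path caPem) throws IOException, GeneralSecurityException {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        trustStore.load(null, null); // start from an empty store, no file and no password
        try (InputStream in = Files.newInputStream(caPem)) {
            // generateCertificates also accepts a PEM bundle with several CA certificates
            Collection<? extends Certificate> cas = cf.generateCertificates(in);
            int i = 0;
            for (Certificate ca : cas) {
                trustStore.setCertificateEntry("es-ca-" + i++, ca);
            }
        }
        return trustStore;
    }

    /** Trust material only: basic auth is used instead of a client certificate. */
    static SSLContext sslContextTrusting(KeyStore trustStore) throws GeneralSecurityException {
        // Hostname verification stays at the Apache default (enabled); it is not replaced by a no-op verifier.
        return SSLContexts.custom().loadTrustMaterial(trustStore, null).build();
    }

    public static RestHighLevelClient newClient(HttpHost... hosts) throws IOException, GeneralSecurityException {
        SSLContext sslContext = sslContextTrusting(trustStoreFromPem(CA_CERT_PEM));
        CredentialsProvider creds = new BasicCredentialsProvider();
        creds.setCredentials(AuthScope.ANY, new UsernamePasswordCredentials(ES_USER, ES_PASSWORD));
        RestClientBuilder builder = RestClient.builder(hosts)
            .setHttpClientConfigCallback(http -> http
                .setSSLContext(sslContext)
                .setDefaultCredentialsProvider(creds));
        return new RestHighLevelClient(builder);
    }

    public static void main(String[] args) throws Exception {
        // Build one client per application and share it: RestClient is thread-safe and keeps a
        // connection pool, so creating a client per request would redo the TLS handshake every time.
        try (RestHighLevelClient client = newClient(
                new HttpHost("node1.example.internal", 9200, "https"),
                new HttpHost("node2.example.internal", 9200, "https"))) {
            System.out.println("cluster reachable over TLS: " + client.ping(RequestOptions.DEFAULT));
        }
    }
}
```

The performance point that matters most in the posted code is lifecycle, not the try/catch: the RestHighLevelClient should be created once (for example at application start-up) and closed at shutdown, rather than built for every call. Keeping the hostname verifier at its default means a certificate issued by the cluster CA for a different host is still rejected, which is the check that makes the trust store worth having.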