Correct use of SSL with Java REST API

Jurgen_Debedts · July 2, 2019, 11:41pm

Hello,

I created a new 2 node cluster ES 7.2.0. I have created successful integrations with the Java REST API in the past, but now I am adding the security layer and I am somewhat at a loss.

I followed the procedure described in the following blog: https://www.elastic.co/blog/configuring-ssl-tls-and-https-to-secure-elasticsearch-kibana-beats-and-logstash
to enable SSL. Kibana and https connection are working in SSL.
I found the following info on initializing the JAVA client : https://www.elastic.co/guide/en/elasticsearch/client/java-rest/current/_encrypted_communication.html

However, there are a few parts missing for me, being a novice in the SSL implementation.
Is there a more complete guide/sample on how to connect the JAVA REST client to a ES cluster that used the procedure described in the blog?

Forgive me for being a newbie in this, but for example I have no idea where the keystore should be coming from in the code shown on the page to initialize the encrypted communication.
Do I even need a keystore on my client or do I just need to open an SSL style connection and pass on the username and password for the connection?

Regards,

Jurgen

Jurgen_Debedts · July 3, 2019, 2:46pm

So, I think I found most of the information.
Here is what I did:

Created a jks keystore by importing the elastic ca.crt file into a new store
imported the node certificates in the store

Updated my java code to set the necessary config:
private RestHighLevelClient SSLConnection(HttpHost hosts) {
final CredentialsProvider credentialsProvider = new BasicCredentialsProvider();
credentialsProvider.setCredentials(AuthScope.ANY, new UsernamePasswordCredentials(connectionUser, connectionPassword));

	KeyStore truststore;
	try {
		truststore = KeyStore.getInstance("jks");
		InputStream is = new FileInputStream(new File(jksBasePath + jksStore));
		truststore.load(is, jksPassword.toCharArray());
		SSLContextBuilder sslBuilder = SSLContexts.custom().loadTrustMaterial(truststore, null);
		final SSLContext sslContext = sslBuilder.build();
		
		RestClientBuilder builder = RestClient.builder(hosts)
				.setHttpClientConfigCallback(new HttpClientConfigCallback() {
					@Override
					public HttpAsyncClientBuilder customizeHttpClient(HttpAsyncClientBuilder httpClientBuilder) {
						httpClientBuilder.setDefaultCredentialsProvider(credentialsProvider);
						httpClientBuilder.setSSLContext(sslContext);
						return httpClientBuilder;
					}
				});
		return new RestHighLevelClient(builder);
		
	} catch (KeyStoreException e) {
		Diag.error(TraceSubSection, "SSLConnection", "KeyStoreException on JKS file", e);
	} catch (FileNotFoundException e) {
		Diag.error(TraceSubSection, "SSLConnection", "JKS file not found", e);
	} catch (NoSuchAlgorithmException e) {
		Diag.error(TraceSubSection, "SSLConnection", "NoSuchAlgorithmException", e);
	} catch (CertificateException e) {
		Diag.error(TraceSubSection, "SSLConnection", "CertificateException", e);
	} catch (IOException e) {
		Diag.error(TraceSubSection, "SSLConnection", "IOException on JKS file", e);
	} catch (KeyManagementException e) {
		Diag.error(TraceSubSection, "SSLConnection", "KeyManagementException on sslBuilder.build()", e);
	} 
	return null;
}

I know the catch side can be more efficient but that is just for clarity sake during dev.
It seems to work, but I wanted to check whether I missed something that might bite me later like with regards, to performance

Jurgen_Debedts · July 12, 2019, 9:06pm

Anybody has any tips/input on this?

system · August 9, 2019, 9:06pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.