Enterprise Search and SSL

Has anyone gotten Workplace Search to work over port 443? I believe I have set everything up correctly, but ES/WS will not start.

I get this, which doesn't really tell me anything and the logs don't either.

Enterprise Search is starting...
*** [DEPRECATION WARNING] The setting '#/ent_search/auth/source' is deprecated and will be removed in version '8.0.0'. Please use the new auth config format ent_search.auth.<auth_name>.source.
LoadError: load error: /usr/share/enterprise-search/lib/war/config/application -- java.lang.ClassCastException: org.bouncycastle.asn1.DLApplicationSpecific cannot be cast to org.bouncycastle.asn1.ASN1Sequence
                require at org/jruby/RubyKernel.java:978
                require at /usr/share/enterprise-search/lib/war/gems/gems/activesupport-4.2.11.3/lib/active_support/dependencies.rb:274
        load_dependency at /usr/share/enterprise-search/lib/war/gems/gems/activesupport-4.2.11.3/lib/active_support/dependencies.rb:240
                require at /usr/share/enterprise-search/lib/war/gems/gems/activesupport-4.2.11.3/lib/active_support/dependencies.rb:274
             initialize at /usr/share/enterprise-search/lib/war/shared_togo/lib/shared_togo/cli/command.class:36
             initialize at /usr/share/enterprise-search/lib/war/shared_togo/lib/shared_togo/cli/app_server_command.class:42
           run_and_exit at /usr/share/enterprise-search/lib/war/shared_togo/lib/shared_togo/cli/command.class:10
  run_supported_command at /usr/share/enterprise-search/lib/war/shared_togo/lib/shared_togo/cli.class:143
            run_command at /usr/share/enterprise-search/lib/war/shared_togo/lib/shared_togo/cli.class:125
                   run! at /usr/share/enterprise-search/lib/war/shared_togo/lib/shared_togo/cli.class:112
                 <main> at bin/enterprise-search-internal:15

My configuration looks like this:

ent_search.external_url: https://ent-search.msman.com:443
#
# Web application listen_host and listen_port.
# Your application will run on this host and port.
#
# * ent_search.listen_host: Must be a valid IPv4 or IPv6 address.
# * ent_search.listen_port: Must be a valid port number (1-65535).
#
ent_search.listen_host: 192.168.30.72
ent_search.listen_port: 443

...

ent_search.ssl.enabled: true
ent_search.ssl.certificate: "/usr/share/enterprise-search/config/elastic-wps-http.crt"
ent_search.ssl.key: "/usr/share/enterprise-search/config/elastic-wps-http.key"
#ent_search.ssl.keystore.path:
#ent_search.ssl.keystore.password:
#ent_search.ssl.keystore.key_password:
#ent_search.ssl.redirect_http_from_port:

What I would really like to see is a walk-through on configuring SSL with Workplace Search like you have for Kibana and Elasticsearch.

Thanks!

-Chris

I figured it out. It was a certificate issue. (isn't it always... :slight_smile:)

Thanks!

-Chris

@christopher.farmer you're too fast! :slight_smile:

While you got it fixed, I'm going to expound on the solution, in case others run into the same and find your post.

First, thanks for pointing out that we're a bit short on our SSL/TLS configuration guidance. We'll work to get that fleshed out to be on-par with our other product guides.

Second, looks like this is the error you were likely running into: https://github.com/jruby/jruby-openssl/issues/104
The manner in which you generate your keyfile therefore matters. Given that you have a PKCS12 file, keystore.p12,

openssl pkcs12 -in keystore.p12 -nocerts -nodes -out my_store.key

will generate a file that begins like:

Bag Attributes
    friendlyName: server-alias
    localKeyID: 54 69 6D 65 20 31 36 31 31 36 30 39 38 38 36 33 37 33
Key Attributes: <No Attributes>
-----BEGIN PRIVATE KEY-----
MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQCOLEC5CUH614cb
...

You can get rid of these troublesome "Bag Attributes" by instead running:

openssl pkcs12 -in keystore.p12  -nodes -nocerts -passin pass:changeme | openssl rsa -out my_store.key

It's worth noting, we don't have ent_search.ssl.certificate or ent_search.ssl.key documented as options - how did you find these were available?

We'd prefer for customers to use Java Key Store formatted files, and to use configs like:

ent_search.ssl.keystore.path: "/path/to/your/keystore.jks"
ent_search.ssl.keystore.password: "changeme"
ent_search.ssl.keystore.key_password: "changeme"
ent_search.ssl.redirect_http_from_port: 80

Such a self-signed keystore can be generated with these three commands:

keytool -genkey -alias server-alias -keyalg RSA -keypass changeme -storepass changeme -keystore keystore.jks
keytool -export -alias server-alias -storepass changeme -file server.cer -keystore keystore.jks
keytool -import -v -trustcacerts -alias server-alias -file server.cer -keystore cacerts.jks -keypass changeme -storepass changeme

You can read about those three commands here.

2 Likes
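As an added illustration (not Sean's or Elastic's code, and not part of the original thread): a small Python check for the symptom above, a PEM key file whose `openssl pkcs12` export still carries the non-PEM "Bag Attributes" preamble that the loader cannot parse, together with the cleanup that keeps only the private-key block, which is what piping through `openssl rsa` achieves. The sample export text is constructed and its key material is fake.

```python
import re

# A PEM block is "-----BEGIN X-----" ... "-----END X-----" with a matching label.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----",
    re.DOTALL,
)

# Constructed sample of what `openssl pkcs12 -nocerts -nodes` emits: the
# textual preamble before the PEM block is what the loader trips over.
SAMPLE_KEY_EXPORT = """Bag Attributes
    friendlyName: server-alias
    localKeyID: 54 69 6D 65 20 31 36 31 31 36 30 39 38 38 36 33 37 33
Key Attributes: <No Attributes>
-----BEGIN PRIVATE KEY-----
MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQCOLEC5CUH614cb
QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVphYmNkZWZnaGlqa2xtbm9wcXJzdHV2
-----END PRIVATE KEY-----
"""


def pem_blocks(text):
    """Return (label, body) for every PEM block in the text, in order."""
    return [(m.group(1), m.group(2)) for m in PEM_BLOCK.finditer(text)]


def preamble_lines(text):
    """Non-blank lines that sit outside every PEM block ('Bag Attributes', ...)."""
    outside = PEM_BLOCK.sub("", text)
    return [ln for ln in outside.splitlines() if ln.strip()]


def check_key_file(text):
    """What a strict PEM loader expects: one private-key block and nothing else."""
    blocks = pem_blocks(text)
    problems = []
    if not blocks:
        problems.append("no PEM block found")
    if len(blocks) > 1:
        problems.append("more than one PEM block (certificates mixed into the key file?)")
    for label, _ in blocks:
        if "PRIVATE KEY" not in label:
            problems.append(f"unexpected block type: {label}")
    junk = preamble_lines(text)
    if junk:
        problems.append(f"non-PEM text present: {junk[0]}")
    return problems


def clean_key_pem(text):
    """Keep only the private-key block, as `openssl rsa -out` would."""
    keys = [(l, b) for l, b in pem_blocks(text) if "PRIVATE KEY" in l]
    if len(keys) != 1:
        raise ValueError(f"expected exactly one private key block, found {len(keys)}")
    label, body = keys[0]
    return f"-----BEGIN {label}-----\n{body}-----END {label}-----\n"
```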

First, I followed this answer from Stack Overflow to enter the configuration settings (enterprise-search.yml) for SSL in the elasticsearch section: https://stackoverflow.com/a/64051320/5932828

Then I got the error as mentioned above.

LoadError: load error: /usr/share/enterprise-search/lib/war/config/application -- java.lang.ClassCastException: org.bouncycastle.asn1.DLApplicationSpecific cannot be cast to org.bouncycastle.asn1.ASN1Sequence
                require at org/jruby/RubyKernel.java:978
                require at /usr/share/enterprise-search/lib/war/gems/gems/activesupport-4.2.11.3/lib/active_support/dependencies.rb:274
        load_dependency at /usr/share/enterprise-search/lib/war/gems/gems/activesupport-4.2.11.3/lib/active_support/dependencies.rb:240
                require at /usr/share/enterprise-search/lib/war/gems/gems/activesupport-4.2.11.3/lib/active_support/dependencies.rb:274
             initialize at /usr/share/enterprise-search/lib/war/shared_togo/lib/shared_togo/cli/command.class:36
             initialize at /usr/share/enterprise-search/lib/war/shared_togo/lib/shared_togo/cli/app_server_command.class:42
           run_and_exit at /usr/share/enterprise-search/lib/war/shared_togo/lib/shared_togo/cli/command.class:10
  run_supported_command at /usr/share/enterprise-search/lib/war/shared_togo/lib/shared_togo/cli.class:143
            run_command at /usr/share/enterprise-search/lib/war/shared_togo/lib/shared_togo/cli.class:125
                   run! at /usr/share/enterprise-search/lib/war/shared_togo/lib/shared_togo/cli.class:112
                 <main> at bin/enterprise-search-internal:15

And the reason was the SSL key, which had "Bag Attributes". After I removed those, everything is running.

Below is the configuration for Elasticsearch SSL:

elasticsearch.ssl.enabled: true
elasticsearch.ssl.certificate: "/usr/share/enterprise-search/outfile.crt"
elasticsearch.ssl.certificate_authority: "/usr/share/enterprise-search/ca.crt"
elasticsearch.ssl.key: "/usr/share/enterprise-search/outfile.key"

Thanks.

Thanks Sean! Yeah, "I fixed it" was not very community friendly. I appreciate the pick-up.

So yes, I did end up using the keystore settings in the configuration file (yml). The other settings came from ES/WS 7.9.1 (Note: Kids, make sure you reference the new yml file from an RPM update. It might have saved me a lot of time.).

I ended up using the certificate tool from one of my elasticsearch nodes in order to create the PKCS12 keystore, setting the password and pointing to that in the config.

./elasticsearch-certutil cert -name ent-search.domain.com -dns ent-search.domain.com -ip 192.168.30.100

Modified yml file:

ent_search.ssl.enabled: true
ent_search.ssl.keystore.path: "/usr/share/enterprise-search/config/ent-search.domain.com.p12"
ent_search.ssl.keystore.password: "changeme"

That was it!

Thanks again for the replies... my main goal was to get the SharePoint Online content source working... which I have now accomplished.

-Chris

1 Like

Perfect, thanks for the extra context, @christopher.farmer!

Wanted to let you know, your feedback has led to the existence of an SSL/TLS Guide for Enterprise Search. Yay community! :fist_right: :fist_left:

1 Like