Enterprise Search and SSL

Has anyone gotten Workplace Search to work over port 443? I believe I have set everything up correctly, but ES/WS will not start.

I get this, which doesn't really tell me anything and the logs don't either.

Enterprise Search is starting...
*** [DEPRECATION WARNING] The setting '#/ent_search/auth/source' is deprecated and will be removed in version '8.0.0'. Please use the new auth config format ent_search.auth.<auth_name>.source.
LoadError: load error: /usr/share/enterprise-search/lib/war/config/application -- java.lang.ClassCastException: org.bouncycastle.asn1.DLApplicationSpecific cannot be cast to org.bouncycastle.asn1.ASN1Sequence
                require at org/jruby/RubyKernel.java:978
                require at /usr/share/enterprise-search/lib/war/gems/gems/activesupport-4.2.11.3/lib/active_support/dependencies.rb:274
        load_dependency at /usr/share/enterprise-search/lib/war/gems/gems/activesupport-4.2.11.3/lib/active_support/dependencies.rb:240
                require at /usr/share/enterprise-search/lib/war/gems/gems/activesupport-4.2.11.3/lib/active_support/dependencies.rb:274
             initialize at /usr/share/enterprise-search/lib/war/shared_togo/lib/shared_togo/cli/command.class:36
             initialize at /usr/share/enterprise-search/lib/war/shared_togo/lib/shared_togo/cli/app_server_command.class:42
           run_and_exit at /usr/share/enterprise-search/lib/war/shared_togo/lib/shared_togo/cli/command.class:10
  run_supported_command at /usr/share/enterprise-search/lib/war/shared_togo/lib/shared_togo/cli.class:143
            run_command at /usr/share/enterprise-search/lib/war/shared_togo/lib/shared_togo/cli.class:125
                   run! at /usr/share/enterprise-search/lib/war/shared_togo/lib/shared_togo/cli.class:112
                 <main> at bin/enterprise-search-internal:15

My configuration looks like this:

ent_search.external_url: https://ent-search.msman.com:443
#
# Web application listen_host and listen_port.
# Your application will run on this host and port.
#
# * ent_search.listen_host: Must be a valid IPv4 or IPv6 address.
# * ent_search.listen_port: Must be a valid port number (1-65535).
#
ent_search.listen_host: 192.168.30.72
ent_search.listen_port: 443

...

ent_search.ssl.enabled: true
ent_search.ssl.certificate: "/usr/share/enterprise-search/config/elastic-wps-http.crt"
ent_search.ssl.key: "/usr/share/enterprise-search/config/elastic-wps-http.key"
#ent_search.ssl.keystore.path:
#ent_search.ssl.keystore.password:
#ent_search.ssl.keystore.key_password:
#ent_search.ssl.redirect_http_from_port:

What I would really like to see is a walk through on configuring SSL with Workplace Search like you have for Kibana and Elasticsearch.

Thanks!

-Chris

I figured it out. It was a certificate issue. (isn't it always... )

Thanks!

-Chris

@christopher.farmer you're too fast!

While you got it fixed, I'm going to expound on the solution, in case others run into the same and find your post.

First, thanks for pointing out that we're a bit short on our SSL/TLS configuration guidance. We'll work to get that fleshed out to be on-par with our other product guides.

Second, looks like this is the error you were likely running into: https://github.com/jruby/jruby-openssl/issues/104
The manner in which you generate your keyfile, therefore matters. Given that you have a PKCS12 file, keystore.p12,

openssl pkcs12 -in keystore.p12 -nocerts -nodes -out my_store.key

will generate a file that begins like:

Bag Attributes
    friendlyName: server-alias
    localKeyID: 54 69 6D 65 20 31 36 31 31 36 30 39 38 38 36 33 37 33
Key Attributes: <No Attributes>
-----BEGIN PRIVATE KEY-----
MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQCOLEC5CUH614cb
...

You can get rid of these troublesome "Bag Attributes" by instead running:

openssl pkcs12 -in keystore.p12  -nodes -nocerts -passin pass:changeme | openssl rsa -out my_store.key

It's worth noting, we don't have ent_search.ssl.certificate or ent_search.ssl.key documented as options - how did you find these were available?

We'd prefer for customers to use Java Key Store formatted files, and to use configs like:

ent_search.ssl.keystore.path: "/path/to/your/keystore.jks"
ent_search.ssl.keystore.password: "changeme"
ent_search.ssl.keystore.key_password: "changeme"
ent_search.ssl.redirect_http_from_port: 80

Such a self-signed keystore can be generated with these three commands:

keytool -genkey -alias server-alias -keyalg RSA -keypass changeme -storepass changeme -keystore keystore.jks
keytool -export -alias server-alias -storepass changeme -file server.cer -keystore keystore.jks
keytool -import -v -trustcacerts -alias server-alias -file server.cer -keystore cacerts.jks -keypass changeme -storepass changeme

You can read about those three commands here.

First, I follow this answer from Stackoverflow to input the configuration setting (enterprise-search.yml) for SSL in elasticsearch section: https://stackoverflow.com/a/64051320/5932828

Then I got the error as mentioned above.

LoadError: load error: /usr/share/enterprise-search/lib/war/config/application -- java.lang.ClassCastException: org.bouncycastle.asn1.DLApplicationSpecific cannot be cast to org.bouncycastle.asn1.ASN1Sequence
                require at org/jruby/RubyKernel.java:978
                require at /usr/share/enterprise-search/lib/war/gems/gems/activesupport-4.2.11.3/lib/active_support/dependencies.rb:274
        load_dependency at /usr/share/enterprise-search/lib/war/gems/gems/activesupport-4.2.11.3/lib/active_support/dependencies.rb:240
                require at /usr/share/enterprise-search/lib/war/gems/gems/activesupport-4.2.11.3/lib/active_support/dependencies.rb:274
             initialize at /usr/share/enterprise-search/lib/war/shared_togo/lib/shared_togo/cli/command.class:36
             initialize at /usr/share/enterprise-search/lib/war/shared_togo/lib/shared_togo/cli/app_server_command.class:42
           run_and_exit at /usr/share/enterprise-search/lib/war/shared_togo/lib/shared_togo/cli/command.class:10
  run_supported_command at /usr/share/enterprise-search/lib/war/shared_togo/lib/shared_togo/cli.class:143
            run_command at /usr/share/enterprise-search/lib/war/shared_togo/lib/shared_togo/cli.class:125
                   run! at /usr/share/enterprise-search/lib/war/shared_togo/lib/shared_togo/cli.class:112
                 <main> at bin/enterprise-search-internal:15

And the reason is from the SSL key, which has "Bag Attributes". So after I remove that, now all running.

Below is the configuration for elasticsearch SSL

elasticsearch.ssl.enabled: true
elasticsearch.ssl.certificate: "/usr/share/enterprise-search/outfile.crt"
elasticsearch.ssl.certificate_authority: "/usr/share/enterprise-search/ca.crt"
elasticsearch.ssl.key: "/usr/share/enterprise-search/outfile.key"

Thanks.

Thanks Sean! Yeah, "I fixed it" was not very community friendly. I appreciate the pick-up.

So yes, I did end up using the keystore settings in the configuration file (yml). The other settings came from ES/WS 7.9.1 (Note: Kids, make sure you reference the new yml file from an RPM update. It might have saved me a lot of time.).

I ended up using the certificate tool from one of my elasticsearch nodes in order to create the PKCS12 keystore, setting the password and pointing to that in the config.

./elasticsearch-certutil cert -name ent-search.domain.com -dns ent-search.domain.com, 192.168.30.100

Modified yml file:

ent_search.ssl.enabled: true
ent_search.ssl.keystore.path: "/usr/share/enterprise-search/config/ent-search.domain.com.p12"
ent_search.ssl.keystore.password: "changeme"

That was it!

Thanks again for the replies... my main goal was to get the SharePoint Online content source working... which I have now accomplished.

-Chris

Perfect, thanks for the extra context, @christopher.farmer!

Wanted to let you know, your feedback has led to the existence of an SSL/TLS Guide for Enterprise Search. Yay community!