Spring Data ElasticSearch with SSL

Daniel_Schneider · December 18, 2022, 6:26pm

Hi,

I'm trying to understand how basic SSL works using Spring Data Elasticsearch.
In order to use SSL for Secure HTTPS configuration you need to call usingSsl() method without any parameter during creation of RestHighLevelClient client:
ClientConfiguration.MaybeSecureClientConfigurationBuilder builder = ClientConfiguration.builder().usingSsl()

For common code example please refer to:

My question is how the client knows which trust store it should use for server certificate. Is it a property that should be provided in some configuration file? If yes, what is a name of the property and where it should be defined?

Thank you in advance
Daniel

Yang_Wang · December 19, 2022, 3:07am

This is more of a question for the spring data team than elasticsearch. That said, the Builder class has a overloaded usingSsl method that takes a SSLContext parameter.

github.com

spring-projects/spring-data-elasticsearch/blob/2ea568d2e41f0fc971de2714136884fc31347b24/src/main/java/org/springframework/data/elasticsearch/client/ClientConfigurationBuilder.java#L117


      
          
          
		this.useSsl = true;
          		return this;
          	}
          
          
	/*
          	 * (non-Javadoc)
          	 * @see org.springframework.data.elasticsearch.client.ClientConfiguration.MaybeSecureClientConfigurationBuilder#usingSsl(javax.net.ssl.SSLContext)
          	 */
          	@Override
          	public TerminalClientConfigurationBuilder usingSsl(SSLContext sslContext) {
          
          
		Assert.notNull(sslContext, "SSL Context must not be null");
          
          
		this.useSsl = true;
          		this.sslContext = sslContext;
          		return this;
          	}
          
          
	/*
          	 * (non-Javadoc)

Daniel_Schneider · December 19, 2022, 9:31am

Thank you. Yes, indeed, there is an overloaded method, but I would like to know how Elasticsearch server trust store is defined without parameters.

Yang_Wang · December 19, 2022, 10:46pm

The spring data code configures the client, not the server. Assuming your question is about how "client" truststore is configured without parameter. A reasonable guess would be it will use the JDK's default truststore (cacerts).

Daniel_Schneider · December 19, 2022, 10:59pm

Yes, it seems so. Spring Data should use default Elasticsearch certificate generated by publicly trusted CA installed on client's machine. Thank you very much.

system · January 16, 2023, 11:00pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.