Configuring the EventLogging server to connect to a secured Elasticsearch - 7.1

Talend ESB Infrastructure Services Configuration Guide

EnrichVersion
7.1
EnrichProdName
Talend Data Fabric
Talend Data Services Platform
Talend ESB
Talend MDM Platform
Talend Open Studio for ESB
Talend Real-Time Big Data Platform
EnrichPlatform
Talend ESB
Talend Runtime
task
Design and Development
Installation and Upgrade
This procedure explains how to configure the EventLogging server to access a secured Elasticsearch.

Before you begin

Prerequisite:

Procedure

  1. Start the Talend Runtime container to access the secured Elasticsearch.source scripts/configEventLogging_REST.sh agent1 tesb:start-locator
  2. Edit the etc/org.talend.eventlogging.server.cfg file in the Talend Runtime container, as follows:
    elasticsearch.secured=true
    elasticsearch.ssl.truststore=any
    elasticsearch.ssl.truststore.password=none
    elasticsearch.ssl.pass.hostname=any
    elasticsearch.username=es_admin
    elasticsearch.password=es_admin
    You can set different values for the elasticsearch.username and elasticsearch.password properties, depending on the Elasticsearch configuration.
  3. (Optional) Create a TrustStore in the JKS format by importing the Elasticsearch server public key:
    keytool -export -rfc -keystore keystore.jks -storepass password -alias mykey -file esServer.cer
                                keytool -import -trustcacerts -keystore truststore.jks -storepass password -alias mytrust -file esServer.cer -noprompt
    In the etc/org.talend.eventlogging.server.cfg file, add the TrustStore configuration properties:
    elasticsearch.ssl.truststore=./etc/keystores/truststore.jks
    elasticsearch.ssl.truststore.password=password
    With this configuration, the EventLogging server only trusts the certificates provided in the truststore.jks file.
    Refresh the Elasticsearch server bundle to activate the changes:
    karaf@trun>refresh event-logging-server
  4. From your browser, open https://localhost:9200/talendesb-%3Cyyyy%3E.%3Cmm%3E.%3Cdd%3E/ESB/_search?pretty=true to test the configuration.

    You should see the hits and total numbers increasing continuously. If not, refer to the troubleshooting note below.

    Troubleshooting

    [2016-10-19 16:13:46,437][DEBUG][rest.suppressed          ] path: /talendesb-2016.10.19/ESB, params: {index=talendesb-20
    16.10.19, type=ESB}
    ElasticsearchSecurityException[unable to authenticate user [es_admin11] for REST request [/talendesb-2016.10.19/ESB]]
            at org.elasticsearch.shield.support.Exceptions.authenticationError(Exceptions.java:39)

    The input you provided in the elasticsearch.username or elasticsearch.password property is not correct.

    [2016-10-17 11:19:13,069][WARN ][shield.transport.netty   ] [Knickknack] Caught exception while handling client http tra
    ffic, closing connection [id: 0x22446442, /127.0.0.1:52527 => /127.0.0.1:9200]
    javax.net.ssl.SSLException: Received fatal alert: certificate_unknown
            at sun.security.ssl.Alerts.getSSLException(Alerts.java:208)
            at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1666)

    The elasticsearch.ssl.truststore parameter has been configured but the JKS TrustStore does not reference the imported Elasticsearch certificate.

    Caused by: java.security.UnrecoverableKeyException: Password verification failed
        at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:778)[:1.8.0_101]

    Exception in the Talend Runtime log meaning the keystore password you defined in the elasticsearch.ssl.truststore.password property is not correct.

    javax.net.ssl.SSLPeerUnverifiedException: Host name 'localhost' does not match the certificate subject provided by the peer (CN=localhost, OU=ESB, O=Talend, L=Beijing, ST=Beijing, C=CN)
        at org.apache.http.conn.ssl.SSLConnectionSocketFactory.verifyHostname(SSLConnectionSocketFactory.java:465)[274:org.apache.httpcomponents.httpclient:4.5.2]
    Exception in the Talend Runtime log meaning the Elasticsearch hostname you provided has failed verification. Input the correct Elasticsearch hostname or type in the value "any" in the elasticsearch.ssl.hostname property.