Configuring the EventLogging server to connect to a secured Elasticsearch - 7.1

Talend ESB Infrastructure Services Configuration Guide

This procedure explains how to configure the EventLogging server to access a secured Elasticsearch.

Before you begin

Prerequisite:

Procedure

  1. Start the Talend Runtime container to access the secured Elasticsearch:
    source scripts/configEventLogging_REST.sh agent1
    tesb:start-locator
  2. Edit the etc/org.talend.eventlogging.server.cfg file in the Talend Runtime container, as follows:
    elasticsearch.secured=true
    elasticsearch.ssl.truststore=any
    elasticsearch.ssl.truststore.password=none
    elasticsearch.ssl.pass.hostname=any
    elasticsearch.username=es_admin
    elasticsearch.password=es_admin
    You can set different values for the elasticsearch.username and elasticsearch.password properties, depending on the Elasticsearch configuration.
  3. (Optional) Create a TrustStore in the JKS format by importing the Elasticsearch server public key:
    keytool -export -rfc -keystore keystore.jks -storepass password -alias mykey -file esServer.cer
    keytool -import -trustcacerts -keystore truststore.jks -storepass password -alias mytrust -file esServer.cer -noprompt
    In the etc/org.talend.eventlogging.server.cfg file, add the TrustStore configuration properties:
    elasticsearch.ssl.truststore=./etc/keystores/truststore.jks
    elasticsearch.ssl.truststore.password=password
    With this configuration, the EventLogging server only trusts the certificates provided in the truststore.jks file.
    Refresh the Elasticsearch server bundle to activate the changes:
    karaf@trun>refresh event-logging-server
  4. From your browser, open https://localhost:9200/talendesb-<yyyy>.<mm>.<dd>/ESB/_search?pretty=true to test the configuration.

    You should see the hits and total numbers increasing continuously. If not, refer to the troubleshooting note below.

    Troubleshooting

    [2016-10-19 16:13:46,437][DEBUG][rest.suppressed          ] path: /talendesb-2016.10.19/ESB, params: {index=talendesb-2016.10.19, type=ESB}
    ElasticsearchSecurityException[unable to authenticate user [es_admin11] for REST request [/talendesb-2016.10.19/ESB]]
            at org.elasticsearch.shield.support.Exceptions.authenticationError(Exceptions.java:39)

    The value you provided for the elasticsearch.username or elasticsearch.password property is not correct.

    [2016-10-17 11:19:13,069][WARN ][shield.transport.netty   ] [Knickknack] Caught exception while handling client http traffic, closing connection [id: 0x22446442, /127.0.0.1:52527 => /127.0.0.1:9200]
    javax.net.ssl.SSLException: Received fatal alert: certificate_unknown
            at sun.security.ssl.Alerts.getSSLException(Alerts.java:208)
            at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1666)

    The elasticsearch.ssl.truststore parameter has been configured but the JKS TrustStore does not reference the imported Elasticsearch certificate.

    Caused by: java.security.UnrecoverableKeyException: Password verification failed
        at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:778)[:1.8.0_101]

    This exception in the Talend Runtime log means that the keystore password you defined in the elasticsearch.ssl.truststore.password property is not correct.

    javax.net.ssl.SSLPeerUnverifiedException: Host name 'localhost' does not match the certificate subject provided by the peer (CN=localhost, OU=ESB, O=Talend, L=Beijing, ST=Beijing, C=CN)
        at org.apache.http.conn.ssl.SSLConnectionSocketFactory.verifyHostname(SSLConnectionSocketFactory.java:465)[274:org.apache.httpcomponents.httpclient:4.5.2]

    This exception in the Talend Runtime log means that the Elasticsearch hostname you provided has failed verification. Enter the correct Elasticsearch hostname or set the value "any" in the elasticsearch.ssl.hostname property.
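
The values shown in steps 2 and 3 are sample values, so a deployment check can flag any that are still in place. The following script is an added example, not part of the Talend documentation or product: the function names and finding labels are hypothetical, and it assumes that a TrustStore value of "any" means no TrustStore restricts the trusted certificates, as the note in step 3 implies.

```shell
#!/usr/bin/env bash
# Added example: audit the Elasticsearch settings of an EventLogging server cfg file.

# Print the value of property $2 in properties file $1 (last assignment wins).
get_prop() {
    awk -v key="$2" '
        /^[ \t]*[#!]/ { next }                      # skip comment lines
        {
            i = index($0, "=")
            if (i == 0) next
            k = substr($0, 1, i - 1); v = substr($0, i + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t\r]+$/, "", v)
            if (k == key) val = v
        }
        END { print val }' "$1"
}

# Print one finding per line for cfg file $1; print nothing when every check passes.
audit_eventlogging_cfg() {
    local cfg=$1 ts name
    if [ "$(get_prop "$cfg" elasticsearch.secured)" != "true" ]; then
        echo "SECURED_OFF: elasticsearch.secured is not true"
    fi
    ts=$(get_prop "$cfg" elasticsearch.ssl.truststore)
    if [ -z "$ts" ] || [ "$ts" = "any" ]; then
        # Assumption: "any" means no TrustStore restricts which certificates are trusted.
        echo "TRUST_ANY: elasticsearch.ssl.truststore does not point to a TrustStore file"
    elif [ "$(get_prop "$cfg" elasticsearch.ssl.truststore.password)" = "password" ]; then
        echo "SAMPLE_STOREPASS: TrustStore still uses the sample keytool password"
    fi
    # The page spells the hostname property two ways, so both names are checked.
    for name in elasticsearch.ssl.pass.hostname elasticsearch.ssl.hostname; do
        if [ "$(get_prop "$cfg" "$name")" = "any" ]; then
            echo "HOSTNAME_ANY: $name=any accepts any certificate hostname"
        fi
    done
    if [ "$(get_prop "$cfg" elasticsearch.username)" = "es_admin" ] &&
       [ "$(get_prop "$cfg" elasticsearch.password)" = "es_admin" ]; then
        echo "SAMPLE_CREDS: sample es_admin/es_admin credentials still in use"
    fi
}

# Run the audit on the step 2 values from the page, written to a temporary file.
demo_step2_values() {
    local f; f=$(mktemp)
    printf '%s\n' elasticsearch.secured=true elasticsearch.ssl.truststore=any \
        elasticsearch.ssl.truststore.password=none elasticsearch.ssl.pass.hostname=any \
        elasticsearch.username=es_admin elasticsearch.password=es_admin > "$f"
    audit_eventlogging_cfg "$f"
    rm -f "$f"
}
demo_step2_values
```

Run against the real file with `audit_eventlogging_cfg etc/org.talend.eventlogging.server.cfg`; an empty result means none of the sample values remain.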