Configuring the EventLogging server to connect to a secured Elasticsearch

This procedure explains how to configure the EventLogging server to access a secured Elasticsearch.

Before you begin

Prerequisite:

You must have set up SSL/TLS for Elasticsearch with Shield.

Procedure

Start the Talend Runtime container to access the secured Elasticsearch.source scripts/configEventLogging_REST.sh agent1 tesb:start-locator
Edit the etc/org.talend.eventlogging.server.cfg file in the Talend Runtime container, as follows:
```
elasticsearch.secured=true
elasticsearch.ssl.truststore=any
elasticsearch.ssl.truststore.password=none
elasticsearch.ssl.pass.hostname=any
elasticsearch.username=es_admin
elasticsearch.password=es_admin
```
You can set different values for the elasticsearch.username and elasticsearch.password properties, depending on the Elasticsearch configuration.
(Optional) Create a TrustStore in the JKS format by importing the Elasticsearch server public key:
```
keytool -export -rfc -keystore keystore.jks -storepass password -alias mykey -file esServer.cer
                            keytool -import -trustcacerts -keystore truststore.jks -storepass password -alias mytrust -file esServer.cer -noprompt
```
In the etc/org.talend.eventlogging.server.cfg file, add the TrustStore configuration properties:
```
elasticsearch.ssl.truststore=./etc/keystores/truststore.jks
elasticsearch.ssl.truststore.password=password
```
With this configuration, the EventLogging server only trusts the certificates provided in the truststore.jks file.
Refresh the Elasticsearch server bundle to activate the changes:
```
karaf@trun>refresh event-logging-server
```

From your browser, open https://localhost:9200/talendesb-%3Cyyyy%3E.%3Cmm%3E.%3Cdd%3E/ESB/_search?pretty=true to test the configuration.

You should see the hits and total numbers increasing continuously. If not, refer to the troubleshooting note below.

Troubleshooting

[2016-10-19 16:13:46,437][DEBUG][rest.suppressed          ] path: /talendesb-2016.10.19/ESB, params: {index=talendesb-20
16.10.19, type=ESB}
ElasticsearchSecurityException[unable to authenticate user [es_admin11] for REST request [/talendesb-2016.10.19/ESB]]
        at org.elasticsearch.shield.support.Exceptions.authenticationError(Exceptions.java:39)

The input you provided in the elasticsearch.username or elasticsearch.password property is not correct.

[2016-10-17 11:19:13,069][WARN ][shield.transport.netty   ] [Knickknack] Caught exception while handling client http tra
ffic, closing connection [id: 0x22446442, /127.0.0.1:52527 => /127.0.0.1:9200]
javax.net.ssl.SSLException: Received fatal alert: certificate_unknown
        at sun.security.ssl.Alerts.getSSLException(Alerts.java:208)
        at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1666)

The elasticsearch.ssl.truststore parameter has been configured but the JKS TrustStore does not reference the imported Elasticsearch certificate.

Caused by: java.security.UnrecoverableKeyException: Password verification failed
    at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:778)[:1.8.0_101]

Exception in the Talend Runtime log meaning the keystore password you defined in the elasticsearch.ssl.truststore.password property is not correct.

javax.net.ssl.SSLPeerUnverifiedException: Host name 'localhost' does not match the certificate subject provided by the peer (CN=localhost, OU=ESB, O=Talend, L=Beijing, ST=Beijing, C=CN)
    at org.apache.http.conn.ssl.SSLConnectionSocketFactory.verifyHostname(SSLConnectionSocketFactory.java:465)[274:org.apache.httpcomponents.httpclient:4.5.2]

Exception in the Talend Runtime log meaning the Elasticsearch hostname you provided has failed verification. Input the correct Elasticsearch hostname or type in the value "any" in the elasticsearch.ssl.hostname property.

Did this page help you?

If you find any issues with this page or its content – a typo, a missing step, or a technical error – please let us know!

Leave your feedback here