Nuxeo Platform: NXP-26074

Enable use of a custom Elasticsearch RestClient Truststore


    Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 9.10
    • Fix Version/s: 9.10-HF22, 10.3
    • Component/s: Elasticsearch
    • Release Notes Summary:
      An Elasticsearch RestClient Truststore can now be configured.
    • Impact type:
      Configuration Change
    • Upgrade notes:

      The following nuxeo.conf properties can be set to define appropriate TLS/SSL configuration for the Elasticsearch RestClient:

      • elasticsearch.restClient.truststore.path
      • elasticsearch.restClient.truststore.password
      • elasticsearch.restClient.truststore.type
      • elasticsearch.restClient.keystore.path
      • elasticsearch.restClient.keystore.password
      • elasticsearch.restClient.keystore.type

      The following properties are deprecated (they were misnamed and are actually referring to the trustStore, not the keyStore):

      • elasticsearch.restClient.keystorePath
      • elasticsearch.restClient.keystorePassword
      • elasticsearch.restClient.keystoreType

      If finer-grained configuration than nuxeo.conf properties is needed, the same settings can be contributed through the following extension point instead:

        <require>org.nuxeo.elasticsearch.defaultConfig</require>
        <extension target="org.nuxeo.elasticsearch.ElasticSearchComponent" point="elasticSearchClient">
          <elasticSearchClient class="org.nuxeo.elasticsearch.client.ESRestClientFactory">
            ...
            <option name="trustStorePath">/path/to/cacerts.jks</option>
            <option name="trustStorePassword">changeit</option>
            <option name="trustStoreType">jks</option>
            <option name="keyStorePath">/path/to/keystore.jks</option>
            <option name="keyStorePassword">changeit</option>
            <option name="keyStoreType">jks</option>
          </elasticSearchClient>
        </extension>
      
    • Sprint:
      nxFG 10.3.9
    • Story Points:
      2

      Description

      The Elasticsearch RestClient currently allows a custom Keystore to be used. It should also allow a custom Truststore to be used as well.

      Allowing a custom Elasticsearch RestClient truststore to be specified simplifies and improves the configuration of a secure connection between the nuxeo-apb and the nuxeo-elasticsearch-apb on OpenShift.

      The nuxeo-elasticsearch-apb self-signed CA certificate no longer needs to be imported into the JVM-wide Nuxeo truststore. Instead, it can be imported into its own Elasticsearch-specific truststore that only the Elasticsearch client uses. This also potentially removes the need for the nuxeo-apb to set SSL-related JVM system properties.

      A TLS best practice is to give each secure client connection its own SSLContext rather than relying on the global default SSLContext, which is configured through the javax.net.ssl.* JVM system properties. Using JVM system properties to set keystore/truststore passwords is also problematic in some deployments: -D arguments are part of the command line, so the passwords are visible on the java entry in the process list to anyone who can run ps on the host.
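
      The following is an added illustration of the approach described above and is not Nuxeo code: it builds a client-specific SSLContext from the six settings the upgrade notes expose (truststore and keystore path, password and type) and hands it to the Elasticsearch low-level RestClient, so neither the JVM-wide cacerts nor the javax.net.ssl.* -D properties are touched. The class name, the properties-file argument, the host name elasticsearch.example.internal and the assumption that the private key shares the keystore password are all hypothetical; the performRequest(String, String) call is the 5.x/6.x low-level client signature.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.util.Properties;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;
import org.apache.http.HttpHost;
import org.elasticsearch.client.RestClient;

/**
 * Added example, not Nuxeo code: give the Elasticsearch RestClient its own SSLContext built
 * from a dedicated truststore (and optional keystore) instead of importing the CA into the
 * JVM-wide cacerts and passing javax.net.ssl.* -D properties on the command line.
 */
public final class EsRestClientTlsExample {

    /** Load a KeyStore of the given type ("jks", "pkcs12", ...) from disk. */
    static KeyStore loadStore(Path path, char[] password, String type) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = Files.newInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    /**
     * Build an SSLContext that trusts only the CAs in the given truststore. When a keystore
     * path is supplied, its key pair is presented to Elasticsearch for mutual TLS
     * (assumption: the private key is protected by the same password as the keystore).
     */
    static SSLContext buildSslContext(Path trustStorePath, char[] trustStorePassword, String trustStoreType,
                                      Path keyStorePath, char[] keyStorePassword, String keyStoreType)
            throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(loadStore(trustStorePath, trustStorePassword, trustStoreType));

        KeyManager[] keyManagers = null; // null: no client certificate, server authentication only
        if (keyStorePath != null) {
            KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            kmf.init(loadStore(keyStorePath, keyStorePassword, keyStoreType), keyStorePassword);
            keyManagers = kmf.getKeyManagers();
        }

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(keyManagers, tmf.getTrustManagers(), null); // null SecureRandom: platform default
        return ctx;
    }

    /**
     * Wire the context into the RestClient. The scheme must be "https", otherwise the SSLContext
     * is never consulted. Hostname verification stays at HttpClient's default; do not swap in
     * NoopHostnameVerifier to "make it work" against a misnamed certificate.
     */
    static RestClient buildClient(String host, int port, SSLContext sslContext) {
        return RestClient.builder(new HttpHost(host, port, "https"))
                .setHttpClientConfigCallback(builder -> builder.setSSLContext(sslContext))
                .build();
    }

    public static void main(String[] args) throws Exception {
        // Hypothetical: the same keys the upgrade notes add to nuxeo.conf, read from a
        // properties file with restricted permissions rather than from -D flags, so the
        // passwords never appear in the process list.
        Properties p = new Properties();
        try (InputStream in = Files.newInputStream(Paths.get(args[0]))) {
            p.load(in);
        }
        String ksPath = p.getProperty("elasticsearch.restClient.keystore.path");
        SSLContext ctx = buildSslContext(
                Paths.get(p.getProperty("elasticsearch.restClient.truststore.path")),
                p.getProperty("elasticsearch.restClient.truststore.password").toCharArray(),
                p.getProperty("elasticsearch.restClient.truststore.type", "jks"),
                ksPath == null ? null : Paths.get(ksPath),
                ksPath == null ? null : p.getProperty("elasticsearch.restClient.keystore.password").toCharArray(),
                p.getProperty("elasticsearch.restClient.keystore.type", "jks"));

        // Hypothetical host. A server whose chain is not in the dedicated truststore fails
        // here with an SSLHandshakeException, which is exactly the check you want.
        try (RestClient client = buildClient("elasticsearch.example.internal", 9200, ctx)) {
            System.out.println(client.performRequest("GET", "/_cluster/health").getStatusLine());
        }
    }
}
```

      Before relying on the dedicated truststore, confirm it actually contains the Elasticsearch CA and nothing else with keytool -list -keystore /path/to/cacerts.jks; because the context is built from that file alone, the JVM's default cacerts plays no part in the connection and can be left untouched.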
