Uploaded image for project: 'Nuxeo Platform'
  1. Nuxeo Platform
  2. NXP-26074

Enable use of a custom Elasticsearch RestClient Truststore

    XMLWordPrintable

    Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 9.10
    • Fix Version/s: 9.10-HF22, 10.3
    • Component/s: Elasticsearch
    • Release Notes Summary:
      An Elasticsearch RestClient Truststore can now be configured.
    • Impact type:
      Configuration Change
    • Upgrade notes:
      Hide

      The following nuxeo.conf properties can be set to define appropriate TLS/SSL configuration for the Elasticsearch RestClient:

      • elasticsearch.restClient.truststore.path
      • elasticsearch.restClient.truststore.password
      • elasticsearch.restClient.truststore.type
      • elasticsearch.restClient.keystore.path
      • elasticsearch.restClient.keystore.password
      • elasticsearch.restClient.keystore.type

      The following properties are deprecated (they were misnamed and are actually referring to the trustStore, not the keyStore):

      • elasticsearch.restClient.keystorePath
      • elasticsearch.restClient.keystorePassword
      • elasticsearch.restClient.keystoreType

      If more fine-grained configuration is needed than properties, the following extension point can be used instead:

        <require>org.nuxeo.elasticsearch.defaultConfig</require>
        <extension target="org.nuxeo.elasticsearch.ElasticSearchComponent" point="elasticSearchClient">
          <elasticSearchClient class="org.nuxeo.elasticsearch.client.ESRestClientFactory">
            ...
            <option name="trustStorePath">/path/to/cacerts.jks</option>
            <option name="trustStorePassword">changeit</option>
            <option name="trustStoreType">jks</option>
            <option name="keyStorePath">/path/to/keystore.jks</option>
            <option name="keyStorePassword">changeit</option>
            <option name="keyStoreType">jks</option>
          </elasticSearchClient>
        </extension>
      
      Show
      The following nuxeo.conf properties can be set to define appropriate TLS/SSL configuration for the Elasticsearch RestClient: elasticsearch.restClient.truststore.path elasticsearch.restClient.truststore.password elasticsearch.restClient.truststore.type elasticsearch.restClient.keystore.path elasticsearch.restClient.keystore.password elasticsearch.restClient.keystore.type The following properties are deprecated (they were misnamed and are actually referring to the trustStore, not the keyStore): elasticsearch.restClient.keystorePath elasticsearch.restClient.keystorePassword elasticsearch.restClient.keystoreType If more fine-grained configuration is needed than properties, the following extension point can be used instead: <require> org.nuxeo.elasticsearch.defaultConfig </require> <extension target= "org.nuxeo.elasticsearch.ElasticSearchComponent" point= "elasticSearchClient" > <elasticSearchClient class= "org.nuxeo.elasticsearch.client.ESRestClientFactory" > ... <option name= "trustStorePath" > /path/to/cacerts.jks </option> <option name= "trustStorePassword" > changeit </option> <option name= "trustStoreType" > jks </option> <option name= "keyStorePath" > /path/to/keystore.jks </option> <option name= "keyStorePassword" > changeit </option> <option name= "keyStoreType" > jks </option> </elasticSearchClient> </extension>
    • Sprint:
      nxFG 10.3.9
    • Story Points:
      2

      Description

      The Elasticsearch RestClient currently allows a custom Keystore to be used. It should also allow a custom Truststore to be used as well.

      By allowing a custom Elasticsearch RestClient Truststore to be specified, the configuration of a secure connection between the nuxeo-apb and the nuxeo-elasticsearch-apb on OpenShift is simplified and improved.

      No longer does the nuxeo-elasticsearch-apb self-signed CA certificate need to be imported into the jvm-wide Nuxeo trustore. Instead, it can be imported into its own elasticsearch-specific truststore for direct use by Nuxeo. This also potentially eliminates the need in the nuxeo-apb to set ssl-related JVM system properties.

      An SSL best practice is to use a specific SSLContext for each secure client connection rather than relying on the global, DefaultSSLContext which is configured via JVM system properties. In some cases, using JVM system properties to set keystore/truststore passwords is problematic because the passwords appear on the java entry in the process list.

        Attachments

          Issue Links

            Activity

              People

              • Votes:
                0 Vote for this issue
                Watchers:
                4 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved:

                  Time Tracking

                  Estimated:
                  Original Estimate - Not Specified
                  Not Specified
                  Remaining:
                  Remaining Estimate - 0 minutes
                  0m
                  Logged:
                  Time Spent - 1 hour
                  1h

                    PagerDuty

                    Error rendering 'com.pagerduty.jira-server-plugin:PagerDuty'. Please contact your Jira administrators.