Configure TLS/SSL and Authentication for Elasticsearch 8.x in Performance Monitoring Toolset


ColdFusion Performance Monitoring Toolset uses Elasticsearch 8.2.x as its datastore. Because vital information about your servers is collected and stored in the datastore, you need end-to-end encryption.

What has changed

The Elasticsearch version has been upgraded from 5.x to 8.x in the ColdFusion (2023 release) Performance Monitoring Toolset.

Create SSL certificates and enable TLS for Elasticsearch on a node (node-1)

Generate CA and server certificates

Generate certificates by using certgen in Elasticsearch

Run elasticsearch-certgen at this path:

ColdFusion2023PerformanceMonitoringToolset/datastore/bin.

Generating the certificates requires some basic information. See the terminal output below for reference.

Enter the desired output file [C:/ColdFusion2023PerformanceMonitoringToolset/datastore/config/x-pack/certificate-bundle.zip]:

  • Enter instance name: <node-1>
  • Enter name for directories and files [Datastore instance name]:
  • Enter IP Addresses for instance (comma-separated if more than one) []: 1.2.3.4
  • Enter DNS names for instance (comma-separated if more than one) []: Datastore instance DNS

Would you like to specify another instance? Press 'y' to continue entering instance information:

Certificates written to C:/ColdFusion2023PerformanceMonitoringToolset/datastore/config/x-pack/certificate-bundle.zip:

  1. Unzip the certificates generated at: ColdFusion2023PerformanceMonitoringToolset/datastore/config/x-pack/certificate-bundle.zip.
  2. Move the generated .crt files and .key files to the C:/ColdFusion2021PerformanceMonitoringToolset/datastore/config folder.

This is a mandatory step.

Note:

The ca.crt file is a self-signed certificate. For production deployment, you must submit it to the certificate authority, and get it signed.

Include certificate paths in elasticsearch.yml file

The file is located at ColdFusion2023PerformanceMonitoringToolset/datastore/config.

  1. Include the following keys in this file:

    1. cluster.initial_master_nodes: [ "node1" ]
    2. node.name: node1
    3. network.host: node1.elastic.test.com
    4. xpack.security.enabled: true
    5. xpack.security.http.ssl.enabled: true
    6. xpack.security.transport.ssl.enabled: true
    7. xpack.security.http.ssl.key: certs/node1.key
    8. xpack.security.http.ssl.certificate: certs/node1.crt
    9. xpack.security.http.ssl.certificate_authorities: certs/ca.crt
    10. xpack.security.transport.ssl.key: certs/node1.key
    11. xpack.security.transport.ssl.certificate: certs/node1.crt
    12. xpack.security.transport.ssl.certificate_authorities: certs/ca.crt
    13. discovery.seed_hosts: [ "node1.elastic.test.com" ]
    Note:

    There is a space after each colon.

  2. Set a password, reset a password, or add a new user by using the following scripts, located at ColdFusion2023PerformanceMonitoringToolset/datastore/bin:

    • ./elasticsearch-users useradd <user>
      Enter new password:
      Retype new password: 
    • ./elasticsearch-users useradd elastic2  -p changeme -r all
    • ./elasticsearch-reset-password -u elastic 

    This tool will reset the password of the [elastic] user to an autogenerated value.

    The password will be printed in the console.

  3. Restart Elasticsearch. To test SSL and authentication, type this URL:

    https://[ES_HOST]:[ES_PORT]

    Note:

    Use https for all communication from now on. The browser should also prompt for a username and password.
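A pre-restart check for the elasticsearch.yml settings in step 1, added here as an example (not Adobe's or Elastic's code): it flags a missing space after a colon, two keys merged on one line, duplicate keys, TLS flags that are not true, and certificate or key paths that do not exist under the config directory. It assumes a flat, one-key-per-line file rather than full YAML; check_config and SAMPLE are names chosen for this example.

```python
import os
import re

# Settings from step 1: three flags that must be true and six certificate/key paths.
REQUIRED_TRUE = ["xpack.security.enabled", "xpack.security.http.ssl.enabled",
                 "xpack.security.transport.ssl.enabled"]
PATH_KEYS = [f"xpack.security.{layer}.ssl.{kind}"
             for layer in ("http", "transport")
             for kind in ("key", "certificate", "certificate_authorities")]

# Constructed sample with three mistakes: merged keys, missing space, duplicate key.
SAMPLE = """\
cluster.initial_master_nodes: [ "node1" ]
node.name: node1 network.host: node1.elastic.test.com
xpack.security.enabled:true
cluster.initial_master_nodes: [ "node1" ]
"""

def check_config(text, config_dir=None):
    """Return a list of problems found in flat 'key: value' elasticsearch.yml text."""
    problems, values, first_seen = [], {}, {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"([A-Za-z0-9_.]+):(\s*)(.*)$", line)
        if not m:
            problems.append(f"line {lineno}: not a 'key: value' pair")
            continue
        key, space, value = m.groups()
        if value and not space:
            problems.append(f"line {lineno}: no space after the colon in {key}")
        if re.search(r"\s[A-Za-z0-9_.]+:\s", value):
            problems.append(f"line {lineno}: second key on the same line as {key}")
        if key in first_seen:
            problems.append(f"line {lineno}: duplicate key {key} (first on line {first_seen[key]})")
        first_seen.setdefault(key, lineno)
        values[key] = value
    for key in REQUIRED_TRUE:
        if values.get(key) != "true":
            problems.append(f"{key} must be true, found {values.get(key)!r}")
    for key in PATH_KEYS:
        # Relative paths are resolved against the Elasticsearch config directory.
        paths = re.findall(r"[^\s\[\],\"']+", values.get(key, ""))
        if not paths:
            problems.append(f"{key} is missing")
        for path in paths:
            if config_dir and not os.path.isfile(os.path.join(config_dir, path)):
                problems.append(f"{key}: {path} not found under {config_dir}")
    return problems
```

Pass the file's text and the datastore/config folder as config_dir; an empty list means every check passed.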

Import certificates to JVMs of PMT and ColdFusion

Use the Java keytool to import the generated ca.crt into the keystore of the JVMs of PMT and ColdFusion that you want to monitor. Use the following command:

keytool -importcert -alias [aliasname] -keystore "[path to keystore]" -storepass [password of keystore] -file [path to ca.crt]

default_keystore_path = ColdFusion2023/jre/lib/security/cacerts, ColdFusion2021PerformanceMonitoringToolset/jre/lib/security/cacerts

default_keystore_password = changeit

Note:

You can use tools like KeyStore Explorer (https://keystore-explorer.org/) to import certificates directly from the server.

Restart JVM.

Performance Monitoring Toolset changes

Run the datastore.bat/datastore.sh file located at ColdFusion2023PerformanceMonitoringToolset/bin.

This utility is used to update the details of datastore.

Enter datastore host [localhost]: <host IP>

Enter datastore port [9200]:  <port>

Is datastore running over SSL [N]? (Y/N): y

Enter datastore username: <user-name>

Enter datastore password: <password>

Restart Performance Monitoring Toolset for the changes to reflect.

Post-upgrade benefits

  1. Elasticsearch takes less disk space than previous versions to store data.
  2. Enhanced performance of Elasticsearch.
  3. Security features such as SSL/TLS, which previously depended on third-party licensing of X-Pack, are now free and part of Elasticsearch itself.
