Configure TLS/SSL and Authentication for Elasticsearch 8.x in Performance Monitoring Toolset

ColdFusion Performance Monitoring Toolset uses Elasticsearch 8.2.x as its datastore. Because vital information about your servers is collected and stored there, the traffic between ColdFusion, the Toolset, and the datastore should be encrypted end to end, and the datastore should require authentication.

What has changed

The Elasticsearch version bundled with the ColdFusion (2023 release) Performance Monitoring Toolset has been upgraded from 5.x to 8.x.

Create SSL certificates and enable TLS for Elasticsearch on a node (node-1)

Generate CA and server certificates

Generate certificates by using certgen in Elasticsearch

Run elasticsearch-certgen from this path:

ColdFusion2023PerformanceMonitoringToolset/datastore/bin

Note: elasticsearch-certgen is deprecated in Elasticsearch 8.x; elasticsearch-certutil in the same directory is the supported replacement, and with its --pem option produces the same kind of ca.crt, node .crt and .key files used below.

The tool prompts for some basic information about the node. See the terminal output below for reference.

Enter the desired output file [C:/ColdFusion2023PerformanceMonitoringToolset/datastore/config/x-pack/certificate-bundle.zip]:

  • Enter instance name: <node-1>
  • Enter name for directories and files [Datastore instance name]:
  • Enter IP Addresses for instance (comma-separated if more than one) []: 1.2.3.4
  • Enter DNS names for instance (comma-separated if more than one) []: Datastore instance DNS

Would you like to specify another instance? Press 'y' to continue entering instance information:

Certificates written to C:/ColdFusion2023PerformanceMonitoringToolset/datastore/config/x-pack/certificate-bundle.zip:

  1. Unzip the certificates generated at: ColdFusion2023PerformanceMonitoringToolset/datastore/config/x-pack/certificate-bundle.zip.
  2. Move the generated .crt and .key files to the C:/ColdFusion2023PerformanceMonitoringToolset/datastore/config/certs folder. The certificate paths in elasticsearch.yml are resolved relative to the config directory, so adjust them if you place the files elsewhere.

This is a mandatory step.

Note:

The generated ca.crt is a self-signed certificate authority created by the tool, and clients will not trust it until it is imported into their trust stores. For a production deployment, have the node certificate issued by your organization's certificate authority (or a public CA) instead of relying on this self-signed CA.

Include certificate paths in elasticsearch.yml file

The file is located at ColdFusion2023PerformanceMonitoringToolset/datastore/config.

  1. Include the following keys in this file:

    1. cluster.initial_master_nodes: [ "node1" ]
    2. node.name: node1
    3. network.host: node1.elastic.test.com
    4. xpack.security.enabled: true
    5. xpack.security.http.ssl.enabled: true
    6. xpack.security.transport.ssl.enabled: true
    7. xpack.security.http.ssl.key: certs/node1.key
    8. xpack.security.http.ssl.certificate: certs/node1.crt
    9. xpack.security.http.ssl.certificate_authorities: certs/ca.crt
    10. xpack.security.transport.ssl.key: certs/node1.key
    11. xpack.security.transport.ssl.certificate: certs/node1.crt
    12. xpack.security.transport.ssl.certificate_authorities: certs/ca.crt
    13. discovery.seed_hosts: [ "node1.elastic.test.com" ]
    Note:

    There is a space after each colon (YAML requires it), each key appears exactly once and on its own line, and the certificate paths are relative to the config directory, so they must match where you placed the files. Use the node name and host name you entered when generating the certificate, so that the certificate's subject and SAN match the address that clients connect to.

  2. Set a password, reset a password, or add a new user with the following scripts in ColdFusion2023PerformanceMonitoringToolset/datastore/bin. These tools manage users in the Elasticsearch file realm (elasticsearch-users) and the built-in users (elasticsearch-reset-password); choose a strong password rather than a placeholder such as changeme, and reset the built-in elastic password before exposing the datastore on the network.

    • ./elasticsearch-users useradd <user>
      Enter new password:
      Retype new password:
    • ./elasticsearch-users useradd elastic2  -p changeme -r all
    • ./elasticsearch-reset-password -u elastic

    This tool resets the password of the [elastic] user to an autogenerated value.

    The password is printed in the console.

  3. Restart Elasticsearch. To test TLS and authentication, open this URL in a browser:

    https://[ES_HOST]:[ES_PORT]

    Note:

    Communication now uses HTTPS, and the browser should prompt for a username and password. Until you import ca.crt into the browser or operating-system trust store, the browser also warns that the certificate is not trusted, because it was signed by the self-signed CA generated above; a plain http:// request to the same port should no longer work.
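To catch the mistakes the note above warns about (a missing space after a colon, two settings run together on one line, a key defined twice) and to confirm that every TLS and authentication setting is present before you restart, the following Python script audits an elasticsearch.yml. It is an added example, not part of the Toolset or of Elasticsearch; the WEAK_YML and HARDENED_YML samples are constructed inline, and the checker assumes the flat key: value layout shown above (nested YAML blocks are reported as unparseable, not interpreted).

```python
"""Audit an elasticsearch.yml for the TLS and authentication settings described above.

Added example, not part of the ColdFusion PMT distribution or of Elasticsearch.
Assumes the flat `key: value` layout used on this page.
"""
import os
import re
from typing import Dict, List, Optional

# Settings that must be present and true for encrypted, authenticated access.
REQUIRED_TRUE = (
    "xpack.security.enabled",
    "xpack.security.http.ssl.enabled",
    "xpack.security.transport.ssl.enabled",
)
# Settings that must point at key and certificate material for both listeners.
REQUIRED_FILES = (
    "xpack.security.http.ssl.key",
    "xpack.security.http.ssl.certificate",
    "xpack.security.http.ssl.certificate_authorities",
    "xpack.security.transport.ssl.key",
    "xpack.security.transport.ssl.certificate",
    "xpack.security.transport.ssl.certificate_authorities",
)

# key, the whitespace after the colon (empty means a missing space), and the value
_LINE = re.compile(r"^\s*([A-Za-z0-9_.\-]+):(\s*)(.*?)\s*$")
# a second `key:` inside a value means two settings were fused onto one line
_FUSED = re.compile(r"\s[A-Za-z0-9_.\-]+:(\s|$)")


def audit(text: str, config_dir: Optional[str] = None) -> List[str]:
    """Return findings for the given elasticsearch.yml text; an empty list passes.

    When config_dir is given, relative certificate paths are resolved against it and
    checked for existence and (on POSIX) for an over-permissive private key.
    """
    findings: List[str] = []
    seen: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments
        if not line.strip():
            continue
        m = _LINE.match(line)
        if not m:
            findings.append(f"unparseable line: {line.strip()!r}")
            continue
        key, gap, value = m.groups()
        if value and not gap:
            findings.append(f"{key}: missing space after the colon, YAML reads the whole line as one string")
        if _FUSED.search(value):
            findings.append(f"{key}: several settings on one line, put each key on its own line")
        if key in seen:
            findings.append(f"{key}: defined more than once, keep a single definition")
        seen[key] = value.strip('"').strip("'")

    for key in REQUIRED_TRUE:
        if seen.get(key, "").lower() != "true":
            findings.append(f"{key} must be true (found {seen.get(key, '<unset>')!r})")
    for key in REQUIRED_FILES:
        path = seen.get(key)
        if not path:
            findings.append(f"{key} is not set")
            continue
        if config_dir is None:
            continue
        full = path if os.path.isabs(path) else os.path.join(config_dir, path)
        if not os.path.isfile(full):
            findings.append(f"{key} points at {full}, which does not exist")
        elif key.endswith(".key") and os.name == "posix" and os.stat(full).st_mode & 0o077:
            findings.append(f"{full} is readable by group or others, restrict the private key to the Elasticsearch user")
    return findings


def check_file(path: str) -> List[str]:
    """Audit an elasticsearch.yml on disk, resolving certificate paths against its directory."""
    with open(path, encoding="utf-8") as fh:
        return audit(fh.read(), config_dir=os.path.dirname(os.path.abspath(path)))


# Constructed samples: the insecure defaults, and the configuration this page describes.
WEAK_YML = """\
cluster.name: pmt-datastore
node.name: node1
network.host: 0.0.0.0
xpack.security.enabled: false
xpack.security.http.ssl.enabled:false
"""

HARDENED_YML = """\
cluster.initial_master_nodes: [ "node1" ]
node.name: node1
network.host: node1.elastic.test.com
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.http.ssl.key: certs/node1.key
xpack.security.http.ssl.certificate: certs/node1.crt
xpack.security.http.ssl.certificate_authorities: certs/ca.crt
xpack.security.transport.ssl.key: certs/node1.key
xpack.security.transport.ssl.certificate: certs/node1.crt
xpack.security.transport.ssl.certificate_authorities: certs/ca.crt
discovery.seed_hosts: [ "node1.elastic.test.com" ]
"""

if __name__ == "__main__":
    import sys
    problems = check_file(sys.argv[1]) if len(sys.argv) > 1 else audit(WEAK_YML)
    print("\n".join(problems) if problems else "OK: TLS and authentication settings present")
```

Run it as `python audit_es_yml.py ColdFusion2023PerformanceMonitoringToolset/datastore/config/elasticsearch.yml` (the script name is an assumption) to check the real file; with no argument it audits the constructed weak sample and lists every setting that still needs to be fixed. The private-key permission check only runs where a config directory is given, so it fires against the real file but not against the inline samples.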

Import certificates to JVMs of PMT and ColdFusion

Use the Java keytool to import the generated ca.crt into the truststore (cacerts) of the PMT JVM and of every ColdFusion JVM that you want to monitor. Use the following command:

keytool -importcert -alias [aliasname] -keystore "[path to keystore]" -storepass [password of keystore] -file [path to ca.crt]

Default keystore paths: ColdFusion2023/jre/lib/security/cacerts and ColdFusion2023PerformanceMonitoringToolset/jre/lib/security/cacerts

Default keystore password: changeit

Import the CA certificate (ca.crt) rather than the node certificate, so that trust survives renewal of the node certificate. If ColdFusion runs on a JVM other than the bundled one, import into that JVM's cacerts instead. You can confirm the import with keytool -list -keystore "[path to keystore]" -storepass [password of keystore] -alias [aliasname].

Note:

You can also use a tool such as KeyStore Explorer (https://keystore-explorer.org/) to import the certificate from the server directly.

Restart the JVMs after the import.

Performance Monitoring Toolset changes

Run the datastore.bat (Windows) or datastore.sh (Linux) file located in ColdFusion2023PerformanceMonitoringToolset/bin.

This utility updates the datastore connection details that the Toolset uses. Answer Y to the SSL prompt and supply the user you created in Elasticsearch, otherwise the Toolset will keep trying to reach the datastore over plain HTTP without credentials.

Enter datastore host [localhost]: <host IP>

Enter datastore port [9200]:  <port>

Is datastore running over SSL [N]? (Y/N): y

Enter datastore username: <user-name>

Enter datastore password: <password>

Restart Performance Monitoring Toolset for the changes to take effect.

Post-upgrade benefits

  1. Elasticsearch uses less disk space than previous versions to store the same data.
  2. Improved Elasticsearch performance.
  3. Security features such as TLS and authentication, which previously required a paid X-Pack license, are now included in Elasticsearch itself at no extra cost.
