I am trying to add password authentication in my elasticsearch cluster using readonlyrest plugin. I installed the plugin successfully now i am trying to configure my configuration file(.yml file) but there In case 0 they are using a keystore see below
http.type: ssl_netty4
readonlyrest:
enable: true
ssl:
enable: true
keystore_file: "/elasticsearch/plugins/readonlyrest/keystore.jks"
keystore_pass: readonlyrest
key_pass: readonlyrest
Can anyone please tell me from where i can generate this keystore and also where is the username and password authentication parameters set in this plugin.
You can use Letsencrypt to generate a valid SSL certificate for free.
Use Letsencrypt's own tool called certbot
A Letsencrypt certificate works just fine in ReadonlyREST, but first you have to convert it into a JKS keystore.
Obtaining a JKS keystore from Letsencrypt certs is a common procedure: you would do the same if you want to use Letsencrypt with Tomcat. A very common, googleable use case.
PS: I will progressively release some detailed documentation in the following weeks on the official website.
Related
i try to develop my SpringBoot Backend Application on STRATO.de
i buyed a ubunutu vServer and runned my spring app via jar.
but backend (http) and frontend (https) cant connect because of the ssl. I created a self signed jks file for my spring boot app and the https works but when i open my backend ip adress and port firstly i get the message "this ist not a secure connection" and i have to accept the certificate. After that everything works fine.
Is there a Option to get a secure connection? i try to use LetsEncrypt CerBot etc. nothing works. The Tutorials are not for the newest Ubuntu version.
Where can i secure my SpringBoot app via HTTPS without a SelfSigned certificate?
Both frontend & backend needs to have https connection for secured communication. Hence it's necessary to use https for your spring-boot application. Self signed jks is only good for development, which is not meant to be used for production.
You may follow these steps:
Install OpenSSL if not available in your server. How to install OpenSSL
Run this command, # openssl req -new -newkey rsa:2048 -nodes -keyout yourkey.key -out yourcsr.csr
Here, yourkey.key = It’s your private key and
yourcsr.csr = Your Certificate Signing Request which needs to send to CA authorities. While creating CSR, it will ask some questions, which will be later required for keystore. Hence, save them properly.
Buy your SSL certificate from your preferable registrant, ie name.com
Send your yourcsr.csr file information to the registrants. Please follow their respective instructions.
Once approved, you will receive two files. yourserver.crt and yourca.crt
# openssl pkcs12 -export -in yourserver.crt -inkey yourkey.key -out yourkeystore.p12 -name somealias -certfile yourca.crt -caname root
It will ask some questions, pls make sure it matches the information that you provided earlier while creating the CSR. It will prompt for password for the keystore. This command will create a keystore named yourkeystore.p12
# keytool -importkeystore -srckeystore yourkeystore.p12 -srcstoretype PKCS12 -destkeystore yourkeystore.jks -deststoretype JKS -deststorepass newkeystorepassword -destkeypass newkeypassword Convert to JKS, if you specifically want to use JKS for spring boot. This command will create a keystore named yourkeystore.jks
Put required information at application.properties.
server.port: 8443
server.ssl.key-store: classpath: yourkeystore.jks
server.ssl.key-store-password: newkeystorepassword
server.ssl.key-store-type: jks
server.ssl.key-alias: somealias
server.ssl.key-password: newkeypassword
I have a spring cloud config server running with spring bus. I want to make the calls to that server secure:
When a client is asking for configurations.
When calling /monitor - used by the webhook.
What is the best practice to do that? basic? encryption?
Can someone provide a working example?
Thanks!
You can secure it by adding encrypting and decrypting properties
You need to provide jks for securely encrypting and decrypting them
Spring cloud config server supports symmetric and asymmetric keys
To configure a symmetric key, you need to set encrypt.key to a secret String (or use the ENCRYPT_KEY environment variable to keep it out of plain-text configuration files).
For asymmetric you need to provide in bootsrap.yml such properties:
server:
port: 8888
spring:
cloud:
config:
server:
git:
uri: your git url or your local repository on file system
username: username for git or bitbucket if needed
password: password
clone-on-start: true this property will clone all repo localy on starttup
force-pull: true
application:
name: config-server
encrypt:
key-store:
location: jks location
password: letmein
alias: mytestkey
secret: changeme
For generating jks you need to execute this command
keytool -genkeypair -alias mytestkey -keyalg RSA \
-dname "CN=Web Server,OU=Unit,O=Organization,L=City,S=State,C=US" \
-keypass changeme -keystore server.jks -storepass letmein
Actually java by default has a limitation on certain key length parameters.
Its 128 bit by default.
To use key more key length you just need replace existing local_policy.jar and US_export_policy.jar in <java-home>/lib/security
Here is link for download :
https://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html
And also you can encrypt and decrypt your properties by such endpoints :
curl config_server_host:port/encrypt-d your data to be encrypted
curl config_server_host:port/decrypt -d your data to be decrypted // this will automatically use this endpoint to decrypt values
//Both are http post requests
To use encryption by config server you need to provide such prefix in your configuration for your application which will get configs from config server:
'{cipher}your_encrypted_data'
Also, you can control access to secrets in the config by the using of Spring Cloud Vault.
This solution simpler than encrypt all communication between your application and config server, but maybe this is not what you want.
I hope it helps.
My Spring Boot project works fine on https / ssl, when serving locally, using a p12 cert, but fails when uploading to AWS Elastic Beanstalk.
The following is the application.properties configuration:
security.require-ssl=true
server.use-forward-headers=true
server.port=8443
server.ssl.key-store: classpath:keystore.p12
server.ssl.key-store-password: jonathan
server.ssl.keyStoreType: PKCS12
server.ssl.keyAlias: tomcat
The WebSecurityConfigurerAdapter subclass, configure(HttpSecurity http) method, contains the following line, to enable HTTPS / SSL:
http.requiresChannel().antMatchers("/**").requiresSecure();
Attached is classic load configurer configuration, inside AWS elastic beanstalk console:
Here is the SSL Certificate issued with the grasshapper.net domain, under AWS Certificate Manager:
I also have settings for under .ebextensions, the file with path is, src/main/resources/.ebextensions/.config (not sure if even needed):
option_settings:
aws:elb:listener:8443:
SSLCertificateId: [keeping private]
ListenerProtocol: HTTPS
InstancePort: 80
InstanceProtocol: HTTP
aws:elb:listener:80:
ListenerEnabled: false
Note (SSLCertifcateId): the ID is taken from the ARN, my AWS Certifcate manager SSL Certificate (if you expand the SSL Certificate you will see the ARN).
Does the proxy have a trusted IP address?
By default, IP addresses in 10/8, 192.168/16, 169.254/16 and 127/8 are
trusted. You can customize the valve’s configuration by adding an
entry to application.properties, as shown in the following example:
server.tomcat.internal-proxies=192\.168\.\d{1,3}\.\d{1,3}
Reference: https://docs.spring.io/spring-boot/docs/current-SNAPSHOT/reference/html/howto-embedded-web-servers.html#howto-customize-tomcat-behind-a-proxy-server
I have installed Mirth connect and it is running on https://example.com:8443 but it throwing https warning. If I run https://example.com it doesn't show any warning because ssl certificate is instaled. The issue is with the port. Please help me out from this problem.
Thanks.
Mirth Connect generates a new self-signed certificate on first startup. You can replace this with your own cert, it's the "mirthconnect" alias in the keystore.jks file. Follow the Changing The Server Certificate section in the user guide.
We recently changed from using standalone Tomcat 8 containers to using the embedded Tomcat 8 container. We are having some trouble getting SSL to work on Grails 3.1.6 with the embedded container. We had been using the certificateFile approach with APR Native Libraries with the standalone container. We would like to keep this approach with the embedded Tomcat instead of changing to the keystore approach. I tried the Grails documentation, went deep into the Spring Boot embedded container documentation, but haven't found a working solution yet.
I tried many different configuration approaches in the application.yml. Based on several different pieces of documentation, sources, etc. my latest attempt was:
environments:
test:
grails:
server:
port: 8443
ssl:
enabled: true
certificateKeyFile: '/usr/share/app/my_domain_net.key'
certificateFile: '/usr/share/app/my_domain_net.crt'
certificateChainFile: '/usr/share/app/myCA.crt'
serverURL: "https://test.mydomain.net:8443"
tomcat:
port: 8443
ssl:
enabled: true
certificateKeyFile: '/usr/share/app/my_domain_net.key'
certificateFile: '/usr/share/app/my_domain_net.crt'
certificateChainFile: '/usr/share/app/myCA.crt'
I also tried adding this to the end of the application.yml:
server:
port: 8443
ssl:
enabled: true
certificateKeyFile: '/usr/share/app/my_domain_net.key'
certificateFile: '/usr/share/app/my_domain_net.crt'
certificateChainFile: '/usr/share/app/myCA.crt'
but this gave me a 'resource location may not be null' error. Most examples and questions I see are quite dated at this point. Time to ask a fresh question on stackoverflow. Thanks in advance!
It was not possible to use the openssl certificateKeyFile approach, even with the APR native libraries loaded on LD_LIBRARY_PATH. (I think it may be possible if you edit grails-app/init/myapp/Application.groovy and follow the Spring
documentation for adding an additional connector (at paragraph 70.9 of http://docs.spring.io/spring-boot/docs/current/reference/html/howto-embedded-servlet-containers.html), but this is difficult and you need to read the org.springframework sources to figure out how to make this work with openssl certificates and APR Native.) For me, it wasn't worth it, so here is how you do it using the keystore approach.
I had to re-key the certificate using the Tomcat keytool method.
Then, the application.yml was updated to look like this:
---
---
environments:
development:
server:
port: 8080
ssl:
enabled: false
grails:
serverURL: "http://localhost:8080"
---
---
environments:
test:
server:
port: 8443
ssl:
enabled: true
key-store: classpath:my_domain_net.jks
key-store-password: mypassword
key-password: mypassword
grails:
serverURL: "https://test.mydomain.net:8443"
My process for preparing the certificate was:
1) create a directory for ssl_certificates
2) pick a Certificate Authority (I chose DigiCert)
3) use the CA's instructions for generating a csr for Tomcat:keytool
4) the CA's keytool command asks for a keystore password and key password
5) submit the csr and wait ~10 minutes for the cert to be issued
6) download the issued certificate as my_domain_net.p7b into the
ssl_certificates folder created above
7) keytool -import -trustcacerts -alias server -file my_domain_net.p7b \
-keystore my_domain_net
8) copy my_domain_net.jks into src/main/resources/ of your web project.