To set up the SSL certificate with java keytool and install with SearchBlox, follow the steps below:
#Go to the SearchBlox installation directory
cd /opt/searchblox
#Create a keystore
jre/bin/keytool -genkey -alias searchblox -keyalg RSA -keystore etc/SBkeystore.jks -keysize 2048
#create a signing request
jre/bin/keytool -certreq -alias searchblox -keystore etc/SBkeystore.jks -file searchblox.csr
Fill in the details as required:
- First name/last name is the CN (i.e. it must match the FQDN that users will browse to)
- Choose a password
#Get CSR signed by CA and bring back crt/pem
jre/bin/keytool -import -trustcacerts -alias rootca -file Root.crt -keystore etc/SBkeystore.jks -storepass <pass>
jre/bin/keytool -import -trustcacerts -alias intca -file Issue_CA.crt -keystore etc/SBkeystore.jks -storepass <pass>
jre/bin/keytool -import -alias searchblox -file searchblox.crt -keystore etc/SBkeystore.jks -storepass <pass>
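Before pointing Jetty at the keystore it is worth confirming that the signed certificate really was imported over the searchblox alias (a common failure is ending up with only the self-signed key from -genkey) and that its SAN covers the hostname users will browse to. The following check is an added example, not SearchBlox's own tooling: it parses the output of keytool -list -v; the two dumps are constructed and abridged, and the hostnames in them are assumptions.

```shell
#!/bin/sh
# Added example, not part of SearchBlox: sanity-check a "keytool -list -v" dump
# before wiring the keystore into jetty-ssl-context.xml. Keystore/alias names
# follow the page; the dumps below are constructed and abridged.

# check_keystore_dump DUMP ALIAS HOSTNAME -> 0 if ALIAS is a PrivateKeyEntry whose
# chain has >= 2 certs (CA reply imported) and whose leaf SAN lists HOSTNAME.
check_keystore_dump() {
  dump=$1; alias=$2; host=$3
  # keep only the lines belonging to the requested alias
  block=$(printf '%s\n' "$dump" | awk -v a="$alias" '
    /^Alias name:/ { inblk = ($3 == a) }
    inblk { print }')
  [ -n "$block" ] || { echo "alias $alias not found"; return 1; }
  printf '%s\n' "$block" | grep -q '^Entry type: PrivateKeyEntry' ||
    { echo "$alias is not a PrivateKeyEntry"; return 1; }
  len=$(printf '%s\n' "$block" | sed -n 's/^Certificate chain length: //p')
  [ "${len:-0}" -ge 2 ] ||
    { echo "chain length ${len:-0}: signed cert was not imported over $alias"; return 1; }
  # only the leaf (Certificate[1]) may satisfy the hostname check
  leaf=$(printf '%s\n' "$block" | awk '/^Certificate\[2\]:/ { exit } { print }')
  printf '%s\n' "$leaf" | grep -q "DNSName: $host\$" ||
    { echo "leaf SAN does not cover $host"; return 1; }
}

# Constructed dump: key entry with a 3-cert chain and two SAN hostnames.
SAMPLE_OK='Keystore type: JKS
Alias name: rootca
Entry type: trustedCertEntry
Owner: CN=Example Root CA, O=Example, C=US
Alias name: searchblox
Entry type: PrivateKeyEntry
Certificate chain length: 3
Certificate[1]:
Owner: CN=search.example.com, O=Example, C=US
Issuer: CN=Example Issuing CA, O=Example, C=US
SubjectAlternativeName [
  DNSName: search.example.com
  DNSName: node2.example.com
]
Certificate[2]:
Owner: CN=Example Issuing CA, O=Example, C=US
Certificate[3]:
Owner: CN=Example Root CA, O=Example, C=US'

# Constructed dump: only the self-signed key from -genkey, CA reply never imported.
SAMPLE_NOCHAIN='Alias name: searchblox
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=search.example.com, O=Example, C=US
Issuer: CN=search.example.com, O=Example, C=US'

# Real use: check_keystore_dump "$(jre/bin/keytool -list -v -keystore etc/SBkeystore.jks -storepass "$PASS")" searchblox search.example.com
```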
#If you have a certificate in PFX (PKCS #12) format, please follow the steps below
(To list the contents of a keystore)
keytool -list -v -keystore identity.jks -storepass password
(To import the PFX/PKCS #12 keystore into a JKS keystore)
keytool -importkeystore -srckeystore <source_keystoreFile> -srcstoretype PKCS12 -destkeystore <destination_keystoreFile> -deststoretype JKS -srcstorepass mysecret -deststorepass mysecret -srcalias myalias -destalias myalias -srckeypass mykeypass -destkeypass mykeypass -noprompt
Example :
#Replace versions and password but otherwise run:
(In Linux)
cd /opt/searchblox/lib
java -cp jetty-util-9.3.6.v20151106.jar org.eclipse.jetty.util.security.Password <keystore password>
(In Windows)
C:\SearchBloxServer\lib>java -cp jetty-util-9.3.6.v20151106.jar org.eclipse.jetty.util.security.Password <keystore password>
This prints OBF (obfuscated, reversible), MD5 and CRYPT forms of the given password; the OBF form is the one to add to the SslContextFactory in jetty-ssl-context.xml as below. Note that OBF only hides the password from casual viewing, so the file still needs restrictive permissions:
#Ensure etc/jetty-ssl-context.xml refers to the path of the new keystore and the obfuscated password from the previous step, e.g.:
<Configure id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory">
  <Set name="KeyStorePath"><Property name="jetty.base" default="." />/<Property name="jetty.keystore" default="etc/SBkeystore.jks"/></Set>
  <Set name="KeyStorePassword"><Property name="jetty.keystore.password" default="OBF:1r2t1ugg1wgg1unj1ik8sjshy7hsk1ing1uof1wfi1kjs7jr55"/></Set>
  <Set name="KeyManagerPassword"><Property name="jetty.keymanager.password" default="OBF:1r2ldskfjfj7d7hjejdkd9jdy20ec1ing1uof1wfi1uha1r55"/></Set>
  <Set name="TrustStorePath"><Property name="jetty.base" default="." />/<Property name="jetty.truststore" default="etc/SBkeystore.jks"/></Set>
  <Set name="TrustStorePassword"><Property name="jetty.truststore.password" default="OBF:1r2t1ugg1wgg1udlkdkfjgjjg8duhjd7huha1r55"/></Set>
  <Set name="EndpointIdentificationAlgorithm"></Set>
  <Set name="ExcludeCipherSuites">
#Please update start.d/ssl.ini with the same details
jre/bin/java -server -jar start.jar --add-to-startd=https
#Stop and Start SearchBlox
SearchBlox will now be able to use the SSL certificate and serve up the search results from the specified secure port.
Additional Note:
1) When creating or exporting the JKS, be sure to specify format PKCS #12 and not simply JKS format. Jetty requires PKCS #12.
2) If working with a SearchBlox cluster, specify all of the hostnames in the cluster as Subject Alternative Names on the certificate. This lets you use the same certificate/JKS file for all machines in the cluster.