To set up the SSL certificate with java keytool and install with SearchBlox, follow the steps below:
cd /opt/searchblox
#Create a keystore
jre/bin/keytool -genkey -alias searchblox -keyalg RSA -keystore etc/SBkeystore.jks -keysize 2048
#create a signing request
jre/bin/keytool -certreq -alias searchblox -keystore etc/SBkeystore.jks -file searchblox.csr
Fill in the details as required:
- First name/last name is the CN (i.e must match FQDN that users will browse to)
- Choose password
Get CSR signed by CA and bring back crt/pem
jre/bin/keytool -import -trustcacerts -alias rootca -file Root.crt -keystore etc/SBkeystore.jks -storepass <pass>
jre/bin/keytool -import -trustcacerts -alias intca -file Issue_CA.crt -keystore etc/SBkeystore.jks -storepass <pass>
jre/bin/keytool -import -alias searchblox -file searchblox.crt -keystore etc/SBkeystore.jks -storepass <pass>
Replace versions and password but otherwise run:
cd /opt/searchblox/lib
java -cp jetty-util-9.3.6.v20151106.jar org.eclipse.jetty.util.security.Password <keystore password>
C:\SearchBloxServer>java -cp lib/jetty-util-9.3.6.v20151106.jar org.eclipse.jetty.util.security.Password <keystore password>
This will create OBF and MD5 hashes of the given password that can be added to sslcontextfactory ie jetty-ssl-context.xml as below:
Ensure etc/jetty-ssl-context.xml refers to the directory of the new keystore + the hashed password from the previous step e.g:
|
<Configure id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory"> <Set name="KeyStorePath"><Property name="jetty.base" default="." />/<Property name="jetty.keystore" default="etc/SBkeystore.jks"/></Set> <Set name="KeyStorePassword"><Property name="jetty.keystore.password" default="OBF:1r2t1ugg1wgg1unj1ik8sjshy7hsk1ing1uof1wfi1kjs7jr55"/></Set> <Set name="KeyManagerPassword"><Property name="jetty.keymanager.password" default="OBF:1r2ldskfjfj7d7hjejdkd9jdy20ec1ing1uof1wfi1uha1r55"/></Set> <Set name="TrustStorePath"><Property name="jetty.base" default="." />/<Property name="jetty.truststore" default="etc/SBkeystore.jks"/></Set> <Set name="TrustStorePassword"><Property name="jetty.truststore.password" default="OBF:1r2t1ugg1wgg1udlkdkfjgjjg8duhjd7huha1r55"/></Set> <Set name="EndpointIdentificationAlgorithm"></Set> <Set name="ExcludeCipherSuites"> |
Please update start.d/ssl.ini with the same details
jre/bin/java -server -jar start.jar --add-to-startd=https
nohup ./startSearchBlox &
SearchBlox will now be able to use the SSL certificate and serve up the search results from the specified secure port.
Additional Note:
1) When creating or exporting the JKS, be sure to specify format PKCS #12 and not simply JKS format. Jetty requires PKCS #12.
2) If working with a SearchBlox cluster, specify all of the host names in the cluster as Subject Alt Names on the certificate. This lets you use the same certificate/JKS file for all machines in the cluster
Comments