To set up the SSL certificate with java keytool and install with SearchBlox, follow the steps below:
#Go to
cd /opt/searchblox
#Create a keystore
jre/bin/keytool -genkey -alias searchblox -keyalg RSA -keystore etc/SBkeystore.jks -keysize 2048
#create a signing request
jre/bin/keytool -certreq -alias searchblox -keystore etc/SBkeystore.jks -file searchblox.csr
Fill in the details as required:
- First name/last name is the CN (i.e must match FQDN that users will browse to)
- Choose password
#Get CSR signed by CA and bring back crt/pem
jre/bin/keytool -import -trustcacerts -alias rootca -file Root.crt -keystore etc/SBkeystore.jks -storepass <pass>
jre/bin/keytool -import -trustcacerts -alias intca -file Issue_CA.crt -keystore etc/SBkeystore.jks -storepass <pass>
jre/bin/keytool -import -alias searchblox -file searchblox.crt -keystore etc/SBkeystore.jks -storepass <pass>
#If you have a certificate which is in a pfx format please follow the steps below
(To list the contents of a keystore)
keytool -list -v -keystore identity.jks -storepass password
(To validate a certificate chain)
keytool -importkeystore -srckeystore <source_keystoreFile> -srcstoretype PKCS12 -destkeystore <destination_keystoreFile> -deststoretype JKS -srcstorepass mysecret -deststorepass mysecret -srcalias myalias -destalias myalias -srckeypass mykeypass -destkeypass mykeypass -noprompt
Example :
#Replace versions and password but otherwise run:
(In Linux)
cd /opt/searchblox/lib
java -cp jetty-util-9.3.6.v20151106.jar org.eclipse.jetty.util.security.Password <keystore password>
(In Windows)
C:\SearchBloxServer\lib>java -cp jetty-util-9.3.6.v20151106.jar org.eclipse.jetty.util.security.Password <keystore password>
This will create OBF and MD5 hashes of the given password that can be added to sslcontextfactory ie jetty-ssl-context.xml as below:
#Ensure etc/jetty-ssl-context.xml refers to the directory of the new keystore + the hashed password from the previous step e.g:
<Configure id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory">
<Set name="KeyStorePath"><Property name="jetty.base" default="." />/<Property name="jetty.keystore" default="etc/SBkeystore.jks"/></Set>
<Set name="KeyStorePassword"><Property name="jetty.keystore.password" default="OBF:1r2t1ugg1wgg1unj1ik8sjshy7hsk1ing1uof1wfi1kjs7jr55"/></Set>
<Set name="KeyManagerPassword"><Property name="jetty.keymanager.password" default="OBF:1r2ldskfjfj7d7hjejdkd9jdy20ec1ing1uof1wfi1uha1r55"/></Set>
<Set name="TrustStorePath"><Property name="jetty.base" default="." />/<Property name="jetty.truststore" default="etc/SBkeystore.jks"/></Set>
<Set name="TrustStorePassword"><Property name="jetty.truststore.password" default="OBF:1r2t1ugg1wgg1udlkdkfjgjjg8duhjd7huha1r55"/></Set>
<Set name="EndpointIdentificationAlgorithm"></Set>
<Set name="ExcludeCipherSuites">#Enable SSL
jre/bin/java -server -jar start.jar --add-to-startd=https
#Please update start.d/ssl.ini with the OBF passcode and other details as below
## Keystore file path (relative to $jetty.base)
jetty.sslContext.keyStorePath=jksfile.jks
## Truststore file path (relative to $jetty.base)
jetty.sslContext.trustStorePath=jksfile.jks
## Keystore password
jetty.sslContext.keyStorePassword=OBF:1xfp1x8g1w9f1i9i1v8u1v9s1sw01hgy1ym51rwh1wtu17cv1wuk1rwd
## Keystore type and provider
jetty.sslContext.keyStoreType=JKS
# jetty.sslContext.keyStoreProvider=
## KeyManager password
jetty.sslContext.keyManagerPassword=OBF:1xfp1x8g1w9f1i9i1v8u1v9s1sw01hgy1ym51rwh1wtu17cv1wuk1rwd
## Truststore password
jetty.sslContext.trustStorePassword=OBF:1xfp1x8g1w9f1i9i1v8u1v9s1sw01hgy1ym51rwh1wtu17cv1wuk1rwd
#Stop and Start SearchBlox
SearchBlox will now be able to use the SSL certificate and serve up the search results from the specified secure port.
Additional Note:
1) When creating or exporting the JKS, be sure to specify format PKCS #12 and not simply JKS format. Jetty requires PKCS #12.
2) If working with a SearchBlox cluster, specify all of the hostnames in the cluster as Subject Alt Names on the certificate. This lets you use the same certificate/JKS file for all machines in the cluster
Comments