May 12, 2021
Configuring TLS/SSL and Authentication for Elasticsearch in Performance Monitoring Toolset
May 12, 2021
Configuring TLS/SSL and Authentication for Elasticsearch in Performance Monitoring Toolset
Explorer 1 posts
Followers: 0 people

ColdFusion Performance Monitoring Toolset uses Elasticsearch 5.6.16 as data store. As vital information about servers are collected and stored in datastore, we need an end to end encryption. Therefore, if you want to configure TLS/SSL and authentication for Elasticsearch, you must make some changes in the following:

  • Elasticsearch
  • Performance Monitoring Toolset
  • JVM

1. Elasticsearch changes

  • Download and install x-pack plugin.
    Run elasticsearch-plugin install x-pack by navigating to ColdFusion2021PerformanceMonitoringToolset/datastore/bin in terminal.
  • Generate certificates by using certgen in ES.
    Run certgen at this path ColdFusion2021PerformanceMonitoringToolset/datastore/bin/x-pack
    cert generation requires some basic information. See the terminal output below for reference.Please enter the desired output file [C:ColdFusion2021PerformanceMonitoringToolset/datastore/config/x-pack/]:
    Enter instance name: see-wv-a401
    Enter name for directories and files [see-wv-a401]:
    Enter IP Addresses for instance (comma-separated if more than one) []:
    Enter DNS names for instance (comma-separated if more than one) []: see-wv-a401
    Would you like to specify another instance? Press ‘y’ to continue entering instance information:
    Certificates written to C:ColdFusion2021PerformanceMonitoringToolset/datastore/config/x-pack/
  • Unzip the certificates generated at ColdFusion2021PerformanceMonitoring/Toolset/datastore/config/x-pack/
    Move the generated .crt  files and .key files to C:/ColdFusion2021PerformanceMonitoringToolset/datastore/config folder.
    It is a mandatory step.
    The ca.crt file is a self signed certificate. For production deployment, we need to submit it to certificate authority and get it signed.

  • Include certificate paths in elasticsearch.yml file.
    The file is located at ColdFusion2021PerformanceMonitoringToolset/datastore/config.
    Include the following keys in this file: true true

    xpack.ssl.key: ‘[path to ssl.key]’

    xpack.ssl.certificate: ‘[path to ssl.crt]’

    xpack.ssl.certificate_authorities: ‘[path to ca.crt]’

    Note: There is one space after each colon.

    Our ES configuration is done. We can restart elasticsearch.
    To test ssl and authentication, try to hit from browser:

    default ES_PORT: 9250
    default ES_username: elastic
    default ES_password: changeme

    If browser pops up asking for username,password. Congrats, our ssl and authentication for Elasticsearch is configured.

2. Import certificates to JVMs of PMT and CF

  • Java keytool command can be used to import ca.crt generated to the keystore of JVMs of PMT and CF that we are suppose to monitor.keytool -importcert -alias [aliasname] -keystore “[path to keystore]” -storepass [password of keystore] -file [path to ca.crt]default_keystore_path = ColdFusion2021/jre/lib/security/cacerts, ColdFusion2021PerformanceMonitoringToolset/jre/lib/security/cacertsdefault_keystore_password = changeit
  • note: jvm has to be restarted after it.

3. Performance Monitoring Toolset changes

  • Run datastore.bat/ file at location ColdFusion2021PerformanceMonitoringToolset/bin>
    It ask some information related to Elastisearch. Pasted below is terminal output for reference:C:ColdFusion2021PerformanceMonitoringToolset/bin>datastore.batThis utility is used to update the details of datastore.Enter datastore host [see-wv-a401]:
    Enter datastore port [9250]:Is datastore running over SSL [N]? (Y/N): Y

    Enter datastore username: elastic
    Enter datastore password: changeme

    Restart Performance Monitoring Toolset for the changes to reflect.

    Let’s start datastore, ColdFusion, and Performance Monitoring Toolset to start monitoring.

Add Comment