ColdFusion Performance Monitoring Toolset uses Elasticsearch 5.6.16 as its data store. Because vital information about servers is collected and stored in the datastore, we need end-to-end encryption. Therefore, if you want to configure TLS/SSL and authentication for Elasticsearch, you must make some changes in the following:
- Performance Monitoring Toolset
1. Elasticsearch changes
- Download and install x-pack plugin.
Navigate to ColdFusion2021PerformanceMonitoringToolset/datastore/bin in a terminal and run elasticsearch-plugin install x-pack.
- Generate certificates by using certgen in ES.
Run certgen at this path: ColdFusion2021PerformanceMonitoringToolset/datastore/bin/x-pack
Certificate generation requires some basic information. See the terminal output below for reference.
Please enter the desired output file [C:ColdFusion2021PerformanceMonitoringToolset/datastore/config/x-pack/certificate-bundle.zip]:
Enter instance name: see-wv-a401
Enter name for directories and files [see-wv-a401]:
Enter IP Addresses for instance (comma-separated if more than one) : 103.43.114.xxx
Enter DNS names for instance (comma-separated if more than one) : see-wv-a401
Would you like to specify another instance? Press ‘y’ to continue entering instance information:
Certificates written to C:ColdFusion2021PerformanceMonitoringToolset/datastore/config/x-pack/certificate-bundle.zip
- Unzip the certificates generated at ColdFusion2021PerformanceMonitoringToolset/datastore/config/x-pack/certificate-bundle.zip.
Move the generated .crt files and .key files to the C:/ColdFusion2021PerformanceMonitoringToolset/datastore/config folder.
This is a mandatory step.
The ca.crt file is a self-signed certificate. For production deployment, we need to submit it to a certificate authority and get it signed.
- Include certificate paths in elasticsearch.yml file.
The file is located at ColdFusion2021PerformanceMonitoringToolset/datastore/config.
Include the following keys in this file:
xpack.ssl.key: '[path to ssl.key]'
xpack.ssl.certificate: '[path to ssl.crt]'
xpack.ssl.certificate_authorities: '[path to ca.crt]'
Note: There is one space after each colon.
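A pre-restart check for the three settings above, as an added example (not part of the original page and not Adobe or Elastic tooling): it flags a missing key, a missing space after the colon, typographic quotes pasted from a web page, and placeholders left unfilled. The function name, issue labels and sample paths are assumptions made for illustration, and only the single-path form shown above is handled.

```python
from pathlib import Path

# The three settings this page adds to elasticsearch.yml.
REQUIRED_KEYS = (
    "xpack.ssl.key",
    "xpack.ssl.certificate",
    "xpack.ssl.certificate_authorities",
)
CURLY_QUOTES = "\u2018\u2019\u201c\u201d"  # typographic quotes copied from web pages


def lint_ssl_settings(yml_text, check_files=False):
    """Return sorted (key, issue) pairs for the xpack.ssl.* lines in yml_text."""
    issues, seen = set(), set()
    for raw in yml_text.splitlines():
        key, colon, value = raw.strip().partition(":")
        key = key.strip()
        if key not in REQUIRED_KEYS or not colon:
            continue  # comments, blank lines and unrelated settings
        seen.add(key)
        if not value.startswith(" "):
            issues.add((key, "no-space-after-colon"))
        value = value.strip()
        if any(q in value for q in CURLY_QUOTES):
            issues.add((key, "typographic-quotes"))
        path = value.strip("'\"" + CURLY_QUOTES)
        if not path or "[path to" in path:
            issues.add((key, "placeholder-or-empty"))
        elif check_files and not Path(path).is_file():
            issues.add((key, "file-not-found"))
    issues.update((k, "missing") for k in REQUIRED_KEYS if k not in seen)
    return sorted(issues)

# Constructed samples: the paths and file names are made up for illustration.
SAMPLE_BAD = (
    "cluster.name: pmt\n"
    "xpack.ssl.key: \u2018/opt/pmt/datastore/config/node.key\u2019\n"
    "xpack.ssl.certificate:'/opt/pmt/datastore/config/node.crt'\n"
    "#xpack.ssl.certificate_authorities: '/opt/pmt/datastore/config/ca.crt'\n"
)
SAMPLE_GOOD = (
    "xpack.ssl.key: '/opt/pmt/datastore/config/node.key'\n"
    "xpack.ssl.certificate: '/opt/pmt/datastore/config/node.crt'\n"
    "xpack.ssl.certificate_authorities: '/opt/pmt/datastore/config/ca.crt'\n"
)

if __name__ == "__main__":
    for key, issue in lint_ssl_settings(SAMPLE_BAD):
        print(f"{key}: {issue}")
```

Pass the contents of elasticsearch.yml and set check_files=True on the Elasticsearch host to also confirm that each referenced file exists.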
Our ES configuration is done. We can restart Elasticsearch.
To test SSL and authentication, try to reach Elasticsearch from a browser:
default ES_PORT: 9250
default ES_username: elastic
default ES_password: changeme
If the browser pops up a prompt asking for a username and password, congrats: SSL and authentication for Elasticsearch are configured.
2. Import certificates to JVMs of PMT and CF
- The Java keytool command can be used to import the generated ca.crt into the keystores of the JVMs of PMT and of the CF that we are supposed to monitor.
keytool -importcert -alias [aliasname] -keystore "[path to keystore]" -storepass [password of keystore] -file [path to ca.crt]
default_keystore_path = ColdFusion2021/jre/lib/security/cacerts, ColdFusion2021PerformanceMonitoringToolset/jre/lib/security/cacerts
default_keystore_password = changeit
- Note: The JVM has to be restarted after the import.
3. Performance Monitoring Toolset changes
- Run the datastore.bat/datastore.sh file at ColdFusion2021PerformanceMonitoringToolset/bin.
It asks for some information related to Elasticsearch. The terminal output is pasted below for reference:
C:ColdFusion2021PerformanceMonitoringToolset/bin>datastore.bat
This utility is used to update the details of datastore.
Enter datastore host [see-wv-a401]:
Enter datastore port :
Is datastore running over SSL [N]? (Y/N): Y
Enter datastore username: elastic
Enter datastore password: changeme
Restart Performance Monitoring Toolset for the changes to reflect.
Let’s start datastore, ColdFusion, and Performance Monitoring Toolset to start monitoring.