Configure SSL/TLS
By default, Enterprise Search does not enable TLS (Transport Layer Security).
To enable SSL/TLS, set the following configuration settings:

```yaml
ent_search.ssl.enabled: true
ent_search.ssl.keystore.path: "/path/to/keystore.jks"
ent_search.ssl.keystore.password: "changeme"
ent_search.ssl.keystore.key_password: "changeme"
```
Create the Java KeyStore
In the above example, keystore.jks is a Java KeyStore file.
Create a Java KeyStore file using the keytool utility, which is included with the JVM.
See keytool - Key and Certificate Management Tool in the Java documentation.
For example, to create a self-signed certificate and add it to a keystore for use with a server running on localhost, run:

```sh
keytool -genkey -alias server-alias -keyalg RSA \
  -storepass changeme -keypass changeme -keystore keystore.jks \
  -dname 'CN=localhost, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown'
```
Note that the values used in -keypass changeme and -storepass changeme correspond directly to the values that must be set for ent_search.ssl.keystore.key_password and ent_search.ssl.keystore.password, respectively.
Please note: In a production scenario, you will need a public certificate signed by a trusted Certificate Authority.
Hosting on the default HTTPS port
In addition to the above instructions, you may want to avoid having your users specify a port number when visiting Enterprise Search. In order to allow your users to make use of HTTPS only, you can set:

```yaml
ent_search.listen_port: 443
ent_search.external_url: https://my_host.my_domain.com:443
ent_search.ssl.redirect_http_from_port: 80
```

This will bind your server to port 443 (the default HTTPS traffic port), and will ensure that traffic routed to port 80 (the default HTTP port) will redirect to 443.
This ensures that any visitor to my_host.my_domain.com will make use of TLS.
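The two settings blocks above have to agree with each other: TLS needs a keystore path and both passwords, the external URL has to be https and name the port the server actually listens on, and the HTTP redirect port has to differ from it. The following is an added example (not part of Enterprise Search) that loads the flat `key: value` settings shown on this page and reports any of those inconsistencies, plus the placeholder `changeme` passwords; the `SAMPLE_CONFIG` text is constructed from the page's two snippets and the check names are this example's own.

```python
"""Sanity-check the ent_search.* TLS settings described on this page.

Added example, not part of the Enterprise Search project: the loader handles
only the flat `key: value` lines shown on the page (no nested YAML), and the
checks encode the relationships the page states between the settings.
"""
from urllib.parse import urlsplit

# Constructed sample reproducing the two snippets on the page, merged.
SAMPLE_CONFIG = """
ent_search.ssl.enabled: true
ent_search.ssl.keystore.path: "/path/to/keystore.jks"
ent_search.ssl.keystore.password: "changeme"
ent_search.ssl.keystore.key_password: "changeme"
ent_search.listen_port: 443
ent_search.external_url: https://my_host.my_domain.com:443
ent_search.ssl.redirect_http_from_port: 80
"""


def load_flat_config(text):
    """Parse `key: value` lines into a dict of strings (surrounding quotes stripped)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, value = line.split(":", 1)  # split on the first colon only (URLs contain colons)
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        settings[key.strip()] = value
    return settings


def check_tls_settings(settings):
    """Return a list of findings; an empty list means the settings are consistent."""
    findings = []
    enabled = settings.get("ent_search.ssl.enabled", "false").lower() == "true"
    if not enabled:
        findings.append("TLS is disabled (ent_search.ssl.enabled is not true)")
        return findings

    # With TLS on, the keystore path and both passwords must be present.
    for key in ("ent_search.ssl.keystore.path",
                "ent_search.ssl.keystore.password",
                "ent_search.ssl.keystore.key_password"):
        if not settings.get(key):
            findings.append(f"{key} is required when TLS is enabled")
    # The page uses the placeholder `changeme`; flag it so it gets replaced.
    for key in ("ent_search.ssl.keystore.password",
                "ent_search.ssl.keystore.key_password"):
        if settings.get(key) == "changeme":
            findings.append(f"{key} still uses the placeholder value 'changeme'")

    listen_port = settings.get("ent_search.listen_port")
    redirect_port = settings.get("ent_search.ssl.redirect_http_from_port")
    external_url = settings.get("ent_search.external_url")

    if external_url:
        parts = urlsplit(external_url)
        if parts.scheme != "https":
            findings.append("ent_search.external_url must use https when TLS is enabled")
        # The URL's port (explicit, or implied by the scheme) must match listen_port.
        url_port = parts.port if parts.port is not None else (443 if parts.scheme == "https" else 80)
        if listen_port and str(url_port) != listen_port:
            findings.append(
                f"ent_search.external_url port {url_port} does not match "
                f"ent_search.listen_port {listen_port}")

    if redirect_port and listen_port and redirect_port == listen_port:
        findings.append("ent_search.ssl.redirect_http_from_port must differ from ent_search.listen_port")
    return findings


if __name__ == "__main__":
    for finding in check_tls_settings(load_flat_config(SAMPLE_CONFIG)) or ["no findings"]:
        print(finding)
```

Run against the page's own values, the only findings are the two `changeme` placeholders; swap in real passwords and the list is empty, while changing the external URL to `http://` produces both a scheme finding and a port mismatch.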
Troubleshooting
java.lang.ClassCastException: org.bouncycastle.asn1.DERApplicationSpecific cannot be cast to org.bouncycastle.asn1.ASN1Sequence
This error may occur if you're using a legacy configuration that specifies keys and certificates separately; it is caused by a known JRuby bug: https://github.com/jruby/jruby-openssl/issues/104. It is recommended that you use a Java KeyStore file as explained above. If this is not possible, remove the "Bag Attributes" from your keyfile. This can be done by generating your keyfile like:

```sh
openssl pkcs12 -in keystore.p12 -nodes -nocerts -passin pass:changeme | openssl rsa -out my_store.key
```
You can also manually remove the "Bag Attributes" portion of your keyfile with a text editor.
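The manual edit described above amounts to keeping only the `-----BEGIN ... -----END-----` block(s) and discarding the attribute lines that `openssl pkcs12 -nodes` prints in front of them. The following is an added example (not part of Enterprise Search or OpenSSL) that does exactly that and refuses files whose block body is not base64, so a stray attribute line that slipped inside a block is reported rather than passed on. `SAMPLE_KEYFILE` is constructed to mirror the output shape of the command above; its base64 body is filler, not a real key.

```python
"""Strip PKCS#12 "Bag Attributes" from a PEM key file.

Added example, not part of Enterprise Search or OpenSSL. `openssl pkcs12 -nodes`
prefixes each PEM block with attribute lines; this keeps only the
-----BEGIN ... -----END----- blocks, which is what the manual edit on the page
amounts to.
"""
import re

# Constructed sample in the shape produced by `openssl pkcs12 -nodes -nocerts`.
# The base64 body is filler, not a real key.
SAMPLE_KEYFILE = """Bag Attributes
    friendlyName: server-alias
    localKeyID: 54 69 6D 65 20 31 32 33 34 35 36 37 38 39 30 31 32
Key Attributes: <No Attributes>
-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDEXAMPLEFILLER0
QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVphYmNkZWZnaGlqa2xtbm9wcXJzdHV2
-----END PRIVATE KEY-----
"""

# One PEM block: BEGIN line, body, and an END line carrying the same label.
PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\r?\n"
    r"(?P<body>.*?)"
    r"-----END (?P=label)-----",
    re.DOTALL,
)


def strip_bag_attributes(text):
    """Return only the PEM blocks from text, each terminated by a newline."""
    blocks = []
    for m in PEM_BLOCK.finditer(text):
        body = "".join(line.strip() for line in m.group("body").splitlines())
        # Reject a block whose body is not base64 instead of silently keeping junk.
        if not re.fullmatch(r"[A-Za-z0-9+/=]+", body):
            raise ValueError(f"non-base64 content inside {m.group('label')} block")
        blocks.append(m.group(0) + "\n")
    if not blocks:
        raise ValueError("no PEM block found")
    return "".join(blocks)


def pem_labels(text):
    """Labels of the PEM blocks present in text, e.g. ['PRIVATE KEY']."""
    return [m.group("label") for m in PEM_BLOCK.finditer(text)]


if __name__ == "__main__":
    # Usage: feed the output of `openssl pkcs12 -nodes -nocerts` in, write the result out.
    print(strip_bag_attributes(SAMPLE_KEYFILE), end="")
```

Because it only ever copies whole PEM blocks, running it on an already-clean file returns the file unchanged, so it is safe to apply to every key file in a deployment rather than only the ones known to carry attributes.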