Configuring SSL between PeopleSoft and Elasticsearch

You can configure SSL connections between your PeopleSoft system and Elasticsearch. When you have SSL configured, you then need to set the SSL Option field on the Search Instance Properties page to ENABLE.

To set up SSL on the PeopleSoft system, use the instructions provided in the System and Server Administration guide. See Implementing WebLogic SSL Keys and Certificates.

After you configure SSL in Elasticsearch, add the CA root certificate of Elasticsearch to the PeopleSoft keystore so that it will be trusted.

  1. Copy the Elasticsearch CA root certificate (for example, trustedCA.cer) to the Webserver folder.

  2. Use the pskeymanager -import command to import the certificate to the PeopleSoft truststore.

To set up SSL in Elasticsearch, complete these steps on all nodes of the Elasticsearch cluster:

Note: Keystore and Truststore files should be placed under the ES_HOME/config directory.

  1. Import the trusted root from Certification Authority (CA) and save it locally, for example, /home/certs/cacert.cer.

  2. Set up the truststore and import the trusted root certificate from the CA to the truststore using JAVA_HOME/bin keytool.

    keytool -importcert -keystore ES_HOME/config/keystore/mytruststore.jks -file /home/certs/cacert.cer -alias my_ca

    When prompted, provide a password. The password should later be encrypted and placed in the elasticsearch.yml configuration file.

    In steps 7, 8, and 9, when prompted whether you trust this certificate, enter Yes.

  3. Set up the keystore and private key.

    keytool -genkey -alias node_alias -keystore ES_HOME/config/keystore/mykeystore.jks -keyalg RSA -keysize 2048 -validity 90

    When prompted, provide a password. The password should later be encrypted and placed in the elasticsearch.yml configuration file.

    Enter details for the questions prompted on the screen.

    Enter key password for <node_alias> when prompted on the screen.

  4. Create a certificate signing request (CSR).

    keytool -certreq -alias node_alias -keystore ES_HOME/config/keystore/mykeystore.jks -file /home/certs/mycsr.csr -keyalg rsa

    This step creates a CSR.

  5. Use the CSR to get a certificate from the CA. Download it and save it locally, for example, /home/certs/signed.cer.

  6. Import the certificate to the keystore. Use the same alias as the private key and certificate request.

    keytool -importcert -keystore ES_HOME/config/keystore/mykeystore.jks -file /home/certs/signed.cer -alias node_alias

  7. In the elasticsearch.yml configuration file, add these properties to set up SSL:

    | Field or Control | Definition |
    | --- | --- |
    | orclssl.http.ssl | true |
    | orclssl.transport.ssl | Set the property to true if you want to enable SSL in transport layer for node to node encryption. Enter false if you want to disable SSL in transport layer. |
    | orclssl.keystore | <path to keystore> |
    | orclssl.keystore_password | <keystore password> |
    | orclssl.truststore | <path to truststore> |
    | orclssl.truststore_password | <truststore password> |
    | orclssl.callback | To set this property, refer to the Call Back Properties section in Creating Search Instances. |

  8. Use the elasticsearchuser script to encrypt the keystore and truststore passwords.

    ES_HOME/bin> elasticsearchuser encrypt [password]

  9. Use the encrypted password for the orclssl.keystore_password and orclssl.truststore_password in the elasticsearch.yml configuration file.

Note: As both HTTP and HTTPS use the same channel, the port for HTTPS is the same as the one configured in http.port in the elasticsearch.yml configuration file. After SSL is enabled, the port configured for HTTP becomes HTTPS and HTTP will be disabled.
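
A check for step 6, added here as an example and not part of the original PeopleSoft documentation: if the signed certificate is imported under a different alias, keytool stores it as a separate trusted-certificate entry and the key entry keeps its self-signed certificate. The function reads `keytool -list -v` output (English locale assumed) for the node alias; the function names, hostnames and trimmed sample outputs are constructed for illustration.

```shell
# Added example: verify that the node's key entry carries the CA-signed certificate.
# Real use: keytool -list -v -keystore ES_HOME/config/keystore/mykeystore.jks -alias node_alias | check_key_entry
check_key_entry() {
    awk '
        /^Entry type:/             { type = $3 }
        /^Certificate\[1\]:/       { in_first = 1; next }
        /^Certificate\[[0-9]+\]:/  { in_first = 0 }
        in_first && /^Owner:/  && owner == ""  { owner = substr($0, 8) }
        in_first && /^Issuer:/ && issuer == "" { issuer = substr($0, 9) }
        END {
            if (type != "PrivateKeyEntry") { print "FAIL: entry is " type ", not PrivateKeyEntry"; exit 1 }
            if (owner == "" || issuer == "") { print "FAIL: could not read Owner/Issuer"; exit 1 }
            if (owner == issuer) { print "FAIL: certificate is still self-signed"; exit 1 }
            print "OK: key entry signed by " issuer
        }'
}

# Constructed sample: the key entry right after step 3 (self-signed, Owner equals Issuer).
sample_self_signed() {
cat <<'EOF'
Alias name: node_alias
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=es-node1.example.com, O=Example
Issuer: CN=es-node1.example.com, O=Example
EOF
}

# Constructed sample: the same entry after the CA reply was imported under the same alias.
sample_ca_signed() {
cat <<'EOF'
Alias name: node_alias
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=es-node1.example.com, O=Example
Issuer: CN=Example Root CA, O=Example
Certificate[2]:
Owner: CN=Example Root CA, O=Example
Issuer: CN=Example Root CA, O=Example
EOF
}

sample_self_signed | check_key_entry || true   # reports the self-signed state
sample_ca_signed | check_key_entry             # reports the issuing CA
```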