Thursday, 24 August 2017

Configuration of Elasticsearch with a PeopleSoft load-balanced gateway

If SSL is implemented in PeopleSoft only and Elasticsearch will remain in http mode, then:

Oracle Support already has a document for this, "E-ES: How to configure SSL in Search Framework implementations using Elasticsearch ?" (Doc ID 2217683.1), but many people faced issues even though they were following that doc. I hope your issues are also covered here. I will highlight in a different colour everything that is new compared with the doc:

- From the PeopleSoft machine, proceed as follows:

1. Extract the root and intermediate certificates from your PIA page. This can easily be done by accessing your PIA page using IE and clicking on the padlock icon at the URL.
2. You will see a link "View Certificates".
3. Extract the Root certificate to a file, say called ps_root.cer.
4. Extract the Intermediate certificate to a file, say called ps_intermediate.cer.
5. Concatenate the "Intermediate + Root" in one file, starting with the intermediate first. Say you called this file ps_inter_root.cer.
So I had a question: when we download the certificates they come in .cer format, so how do we concatenate them?
a) The easiest way to concatenate the certificates is to open Notepad, drag and drop the intermediate certificate in first, then drop the root certificate below it, and save the file in .cer format.
6. Delete any extra carriage returns that exist in the extracted files. This step is important. Please do not ignore it.
7. Navigate to

 PeopleTools > Security > Security Objects > Digital Certificates

8. Import the ps_root.cer and the ps_inter_root.cer into the PeopleSoft database using the Digital Certificates page. Import them both as type "Root CA".
9. You would need to restart the application server and the web server in order for these trusted certificates to be recognized.
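
Steps 5 and 6 above can also be done from a shell instead of Notepad. The script below is an added example, not part of the Oracle doc or the original post; it assumes both certificates were exported as Base-64 encoded X.509 (text) files, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: build ps_inter_root.cer (intermediate first, then root)
# and remove the extra carriage returns and blank lines (steps 5 and 6).
# Assumption: the inputs are Base-64 (PEM) exports, not binary DER files.

# normalize_pem FILE: drop carriage returns, surrounding whitespace, blank lines.
normalize_pem() {
    tr -d '\r' < "$1" |
        sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^$/d'
}

# count_certs FILE: print the number of certificates found in FILE.
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# build_chain INTERMEDIATE ROOT OUT: write the cleaned chain file to OUT.
build_chain() {
    inter=$1 root=$2 out=$3
    for f in "$inter" "$root"; do
        # A DER export has no text markers and cannot be concatenated as text.
        if ! grep -q -- '-----BEGIN CERTIFICATE-----' "$f"; then
            echo "error: $f is not a Base-64 encoded certificate" >&2
            return 1
        fi
    done
    # Order matters: intermediate first, root second.
    { normalize_pem "$inter"; normalize_pem "$root"; } > "$out"
    # Sanity check: the result must hold exactly two certificates.
    [ "$(count_certs "$out")" -eq 2 ] || {
        echo "error: expected 2 certificates in $out" >&2
        return 1
    }
}

# Usage (file names as in the steps above):
#   build_chain ps_intermediate.cer ps_root.cer ps_inter_root.cer
```
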

- On your Elasticsearch box proceed as follows:

1. Copy the extracted ps_root.cer and ps_inter_root.cer over to your Elasticsearch box.
2. Set up a truststore and import both trusted certificates above, i.e. ps_root.cer and ps_inter_root.cer to the new truststore using JAVA_HOME/bin/keytool utility as follows:

keytool -importcert -keystore ES_HOME/config/keystore/my_es_truststore.jks -file /home/certs/ps_root.cer -alias my_ps_root

keytool -importcert -keystore ES_HOME/config/keystore/my_es_truststore.jks -file /home/certs/ps_inter_root.cer -alias my_ps_inter_root

Or you can run:

$JAVA_HOME/bin/keytool -importcert -keystore $ES_HOME/config/keystore/es_truststore.jks -file root.cer -alias '*****'
Here the .jks file will be created directly in the keystore folder, but for the commands above follow the step below.

People have asked about this because they could not find the keystore folder. You need to create the folder under the ES_HOME/config directory. Then go to JAVA_HOME/bin and run the 2 commands above in blue. But it gave an error for me, so I ran them as below:

keytool -importcert -keystore my_es_truststore.jks -file /home/certs/ps_root.cer -alias my_ps_root

keytool -importcert -keystore my_es_truststore.jks -file /home/certs/ps_inter_root.cer -alias my_ps_inter_root

With this, the .jks file will be created in the JAVA_HOME/bin folder only; give it the required permissions and transfer it to the keystore folder.

3. Use the "elasticsearchuser" script to encrypt the truststore password.

ES_HOME/bin> elasticsearchuser encrypt [password]

If your password contains a special character, then enclose it between single quotes when you encrypt it, e.g. something like this:
ES_HOME/bin> elasticsearchuser encrypt 'pAssw$rd1'

4. Configure the SSL properties in elasticsearch.yml file as follows:

orclssl.http.ssl: false
orclssl.transport.ssl: false
orclssl.keystore: 
orclssl.keystore_password: 
orclssl.truststore: <path to truststore, e.g. ES_HOME/config/keystore/my_es_truststore.jks>
orclssl.truststore_password: <truststore password that you encrypted in the previous step>

If you are using SSL on both Elasticsearch and PeopleSoft, then follow Section B of the Oracle doc. Let me know if you run into any issues.

The End


