I am playing with possibilities of Elasticsearch and Orchestrator.
I have got my robots working. They are sending logs not only to Orchestrator but also to Elastic.
…
Next step was authentication and security in Elastic+kibana.
I followed the instructions at Elastic and now I can reach my Kibana via “HTTPS” and Elastic is “Secured at transport level and http level”
I can see the indexes I made BEFORE the security settings.
ALL certificates generated without passwords.
Orchestrator, Elastic and Kibana are installed on ONE win2012 server.
Elastic has ONE node.
Nothing special.
But Elastic doesn't bite Orchestrator:
oke
elasticsearch.yml
I didn't resolve the issue with HTTPS, but you have to add the username and password in web.config anyway! These are the same as the password and username in kibana.yml
I removed the ssl config for Elasticsearch and I’m able to see logs both in Orchestrator and Kibana without any problems. And Elasticsearch’s log looks clean.
Then I re-enabled the ssl config for Elasticsearch and I can only see logs in Orchestrator. Elasticsearch is not getting logs anymore. And Elasticsearch’s log file displays the following:
[2020-01-23T11:11:15,346][WARN ][o.e.x.s.t.n.SecurityNetty4HttpServerTransport] [SERVERNAME] http client did not trust this server’s certificate, closing connection [id: 0x6c323a92, L:0.0.0.0/0.0.0.0:9200 ! R:/0:0:0:0:0:0:0:1:51900]
Using the mmc cert tool, import the certificate to the Local Computer / Personal / Certificate and Local Computer / Trusted Root Certification Authorities stores.
Optional: You can use the certificate for Orchestrator as well
You should then import the pfx file into the Server Certificate feature of IIS and reconfigure the Bindings with the new certificate on the UiPath Orchestrator app pool level.
bootstrap.memory_lock: false
cluster.name: elasticsearch
network.host: 1.2.3.4  # your IP address
http.port: 9200
node.data: true
node.ingest: true
node.master: true
node.max_local_storage_nodes: 1
node.name: YOURSERVERNAME
path.data: your path to the data folder
path.logs: your path to the logs folder
transport.tcp.port: 9300
xpack.license.self_generated.type: basic
xpack.security.enabled: true
xpack.ssl.verification_mode: none
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.keystore.path: your path to the cacerts
xpack.security.transport.ssl.keystore.password: YourPwd
xpack.security.transport.ssl.truststore.path: your path to the cacerts
xpack.security.transport.ssl.truststore.password: YourPwd
xpack.security.transport.ssl.verification_mode: none
xpack.security.http.ssl.enabled: true
#xpack.security.http.ssl.client_authentication: none
xpack.security.http.ssl.keystore.path: your path to the cacerts
xpack.security.http.ssl.keystore.password: YourPwd
xpack.security.http.ssl.truststore.path: your path to the cacerts
xpack.security.http.ssl.truststore.password: YourPwd
Remember that any edit to those files needs a service restart in order to be effective.
IE and Chrome can behave slightly differently regarding self-signed certificates; you can add the URL to the Local Intranet zone in IE Internet Options.
Sorry for the multiple posts, timeouts prevent me from editing old posts.
keytool -genkey -alias YourServerName -keyalg RSA -keysize 2048 -dname "CN=YourServerName.FQDN.local,OU=yourOU,O=yourO,L=YourLocation,ST=Some-State,C=YourCity" -keystore cacerts -storepass YourPwd -keypass YourPwd -validity 3650 -ext SAN=dns:yourservername.fqdn.local,dns:yourservername_alias.fqdn.local
…
L=YourLocation,ST=Some-State,C=YourCity
What should I change those parameters to? I am located in the Netherlands and we have no states ))))) What if I set NL NL NL?
Yes, you can basically put whatever you want. That information is there to reflect your infra/company setup, but as it’s self-signed, there is no need to pay too much attention.
Nevertheless, the CN and the SAN value are important.
Hi! I don't have pure Java.
Instead of "cd C:\Program Files\Java\jre1.8.0_181\bin" I used
cd C:\Program Files\Elastic\Elasticsearch\7.5.0\jdk
and I didn't get the SAN parameter and used
keytool -genkey -alias vm1.elastic -keyalg RSA -keysize 2048 -dname "CN=vm1,OU=blabla BV,O=blabla,L=Roermond,ST=Lim,C=NL" -keystore cacerts -storepass password -keypass password -validity 3650
Yes yes, and I have got all the other files with OpenSSL too. I am a bit confused by these parameters in “YOUR” elastic config:
*----------------------------------------------------------
xpack.security.transport.ssl.keystore.path: your path to the cacerts
xpack.security.transport.ssl.keystore.password: YourPwd
xpack.security.transport.ssl.truststore.path: your path to the cacerts
xpack.security.transport.ssl.truststore.password: YourPwd
xpack.security.transport.ssl.verification_mode: none
*---------------------------------------------
i made something like this
xpack.security.transport.ssl.keystore.path: C:\TEMP\cacerts
xpack.security.transport.ssl.keystore.password: blablabla
xpack.security.transport.ssl.truststore.path: C:\TEMP\cacerts
xpack.security.transport.ssl.truststore.password: blablabla
xpack.security.transport.ssl.verification_mode: none
*-----------------
service would not be running
The logs say - O! NO! the certificates have to be located in the Elastic config folder C:\ProgramData\Elastic\Elasticsearch\config
Okay (I said to myself), I copied them from c:\temp and changed the config parameters - nope ((((
Yes, it seems that the cacerts file needs to be located in the config folder of Elasticsearch (C:\ProgramData\Elastic\Elasticsearch\config\cacerts), this is also the case on my side.
The same has to be done for the security.HTTP section
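Added example (not part of any post in this thread, and not Elastic's or UiPath's code): a small Python check over elasticsearch.yml for the three points raised above, namely `verification_mode: none`, keystore/truststore files outside the config folder, and store passwords written in the yml. The function names and the sample text are constructed for illustration; the config folder is the one quoted in the thread.

```python
import ntpath  # Windows path rules, whatever OS this runs on

# Config directory named in the thread (Windows install of Elasticsearch 7.5.0).
CONFIG_DIR = r"C:\ProgramData\Elastic\Elasticsearch\config"

# Constructed sample: the settings posted in the thread, plus one relative path.
SAMPLE = r"""
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.keystore.path: C:\TEMP\cacerts
xpack.security.transport.ssl.keystore.password: blablabla
xpack.security.transport.ssl.truststore.path: C:\TEMP\cacerts
xpack.security.transport.ssl.truststore.password: blablabla
xpack.security.transport.ssl.verification_mode: none
#xpack.security.http.ssl.client_authentication: none
xpack.security.http.ssl.keystore.path: cacerts
"""

def parse_flat_yaml(text):
    """Read the flat 'dotted.key: value' lines used in the thread (not full YAML)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and ":" in line:
            key, _, value = line.partition(":")
            settings[key.strip()] = value.strip()
    return settings

def inside_config_dir(path, config_dir=CONFIG_DIR):
    """Relative paths resolve against the config dir; absolute ones must sit under it."""
    root = ntpath.normcase(ntpath.normpath(config_dir))
    full = ntpath.normcase(ntpath.normpath(ntpath.join(config_dir, path)))
    return full.startswith(root + "\\")

def lint(text, config_dir=CONFIG_DIR):
    """Return (setting, finding) pairs for the three issues discussed in the thread."""
    findings = []
    for key, value in parse_flat_yaml(text).items():
        if key.endswith(".verification_mode") and value.lower() == "none":
            findings.append((key, "certificate verification is disabled"))
        elif key.endswith("store.path") and not inside_config_dir(value, config_dir):
            findings.append((key, "store file is outside the config directory"))
        elif key.endswith("store.password"):
            findings.append((key, "store password is stored in plain text"))
    return findings

if __name__ == "__main__":
    for setting, finding in lint(SAMPLE):
        print(f"{setting}: {finding}")
```

Elasticsearch accepts `certificate` or `full` as stricter values for `verification_mode`, and the store passwords can be kept in the Elasticsearch keystore as `...keystore.secure_password` / `...truststore.secure_password` instead of in the yml file.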