By default, without any network configuration, Elasticsearch binds to the available loopback addresses and scans ports 9300 to 9305 to attempt to connect to other nodes running on the same server. This provides an automatic clustering experience without having to do any configuration.
When it's time to create a cluster with nodes on other servers, you'll need to provide a list of IPs from other nodes in the cluster that are likely to be active and contactable. For my lab, it was not necessary to configure this property.
To prevent data loss, it is vital to configure the discovery.zen.minimum_master_nodes setting so that each master-eligible node knows the minimum number of master-eligible nodes that must be visible in order to form a cluster.
Step 6. Configure the network.host property
network.host: To form a cluster with nodes on other servers, your node will need to bind to a non-loopback address. Although there are many network configurations, generally all you need to configure is network.host.
For my environment, I left the default values configured.
NOTE: If you will configure X-Pack Security, the IP configured here should be used to create the certificates and keys.
Step 7: Configure Liferay DXP to connect to your Elasticsearch cluster.
Use the Liferay Control Panel to configure the connection to your remote Elasticsearch. Go to:
Control panel → Settings → System Settings → Search.
Click Elasticsearch 6 in the list of settings. Now you can configure it.
Here are the configuration options to change:
Cluster Name: Enter the cluster name defined in the cluster.name property of the elasticsearch.yml file.
Operation Mode: Switch to REMOTE to connect to Elasticsearch.
Transport Addresses: Enter a delimited list of transport addresses for the Elasticsearch nodes. Here, you enter the transport address of the Elasticsearch server that you started. The default value is localhost:9300, which works if Elasticsearch is running locally.
Step 8: Restart Liferay DXP and reindex your search indexes.
- Stop Liferay
- Start Elasticsearch:
- Start Liferay
- Reindex all search indexes:
- Control Panel → Setup → Search → Execute Reindex all Search Index.
Installing Liferay Enterprise Search
X-Pack is an extension of Elasticsearch for protecting and monitoring Elasticsearch clusters. X-Pack's security features include authentication for access to Elasticsearch cluster data and encryption of Elasticsearch's internal and external communications.
A Liferay Enterprise Search Premium subscription lets you access the two connectors, the X-Pack Connector and the Monitoring Connector. A Liferay Enterprise Search Standard subscription provides only the monitoring integration, so you have access only to the Monitoring Connector.
NOTE: The X-Pack comes out-of-the-box within the elasticsearch bundle.
- Download the connectors according to your subscription:
- Enterprise Search Standard
- Enterprise Search Premium
- Deploy connectors in Liferay at:
- Restart Liferay
Enabling X-Pack Security
Before starting the X-Pack security enablement process, you need the licenses. If you do not already have a subscription, you can generate a 30-day trial license.
Follow the steps in the link below to generate a 30-day trial license:
The first thing to do is enable X-Pack security.
- Add the following property to the elasticsearch.yml file of each node in your elasticsearch cluster:
- xpack.security.enabled: true
Restart the elasticsearch nodes
Setting Up X-Pack Users
On a system that uses X-Pack Security and X-Pack Monitoring, these internal X-Pack users are important:
To create the passwords for these users run the following command:
NOTE: If a message that the elastic user password has already been changed appears, you can see this link to resolve.
Enabling Transport Layer Security
- Generate Node Certificates
- Create a certificate authority, using X-Pack’s certutil command:
- ./bin/elasticsearch-certutil ca --pem --ca-dn CN=localhost
- This generates a ZIP file. Extract the contents in the [Elasticsearch Home]/config folder.
- Generate X.509 certificates and private keys using the CA created:
- ./bin/elasticsearch-certutil cert --pem --ca-cert /path/to/ca.crt --ca-key /path/to/ca.key --dns localhost --ip 127.0.0.1 --name localhost
- This generates another ZIP file. Extract the contents in the [Elasticsearch Home]/config folder.
NOTE: Use the IP that was configured in the network.host property of the elasticsearch.yml file
On each node in the elasticsearch.yml file add the following properties:
xpack.ssl.certificate: /path/to/[Elasticsearch Home]/config/localhost.crt
xpack.ssl.key: /path/to/[Elasticsearch Home]/config/localhost.key
- Enable transport layer TLS (on each node in the file elasticsearch.yml add the following properties):
- Enable TLS on the HTTP layer to encrypt client communication (on each node in the file elasticsearch.yml add the following property):
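A check to run against each node's elasticsearch.yml after the steps above, added here as an example and not part of the original guide: it reports missing authentication, missing transport or HTTP TLS, and a discovery.zen.minimum_master_nodes value below quorum (master-eligible nodes / 2 + 1). The names xpack.security.transport.ssl.enabled and xpack.security.http.ssl.enabled are the Elasticsearch 6.x settings for those two layers and are assumed here; es_setting and audit_es_config are hypothetical helper names.

```shell
#!/usr/bin/env bash
# Added example: audit a flat "key: value" elasticsearch.yml (6.x setting
# names) for the hardening steps in this guide. Nested YAML is not handled.

es_setting() {  # es_setting FILE KEY -> last value of KEY, unquoted
  awk -v key="$2" '
    /^[ \t]*#/ { next }                       # whole-line comment
    { i = index($0, ":"); if (i == 0) next
      k = substr($0, 1, i - 1); v = substr($0, i + 1)
      sub(/[ \t]+#.*$/, "", v)                # trailing comment
      gsub(/^[ \t]+|[ \t]+$/, "", k)
      gsub(/^[ \t"]+|[ \t"]+$/, "", v)
      if (k == key) val = v }
    END { print val }' "$1"
}

audit_es_config() {  # audit_es_config FILE MASTER_ELIGIBLE_NODE_COUNT
  local file="$1" masters="$2" findings=0 host mmn quorum key
  flag() { echo "FINDING: $*"; findings=$((findings + 1)); }

  [ "$(es_setting "$file" xpack.security.enabled)" = true ] ||
    flag "xpack.security.enabled is not true (no authentication)"
  [ "$(es_setting "$file" xpack.security.transport.ssl.enabled)" = true ] ||
    flag "transport TLS is off (node-to-node traffic in cleartext)"
  [ "$(es_setting "$file" xpack.security.http.ssl.enabled)" = true ] ||
    flag "HTTP TLS is off (client traffic and passwords in cleartext)"
  for key in xpack.ssl.certificate xpack.ssl.key; do
    [ -n "$(es_setting "$file" "$key")" ] || flag "$key is not set"
  done

  # A non-loopback bind makes any gap found above reachable from other hosts.
  host=$(es_setting "$file" network.host)
  case "$host" in
    ""|localhost|_local_|127.*|::1) ;;
    *) [ "$findings" -eq 0 ] || flag "network.host=$host exposes the gaps above" ;;
  esac

  # Quorum of master-eligible nodes; the setting defaults to 1 when absent.
  mmn=$(es_setting "$file" discovery.zen.minimum_master_nodes)
  quorum=$((masters / 2 + 1))
  [ "${mmn:-1}" -ge "$quorum" ] ||
    flag "discovery.zen.minimum_master_nodes=${mmn:-1}, need $quorum of $masters"
  return "$((findings > 0))"
}

# Constructed sample: security enabled, but no TLS and no quorum setting.
sample=$(mktemp)
printf '%s\n' 'network.host: 192.168.10.5' 'xpack.security.enabled: true' > "$sample"
audit_es_config "$sample" 3 || echo "config needs attention"
```

Pass the number of master-eligible nodes in the cluster as the second argument; the function returns non-zero when anything is flagged.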
Configure the Liferay Connector to X-Pack Security
- Create the following file in [Liferay_Home]/osgi/configs:
- Add the following properties:
NOTE: Remember to change the path of certificates and keys
Configure Liferay Enterprise Search Monitoring
Monitoring is enabled in Elasticsearch by default, but data collection is not. Enable data collection by adding this line to elasticsearch.yml:
- xpack.monitoring.collection.enabled: true
- Download Kibana according to the version of elasticsearch you are using;
- Unzip Kibana in the desired directory;
- Tell Kibana which Elasticsearch instance to monitor in the kibana.yml file:
- elasticsearch.url: "http://localhost:9200"
NOTE: If SSL is enabled on Elasticsearch, this is an https URL.
If you’re using X-Pack’s security features on the Elasticsearch server.
CONFIGURE KIBANA WITH AUTHENTICATION
If X-Pack requires authentication to access the Elasticsearch cluster, follow these steps:
- Set the password for the built-in kibana user in [Kibana Home]/config/kibana.yml:
- elasticsearch.username: "kibana"
- elasticsearch.password: "liferay"
- The password used in this step was created earlier, in the section Setting Up X-Pack Users above.
- Once Kibana is installed, you can change the built-in user passwords from the Management user interface.
CONFIGURING KIBANA WITH ENCRYPTION
Add these settings to kibana.yml:
elasticsearch.ssl.certificateAuthorities: [ "/path/to/ca.crt" ]
server.ssl.certificate: /path/to/[Elasticsearch Home]/config/localhost.crt
server.ssl.key: /path/to/[Elasticsearch Home]/config/localhost.key
NOTE: Remember to change the path of certificates and keys
Configuring the Liferay Connector to X-Pack Monitoring
- Once the connector is installed and Kibana and Elasticsearch are securely configured, create a configuration file named:
- Place these settings in the .config file:
NOTE: The values depend on your Kibana configuration. For example, use a secure URL such as kibanaURL="https://localhost:5601" if you’re using X-Pack Security features.
- Deploy this configuration file to [Liferay Home]/osgi/configs, and your running instance applies the settings. There’s no need to restart the server.
IF YOU WANT TO USE LIFERAY X-PACK MONITORING PORTLET INSTEAD OF THE KIBANA ADMIN DASHBOARD, CONFIGURE THE FOLLOWING SETTINGS
- There are two more settings to add to Kibana itself. The first forbids Kibana from rewriting requests prefixed with server.basePath. The second sets Kibana’s base path for the Monitoring portlet to act as a proxy for Kibana’s monitoring UI. Add this to kibana.yml:
NOTE: Once you set the server.basePath, you cannot access the Kibana UI through Kibana’s URL (e.g., https://localhost:5601). All access to the Kibana UI is through the Monitoring portlet.
- Because you’re using the Monitoring portlet in Liferay DXP as a proxy to Kibana’s UI, if you are using X-Pack Security, you must configure the application server’s startup JVM parameters to recognize a valid truststore and password.
- Navigate to Elasticsearch Home and generate a PKCS#12 certificate from the CA you created when setting up X-Pack security:
./bin/elasticsearch-certutil cert --ca-cert /path/to/ca.crt --ca-key /path/to/ca.key --ip 127.0.0.1 --dns localhost --name localhost --out /path/to/Elasticsearch_Home/config/localhost.p12
NOTE: If the network.host property of the elasticsearch.yml file has been configured, you must use it here.
- Next use the keytool command to generate a truststore:
keytool -importkeystore -deststorepass liferay -destkeystore /path/to/truststore.jks -srckeystore /path/to/Elasticsearch_Home/config/localhost.p12 -srcstoretype PKCS12 -srcstorepass liferay
- Add the truststore path and password to your application server’s startup JVM parameters. Here are example truststore and path parameters for appending to a Tomcat server’s CATALINA_OPTS:
Monitoring in Liferay DXP
Once Kibana and X-Pack are successfully installed and configured and all the servers are running, add the X-Pack Monitoring portlet to a page:
- Open the Add menu on a page and choose Widgets
- Search for monitoring and drag the X-Pack Monitoring widget from the Search category onto the page.