Setting up certificates for type-ahead search

If you deployed Elasticsearch in your HCL Connections deployment , use these instructions to set up certificates before you configure type-ahead search.

Before you begin

Verify that the server where type-ahead search is hosted can connect to the Elasticsearch server.

About this task

You can configure type-ahead search using either the stand-alone Elasticsearch server or the Elasticsearch component of the Component Pack for Connections. Both metrics and type-ahead search use Elasticsearch, they share the destination server URL and some certificate information. Check the following steps to determine if they are required to be run type-ahead search servers, if Elasticsearch has already been enabled.

Procedure

  1. If metrics is not already enabled, then enable the type-ahead search service by completing the following steps to provide the Elasticsearch URL and port:

    If you enabled metrics, then this information was configured at that time.

    1. Open wsadmin and start the Search service by running the following commands.

      Linux example:

      cd /opt/IBM/WebSphere/DeploymentManager/profiles/Dmgr01/bin
./wsadmin.sh -lang jython -user User_name -password Password
execfile('searchAdmin.py')
    2. On the server where type-ahead search is hosted, run the following SearchService administration command, which sets the URL that type-ahead search should use to connect to the Elasticsearch instance: 
      SearchService.setESQuickResultsBaseUrl(url)
      For example:
      SearchService.setESQuickResultsBaseUrl("https://example.org:30099")

      For information on running SearchService commands, see SearchService commands.

  2. If metrics is not already enabled, or metrics and type-ahead search will be hosted in different WebSphere clusters, complete the following steps to ensure that both features can access the certificate information.

    If metrics is enabled and is hosted in the same WebSphere cluster as search, skip this step and proceed to the next topic.

    1. To ensure a secure connection to Elasticsearch, retrieve the PKCS12 and CA Signer certificates from the Elasticsearch server.
      If you are using the Component Pack Elasticsearch, run the following commands on the primary Kubernetes master to retrieve the files: 
      kubectl get secret elasticsearch-secret -n connections -o=jsonpath="{.data['chain-ca\.pem']}" | base64 -d > chain-ca.pem
kubectl get secret elasticsearch-secret -n connections -o=jsonpath="{.data['elasticsearch-metrics\.p12']}" | base64 -d > elasticsearch-metrics.p12
    2. Copy the certificate files to the Deployment Manager in a common location readable and writable by all WebSphere® Application Server users.
    3. Open wsadmin by running the following commands.

      Linux example:

      cd /opt/IBM/WebSphere/AppServer/profiles/Dmgr01/bin
./wsadmin.sh -lang jython -user User_name -password Password
    4. Run the following command to merge the signer certificate into the elasticsearch_metrics.p12 keystore: 
      execfile('esSearchAdmin.py')
enableSslForESSearch('Keystore_full_path', 'Store_password', 'Signer_CA_full_path', 'Elasticsearch_HTTPS_port')
quit
    5. Copy the updated elasticsearch_metrics.p12 file from the Deployment Manager to the same location on the WebSphere® Application Server nodes.