Configure Settings on Exalead CloudView

This section describes how to enable HTTPS on Exalead CloudView.

This task shows you how to:

See Also
Firewall Protection and Recommended HTTPS Configuration
Configure Settings on MQL (Indexing Side)
Configure Settings on FCS
Configure Settings on 3DSpace
Configuring the Connection to the CloudView Servers

Generate Your Own Certificate and Private Key

At installation time, the Exalead CloudView installer generates a self-signed certificate. However, for production, it is better to generate your own certificate signed by a trusted certificate authority.

  1. Stop the Exalead CloudView server.
  2. Verify your certificate format using the following command: 

    openssl x509 -in <infile.cert> -text -inform <format>

    The certificate must follow these requirements:

    • DER format to facilitate the integration with Java tools (certification import/export in trust stores, etc.), or PEM depending on your needs.
    • Generated key length must be: 2048 bits.
    • Modulus must be: 2048 bits.
    • Exalead CloudView also supports SHA-2 certificates.

  3. Encrypted PEM files usually storePrivate keys. Convert them to a nonencrypted file.

    You can use openssl on the command line: 

    openssl pkcs8 -topk8 -in <key> -out <hostname>-<instance>.key -nocrypt

    The Private key must follow these requirements:

    • Standard not encrypted PEM file format.
    • Generated key length must be 2048 bits.
    • It must have the following headers and footers:
      -----BEGIN PRIVATE KEY-----
-----END PRIVATE KEY-----

  4. Verify that Exalead CloudView stores the certificate correctly, using UNIX LF end of line characters:
    • On Windows, you can use the following tool: http://www.thefreecountry.com/tofrodos/index.shtml.
    • On UNIX, you can use dos2unix.
  5. On each product instance, overwrite the key and certificate files generated at installation time in DATADIR/security:
    • The public certificate: DATADIR/security/<hostname>-<instance>.cert
    • The Private key: DATADIR/security/<hostname>-<instance>.key

    Note: If you are using an alias, the Private key name must use the alias and not the default <hostname>-<instance>.

  6. Add the server certificate to the truststore of every product instance. See Add Certificates to the Keystore.

Add Certificates to the Keystore

You then have to import all cv/data/security/*.cert to <DATADIR>/security/trusted.servers.ks.

  1. Stop the Exalead CloudView server.
  2. To add the Exalead CloudView server certificate to the trusted.servers.ks keystore, use the following command: 

    keytool -import -file <.cert file (DER)> -alias <jetty> 
            -keystore DATADIR/security/trusted.servers.ks -storepass <exalead>

    Note: Exalead CloudView may generate two .cert files under <DATADIR>/security. Make sure to import both in trusted.servers.ks.

  3. When prompted for password, enter: exalead (case sensitive).
  4. To verify that the trusted.servers.ks store type is JKS, run the following command: 

    keytool -list -keystore  /…./trusted.servers.ks

    The command returns:
    Keystore type: JKS
Keystore provider: SUN
  5. Run <DATADIR>/bin/buildgct.
  6. Start Exalead CloudView server.

Enable HTTPS for Exalead CloudView APIs

This section describes how to enable HTTPS for the Exalead CloudView APIs.

  1. Stop the Exalead CloudView server.
  2. Edit <DATADIR>/config/ProductSecurity.xml.
  3. Add the following lines above <IdentityProviderConfig> (where my_certificate is the name of the .key file deployed in <DATADIR>/security): 

    <SearchAPISecurity serverCertificate="my_certificate" useHttps="true" />
<MAMISecurity serverCertificate="my_certificate" useHttps="true" />
<PushAPISecurity serverCertificate="my_certificate" useHttps="true" />

  4. Start Exalead CloudView.
    All three APIs are now HTTPS secured.