
Search Guard provides Elasticsearch users with encryption, authentication, authorization, audit logging and multi-tenancy. The following documentation outlines how to install Search Guard for your TeamConnect instance. Search Guard is optional and can be toggled on or off in the TeamConnect installer.
 

This documentation covers a basic installation of Search Guard for TeamConnect Global Search. For more information on generating your own security certificates or configuring Search Guard roles, please see the plugin documentation here: http://floragunncom.github.io/search-guard-docs/.

 

Ensure that JAVA_HOME points to JDK 8.

 

1. Download Elasticsearch 5.3.0 and extract the contents to a local directory.

https://www.elastic.co/downloads/past-releases/elasticsearch-5-3-0

2. Install the Search Guard plugin.

a. Open the command prompt and change directory to your Elasticsearch folder.

b. Run the command:

                bin\elasticsearch-plugin install -b com.floragunn:search-guard-5:5.3.0-12

3. Install the mapper plugin.

a. In the command prompt, change directory to your Elasticsearch folder.

b. Run the command:

          bin\elasticsearch-plugin install mapper-attachments

4. (Optional) Download and install OpenSSL (v1.0.2 recommended). Users will need to create or obtain their own security certificates, as these will not be provided by Mitratech.

 https://slproweb.com/products/Win32OpenSSL.html

5. Implement your config and certificate files.

a. Place elasticsearch.yml, node-keystore.jks and a copy of truststore.jks in the Elasticsearch/config directory.

b. Place client-keystore.jks and truststore.jks in the directory of your choosing.

c. Update teamconnect.properties settings as detailed below.

6. Close all Java instances.

7. Run the following shell commands, as administrator, from the Elasticsearch\config directory.

a. (Optional) Clean up any previously used SG aliases.

i. keytool -delete -keystore "%JAVA_HOME%\jre\lib\security\cacerts" -storepass changeit -alias <old alias name>

b. Whitelist your certificates by adding the signing authority to the Java cacerts truststore.

i. keytool -importcert -keystore "%JAVA_HOME%\jre\lib\security\cacerts" -storepass changeit -alias signing-ca -file signing-ca.crt

8. If you created your own certificates, update the elasticsearch.yml settings to match.

9. Start Elasticsearch by running "elasticsearch.bat" in Elasticsearch/bin.

10. Customize your roles and permissions. Then load these settings into Elasticsearch to initialize the cluster.

a. Open a cmd shell in "Elasticsearch\plugins\search-guard-5\tools".

b. Run the command:

sgadmin -ks ..\..\..\config\node-keystore.jks -kspass changeit -ts ..\..\..\config\truststore.jks -tspass changeit -cd ..\sgconfig -nhnv

Additional sgadmin options:

-h: elasticsearch hostname, default: localhost

-p: elasticsearch port, default: 9300 (NOT the http port!)

-cn: clustername, default: elasticsearch

Re-run this command every time Search Guard config changes are made.

 

Configuring Search Guard Properties

Navigate to elasticsearch/plugins/search-guard-5/sgconfig

Add the full name of each client keystore as below

CN=client1,OU=client,O=client,L=Test,C=DE:

    hash: "_transport_only"

 

Add the plain-text username and the bcrypt-hashed password in the format below.

The fields can be found as elasticsearch.transport.username & elasticsearch.transport.password in teamconnect.properties.

username:

    hash: $2y$10$X1B8ncqRb1B.5SrjMEjM2e9wOtggziRF0AlceAmL0In.sMaeDe91i

Add the keystore name & username to the sg_all_access group as below

 

(Optional) Create your own custom role instead of using sg_all_access and add it to SG_ROLES.YML & SG_ROLES_MAPPING.YML

sg_all_access:

    users:

         - admin

         - 'CN=client1,OU=

Search Guard Properties in teamconnect.properties

Note: These fields can be configured in the TeamConnect Installer and do not have to be edited manually. For more information on this, please see Running the Installer in the TeamConnect Installation Help.

Property: elasticsearch.client.keystore.password=[password here]

Property: elasticsearch.client.truststore.password=[password here]

Purpose: These are the passwords for your keystore and truststore after being encrypted with encrypt.jar. If you generated one from the steps above, retrieve the output from encrypt.jar using your password.

Property: elasticsearch.keystore.path=config/certs/keystore.jks

Property: elasticsearch.truststore.path=config/certs/truststore.jks

Purpose: These are the actual locations of your files. While you can use either an absolute path or a relative path in listing these, an absolute path is recommended as a best practice.

Property: elasticsearch.encryption.enabled=YES

Purpose: Set this value to "YES" to enable Search Guard. Set this value to "NO" to disable Search Guard.

Property: elasticsearch.client.notification.email=

Purpose: The email set here will receive certificate expiration notices.
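
A pre-flight check for the properties listed above, as an added example (not Mitratech or Search Guard code): it flags placeholder or plain-text store passwords, relative store paths, an encryption flag other than YES/NO, and an empty notification address. The sample values are constructed, and treating `changeit` (the store password used in the commands on this page) as a sign that encrypt.jar output was never pasted in is an assumption.

```python
from pathlib import PureWindowsPath

# Constructed sample of the Search Guard block in teamconnect.properties.
SAMPLE = """\
elasticsearch.client.keystore.password=changeit
elasticsearch.client.truststore.password=[password here]
elasticsearch.keystore.path=config/certs/keystore.jks
elasticsearch.truststore.path=C:/TeamConnect/certs/truststore.jks
elasticsearch.encryption.enabled=true
elasticsearch.client.notification.email=
"""

PREFIX = "elasticsearch."
PASSWORD_KEYS = ("client.keystore.password", "client.truststore.password")
PATH_KEYS = ("keystore.path", "truststore.path")
# Assumption: these values mean the encrypt.jar output was never pasted in.
UNENCRYPTED = {"", "[password here]", "changeit"}


def parse_properties(text):
    """Parse simple key=value lines, skipping blanks and # or ! comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in "#!" and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props


def lint(props):
    """Return a list of (property, problem) findings, in table order."""
    findings = []
    # Assumption: only the upper-case values shown on the page are accepted.
    if props.get(PREFIX + "encryption.enabled") not in ("YES", "NO"):
        findings.append((PREFIX + "encryption.enabled", 'must be "YES" or "NO"'))
    for key in PASSWORD_KEYS:
        if props.get(PREFIX + key, "") in UNENCRYPTED:
            findings.append((PREFIX + key, "missing or not encrypt.jar output"))
    for key in PATH_KEYS:
        # Windows path rules, since the page installs on Windows.
        if not PureWindowsPath(props.get(PREFIX + key, "")).is_absolute():
            findings.append((PREFIX + key, "use an absolute path"))
    if not props.get(PREFIX + "client.notification.email"):
        findings.append((PREFIX + "client.notification.email", "no expiry-notice recipient"))
    return findings

if __name__ == "__main__":
    for name, problem in lint(parse_properties(SAMPLE)):
        print(f"{name}: {problem}")
```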