Security

​

Required software

• Java Development Kit. To store certificates, you can use the Java keytool Key and Certificate Management utility which is a part of the JDK.
• OpenSSL. You might need the openssl command line tool:
  • If you have the certificate chain and private key as separate files, then you can use the openssl command line tool to create a PKCS #12 file.
  • If you have an intermediate CA certificate, then you can use it and openssl to generate the certificate chain and private key files.

​

Load an SSL certificate into a Fusion keystore

• Self-signed certificate. If Fusion is behind a firewall, you can use a self-signed certificate for SSL communication with other hosts in your internal network. Create a keystore for the Fusion Proxy service and load the keystore with the self-signed PKCS #12 certificate.
• Certificate signed by a certificate authority. In a production environment, SSL certificates typically originate with certificate signing requests (CSRs) and are signed by a trusted third-party Certificate Authority (CA). Create a keystore for the Fusion Proxy service and load the keystore with the PKCS #12 certificate from a CA.

​

Alternative 1: Self-signed certificate

1. Set environment variables:
   Copy

   export JAVA_HOME=JavaHomeDirectory
   export FUSION_HOME=FusionHomeDirectory
   

2. Create the Fusion Proxy service keystore, generate the key pair and self-signed certificate, and load them into the keystore:
   Copy

   "$JAVA_HOME/bin/keytool" -genkeypair -keystore "$FUSION_HOME/apps/jetty/proxy/etc/keystore" -dname "CN=CommonName, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown" -keypass KeyPassword -storepass KeystorePassword -keyalg RSA -alias selfsigned -deststoretype pkcs12 -ext SAN=dns:ServerFqdn,ip:ServerIpAddress
   

   You must include the qualified domain name and/or the IP address of the Fusion server in the -ext SAN part of the command. Failure to do so results in SSL validation errors.
   Example command:
   Copy

   "$JAVA_HOME/bin/keytool" -genkeypair -keystore "$FUSION_HOME/apps/jetty/proxy/etc/keystore" -dname "CN=search.mycorp, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown" -keypass 59Winter.Is.Long45 -storepass 46I.Prefer.Vanilla24 -keyalg RSA -alias selfsigned -deststoretype pkcs12 -ext SAN=dns:search.mycorp,ip:192.168.1.40,dns:localhost
   

https://search.mycorp:ProxyPort
https://192.168.1.40:ProxyPort
https://localhost:ProxyPort

​

Alternative 2: CA-signed certificate

​

Preliminary steps

1. Obtain a domain from a domain registrar.
2. Change the A record of your domain to the public IP address of your web server instance.

​

Generate SSL certificate files

• Certificate chain and private key files. In this case, you will need to convert these files into a single certificate file in PKCS #12 format.
• A PKCS #12 certificate. This must contain both the certificate chain and private key. In this case, no conversion is necessary.

1. In most cases, you will need to temporarily open ports 80 and 443 in your firewall configuration. The SSL certificate provider must be able to make successful HTTP and HTTPS requests to your server through the Domain Name System (DNS).
2. Use an SSL certificate provider to generate the certificate chain (fullchain.pem) and private key (privkey.pem) files, or the PKCS #12 certificate, from a trusted CA. Steps will vary based on the certificate provider. Contact your certificate provider for details.
3. Close ports 80 and 443 in your firewall configuration.
4. Change the A record of your domain to the public domain-name address of your web server instance.

• If you have certificate chain and private key files, perform the steps in Convert the certificate chain and private key files to a PKCS #12 certificate and Import the PKCS #12 certificate into the Fusion Proxy service keystore.
• If you have a PKCS #12 certificate, perform the steps in Import the PKCS #12 certificate into the Fusion Proxy service keystore.

​

Convert the certificate chain and private key files to a PKCS #12 certificate

openssl pkcs12 -export -out /path/to/keystore.p12 -in /path/to/fullchain.pem -inkey /path/to/privkey.pem

​

Create the Fusion Proxy service keystore and import the PKCS #12 certificate

1. To create the keystore and import the PKCS #12 certificate:
2. Use the keytool import command to create a JSSE keystore.
   Copy

   keytool -importkeystore -srckeystore /path/to/keystore.p12 -srcstoretype PKCS12 -destkeystore "$FUSION_HOME/apps/jetty/proxy/etc/keystore" -deststoretype PKCS12
   

3. (Optional) If desired, delete the PKCS #12 certificate file that resides outside of the Fusion Proxy service keystore (the one you created from the certificate chain and private key files, or obtained from a trusted CA.
   Copy

   rm /path/to/keystore.p12
   

​

Enable HTTPS in the Fusion Proxy service

1. (Only for Fusion Server 4.0.x and 4.1.0) Prevent the start.jar program from downloading a default keystore file, which is not needed. Edit $FUSION_HOME/apps/jetty/home/modules/ssl.mod. Comment out the indicated line using #. Change:
   Copy

   [files]
   https://raw.githubusercontent.com/eclipse/jetty.project/master/jetty-server/src/test/config/etc/keystore?id=${jetty.tag.version}|etc/keystore
   

   To:
   Copy

   [files]
   # https://raw.githubusercontent.com/eclipse/jetty.project/master/jetty-server/src/test/config/etc/keystore?id=${jetty.tag.version}|etc/keystore
   

2. Set environment variables:
   Copy

   export JAVA_HOME=JavaHomeDirectory
   export FUSION_HOME=FusionHomeDirectory
   

3. Add HTTPS protocol support to the Jetty TLS (SSL) connector:
   Copy

   cd "$FUSION_HOME/apps/jetty/proxy/"
   java -jar "$FUSION_HOME/apps/jetty/home/start.jar" --add-to-start=https
   

   Example output:
   Copy

   INFO: ssl             initialized (transitively) in ${jetty.base}/start.ini
   INFO: https           initialized in ${jetty.base}/start.ini
   INFO: Base directory was modified
   

4. Get the obfuscated version of your keystore password:
   Copy

   java -cp "$FUSION_HOME/apps/jetty/home/lib/*" org.eclipse.jetty.util.security.Password PASSWORD
   

   Replace PASSWORD with the password you used for the keystore. If the password contains special characters, URL encode them. Example output:
   Copy

   2018-05-15 12:32:48.988:INFO::main: Logging initialized @133ms
   password345XYZ
   OBF:1vn21ugu1saj1v9i1v941sar1ugw1vo0
   MD5:b91cd1a54781790beaa2baf741fa6789
   

5. Edit the file $FUSION_HOME/apps/jetty/proxy/start.ini:
   1. Include obfuscated passwords by adding these properties to the end of the file:
      Copy

      * `jetty.sslContext.keyStorePassword`
      * `jetty.sslContext.keyManagerPassword`
      * `jetty.sslContext.trustStorePassword`
      

   2. Use the OBF-encrypted password from step 4 (including the OBF: string) as the value for all three of the properties.
      For example:
      Copy

      ## Keystore password
      jetty.sslContext.keyStorePassword=OBF:2uha1vgt1jg01a4b1a4j1jda1vg11ugg
      
      ...
      
      ## KeyManager password
      jetty.sslContext.keyManagerPassword=OBF:2uha1vgt1jg01a4b1a4j1jda1vg11ugg
      
      ## Truststore password
      jetty.sslContext.trustStorePassword=OBF:2uha1vgt1jg01a4b1a4j1jda1vg11ugg
      

   3. Set the local SSL port by adding the jetty.ssl.port property to the end of the file, and providing the port number. For example:
      Copy

      ## Connector port to listen on
      jetty.ssl.port=8443
      

   4. Save the file $FUSION_HOME/apps/jetty/proxy/start.ini.

​

Restart Fusion and test access through HTTPS

1. Restart all Fusion services:
   Copy

   ./bin/fusion restart
   

   HTTPS should now be enabled in the Fusion Proxy service.
2. Sign in to the Fusion UI. Specify the HTTPS URL scheme and SSL port, for example, https://search.mycorp:8443.

​

Disable HTTP access to the Fusion Proxy service

• Disable HTTP access on the firewall or load balancer - This is the preferred approach.
• Disable listening for HTTP requests in the Fusion Proxy service

​

Alternative 1: Disable HTTP access on the firewall or load balancer

1. Disallow all requests for port 8764 from the outside world. Only localhost should be able to communicate with Fusion on the non-SSL port 8764. Block all other requestors.
2. If you are using a firewall or load balancer in front of Fusion, use it to redirect all HTTP requests to use HTTPS instead. For example, Apache would redirect all incoming HTTP traffic to HTTPS.

​

Alternative 2: Disable listening for HTTP requests in the Fusion Proxy service

1. Edit /opt/lucidworks/fusion/latest.x/apps/jetty/proxy/start.d/http.ini.
   1. Change this line:
      Copy

      --module=http
      

      To:
      Copy

      #--module=http
      

   2. Save the file.
2. Edit the Fusion configuration file, /opt/lucidworks/fusion/latest.x/conf/fusion.cors.
   1. Ensure that the Agent JVM uses the Fusion Proxy service’s keystore by adding this to the end of the file:
      Copy

      agent.jvmOptions=-Djavax.net.ssl.trustStore="${FUSION_HOME}/apps/jetty/proxy/etc/keystore" -Djavax.net.ssl.trustStorePassword=PASSWORD -Djavax.net.ssl.keyStore="${FUSION_HOME}/apps/jetty/proxy/etc/keystore" -Djavax.net.ssl.keyStorePassword=PASSWORD
      

      Replace PASSWORD with your Fusion keystore password.
   2. Uncomment the default.address and change it to the hostname of the server that is validated by your SSL certificate.
      If the hostname saved in default.address is not validated by your SSL certificate, then the Fusion Proxy service will not start, because the agent’s liveness detector will not be able to access the HTTPS port to determine whether Fusion is running.
      If you self-signed the certificate, then the default.address must match the hostname you specified while signing the certificate. Failure to do this will result in the Fusion Proxy service not starting after you have disabled HTTP.
      For example, if your SSL certificate’s validated hostname is search.mycorp, then change:
      Copy

      #default.address = 127.0.0.1
      

      To:
      Copy

      default.address = search.mycorp
      

   3. Change the proxy.port to the SSL port you chose.
   4. Uncomment proxy.ssl and change its value to true. Change:
      Copy

      # proxy.ssl=false
      

      To:
      Copy

      proxy.ssl=true
      

​

References and tutorials

• Transport Layer Security (Wikipedia)
• Public Key Certificate (Wikipedia)
• OpenSSL Cookbook (free ebook)
• OpenSSL Command Line Utilities (OpenSSL wiki)
• Java Tutorials: Generating and Verifying Certificates
• IBM developerWorks: What is the JSSE all about?

​

Required software

• Java Development Kit. To store certificates, you can use the Java keytool Key and Certificate Management utility which is a part of the JDK.
• OpenSSL. You might need the openssl command line tool:
  • If you have the certificate chain and private key as separate files, then you can use the openssl command line tool to create a PKCS #12 file.
  • If you have an intermediate CA certificate, then you can use it and openssl to generate the certificate chain and private key files.

​

Overview of procedure

1. Load an SSL certificate into a Fusion keystore.
2. Enable SSL in the Fusion Proxy service.
3. Restart Fusion and test access through HTTPS.
4. Disable HTTP access to the Fusion Proxy service.

​

Load an SSL certificate into a Fusion keystore

• Self-signed certificate. If Fusion is behind a firewall, you can use a self-signed certificate for SSL communication with other hosts in your internal network. Create a keystore for the Fusion Proxy service and load the keystore with the self-signed PKCS #12 certificate.
• Certificate signed by a certificate authority. In a production environment, SSL certificates typically originate with certificate signing requests (CSRs) and are signed by a trusted third-party Certificate Authority (CA). Create a keystore for the Fusion Proxy service and load the keystore with the PKCS #12 certificate from a CA.

​

Alternative 1: Self-signed certificate

1. Set environment variables:
   Copy

   set JAVA_HOME=JavaHomeDirectory
   set FUSION_HOME=FusionHomeDirectory
   

2. Create the Fusion Proxy service keystore, generate the key pair and self-signed certificate, and load them into the keystore:
   Copy

   "%JAVA_HOME%\bin\keytool.exe" -genkeypair -keystore "%FUSION_HOME%\apps\jetty\proxy\etc\keystore" -dname "CN=CommonName, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown" -keypass KeyPassword -storepass KeystorePassword -keyalg RSA -alias selfsigned -deststoretype pkcs12 -ext SAN=dns:ServerFqdn,ip:ServerIpAddress
   

   You must include the qualified domain name and/or the IP address of the Fusion server in the -ext SAN part of the command. Failure to do so results in SSL validation errors.
   Example command:
   Copy

   "%JAVA_HOME%\bin\keytool.exe" -genkeypair -keystore "%FUSION_HOME%\apps\jetty\proxy\etc\keystore" -dname "CN=CommonName, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown" -keypass 59Winter.Is.Long45 -storepass 46I.Prefer.Vanilla24 -keyalg RSA -alias selfsigned -deststoretype pkcs12 -ext SAN=dns:search.mycorp,ip:192.168.1.40,dns:localhost
   

   The resulting certificate enables validated SSL transport to these hosts:

https://search.mycorp:ProxyPort
https://192.168.1.40:ProxyPort
https://localhost:ProxyPort

​

Alternative 2: CA-signed certificate

​

Preliminary steps

1. Obtain a domain from a domain registrar.
2. Change the A record of your domain to the public IP address of your web server instance.

​

Generate SSL certificate files

• Certificate chain and private key files. In this case, you will need to convert these files into a single certificate file in PKCS #12 format.
• A PKCS #12 certificate that contains both the certificate chain and private key. In this case, no conversion is necessary.

1. In most cases, you will need to temporarily open ports 80 and 443 in your firewall configuration. The SSL certificate provider must be able to make successful HTTP and HTTPS requests to your server through the Domain Name System (DNS).
2. Use an SSL certificate provider to generate the certificate chain (fullchain.pem) and private key (privkey.pem) files, or the PKCS #12 certificate, from a trusted CA. Steps will vary based on the certificate provider. Contact your certificate provider for details.
3. Close ports 80 and 443 in your firewall configuration.
4. Change the A record of your domain to the public domain-name address of your web server instance.

• If you have certificate chain and private key files, perform the steps in Convert the certificate chain and private key files to a PKCS #12 certificate and Import the PKCS #12 certificate into the Fusion Proxy service keystore.
• If you have a PKCS #12 certificate, perform the steps in Import the PKCS #12 certificate into the Fusion Proxy service keystore.

​

Convert the certificate chain and private key files to a PKCS #12 certificate

openssl pkcs12 -export -out \path\to\keystore.p12 -in \path\to\fullchain.pem -inkey \path\to\privkey.pem

​

Create the Fusion Proxy service keystore and import the PKCS #12 certificate

1. To create the keystore and import the PKCS #12 certificate:
   Copy

   "%JAVA_HOME%\bin\keytool.exe" -genkeypair -alias mykeystore -keyalg RSA -keysize 2048 -keystore keystore.jks
   
   "%JAVA_HOME%\bin\keytool.exe" -importkeystore -srckeystore mycertificate.p12 -srcstoretype PKCS12 -destkeystore keystore.jks
   

2. Use the keytool import command to create a JSSE keystore.
   Copy

   keytool -importkeystore -srckeystore \path\to\keystore.p12 -srcstoretype PKCS12 -destkeystore "%FUSION_HOME%\apps\jetty\proxy\etc\keystore" -deststoretype PKCS12
   

3. (Optional) If desired, delete the PKCS #12 certificate file that resides outside of the Fusion Proxy service keystore (the one you created from the certificate chain and private key files, or obtained from a trusted CA.
   Copy

   del \path\to\keystore.p12
   

​

Enable HTTPS in the Fusion Proxy service

1. Set environment variables:
   Copy

   set JAVA_HOME=JavaHomeDirectory
   set FUSION_HOME=FusionHomeDirectory
   

2. Add HTTPS protocol support to the Jetty TLS (SSL) connector:
   Copy

   cd "%FUSION_HOME%\apps\jetty\proxy\"
   java -jar "%FUSION_HOME%\apps\jetty\home\start.jar" --add-to-start=https
   

   Example output:
   Copy

   INFO: ssl             initialized (transitively) in ${jetty.base}/start.ini
   INFO: https           initialized in ${jetty.base}/start.ini
   INFO: Base directory was modified
   

3. Get the obfuscated version of your keystore password:
   Copy

   java -cp "$FUSION_HOME/apps/jetty/home/lib/*" org.eclipse.jetty.util.security.Password PASSWORD
   

   Replace PASSWORD with the password you used for the keystore. If the password contains special characters, URL encode them. Example output:
   Copy

   2018-05-15 12:32:48.988:INFO::main: Logging initialized @133ms
   password345XYZ
   OBF:1vn21ugu1saj1v9i1v941sar1ugw1vo0
   MD5:b91cd1a54781790beaa2baf741fa6789
   

4. Edit the file %FUSION_HOME%\apps\jetty\proxy\start.ini:
   1. Include obfuscated passwords by adding these properties to the end of the file:
      • jetty.sslContext.keyStorePassword
      • jetty.sslContext.keyManagerPassword
      • jetty.sslContext.trustStorePassword
   2. Use the OBF-encrypted password from step 4 (including the OBF: string) as the value for all three of the properties.
      For example:
      Copy

      ## Keystore password
      jetty.sslContext.keyStorePassword=OBF:2uha1vgt1jg01a4b1a4j1jda1vg11ugg
      
      ...
      
      ## KeyManager password
      jetty.sslContext.keyManagerPassword=OBF:2uha1vgt1jg01a4b1a4j1jda1vg11ugg
      
      ## Truststore password
      jetty.sslContext.trustStorePassword=OBF:2uha1vgt1jg01a4b1a4j1jda1vg11ugg
      

   3. Set the local SSL port by adding the jetty.ssl.port property to the end of the file, and providing the port number. For example:
      Copy

      ## Connector port to listen on
      jetty.ssl.port=8443
      

   4. Save the file %FUSION_HOME%\apps\jetty\proxy\start.ini.

​

Restart Fusion and test access through HTTPS

1. Restart all Fusion services:
   Copy

   bin\fusion.cmd restart
   

   HTTPS should now be enabled in the Fusion Proxy service.
2. Sign in to the Fusion UI. Specify the HTTPS URL scheme and SSL port, for example, https://search.mycorp:8443.

​

Disable HTTP access to the Fusion Proxy service

• Disable HTTP access on the firewall or load balancer - This is the preferred approach.
• Disable listening for HTTP requests in the Fusion Proxy service

​

Alternative 1: Disable HTTP access on the firewall or load balancer

1. Disallow all requests for port 8764 from the outside world. Only localhost should be able to communicate with Fusion on the non-SSL port 8764. Block all other requestors.
2. If you are using a firewall or load balancer in front of Fusion, use it to redirect all HTTP requests to use HTTPS instead. For example, Apache would redirect all incoming HTTP traffic to HTTPS.

​

Alternative 2: Disable listening for HTTP requests in the Fusion Proxy service

1. Edit \lucidworks\fusion\latest.x\apps\jetty\proxy\start.d\http.ini.
   1. Change this line:
      Copy

      --module=http
      

      To:
      Copy

      #--module=http
      

   2. Save the file.
2. Edit the Fusion configuration file, \lucidworks\fusion\latest.x\conf\fusion.cors.
   1. Ensure that the Agent JVM uses the Fusion Proxy service’s keystore by adding this to the end of the file:
      Copy

      agent.jvmOptions=-Djavax.net.ssl.trustStore="%{FUSION_HOME}%\\apps\\jetty\\proxy\\etc\\keystore" -Djavax.net.ssl.trustStorePassword=PASSWORD -Djavax.net.ssl.keyStore="%{FUSION_HOME}%\\apps\\jetty\\proxy\\etc\\keystore" -Djavax.net.ssl.keyStorePassword=PASSWORD
      

      Replace PASSWORD with your Fusion keystore password.
   2. Uncomment the default.address and change it to the hostname of the server that is validated by your SSL certificate.
      If the hostname saved in default.address is not validated by your SSL certificate, then the Fusion Proxy service will not start, because the agent’s liveness detector will not be able to access the HTTPS port to determine whether Fusion is running.
      If you self-signed the certificate, then the default.address must match the hostname you specified while signing the certificate. Failure to do this will result in the Fusion Proxy service not starting after you have disabled HTTP.
      For example, if your SSL certificate’s validated hostname is search.mycorp, then change:
      Copy

      #default.address = 127.0.0.1
      

      To:
      Copy

      default.address = search.mycorp
      

   3. Change the proxy.port to the SSL port you chose. For example, change:
      Copy

      proxy.port = 8764
      

      To:
      Copy

      proxy.port = 8443
      

   4. Uncomment proxy.ssl and change its value to true. Change:
      Copy

      # proxy.ssl=false
      

      To:
      Copy

      proxy.ssl=true
      

​

References and tutorials

• Transport Layer Security (Wikipedia)
• Public Key Certificate (Wikipedia)
• OpenSSL Cookbook (free ebook)
• OpenSSL Command Line Utilities (OpenSSL wiki)
• Java Tutorials: Generating and Verifying Certificates
• IBM developerWorks: What is the JSSE all about?

​

Configure a Security Realm in Fusion

1. In the Fusion workspace, navigate to System > Access Control.
2. Click Security Realms.
3. Click Add Security Realm.
4. Enter the following information for the new realm:
   • Enter a Name. The name must be unique and should be descriptive yet short.
   • Select saml from the Type pulldown menu.
   When you select a type, Fusion displays additional configuration options.
   • The default value for Enabled is true. This setting controls whether or not Fusion allows user logins for this security realm.
   • The default value for Ephemeral Users is false. When disabled, this setting prevents ephemeral users from being created in ZooKeeper during login. If enabled, this property negates Auto Create Users.
   • The default value for Auto Create Users is true. If enabled, a user account is created automatically upon initial authentication. If disabled, then a Fusion user with admin permissions must create Fusion users.

• Enter the Identity Provider URL. This URL is used by the SAML authority for single sign-on. For example: https://www.example.com/APP-PATH/adfs/ls
• Enter the URL of the IdP Issuer. For example: http://www.example.com/adfs/services/trust.
  • IdP Issuer must match <saml:Issuer> in the SAML payload.
• Optional: Provide the App Issuer. This field is required if there is an audienceRestriction in the SAML assertion and must match <saml:Audience> in the SAML payload.
• In the Certificate Fingerprint, paste the contents of the SAML authority certificate, without the certificate header and footer.
• Optional: Enter the User ID Attribute. By default, the Fusion username is the same as the login name known to the Identity Provider. When another field or attribute in the user record stored by the IdP should be used as the Fusion username, that attribute name is the value of the User ID Attribute.
• Optional: Provide a Post Login Redirect URL. If not set, the Fusion URL is used.
• Optional: Provide a Logout URL.
  1. Optional: Under Groups Mapping, specify the Group Name Attribute and add group mappings.
  2. Click Save.

​

Set up the application (relying party trust) in AD FS

1. Launch the Add Relying Party Trust Wizard, then select Claims aware.
2. Choose the option to enter the data manually.
3. Set a Display name.
4. Configure URL. Enable the option for SAML 2.0 WebSSO protocol.
5. Set the Relying party trust identifier to the URL of the Fusion application.
6. Edit the Claim Rules to pass through the User Principal Name as the NameID claim.
7. In a terminal, create the OAuth AD FS client for the Fusion application:
   Copy

   Add-ADFSClient -Name "Fusion OAuth" -ClientId "1234567890-ABCDEF" -RedirectUri="http://localhost:8080/oauthLogin"
   

​

Configure the OAuth module for the application setup in AD FS

client-id: 168f3ee4-63fc-4723-a61a-6473f6cb515d
adfs-url: https://your-adfs-server/adfs
resource: http://localhost:8080
high-trust: false

• The client-id is the ID that was set up against AD FS using the Add-ADFSClient PowerShell command.
• The adfs-url is the URL of the AD FS server with the /adfs context appended.
• The resource is the relying party trust identifier set up in AD FS management.
• The high-trust parameter is only required when integrating the AD FS and SharePoint modules. This article is only concerned with authentication against AD FS.

​

Test the authentication

​

Prerequisites

• Oracle Java JDK 1.8

​

New installations

​

1. Create a JKS

​

2. Create a Certificate Signing Request (CSR)

​

3. Send the CSR to your CA to get a signed certificate

• A PKCS12 certificate file, such as CAreply.pkcs. This is a full keystore containing all the keys you need, including the root certificate and the signed chain certificate.
• Several PEM files, such as 0000_cert.pem, 0000_chain.pem, and 0001_chain.pem. These files contain the root certificate, the chain certificate(s), and the signed chain certificate.

​

4. Import the signed certificate into the api-gateway.jks

• If you received a PKCS file, import it using the following keytool command:

• If you receive PEM files, run the following commands to import the keys:
  • keytool -importcert -alias root -file 0000_cert.pem -keystore api-gateway.jks -trustcacerts
  • keytool -importcert -alias intermediate -file 0000_chain.pem -keystore api-gateway.jks -trustcacerts
  • keytool -importcert -alias jwt-signer -file 0001_chain.pem -keystore api-gateway.jks -trustcacerts

​

5. Upload the api-gateway.jks as a Kubernetes generic secret

1. Delete the <namespace>-api-gateway.jks secret if it already exists.
2. Upload the new secret with the following command:

​

6. Install Fusion 5 using Helm

​

Existing installation

​

1. Create a JKS with your CA certificate or the java keytool

​

2. Scale down Fusion deployment to 0

​

3. Delete the existing Kubernetes JKS secret for Fusion

​

4. Create a Kubernetes secret with the JKS using the name of the deployment

​

5. Scale up Fusion deployment

​

Obtain each public certificate in .pem format.

openssl s_client -connect self-signed.badssl.com:443 2>/dev/null </dev/null |  sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > /home/ndipiazza/Downloads/spark-ssl-test/badssl-com-chain.pem

​

Trust store certificate option

1. Embed at runtime each enterprise/self-signed certificate to a local trust store used by the Apache HttpClient.

​

Add each public certificate to the trust store

1. Download the truststore from the fusion-truststore Kubernetes secret to a local folder.
2. Add any additional certificates to the truststore that you need using Java’s keytool.
3. Upload the updated truststore back to the secrets store.

# add a cert to the truststore

cert_to_add=/home/ndipiazza/Downloads/spark-ssl-test/badssl-com-chain.pem

kubectl get secret fusion-truststore \
    --namespace=$NAMESPACE \
    -o jsonpath="{['data']['truststore\\.jks']}" | \
base64 -d > truststore.jks

keytool -import -alias self-signed.badssl.com -keystore truststore.jks -file "${cert_to_add}" -storepass changeit

echo "\"$(cat truststore.jks | base64 -w 0)\"" > truststore.jks.base64

kubectl get secret fusion-truststore \
    --namespace=$NAMESPACE \
    -o json | \
jq --slurpfile enc truststore.jks.base64 '.data["truststore.jks"]=$enc[0]' | \
kubectl apply -f -

​

Verifying it works

import org.apache.commons.io.IOUtils
import org.apache.http.client.methods.HttpGet
import org.apache.http.impl.client.HttpClients

import java.io.{IOException, InputStream}
import java.security.cert.{CertificateFactory, X509Certificate}
import java.security.{GeneralSecurityException, KeyStore}

def url = "https://self-signed.badssl.com"

def createEmptyKeyStore(): KeyStore = {
  val keyStore = KeyStore.getInstance("JKS")
  keyStore.load(null, null);
  keyStore;
}

@throws[IOException]
@throws[GeneralSecurityException]
def loadCertificate(publicCertIn: InputStream): X509Certificate = {
  val factory = CertificateFactory.getInstance("X.509")
  val cert = factory.generateCertificate(publicCertIn).asInstanceOf[X509Certificate]
  cert
}

/**
 * Returns the text content from a REST URL. Returns a blank String if there
 * is a problem.
 */
def getRestContent(url:String): String = {
  val httpClient = HttpClients.custom()
    .build();
  val httpResponse = httpClient.execute(new HttpGet(url))
  val entity = httpResponse.getEntity
  var content = ""
  if (entity != null) {
    val inputStream = entity.getContent
    content = IOUtils.toString(inputStream)
    inputStream.close()
  }
  httpClient.close()
  content
}

val content = getRestContent(url)
println(content);

​

Embed each enterprise/self-signed certificate to a local trust store used by the Apache HttpClient at runtime

• If you do not have Kubernetes admin access to edit the keystore secret.
• If the HTTPS URL is isolated to a single job or pipeline stage, as it is simpler to do it this way versus adding it to the keystore.

​

How to use it

1. Use the X.509 certificate file created earlier and copy it as text. In your program, create a map of {alias, pem file string} called trustedPublicCertificates that contains your public certificates.
2. Replace trustedPublicCertificates with an alias name as the key of the map, then set the PEM file string contents as the value.
3. Use the Apache HttpClient to access the resource.

​

Examples

• Scala
• Nashorn JavaScript
• Java

Scala Example:

import org.apache.commons.io.IOUtils
import org.apache.http.client.methods.HttpGet
import org.apache.http.conn.ssl.SSLConnectionSocketFactory
import org.apache.http.impl.client.HttpClients
import org.apache.http.ssl.SSLContexts

import java.io.{ByteArrayInputStream, IOException, InputStream}
import java.security.{GeneralSecurityException, KeyStore}
import java.security.cert.{CertificateFactory, X509Certificate}
import javax.net.ssl.HostnameVerifier

def url = "https://self-signed.badssl.com"

def trustedPublicCertificates = Map("sharepoint-local" -> "-----BEGIN CERTIFICATE-----\nMIIDeTCCAmGgAwIBAgIJAMnA8BB8xT6wMA0GCSqGSIb3DQEBCwUAMGIxCzAJBgNV\nBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1TYW4gRnJhbmNp\nc2NvMQ8wDQYDVQQKDAZCYWRTU0wxFTATBgNVBAMMDCouYmFkc3NsLmNvbTAeFw0y\nMTEwMTEyMDAzNTRaFw0yMzEwMTEyMDAzNTRaMGIxCzAJBgNVBAYTAlVTMRMwEQYD\nVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1TYW4gRnJhbmNpc2NvMQ8wDQYDVQQK\nDAZCYWRTU0wxFTATBgNVBAMMDCouYmFkc3NsLmNvbTCCASIwDQYJKoZIhvcNAQEB\nBQADggEPADCCAQoCggEBAMIE7PiM7gTCs9hQ1XBYzJMY61yoaEmwIrX5lZ6xKyx2\nPmzAS2BMTOqytMAPgLaw+XLJhgL5XEFdEyt/ccRLvOmULlA3pmccYYz2QULFRtMW\nhyefdOsKnRFSJiFzbIRMeVXk0WvoBj1IFVKtsyjbqv9u/2CVSndrOfEk0TG23U3A\nxPxTuW1CrbV8/q71FdIzSOciccfCFHpsKOo3St/qbLVytH5aohbcabFXRNsKEqve\nww9HdFxBIuGa+RuT5q0iBikusbpJHAwnnqP7i/dAcgCskgjZjFeEU4EFy+b+a1SY\nQCeFxxC7c3DvaRhBB0VVfPlkPz0sw6l865MaTIbRyoUCAwEAAaMyMDAwCQYDVR0T\nBAIwADAjBgNVHREEHDAaggwqLmJhZHNzbC5jb22CCmJhZHNzbC5jb20wDQYJKoZI\nhvcNAQELBQADggEBAC4DensZ5tCTeCNJbHABYPwwqLUFOMITKOOgF3t8EqOan0CH\nST1NNi4jPslWrVhQ4Y3UbAhRBdqXl5N/NFfMzDosPpOjFgtifh8Z2s3w8vdlEZzf\nA4mYTC8APgdpWyNgMsp8cdXQF7QOfdnqOfdnY+pfc8a8joObR7HEaeVxhJs+XL4E\nCLByw5FR+svkYgCbQGWIgrM1cRpmXemt6Gf/XgFNP2PdubxqDEcnWlTMk8FCBVb1\nnVDSiPjYShwnWsOOshshCRCAiIBPCKPX0QwKDComQlRrgMIvddaSzFFTKPoNZjC+\nCUspSNnL7V9IIHvqKlRSmu+zIpm2VJCp1xLulk8=\n-----END CERTIFICATE-----")

def createEmptyKeyStore(): KeyStore = {
  val keyStore = KeyStore.getInstance("JKS")
  keyStore.load(null, null);
  keyStore;
}

@throws[IOException]
@throws[GeneralSecurityException]
def loadCertificate(publicCertIn: InputStream): X509Certificate = {
  val factory = CertificateFactory.getInstance("X.509")
  val cert = factory.generateCertificate(publicCertIn).asInstanceOf[X509Certificate]
  cert
}

/**
 * Returns the text content from a REST URL. Returns a blank String if there
 * is a problem.
 */
def getRestContent(url:String): String = {
  val sslBuilder = SSLContexts.custom()
  val keyStore = createEmptyKeyStore()  
    for ((alias,certificate) <- trustedPublicCertificates) {
    keyStore.setCertificateEntry(alias, loadCertificate(new ByteArrayInputStream(certificate.getBytes)))
  }

  val sslContextBuilder = sslBuilder.loadTrustMaterial(keyStore, null)
  val sslContext = sslContextBuilder.build()
  val hostnameVerifier = null : HostnameVerifier
  val sslConSocFactory = new SSLConnectionSocketFactory(sslContext, hostnameVerifier)  
    val httpClient = HttpClients.custom()
    .setSSLSocketFactory(sslConSocFactory)
    .build();
  val httpResponse = httpClient.execute(new HttpGet(url))
  val entity = httpResponse.getEntity
  var content = ""
  if (entity != null) {
    val inputStream = entity.getContent
    content = IOUtils.toString(inputStream)
    inputStream.close()
  }
  httpClient.close()
  content
}

val content = getRestContent(url)
println(content);