Changing Certificates for Elasticsearch

The Elasticsearch nodes in File Access Manager all use the same certificate as identification when other nodes or File Access Manager services communicate with them. The certificate is also used to encrypt communication between the nodes.

The Elasticsearch certificate is stored in a PKCS#12 file, which is a standard way of storing certificates and private keys. This is equivalent to the Windows Certificate Store. We will have to provide a certificate with its private key and the CA (Certificate Authority) certificate that signed it.

Note: The commands below should be run in an elevated command line. If any of the paths contain spaces, surround them with quotation marks (").

High Level Steps

  1. Choose an Elasticsearch node at random.

  2. Delete the current certificate from the PKCS#12 file used by Elasticsearch.

  3. Provide a certificate with a private key, import the new certificate's pfx/p12 file and change the certificate alias.

  4. Provide the signing CA (Certificate Authority) certificate's .cer file and import it into Elasticsearch's PKCS#12 file to trust the certificate within Elasticsearch.

  5. Restart the Elasticsearch service.

  6. Copy the new PKCS#12 file to the other Elasticsearch nodes and restart them.

  7. Insert the new PKCS#12 file into the File Access Manager database using the SailPoint FAMCertificateManager tool.

Detailed Steps

  1. Choose one of the Elasticsearch nodes to perform the following steps on. It can be any of the currently installed nodes, no matter the order of installation.

  2. Delete the current certificate from the PKCS#12 file used by Elasticsearch:

Copy 
"%SAILPOINT_HOME%\Elasticsearch\elasticsearch-
8.2.2\jdk\bin\keytool.exe" -delete -alias key -storepass "" -keystore 
"%SAILPOINT_HOME%\Elasticsearch\elasticsearch-
8.2.2\config\fileaccessmanager-elastic-cert.p12"

 

Copy 
"%SAILPOINT_HOME%\Elasticsearch\elasticsearch-
8.2.2\jdk\bin\keytool.exe" -delete -alias cert -storepass "" -
keystore "%SAILPOINT_HOME%\Elasticsearch\elasticsearch-
8.2.2\config\fileaccessmanager-elastic-cert.p12"

  1. Provide a new certificate with a private key, import the new certificate's pfx/p12 file and change the certificate alias:

    1. Provide a new certificate in a pfx/p12 format using your organization's standard method of obtaining server certificates. It should contain the certificate's private key.

    2. Use the following command to import the private key from the new pfx/p12 file into the one used by Elasticsearch:

      Copy 
      "%SAILPOINT_HOME%\Elasticsearch\elasticsearch-
      8.2.2\jdk\bin\keytool.exe" -importkeystore -srckeystore <full 
      path to pfx/p12 file> -destkeystore 
      "%SAILPOINT_HOME%\Elasticsearch\elasticsearch-
      8.2.2\config\fileaccessmanager-elastic-cert.p12" -deststorepass 
      "" -srcstorepass <pfx/p12 file password>

    3. The import process will generate a default alias for the private key, which is displayed in the last commands output. Set the private key's alias to "key" by running the following command:

      Copy 
      "%SAILPOINT_HOME%\Elasticsearch\elasticsearch-
      8.2.2\jdk\bin\keytool.exe" -changealias -alias <default alias> 
      -destalias key -keystore 
      "%SAILPOINT_HOME%\Elasticsearch\elasticsearch-
      8.2.2\config\fileaccessmanager-elastic-cert.p12" -storepass ""

  1. Provide the signing CA (Certificate Authority) certificate's .cer file and import it into Elasticsearch's PKCS#12 file to trust the certificate within Elasticsearch:

    1. Provide the signing CA (Certificate Authority) certificate's .cer file using your organization's standard method of obtaining CA certificates. It should not contain the private key, just the certificate itself.

    2. Import the certificate using the following command:

      Copy 
      "%SAILPOINT_HOME%\Elasticsearch\elasticsearch-
      8.2.2\jdk\bin\keytool.exe" -importcert -file <full path to cer 
      file> -keystore "%SAILPOINT_HOME%\Elasticsearch\elasticsearch-
      8.2.2\config\fileaccessmanager-elastic-cert.p12" -storepass "" 
      -alias cert

  1. Restart the Elasticsearch service.

  2. Copy the new PKCS#12 file to the other Elasticsearch nodes and restart them as well.

    Make sure to copy the file to the same path as the first node, which according to the previous steps should be: %SAILPOINT_HOME%\Elasticsearch\elasticsearch-8.2.2\config\fileaccessmanager-elastic-cert.p12.

    Note: This should also be done for the Elasticsearch nodes in Disaster Recovery as well.

  3. Insert the new PKCS#12 file into the File Access Manager database, using the SailPoint FAMCertificateManager tool on just one of the nodes:

    Copy 
    "%SAILPOINT_HOME%\FileAccessManager\Server 
    Installer\Tools\FAMCertificateManager\FAMCertificateManager.exe" 20 -
    esCertFile="%SAILPOINT_HOME%\Elasticsearch\elasticsearch-
    8.2.2\config\fileaccessmanager-elastic-cert.p12"

    Note: 20 is the ID of the first Elasticsearch node. Using the ID of any node will always assign this certificate to the other nodes as well.