Learned By Doing: How to configure Kibana in TAC to work with HTTPS?


The context

Talend Administration Console (TAC) is the central point of control for your Talend Data Integration architecture. If authorized users reach TAC from the Internet or from a non-trusted network, their traffic can be sniffed or tampered with in transit, so encrypting the communication between the browser and TAC may become a requirement for your company.

 

Once an HTTPS connector is configured on the Tomcat instance hosting TAC, the Logging menu is no longer able to display the statistics on log events.

 

At best, the browser console shows the error message:

Mixed Content: The page at 'https://<TAC_URL>:<TAC_PORT_SSL>/kibana/' was loaded over HTTPS,
but requested an insecure XMLHttpRequest endpoint 'http://<LOGSERVER_HOSTNAME>:9200/_nodes'.
This request has been blocked; the content must be served over HTTPS.

 

At worst, you get a blank page and nothing else:

img01.png

 

First question: What is mixed content?

"When a user visits a page served over HTTPS, their connection with the web server is encrypted with TLS and is therefore safeguarded from sniffers and man-in-the-middle attacks. If the HTTPS page includes content retrieved through regular, cleartext HTTP, then the connection is only partially encrypted; the unencrypted content is accessible to sniffers and can be modified by man-in-the-middle attackers, so the connection is not safeguarded. When a web page exhibits this behavior, it is called a mixed content page."

(source: https://developer.mozilla.org/en-US/docs/Web/Security/Mixed_content)

 

So when you select the "Logging" link on the TAC page, the Kibana page itself is served over HTTPS but then fetches its data over plain HTTP, and the browser blocks that request as active mixed content. Relaxing the browser's mixed-content policy may come to mind, but changing anything on the client side means propagating the change to every browser of every potential end user...forget it.

 

Second question: When does my browser go to unsecured content?

The TAC logging service is based on ElasticSearch and Kibana (for details, see Displaying log events).

 

If you are curious, have a look at the HTTP traces (captured before any HTTPS configuration):

 

Browser, TAC, Kibana and Logserver, step by step:

1. The user clicks on the "Logging" menu (browser -> TAC): http://tld621:8080/tac621/administrator/config

   POST /tac621/administrator/config HTTP/1.1
   Host: tld621:8080
   ...

   HTTP/1.1 200 OK

2. The browser is redirected to Kibana (browser -> Kibana, same Tomcat): http://tld621:8080/kibana

   GET /kibana HTTP/1.1
   Host: tld621:8080

   HTTP/1.1 302 Found
   Location: /kibana/

3. Kibana's JavaScript, now running in the browser, queries the Logserver directly (browser -> Logserver): http://tld621:9200/_nodes

   GET /_nodes HTTP/1.1
   Host: tld621:9200
   ...
   Origin: http://tld621:8080

 

So it is Kibana that sends the browser to the Logserver for its data: the Kibana page is served by Tomcat, but the XMLHttpRequests it issues go straight to Elasticsearch on port 9200 (note the Origin header: this is a cross-origin request, which is why the Logserver has CORS settings, see below). As the Logserver only speaks HTTP, the browser's reaction is not surprising: you are loading unsecured content from within a secured page. So the solution has to come from offering the Logserver over HTTPS?

 

Solution 1: Securing the Logserver

The Talend 6.2.1 Logserver is based on Elasticsearch 1.5.2. To secure Elasticsearch itself, the Elastic documentation of that era proposes Shield, a commercial plugin (https://www.elastic.co/guide/en/shield/shield-1.3/getting-started.html).

 

This solution has several limitations:

 

If you are not using any ESB components/software of our platform, the page https://www.elastic.co/guide/en/shield/shield-1.3/ssl-tls.html explains how to configure TLS with the Shield plugin. Talend Professional Services can help you evaluate this solution.

 

Solution 2: Configure A Reverse Proxy

The idea here is to keep HTTPS for Kibana/TAC and HTTP for Elasticsearch/Logstash as they are, and place in front of Elasticsearch a reverse proxy that terminates TLS. The browser then only ever talks HTTPS; the cleartext hop is confined to the proxy-to-Elasticsearch leg (here, on the same machine).

 

browser <--HTTPS--> reverse proxy <--HTTP--> Elasticsearch

 

Note: These steps are given "as-is" and are not covered by Talend Support; they also cover how to secure Tomcat.

 

This installation was done with:

  • Ubuntu 14.04
  • openssl installed with apt-get (version 1.0.1f 6 Jan 2014)
  • jdk 1.8.0_101 (downloaded from Oracle site) and installed manually
  • Talend 6.2.1 TAC, Kibana and LogServer installed manually on the same machine
  • machine hostname "tld621", TAC web application deployed as "tac621"

Create Certificates

cd $HOME
mkdir mypki
cd mypki

 

CA

openssl genrsa 2048 > ca-key.pem
openssl req -sha256 -new -x509 -nodes -days 10000 -key ca-key.pem > ca-cert.pem

(-sha256 replaces the -sha1 of the original commands: browsers have refused SHA-1 certificate signatures since early 2017. Keep ca-key.pem readable only by you; whoever holds it can mint certificates that your browsers will trust. A 10000-day lifetime is far longer than you need; shorten it for anything beyond a lab.)

img02.png

 

Apache

openssl req -sha256 -newkey rsa:2048 -nodes -keyout apache-key.pem > apache-req.pem

img04.png

openssl x509 -sha256 -req -in apache-req.pem -days 10000 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 > apache-cert.pem

When prompted for the Common Name, enter the hostname the browser will use (tld621 here). Recent browsers match the hostname against the certificate's subjectAltName rather than the Common Name, so for them the certificate also needs a subjectAltName extension, added at signing time with -extfile.

Then move the Apache certificate and key to a dedicated folder under /etc/apache2 and restrict ownership and permissions (by default the key file is world-readable, which it must not be):

sudo mkdir -p /etc/apache2/ssl
sudo mv apache-cert.pem apache-key.pem /etc/apache2/ssl/
sudo chown root:root /etc/apache2/ssl/apache-*.pem
sudo chmod 600 /etc/apache2/ssl/apache-key.pem

 

Tomcat

openssl req -sha256 -newkey rsa:2048 -nodes -keyout tomcat-key.pem > tomcat-req.pem

img03.png

openssl x509 -sha256 -req -in tomcat-req.pem -days 10000 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 02 > tomcat-cert.pem

 

Tomcat Keystore

As you may know, this version of Tomcat does not use certificate and key files directly but a Java keystore to store its private key, certificate and trusted certificates. Here are the steps to create a Java keystore from the certificate and key you created in the previous step:

 

openssl pkcs12 -export -in tomcat-cert.pem -inkey tomcat-key.pem -out tomcat.p12 -name myTomcat -certfile ca-cert.pem -caname myCA
/opt/java/jdk1.8.0_101/bin/keytool -importkeystore -deststorepass cangetin -destkeypass cangetin -destkeystore tomcat.jks -srckeystore tomcat.p12 -srcstoretype PKCS12 -srcstorepass cangetin -alias myTomcat

(-certfile rather than -CAfile: without -chain, -CAfile only tells openssl where CA certificates may be looked up and adds nothing to the bundle. "cangetin" is the example password; it reappears in clear text in server.xml below, so both tomcat.jks and server.xml must be readable by the Tomcat user only.)
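Here is the whole certificate procedure above as one non-interactive script (an added example, not part of the original article or of Talend's tooling): the same CA, Apache and Tomcat certificates and PKCS#12 bundle, but signed with SHA-256, carrying a subjectAltName for the hostname, with private keys kept owner-only and each certificate verified against the CA before it is used. It assumes openssl on the PATH, takes the keystore password from the KEYSTORE_PASS environment variable (the "changeit" fallback is a placeholder), and skips the JKS conversion when keytool is absent; the names tld621, myCA and myTomcat follow the article.

```shell
#!/bin/sh
# Added example (not from the original article): small PKI for the Apache
# reverse proxy and the Tomcat keystore, with SHA-256, SAN and verification.
# Assumptions: openssl on PATH; keytool optional; $KEYSTORE_PASS holds the
# keystore password ("changeit" is only a placeholder default).
set -eu

make_ca() {                       # $1 = output directory
    openssl genrsa -out "$1/ca-key.pem" 2048 2>/dev/null
    chmod 600 "$1/ca-key.pem"     # the CA key signs everything: owner-only
    openssl req -new -x509 -sha256 -days 3650 -key "$1/ca-key.pem" \
        -subj "/CN=myCA" -out "$1/ca-cert.pem"
}

make_server_cert() {              # $1 = dir, $2 = name, $3 = hostname, $4 = serial
    dir=$1 name=$2 host=$3 serial=$4
    openssl req -new -sha256 -newkey rsa:2048 -nodes \
        -keyout "$dir/$name-key.pem" -subj "/CN=$host" \
        -out "$dir/$name-req.pem" 2>/dev/null
    chmod 600 "$dir/$name-key.pem"
    # Browsers match the hostname against subjectAltName, not CN, so the SAN
    # is added at signing time through an extension file.
    printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$host" \
        > "$dir/$name-ext.cnf"
    openssl x509 -req -sha256 -days 3650 -in "$dir/$name-req.pem" \
        -CA "$dir/ca-cert.pem" -CAkey "$dir/ca-key.pem" -set_serial "$serial" \
        -extfile "$dir/$name-ext.cnf" -out "$dir/$name-cert.pem" 2>/dev/null
}

# Returns 0 only if the leaf chains to our CA and carries DNS:<hostname>.
verify_cert() {                   # $1 = dir, $2 = name, $3 = hostname
    openssl verify -CAfile "$1/ca-cert.pem" "$1/$2-cert.pem" >/dev/null 2>&1 || return 1
    openssl x509 -in "$1/$2-cert.pem" -noout -text | grep -q "DNS:$3"
}

build_pki() {                     # $1 = output directory, $2 = hostname
    mkdir -p "$1"
    make_ca "$1"
    make_server_cert "$1" apache "$2" 1
    make_server_cert "$1" tomcat "$2" 2
    verify_cert "$1" apache "$2"
    verify_cert "$1" tomcat "$2"
    # PKCS#12 bundle for Tomcat: leaf + key, with the CA as an extra cert
    # (-certfile; -CAfile alone only feeds chain building and adds nothing).
    export KEYSTORE_PASS="${KEYSTORE_PASS:-changeit}"
    openssl pkcs12 -export -in "$1/tomcat-cert.pem" -inkey "$1/tomcat-key.pem" \
        -certfile "$1/ca-cert.pem" -caname myCA -name myTomcat \
        -passout env:KEYSTORE_PASS -out "$1/tomcat.p12"
    chmod 600 "$1/tomcat.p12"
    if command -v keytool >/dev/null 2>&1; then
        keytool -importkeystore -noprompt \
            -srckeystore "$1/tomcat.p12" -srcstoretype PKCS12 \
            -srcstorepass "$KEYSTORE_PASS" -srcalias myTomcat \
            -destkeystore "$1/tomcat.jks" -deststorepass "$KEYSTORE_PASS" \
            -destkeypass "$KEYSTORE_PASS" -destalias myTomcat
        chmod 600 "$1/tomcat.jks"
    fi
}
```

Source the file and run `KEYSTORE_PASS=... build_pki ~/mypki tld621`, then copy the resulting files where the following sections expect them. If a JDK 8 keytool refuses a .p12 produced by OpenSSL 3 (which changed the default PKCS#12 encryption), re-run the pkcs12 export with the -legacy option.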

 

Configure Apache As Reverse Proxy

First, you need to install Apache and the needed modules:

sudo apt-get install apache2 apache2-utils
sudo a2enmod ssl proxy proxy_http headers
sudo service apache2 restart

Only the modules this setup actually needs are enabled: a TLS-terminating reverse proxy needs ssl, proxy and proxy_http (headers is useful for adding security headers). Modules such as proxy_connect, proxy_balancer or proxy_ajp widen the attack surface for nothing here.

 

Then you need to change the file /etc/apache2/sites-available/default-ssl.conf to reflect the usage of the certificate and the forwarding to the Logserver, and enable that site with "sudo a2ensite default-ssl" (on Ubuntu the SSL site is not enabled by default, so the file does not appear under sites-enabled until you do). As always, before modifying anything, keep a copy of this file somewhere else.

 

In this example, the URL https://tld621:443/elk is proxied to the Logserver. In the future this proxy server may also be configured to proxy other resources under other URIs.

 

<IfModule mod_ssl.c>
	<VirtualHost _default_:443>
		ServerAdmin webmaster@localhost
		ServerName tld621

		DocumentRoot /var/www/html
		ErrorLog ${APACHE_LOG_DIR}/error.log

		CustomLog ${APACHE_LOG_DIR}/access.log combined

		SSLEngine on
		# SSLv2/SSLv3 are broken; every browser in use here speaks TLS
		SSLProtocol all -SSLv2 -SSLv3

		# The certificate and key created above (key is root-owned, mode 600)
		SSLCertificateFile	/etc/apache2/ssl/apache-cert.pem
		SSLCertificateKeyFile /etc/apache2/ssl/apache-key.pem

		<FilesMatch "\.(cgi|shtml|phtml|php)$">
				SSLOptions +StdEnvVars
		</FilesMatch>
		<Directory /usr/lib/cgi-bin>
				SSLOptions +StdEnvVars
		</Directory>

		BrowserMatch "MSIE [2-6]" \
				nokeepalive ssl-unclean-shutdown \
				downgrade-1.0 force-response-1.0
		# MSIE 7 and newer should be able to use keepalive
		BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown

		# Reverse proxy only: never let this vhost act as a forward proxy
		ProxyRequests Off
		ProxyPreserveHost On

		# Both sides of the mapping end in "/" so that /elk/_nodes is
		# forwarded as http://tld621:9200/_nodes and not as //_nodes
		ProxyPass /elk/ http://tld621:9200/
		ProxyPassReverse /elk/ http://tld621:9200/

	</VirtualHost>
</IfModule>

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

 

Restart Apache and test the connection to the Logserver through the proxy, for example by opening https://tld621/elk/ in the browser (don't forget to start the Logserver first; Elasticsearch answers with its JSON banner). The browser will warn about an unknown issuer until you import ca-cert.pem into its trust store.

 

img05.png

Beautiful isn't it?

 

At this point the "Logging" menu in TAC still works because nothing has changed on the Tomcat side yet: TAC and Kibana are still served over plain HTTP, direct access to port 9200 is not blocked, and the Logserver still accepts requests from the http://tld621:8080 origin. Be aware that the proxy adds no authentication: anyone who can reach port 443 can send any request to Elasticsearch, exactly as anyone who can reach port 9200 could before. Protect both ports at the network level, and consider binding Elasticsearch to localhost once everything goes through the proxy (possible here because Logstash runs on the same machine).

 

Configure Tomcat To Use SSL

Move the keystore to a convenient place, accessible by Tomcat with the correct ownership and readable by the Tomcat user only:

mv tomcat.jks /Talend/621/tac/tomcat/
chmod 600 /Talend/621/tac/tomcat/tomcat.jks

 

Edit /Talend/621/tac/tomcat/conf/server.xml to reflect the following changes (as always, before modifying anything, keep a copy of this file somewhere else):

 

   <!-- Plain HTTP connector disabled: TAC and Kibana are now only served over HTTPS -->
   <!--
    <Connector executor="tomcatThreadPool"
               port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="8443" />
    -->

   <!-- HTTPS connector using the keystore created above. The keystore
        password is stored here in clear text: keep server.xml and
        tomcat.jks readable by the Tomcat user only. sslEnabledProtocols
        limits the connector to TLS 1.2 (the JDK 8 default would also
        offer TLS 1.0 and 1.1). -->
   <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
              maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
              clientAuth="false" sslProtocol="TLS" sslEnabledProtocols="TLSv1.2"
              keystoreFile="/Talend/621/tac/tomcat/tomcat.jks"
              keystorePass="cangetin" keyAlias="myTomcat"/>

 

Configure the Kibana URL in TAC

Logged in with administrative rights, go to the Configuration page and change the Kibana URL to the HTTPS address of the Kibana web application (https://tld621:8443/kibana in this example):

img07.png

 

Configure Kibana To Use Reverse Proxy

There are two locations in the Kibana web application where the Logserver URL is set:

  • $TOMCAT/webapps/kibana/config.js
  • $TOMCAT/webapps/kibana/app/app.js (minified: search for the string rather than reading the file)

(As always, before modifying anything, keep a copy of these files somewhere else.)

Locate and change the value below in both files. The new value must include the path that Apache proxies to the Logserver (/elk in this example): with the port alone, Kibana would request https://tld621:443/_nodes, which Apache serves from its DocumentRoot instead of forwarding to Elasticsearch.

OLD:

"http://"+window.location.hostname+":9200"

NEW:

"https://"+window.location.hostname+":443/elk"
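Because app.js is minified, the replacement is easier to get wrong than it looks, and a single surviving cleartext reference brings the mixed-content block straight back. The following shell functions (an added example, not code from the original article or from Kibana) do the replacement on a copy, keep the original next to it, and count whatever http://...:9200 references remain. They assume /elk is the path proxied by Apache, as configured above, and keep the explicit :443 used in the article.

```shell
#!/bin/sh
# Added example (not from the original article): rewrite Kibana's Logserver
# base URL and check that no cleartext http://...:9200 reference survives.
# Assumption: the proxied base path (e.g. /elk) is passed as $2.
set -eu

OLD_URL='"http://"+window.location.hostname+":9200"'
OLD_RE='"http://"+window\.location\.hostname+":9200"'   # same text, as a BRE

# Rewrites $1 in place (keeping $1.orig) so Kibana talks to https://<host>:443$2.
# Returns 1 and touches nothing if the expected string is not in the file.
patch_kibana_es_url() {           # $1 = file, $2 = proxied base path, e.g. /elk
    grep -qF "$OLD_URL" "$1" || return 1
    cp -p "$1" "$1.orig"
    sed "s|$OLD_RE|\"https://\"+window.location.hostname+\":443$2\"|g" "$1.orig" > "$1"
}

# Prints how many http://...:9200 references are still in $1 (0 is the goal).
cleartext_logserver_refs() {      # $1 = file
    grep -o 'http://.\{0,80\}:9200' "$1" | wc -l | tr -d ' '
}
```

Run `patch_kibana_es_url $TOMCAT/webapps/kibana/config.js /elk` and the same for app/app.js, then confirm `cleartext_logserver_refs` prints 0 for both files before restarting Tomcat.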

 

Configure the Logserver to accept the new Kibana URL

If Elasticsearch is configured with CORS restrictions, you need to change elasticsearch.yml to reflect the new protocol and port of the Kibana page, because the browser now sends Origin: https://tld621:8443 with its requests to the Logserver.

 

In this case, you have to change the value below in /Talend/621/logserver/elasticsearch-1.5.2/config/elasticsearch.yml:

OLD

http.cors.enabled: true
http.cors.allow-origin: "http://tld621:8080"

NEW

http.cors.enabled: true
http.cors.allow-origin: "https://tld621:8443"

 

Final Test (you did it!)

img06.png

Happy testing!

Last update: 05-24-2017 01:41 PM