
Question by jpalbuja, Dec 10, 2015 3:54 PM

Enable Admin Service Security after an unsecure Installation

Hi everyone, I installed Coveo Enterprise Search 7.0 x64 (7914), Coveo Search API and Coveo for Sitecore without securing the Admin Service. Now, I want to enable the security for the Admin Service without reinstalling everything.

Is there any tutorial to turn my unsecure installation into a secure one? I mean a tutorial that contains the generation of certificates, modification of Coveo config files, etc.?

Thanks

1 Reply

Answer by Simon, Dec 10, 2015 4:01 PM

Hi,

Since the password will be encrypted in the Coveo File system, you will need to run the Coveo Enterprise Search install wizard again. It will not install everything all over again so it should not take that long.

For the rest of the procedure, simply follow this guide:

https://developers.coveo.com/display/public/SitecoreV3/Securing+the+Admin+Service

Cheers
Simon


Comment by jpalbuja, Dec 10, 2015 4:19 PM

Hi @Simon, I just followed those instructions but my service is still running on http://localhost/AdminService and not on https://localhost/AdminService. After restarting my machine, it started working correctly. Those instructions don't have the changes that I need to do from the Sitecore side (Coveo for Sitecore) to use it in a secure way. Can you please advise?

Thanks


Comment by jpalbuja, Dec 10, 2015 9:35 PM

I tried to run the Coveo for Sitecore zip again but I can't get the installation wizard. How can I configure Coveo for Sitecore to connect to CES in a secure way?


Comment by Jean-François L'Heureux, Dec 11, 2015 10:07 AM

You just have to add https to the <AdminServiceUri> value of your Coveo.SearchProvider.config file and specify the Username and Password like this:

<adminServiceConfiguration type="Coveo.Framework.Configuration.AdminServiceConfiguration, Coveo.Framework">
  <AdminServiceUri>https://YourCesServerHostname/AdminService</AdminServiceUri>
  <!-- The Username element allows to specify the username used to connect to the AdminService. -->
  <Username>Your AdminService Username Here</Username>
  <!-- The Password element allows to specify the password used to connect to the AdminService. -->
  <Password>Your AdminService Password Here</Password>
</adminServiceConfiguration>

Comment by jpalbuja, Dec 11, 2015 11:05 AM

Hi @jflheureux, I already did those steps, but the problem is that in the Coveo Diagnostics Page I see the following issues:

System.ServiceModel.Security.SecurityNegotiationException: Could not establish trust relationship for the SSL/TLS secure channel with authority 'localhost'. ---> System.Net.WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. ---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.
   at System.Net.Security.SslState.StartSendAuthResetSignal(ProtocolToken message, AsyncProtocolRequest asyncRequest, Exception exception)
   at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.ForceAuthentication(Boolean receiveFirst, Byte[] buffer, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.ProcessAuthentication(LazyAsyncResult lazyResult)
   at System.Threading.ExecutionContext.RunInternal(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx)
   at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx)
   at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state)
   at System.Net.TlsStream.ProcessAuthentication(LazyAsyncResult result)
   at System.Net.TlsStream.Write(Byte[] buffer, Int32 offset, Int32 size)
   at System.Net.ConnectStream.WriteHeaders(Boolean async)

Thanks so much, for your help


Comment by Jean-François L'Heureux, Dec 11, 2015 11:10 AM

Your error message says "The remote certificate is invalid according to the validation procedure.".

Did you register the AdminService certificate on your Sitecore machines certificate store?


Comment by jpalbuja, Dec 11, 2015 11:48 AM

Hi @jflheureux, actually the same machine hosts CES and Sitecore; it is my local machine. My service is up on https://localhost/AdminService.

So what I did so far was:

  1. Follow https://developers.coveo.com/display/public/SitecoreV3/Securing+the+Admin+Service to modify the CES installation and generate a .pfx certificate.
  2. After doing this I noticed that the generated certificate has been added automatically to MMC -> Trusted Root Certification Authorities/Certificates and also to MMC -> Personal/Certificates.
  3. I also did your latest instruction in the Coveo.SearchProvider.config.

Something that I noticed is that if I open a browser and go to https://localhost/AdminService, the browser says that the machine does not trust that certificate.

Thanks so much


Comment by jpalbuja, Dec 11, 2015 12:08 PM

Hi @jflheureux, I think that I figured it out. The problem was that when the CES installer creates the certificate, the "CES Server name" option defaults to the computer name and not localhost.

So for that reason https://localhost/AdminService was not trusted but https:///AdminService is trusted, so in the Coveo.SearchProvider.config I set https:///AdminService and it works.

Thanks so much for your support.


Comment by jpalbuja, Dec 11, 2015 12:57 PM

Hi @jflheureux, I am just curious about something: when you install Coveo for Sitecore (zip file) for the first time and you do not check Admin Security, you never set the fields "Administrator Username" and "Administrator Password", correct? Because those options are available only when you set the Security Admin.

Now that I updated my local CES to use Security Admin, I only updated the Coveo.SearchProvider.config, so there I set the "Admin Service Username" and the "Admin Service Password". What about the other passwords, the "Administrator Username" and "Administrator Password"?

Why those were not necessary to set?

Thanks


Comment by Jean-François L'Heureux, Dec 11, 2015 1:12 PM

You're right. The <Username> and <Password> nodes for the Admin Service credentials are only needed when the Coveo Admin Service is secured.

The Sitecore credentials (<SitecoreUsername> and <SitecorePassword>) need to be stored in CES in a User Identity. This user identity is used by the CES Sitecore Security Provider to connect to the Coveo Security Service. The Coveo Security Service is a webservice installed by Coveo for Sitecore inside Sitecore to expand the Sitecore users and roles. This webservice is secured in Sitecore and needs to be accessed with the credentials of a Sitecore administrator. By default, when the <SitecoreUsername> is empty, Coveo for Sitecore uses sitecore\admin. When <SitecorePassword> is empty, Coveo for Sitecore uses "b". This is why those are not needed when you do not change the sitecore\admin password on your Sitecore instance. If you change this user or password, you need to update the Sitecore credentials (see Configuring the Sitecore Credentials).
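A configuration check for the two points settled in this thread: the host in <AdminServiceUri> must be a name the Admin Service certificate was actually issued to (the "localhost" versus computer-name mismatch behind the "remote certificate is invalid according to the validation procedure" error above), and empty Sitecore credentials mean the sitecore\admin / "b" defaults are in use. This is an added example, not code from Coveo or from anyone in the thread. The configuration fragment, the certificate name CESSERVER01 and the placement of the <SitecoreUsername>/<SitecorePassword> nodes inside <adminServiceConfiguration> are constructed assumptions for the sample; the real file's layout may differ.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample modelled on the <adminServiceConfiguration> fragment quoted in the
# thread. It is NOT a real Coveo.SearchProvider.config. The <SitecoreUsername> and
# <SitecorePassword> nodes are placed in the same element purely for the sample's
# convenience (assumption: the real file may keep them elsewhere).
SAMPLE_CONFIG = """\
<adminServiceConfiguration type="Coveo.Framework.Configuration.AdminServiceConfiguration, Coveo.Framework">
  <AdminServiceUri>https://localhost/AdminService</AdminServiceUri>
  <Username>ces-admin</Username>
  <Password>example-password</Password>
  <SitecoreUsername></SitecoreUsername>
  <SitecorePassword></SitecorePassword>
</adminServiceConfiguration>
"""

# Constructed: DNS names (Subject CN / SubjectAltName) the Admin Service certificate was
# issued to. "CESSERVER01" is a hypothetical computer name; the thread's point is that the
# CES installer puts the computer name here by default, not "localhost".
CERT_DNS_NAMES = ["CESSERVER01"]

# Defaults the thread reports Coveo for Sitecore falls back to when the Sitecore
# credentials are left empty.
DEFAULT_SITECORE_USER = "sitecore\\admin"
DEFAULT_SITECORE_PASSWORD = "b"


def hostname_matches(hostname, cert_names):
    """Return True if hostname is covered by one of the certificate's DNS names.

    Mirrors the usual client rule (RFC 6125): case-insensitive label-by-label comparison,
    and a '*' wildcard is honoured only as the whole left-most label of a name with at
    least three labels (so '*.example.internal' covers 'ces.example.internal', while
    '*.internal' covers nothing here).
    """
    host_labels = hostname.lower().rstrip(".").split(".")
    for name in cert_names:
        labels = name.lower().rstrip(".").split(".")
        if len(labels) != len(host_labels):
            continue
        if labels[0] == "*":
            if len(labels) >= 3 and labels[1:] == host_labels[1:]:
                return True
        elif labels == host_labels:
            return True
    return False


def _text(root, tag):
    return (root.findtext(tag) or "").strip()


def audit_admin_service_config(config_xml, cert_names):
    """Return a list of findings; an empty list means the fragment passes every check."""
    root = ET.fromstring(config_xml)
    findings = []

    uri = urlparse(_text(root, "AdminServiceUri"))
    host = uri.hostname or ""
    if uri.scheme != "https":
        findings.append("AdminServiceUri is not https: Admin Service calls and the credentials "
                        "in this file would travel in clear text")
    elif not hostname_matches(host, cert_names):
        # Exactly the situation in the thread: https://localhost/... against a certificate
        # issued to the computer name is rejected by the client-side validation procedure.
        findings.append(f"AdminServiceUri host '{host}' is not on the certificate "
                        f"({', '.join(cert_names)}); the TLS handshake will be rejected")

    if uri.scheme == "https" and (not _text(root, "Username") or not _text(root, "Password")):
        findings.append("Admin Service is secured but <Username>/<Password> are empty")

    if not _text(root, "SitecoreUsername") or not _text(root, "SitecorePassword"):
        findings.append(f"Sitecore credentials are empty, so the default "
                        f"{DEFAULT_SITECORE_USER} / '{DEFAULT_SITECORE_PASSWORD}' will be used; "
                        "confirm that account and password are still what your instance expects")
    return findings


def fix_admin_service_uri(config_xml, cert_names):
    """Rewrite AdminServiceUri to use the first concrete (non-wildcard) certificate name.

    This is the fix the thread arrived at: point the URI at the name the certificate was
    issued to, rather than weakening certificate validation on the Sitecore side.
    """
    root = ET.fromstring(config_xml)
    node = root.find("AdminServiceUri")
    uri = urlparse(node.text.strip())
    name = next(n for n in cert_names if not n.startswith("*"))
    netloc = name + (f":{uri.port}" if uri.port else "")
    node.text = uri._replace(scheme="https", netloc=netloc).geturl()
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for finding in audit_admin_service_config(SAMPLE_CONFIG, CERT_DNS_NAMES):
        print("FINDING:", finding)
    fixed = fix_admin_service_uri(SAMPLE_CONFIG, CERT_DNS_NAMES)
    print(fixed)
    for finding in audit_admin_service_config(fixed, CERT_DNS_NAMES):
        print("FINDING (after fix):", finding)
```

Run against the constructed sample, the audit reports the hostname mismatch and the reliance on the default Sitecore credentials; after `fix_admin_service_uri` only the Sitecore-defaults note remains. The certificate names are passed in as a list so the check works the same whether they come from the .pfx the CES wizard exported or from the Trusted Root store on the Sitecore machine.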


Comment by jpalbuja, Dec 11, 2015 4:44 PM

Hi @jflheureux, great, thanks a lot. To clarify what those other passwords mean, the description in the documentation https://developers.coveo.com/display/public/SitecoreV3/Installing+Coveo+for+Sitecore is:

"In Admin Service Username, enter the username that you configured in CES to secure the Admin Service.
In Admin Service Password, enter the password that you configured in CES to secure the Admin Service.
In Certificate File, choose the certificate file (.pfx) that was previously generated and exported by the CES installation wizard.
In Private Key Password, enter the certificate's private key password that you configured previously in the CES installation wizard.
In Administrator Username, enter the username of an account that is a member of the Local Administrators group on the Sitecore server.
In Administrator Password, enter the password of the account."

It is a little bit confusing, because the description for "Administrator Username" looks like it means a machine username and not a Sitecore CMS admin user.

Thanks


Comment by Jean-François L'Heureux, Dec 12, 2015 1:36 PM

Oh, now I understand what you were referring to by "Administrator Username" and "Administrator Password". Those are machine credentials as you mentioned. They are not stored by Coveo for Sitecore but only used once to register the certificate in the machine's "Trusted Root Certification Authorities" store. This is needed when CES and Coveo for Sitecore are not installed on the same machine.


Comment by jpalbuja, Dec 16, 2015 1:35 PM

Hi @jflheureux, I am experiencing an issue now. After a couple of days I logged into http://:8081/Status/Overview/StatusOverview.aspx with the domain user that I installed Coveo with, and I see that I cannot do anything like delete the indexes from there or change any configuration. Also the indexes are shown as read-only.

Does this have something to do with enabling the security, or is this issue related to something else?

One heads-up: in the 8081 site I found that the index was in read-only mode; I clicked on "switch to read/write mode" and all went well. I guess that someone clicked that link and it went to read-only mode, or is it possible Coveo went to that mode automatically?

Thanks


Comment by Jean-François L'Heureux, Dec 16, 2015 4:28 PM

Hi @jpalbuja, the read-only mode can be triggered manually with this button. It can also be triggered by a system schedule (Configuration > Schedules > System). The third way it can be triggered is when the index hard drive free space drops below 3GB. The index won't switch back to read-write automatically. This protection is in place to avoid corrupting the index files.
