000037380 - How to install and configure Elasticsearch with RSA Archer 6.5 and later

Document created by RSA Customer Support Employee on May 1, 2019. Last modified by RSA Customer Support Employee on Mar 11, 2020.
Version 35

Article Content

Article Number: 000037380
Applies To: RSA Product Set: Archer
RSA Product/Service Type: Searching, Indexing, Platform, Archer Control Panel
RSA Version/Condition: 6.5, 6.6.x, 6.7.x
Platform: Elasticsearch
Issue: RSA Archer 6.5 and 6.6 introduce support for Elasticsearch. The intent of this guide is to provide some instructions for setting up Elasticsearch with Archer.
Resolution

Install Elasticsearch



  1. First, install Elasticsearch. Download links are included in the Notes section below.
    1. For Locations, it is fine to take the default directory options. Click Next when done.
    2. For Services, it is fine to take the default options. Click Next when done.
    3. For Configuration, change the Network Host address to match the IP that external connections will be made over, then click Next when done.
    4. Under Plugins, you can take the defaults, then click Next when done.
    5. For X-Pack, once again, it is fine to take the defaults. Click Install when ready.
    6. At this screen, the install is complete.


Verify the install



  1. Verify that the Elasticsearch service is started in Windows services.
  2. Verify the install by connecting to the server with a web browser or by using the Chrome plug-in, Elasticsearch Head. This shows much more info about the server, including cluster health.



Add the join-search plug-in



  1. Install the join-search-plugin, which can be found in the tools folder of your RSA Archer install.
  2. Copy it to every node of your Elasticsearch server and install it as follows.


C:\Program Files\Elastic\Elasticsearch\6.6.1\bin>elasticsearch-plugin install "file:///C:\Users\Administrator\Downloads\join-search-plugin-6.6.1.zip"
-> Downloading file:///C:\Users\Administrator\Downloads\join-search-plugin-6.6.1.zip
[=================================================] 100% 
-> Installed join-search-plugin
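
The checks from the verify and plug-in steps above can be scripted against the Elasticsearch REST API. This PowerShell script is an added example, not RSA or Elastic code: it confirms that every node runs the Elasticsearch version the Notes list for your Archer release and that join-search-plugin is present on each node. The URL is a placeholder assumption; the version table is copied from the Notes section.

```powershell
# Added example, not RSA or Elastic code. Save as a .ps1 and run from any host
# that can reach the cluster. Assumed values are marked.
param(
    [string]$EsUrl = 'http://es-node1.example.local:9200',  # assumption: placeholder URL
    [string]$ArcherVersion = '6.6'                           # Archer release being configured
)

# Archer release to Elasticsearch version, as listed in this article's Notes.
$supported  = @{ '6.5' = '6.2.4'; '6.6' = '6.6.1'; '6.7' = '6.8.3' }
$pluginName = 'join-search-plugin'   # name printed by elasticsearch-plugin above
$expected   = $supported[$ArcherVersion]
if (-not $expected) { throw "No supported Elasticsearch version listed for Archer $ArcherVersion" }

# Assign each response to a variable before enumerating it: some PowerShell
# versions emit a JSON array as a single pipeline object when piped directly.
$health  = Invoke-RestMethod -Uri "$EsUrl/_cluster/health" -TimeoutSec 10
$nodes   = Invoke-RestMethod -Uri "$EsUrl/_cat/nodes?format=json&h=name,version" -TimeoutSec 10
$plugins = Invoke-RestMethod -Uri "$EsUrl/_cat/plugins?format=json" -TimeoutSec 10

$problems = @()
if ($health.status -eq 'red') {
    $problems += "cluster '$($health.cluster_name)' health is red"
}

foreach ($node in $nodes) {
    # The plug-in only works with the exact Elasticsearch version it was built for.
    if ($node.version -ne $expected) {
        $problems += "node $($node.name): Elasticsearch $($node.version), expected $expected"
    }
    # The plug-in has to be present on every node, not only the one Archer connects to.
    $hit = $plugins | Where-Object { $_.name -eq $node.name -and $_.component -eq $pluginName }
    if (-not $hit) {
        $problems += "node $($node.name): $pluginName is not installed"
    }
}

if ($problems.Count -eq 0) {
    Write-Output "OK: $(@($nodes).Count) node(s) on $expected with $pluginName, health $($health.status)"
} else {
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1
}
```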



Configure RSA Archer to use Elasticsearch



  1. Now it is time to configure RSA Archer to use Elasticsearch. Open the Archer Control Panel, go to the Installation Settings General tab, and scroll down to the Elasticsearch section.
  2. Check the Enable Elasticsearch box, type the cluster name in the Cluster Name field, then click Add New. The URL will be the same as what was used to connect using the browser.
  3. Click OK, then click the blue + to add this as a cluster. It will now appear in the dropdown.
  4. Click the Test Availability link. You should see a success message.

A failure produces an error popup. If you do not see it, make sure your ACP window is maximized; otherwise, the popup can get dropped due to browser scaling issues. Also, check for any firewalls between the Elasticsearch server and Archer. The log file has "index" in its name and is in the log folder that is defined in the ACP.
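
When Test Availability fails, the following PowerShell script separates a network block from an HTTP-level refusal and then shows the tail of the newest index log. It is an added example, not RSA code, intended to be run on the Archer server. The URL and the log folder are placeholder assumptions; use the URL entered in the ACP and the log folder defined there.

```powershell
# Added example, not RSA code. Save as a .ps1 and run on the Archer server.
param(
    [string]$EsUrl  = 'http://es-node1.example.local:9200',  # assumption: placeholder URL
    [string]$LogDir = 'C:\ArcherLogs'                        # assumption: placeholder for the ACP log folder
)

$uri = [uri]$EsUrl

# Step 1: raw TCP reachability. A failure here points at a firewall, routing, or the
# Network Host address chosen during the Elasticsearch install, not at Archer.
$tcp = Test-NetConnection -ComputerName $uri.Host -Port $uri.Port -WarningAction SilentlyContinue
if (-not $tcp.TcpTestSucceeded) {
    Write-Warning "TCP $($uri.Host):$($uri.Port) is not reachable from $env:COMPUTERNAME"
} else {
    # Step 2: HTTP request without credentials, which is what Archer sends
    # unless Enable Authentication is checked.
    try {
        $root = Invoke-RestMethod -Uri $EsUrl -TimeoutSec 10
        Write-Output "Cluster '$($root.cluster_name)' (Elasticsearch $($root.version.number)) answered without credentials"
    } catch {
        $resp = $_.Exception.Response
        if ($resp -and ([int]$resp.StatusCode -in 401, 403)) {
            # The cluster is secured, so the Enable Authentication setting applies.
            Write-Warning "HTTP $([int]$resp.StatusCode): the cluster requires authentication"
        } else {
            Write-Warning "HTTP request failed: $($_.Exception.Message)"
        }
    }
}

# Step 3: last lines of the newest log file with 'index' in its name.
if (Test-Path -Path $LogDir) {
    $log = Get-ChildItem -Path $LogDir -Filter '*index*' -File |
        Sort-Object -Property LastWriteTime -Descending |
        Select-Object -First 1
    if ($log) {
        Write-Output "--- $($log.FullName) ---"
        Get-Content -Path $log.FullName -Tail 20
    } else {
        Write-Warning "No file with 'index' in its name under $LogDir"
    }
}
```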


 

  5. Save the configuration changes, and go to the General tab in your Archer instance. Scroll down to the Search Index section.
  6. Next to Elasticsearch, check the box labeled "Check this flag to use Elasticsearch as a search data source".
  7. Select the Indexing Server from the dropdown and the cluster you just added. This indexing server will be the server running the Archer Indexing Service, not the Elasticsearch server.
  8. Check the Enable Authentication box only if you are securing your Elasticsearch cluster with something like X-Pack or Search Guard. Out of the box, it is not enabled and it is not required here.
  9. Click Save and you are prompted to rebuild the index.
  10. Press the Rebuild Elasticsearch index button, which is located in the upper right-hand corner of the screen.
      Read the popup message and click Yes to continue.
      Click the report link to the right of the Rebuild Elasticsearch Index button to see the progress.
      Hit Refresh to update the progress. Once the rebuild shows completed, you are done.
  11. You can also use Elasticsearch Head to view the indexes.

Notes
  • RSA Archer follows a bring-your-own model for Elasticsearch, meaning that we support integrating with the Elasticsearch deployment you already have. We do work with the basic (free) license, and the intent of this guide is not to replace any documentation, guidance, or support provided by Elastic.
  • RSA Archer 6.5 supports Elasticsearch version 6.2.4, RSA Archer 6.6 supports 6.6.1, and RSA Archer 6.7 supports 6.8.3. The plug-in provided for each will only work with that specific version.
  • Cloud-provided Elasticsearch services are currently not supported.
  • Elasticsearch does not require authentication for connections by default, and RSA Archer does not require it. We have validated that Search Guard does work and is supported. Elastic's X-Pack Security has not been tested and is not currently supported.
  • Elasticsearch hardware recommendations should be followed strictly. Records are added to a queue in batches of 100 and pulled from the queue to be indexed. There is a 1,000 record cap on the queue, and if the indexing rate is insufficient, the overflow records will be rejected, which will show up as errors in the logs and the index rebuild report. The system does keep track of records that are not indexed and will retry them at the end, but the errors could raise questions, especially during the initial index build.
  • The steps in this guide are for RSA Archer 6.6, but will be similar for 6.5 and 6.7. The Windows version was used in these examples. Consult with Elastic for detailed instructions.
