Enable Connector Security

In secure mode, the connector communicates with the Google Search Appliance (GSA) over HTTPS. You can enable security for any connector by configuring certificates on both sides and then turning on security in the connector configuration.

Secure mode supports using either of the following types of certificates:

  1. Certificate Authorities (CAs)
  2. Self-signed certificates

In either case, you can also choose options to enable stricter security.

Certificate Authorities

The GSA and the connector's JRE each ship with a default set of Certificate Authorities, so those CA certificates (public keys) are already present in both trust stores. For the connector, the default JRE trust store (the cacerts file) is under "jre\lib\security\".

If you are using the default CAs only, complete the tasks in the following sections:

By default, the search appliance alias is gsa and the connector alias is adaptor. Either alias can be changed; the connector alias is set with server.keyAlias in the connector configuration.

Self-signed certificates

If you need to create self-signed certificates before turning on security, complete the following tasks:

Exchange certificates between the GSA and the connector

Before exchanging certificates between the GSA and the connector, be sure to complete all steps described in the following instructions:

To allow the connector to trust the search appliance:

  1. On the connector host, run the following command (cacerts.jks must be the trust store the connector is later launched with, see -Djavax.net.ssl.trustStore below; changeit is the JDK default store password):

    keytool -importcert -keystore cacerts.jks -storepass changeit -file gsa.crt -alias gsa

  2. keytool prints the certificate's subject and fingerprints and asks Trust this certificate?. Compare the fingerprint with the value you obtained from the appliance before answering yes; for a self-signed certificate this comparison is the only check that the file is really the appliance's certificate.

To allow the search appliance to trust the connector:

  1. In the GSA Admin Console, click Administration > Certificate Authorities.

  2. Under Add more Certificate Authorities, click Choose File.
  3. Navigate to the connector’s directory and select adaptor.crt.
  4. Click Save.

  5. Check that the certificate is in the Current Certificate Authorities list.
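The same exchange scripted for the self-signed case, including the steps this article leaves implicit: creating the connector's own key pair, exporting adaptor.crt for upload, and checking the appliance certificate's fingerprint before it is imported. This is an added example, not code from the original article or from the connector project. It assumes keytool from the connector's JRE is on PATH, that the appliance certificate was saved as gsa.crt, and the aliases, file names and changeit password used elsewhere on this page. The SAN extension and the fingerprint comparison go beyond the steps above.

```shell
#!/bin/sh
# Added example, not from the original article or the connector project:
# self-signed certificate setup on the connector side with keytool.
# Assumptions: keytool from the connector's JRE is on PATH; the appliance's
# certificate has been saved next to this script as gsa.crt; file names,
# aliases and the 'changeit' password follow the article's defaults and
# must match the -Djavax.net.ssl.* launch properties.
set -eu

CONNECTOR_HOST=${CONNECTOR_HOST:-connector.example.local}  # = server.hostname
KEY_ALIAS=${KEY_ALIAS:-adaptor}      # = server.keyAlias in adaptor-config.properties
GSA_ALIAS=${GSA_ALIAS:-gsa}
KEYSTORE=${KEYSTORE:-keys.jks}
TRUSTSTORE=${TRUSTSTORE:-cacerts.jks}
STOREPASS=${STOREPASS:-changeit}     # JDK default; replace in production
GSA_CERT=${GSA_CERT:-gsa.crt}

# 1. Self-signed key pair for the connector. The SAN has to match the name
#    the appliance connects to, or a peer that validates names rejects it.
make_connector_keypair() {
  keytool -genkeypair -alias "$KEY_ALIAS" -keyalg RSA -keysize 2048 -validity 365 \
    -keystore "$KEYSTORE" -storetype JKS -storepass "$STOREPASS" -keypass "$STOREPASS" \
    -dname "CN=$CONNECTOR_HOST" -ext "SAN=dns:$CONNECTOR_HOST"
}

# 2. Export the certificate as PEM (adaptor.crt) for upload under
#    Administration > Certificate Authorities on the appliance.
export_connector_cert() {
  keytool -exportcert -rfc -alias "$KEY_ALIAS" -keystore "$KEYSTORE" \
    -storepass "$STOREPASS" -file adaptor.crt
}

# 3. Trust the appliance certificate. -noprompt skips "Trust this
#    certificate?", so the fingerprint check below must happen first:
#    a self-signed certificate has no chain to validate, the fingerprint
#    comparison is the only thing that authenticates it.
trust_gsa_cert() {
  keytool -importcert -noprompt -alias "$GSA_ALIAS" -keystore "$TRUSTSTORE" \
    -storetype JKS -storepass "$STOREPASS" -file "$GSA_CERT"
}

# Pull the SHA-256 fingerprint out of 'keytool -printcert' output on stdin.
extract_sha256() {
  sed -n 's/^[[:space:]]*SHA256:[[:space:]]*//p' | head -n 1 | tr -d '[:space:]'
}

cert_fingerprint() {   # $1 = PEM or DER certificate file
  keytool -printcert -file "$1" | extract_sha256
}

# Compare two fingerprints regardless of colons, spaces or hex case, so a
# value copied from a console or an e-mail compares correctly. Empty never matches.
same_fingerprint() {
  a=$(printf '%s' "$1" | tr -d ': ' | tr 'a-f' 'A-F')
  b=$(printf '%s' "$2" | tr -d ': ' | tr 'a-f' 'A-F')
  [ -n "$a" ] && [ "$a" = "$b" ]
}

# Constructed sample of 'keytool -printcert' output (not a real certificate),
# showing the format extract_sha256 parses.
SAMPLE_PRINTCERT='Owner: CN=gsa.example.local
Issuer: CN=gsa.example.local
Serial number: 4d2f1a
Valid from: Mon Jan 01 00:00:00 UTC 2024 until: Wed Dec 31 00:00:00 UTC 2025
Certificate fingerprints:
         SHA1: 9C:4B:2E:71:05:D8:A3:6F:10:C2:5E:88:3B:97:E4:0A:D1:76:2C:B5
         SHA256: 3A:7F:1C:9E:5B:22:D4:08:61:AF:C3:7E:90:14:5D:B8:E2:46:0C:7A:F1:39:8D:55:A6:1B:C9:73:2E:04:6F:DA
Signature algorithm name: SHA256withRSA'

case "${1:-}" in
  --generate)
    make_connector_keypair
    export_connector_cert
    echo "upload adaptor.crt to the appliance; appliance certificate SHA-256: $(cert_fingerprint "$GSA_CERT")"
    echo "compare it with the value obtained from the appliance, then run: $0 --trust <expected-fingerprint>" ;;
  --trust)
    same_fingerprint "$(cert_fingerprint "$GSA_CERT")" "${2:?expected fingerprint required}" ||
      { echo "fingerprint mismatch: not trusting $GSA_CERT" >&2; exit 1; }
    trust_gsa_cert ;;
esac
```

Run with `--generate` first, upload adaptor.crt through the Admin Console, then run `--trust <fingerprint>` with the value obtained from the appliance; the import is refused unless the file on disk matches that fingerprint.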

Turn on security with the server.secure property

You can turn on security for the connector by using the server.secure property, which enables HTTPS and certificate checking. Add the following line to your adaptor-config.properties file:

server.secure=true

When server.secure is enabled, the connector uses the GSA's authentication configuration and HTTPS for all communication. Also, when the value of server.secure is true, the following conditions apply:

  • The connector's private key and certificate must be in the connector keystore under the alias named by server.keyAlias in the connector config file (for example, server.keyAlias=adaptor).
  • The connector listens on the configured port over SSL/TLS only.
  • The Connector Dashboard listens on the configured dashboard port over SSL/TLS only.
  • Feeds from the connector are sent only to the search appliance's secure Feedergate port (19902), even if the search appliance still accepts feeds over HTTP.
  • The connector validates the search appliance's certificate against its trust store during the SSL handshake, so the GSA certificate (or its issuing CA) must already be trusted.

Connector Secure Configuration Example File

The following example shows a configuration file with all needed options for secure connections:

gsa.hostname=gsa.example.local
server.hostname=connector.example.local
filesystemadaptor.src=\\\\fs.example.local\\share_to_crawl\\
server.port=12202
server.dashboardPort=12203
feed.name=example-fs-00
server.secure=true
server.keyAlias=adaptor

Run in secure mode with self-signed certificates

If you are using one or more self-signed certificates in your configuration, you must run the connector with SSL settings, as shown in the following command example:

Windows (the ^ must be the last character on each continued line; note the space before it)

java ^
-Djava.util.logging.config.file=src/logging.properties ^
-Djavax.net.ssl.keyStore=keys.jks ^
-Djavax.net.ssl.keyStoreType=jks ^
-Djavax.net.ssl.keyStorePassword=changeit ^
-Djavax.net.ssl.trustStore=cacerts.jks ^
-Djavax.net.ssl.trustStoreType=jks ^
-Djavax.net.ssl.trustStorePassword=changeit ^
-classpath adaptor-name-4.1.0-withlib.jar ^
com.google.enterprise.adaptor.name.NameAdaptor

Linux / Unix systems (the \ must be the last character on each continued line; note the space before it)

java \
-Djava.util.logging.config.file=src/logging.properties \
-Djavax.net.ssl.keyStore=keys.jks \
-Djavax.net.ssl.keyStoreType=jks \
-Djavax.net.ssl.keyStorePassword=changeit \
-Djavax.net.ssl.trustStore=cacerts.jks \
-Djavax.net.ssl.trustStoreType=jks \
-Djavax.net.ssl.trustStorePassword=changeit \
-classpath adaptor-name-4.1.0-withlib.jar \
com.google.enterprise.adaptor.name.NameAdaptor
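A pre-flight check before launching in secure mode, covering the server.secure conditions listed above and the keystore and trust store passed on the command line. This is an added example, not code from the original article or from the connector project. It assumes the file names, the gsa trust-store alias and the changeit password used on this page, that keytool from the connector's JRE is on PATH, and that the JAR name and main class are placeholders as in the article.

```shell
#!/bin/sh
# Added example, not from the original article or the connector project:
# check that adaptor-config.properties and the JKS files agree before the
# connector is started with the -Djavax.net.ssl.* properties.
# Assumptions: file names, the 'gsa' trust-store alias and the 'changeit'
# password follow the article's defaults; keytool is on PATH.
set -eu

KEYSTORE=${KEYSTORE:-keys.jks}
TRUSTSTORE=${TRUSTSTORE:-cacerts.jks}
STOREPASS=${STOREPASS:-changeit}   # assumption: one password for both stores
GSA_ALIAS=${GSA_ALIAS:-gsa}

# Read one key from a Java properties file: last assignment wins, as with
# java.util.Properties; '=' or ':' separators; the value is returned as
# written, without unescaping (a UNC path stays doubly escaped here).
prop_get() {   # $1 = file, $2 = key, $3 = default
  key=$(printf '%s' "$2" | sed 's/\./\\./g')
  v=$(sed -n "s/^[[:space:]]*${key}[[:space:]]*[=:][[:space:]]*//p" "$1" | tail -n 1)
  printf '%s\n' "${v:-$3}"
}

# Decide whether the configuration really puts the connector in secure mode.
# Returns 0 when it does, 1 otherwise, naming each problem on stderr.
check_secure_config() {   # $1 = adaptor-config.properties
  cfg=$1
  rc=0
  secure=$(prop_get "$cfg" server.secure false)
  if [ "$secure" != true ]; then
    echo "server.secure=$secure: connector would serve plain HTTP and feed unencrypted" >&2
    rc=1
  fi
  if [ -z "$(prop_get "$cfg" server.hostname "")" ]; then
    echo "server.hostname missing: certificate name cannot be matched" >&2
    rc=1
  fi
  if [ -z "$(prop_get "$cfg" gsa.hostname "")" ]; then
    echo "gsa.hostname missing" >&2
    rc=1
  fi
  return $rc
}

# Confirm the alias named by server.keyAlias exists in the key store and the
# appliance certificate exists in the trust store. 'keytool -list -alias'
# exits non-zero when the alias is absent or the password is wrong.
check_keystores() {   # $1 = adaptor-config.properties
  alias=$(prop_get "$1" server.keyAlias adaptor)
  keytool -list -keystore "$KEYSTORE" -storepass "$STOREPASS" -alias "$alias" >/dev/null 2>&1 ||
    { echo "alias '$alias' not in $KEYSTORE (server.keyAlias mismatch?)" >&2; return 1; }
  keytool -list -keystore "$TRUSTSTORE" -storepass "$STOREPASS" -alias "$GSA_ALIAS" >/dev/null 2>&1 ||
    { echo "appliance certificate (alias '$GSA_ALIAS') not in $TRUSTSTORE" >&2; return 1; }
}

# Start the connector only after both checks pass.
launch_secure() {   # $1 = config file, $2 = connector JAR, $3 = main class
  cfg=$1; jar=$2; mainclass=$3
  check_secure_config "$cfg" && check_keystores "$cfg" || exit 1
  exec java \
    -Djava.util.logging.config.file=src/logging.properties \
    -Djavax.net.ssl.keyStore="$KEYSTORE" -Djavax.net.ssl.keyStoreType=jks \
    -Djavax.net.ssl.keyStorePassword="$STOREPASS" \
    -Djavax.net.ssl.trustStore="$TRUSTSTORE" -Djavax.net.ssl.trustStoreType=jks \
    -Djavax.net.ssl.trustStorePassword="$STOREPASS" \
    -classpath "$jar" "$mainclass"
}

if [ $# -eq 3 ]; then
  launch_secure "$1" "$2" "$3"
fi
```

Invoke as `sh launch.sh adaptor-config.properties adaptor-name-4.1.0-withlib.jar com.google.enterprise.adaptor.name.NameAdaptor`; a configuration that still has server.secure=false, or a keystore whose alias does not match server.keyAlias, stops the launch instead of silently starting a plain-HTTP connector.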

Enable stricter security

Optionally, you can improve security by choosing stricter security features on the Administration > SSL Settings page in the Admin Console, as described in the following table.

Note that using any of these options requires the connector to be configured for security and to have server.secure=true in its configuration.

Option: Enable HTTP (non-SSL) access for Feedergate
Setting: Uncheck
Description: When this option is unchecked, Feedergate accepts only HTTPS connections. Connectors send document IDs to Feedergate.

Option: Enable Client Certificate Authentication for Feedergate
Setting: Check
Description: When this option is checked, the Feedergate SSL port (19902) accepts connections only from IP addresses in the trusted IP addresses list and only from clients that present a valid X.509 certificate when connecting. Valid means that the certificate is signed by a certificate in the CA keystore on the search appliance (or by a certificate in that certificate's chain).

Option: Enable Server Certificate Authentication
Setting: Check
Description: When this option is checked, the crawler is required to validate the certificates presented by servers that host secure content.

You must include server.secure=true in the connector configuration before enabling these stricter features; once Feedergate stops accepting HTTP, a connector that is still in plain mode can no longer feed.

To enable stricter security, perform the following steps in the GSA Admin Console:

  1. Click Administration > SSL Settings.
  2. Make the following changes on this page:
    1. Uncheck Enable HTTP (non-SSL) access for Feedergate
    2. Check Enable Client Certificate Authentication for Feedergate
    3. Check Enable Server Certificate Authentication

  3. Click Save.