fix(backend): update OpenSearch connection to use HTTPS with authentication

Kbayero · Kbayero · commit ea7d894763fa · 2026-04-03T05:23:01.000-04:00
diff --git a/backend/src/main/java/com/park/utmstack/checks/ElasticsearchConnectionCheck.java b/backend/src/main/java/com/park/utmstack/checks/ElasticsearchConnectionCheck.java
@@ -1,10 +1,15 @@
 package com.park.utmstack.checks;
 
 import com.park.utmstack.config.Constants;
+import okhttp3.Credentials;
 import okhttp3.OkHttpClient;
 import okhttp3.Request;
 import okhttp3.Response;
 
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.TrustManager;
+import javax.net.ssl.X509TrustManager;
+import java.security.cert.X509Certificate;
 import java.util.Objects;
 
 public class ElasticsearchConnectionCheck {
@@ -53,17 +58,45 @@ public void connectionCheck(int retries) {
 
     private void pingElasticsearch() {
         try {
-            final String ELASTIC_URL = String.format("http://%1$s:%2$s",
+            final String ELASTIC_URL = String.format("https://%1$s:%2$s",
                 System.getenv(Constants.ENV_ELASTICSEARCH_HOST), System.getenv(Constants.ENV_ELASTICSEARCH_PORT));
 
-            OkHttpClient client = new OkHttpClient().newBuilder().build();
-            Request rq = new Request.Builder().url(ELASTIC_URL).build();
+            String user = System.getenv(Constants.ENV_ELASTICSEARCH_USER);
+            String password = System.getenv(Constants.ENV_ELASTICSEARCH_PASSWORD);
+
+            OkHttpClient client = createTrustAllClient();
+            Request rq = new Request.Builder()
+                .url(ELASTIC_URL)
+                .header("Authorization", Credentials.basic(user, password))
+                .build();
             Response rs = client.newCall(rq).execute();
             Objects.requireNonNull(rs.body()).close();
             if (!rs.isSuccessful())
-                throw new RuntimeException();
+                throw new RuntimeException("HTTP " + rs.code());
         } catch (Exception e) {
             throw new RuntimeException(e.getLocalizedMessage());
         }
     }
+
+    private OkHttpClient createTrustAllClient() {
+        try {
+            TrustManager[] trustAllCerts = new TrustManager[]{
+                new X509TrustManager() {
+                    public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
+                    public void checkClientTrusted(X509Certificate[] certs, String authType) {}
+                    public void checkServerTrusted(X509Certificate[] certs, String authType) {}
+                }
+            };
+
+            SSLContext sslContext = SSLContext.getInstance("TLS");
+            sslContext.init(null, trustAllCerts, new java.security.SecureRandom());
+
+            return new OkHttpClient.Builder()
+                .sslSocketFactory(sslContext.getSocketFactory(), (X509TrustManager) trustAllCerts[0])
+                .hostnameVerifier((hostname, session) -> true)
+                .build();
+        } catch (Exception e) {
+            throw new RuntimeException("Failed to create SSL client: " + e.getMessage());
+        }
+    }
 }
diff --git a/backend/src/main/resources/config/application-dev.yml b/backend/src/main/resources/config/application-dev.yml
@@ -29,7 +29,9 @@ spring:
         database: POSTGRESQL # For Postgresql database
     elasticsearch: # This configuration is for the elasticsearch health indicator, please do not remove
         rest:
-            uris: http://${ELASTICSEARCH_HOST}:${ELASTICSEARCH_PORT}
+            uris: https://${ELASTICSEARCH_HOST}:${ELASTICSEARCH_PORT}
+            username: ${ELASTICSEARCH_USER}
+            password: ${ELASTICSEARCH_PASSWORD}
     liquibase:
         contexts: dev
     mail:
diff --git a/backend/src/main/resources/config/application-prod.yml b/backend/src/main/resources/config/application-prod.yml
@@ -22,7 +22,9 @@ spring:
         database-platform: tech.jhipster.domain.util.FixedPostgreSQL10Dialect
     elasticsearch: # This configuration is for the elasticsearch health indicator, please do not remove
         rest:
-            uris: http://${ELASTICSEARCH_HOST}:${ELASTICSEARCH_PORT}
+            uris: https://${ELASTICSEARCH_HOST}:${ELASTICSEARCH_PORT}
+            username: ${ELASTICSEARCH_USER}
+            password: ${ELASTICSEARCH_PASSWORD}
     liquibase:
         contexts: prod
     mail:
diff --git a/installer/docker/compose.go b/installer/docker/compose.go
@@ -355,7 +355,6 @@ func (c *Compose) Populate(conf *config.Config, stack *StackConfig) error {
 			"cluster.initial_master_nodes=node1",
 			"bootstrap.memory_lock=false",
 			"OPENSEARCH_INITIAL_ADMIN_PASSWORD=" + conf.OpenSearchPassword,
-			"DISABLE_INSTALL_DEMO_CONFIG=true",
 			"JAVA_HOME=/usr/share/opensearch/jdk",
 			"action.auto_create_index=true",
 			"compatibility.override_main_response_version=true",
diff --git a/user-auditor/src/main/java/com/utmstack/userauditor/checks/ElasticsearchConnectionCheck.java b/user-auditor/src/main/java/com/utmstack/userauditor/checks/ElasticsearchConnectionCheck.java
@@ -1,11 +1,16 @@
 package com.utmstack.userauditor.checks;
 
 import com.utmstack.userauditor.service.elasticsearch.Constants;
+import okhttp3.Credentials;
 import okhttp3.OkHttpClient;
 import okhttp3.Request;
 import okhttp3.Response;
 import org.springframework.util.Assert;
 
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.TrustManager;
+import javax.net.ssl.X509TrustManager;
+import java.security.cert.X509Certificate;
 import java.util.Objects;
 
 public class ElasticsearchConnectionCheck {
@@ -46,21 +51,49 @@ private void pingElasticsearch() {
         try {
             String elasticHost = System.getenv(Constants.ENV_ELASTICSEARCH_HOST);
             String elasticPort = System.getenv(Constants.ENV_ELASTICSEARCH_PORT);
+            String user = System.getenv(Constants.ENV_ELASTICSEARCH_USER);
+            String password = System.getenv(Constants.ENV_ELASTICSEARCH_PASSWORD);
 
             Assert.hasText(elasticHost, "Missing elasticsearch host configuration value");
             Assert.hasText(elasticPort, "Missing elasticsearch port configuration value");
+            Assert.hasText(user, "Missing elasticsearch user configuration value");
+            Assert.hasText(password, "Missing elasticsearch password configuration value");
 
-            final String ELASTIC_URL = String.format("http://%1$s:%2$s",
-                System.getenv(Constants.ENV_ELASTICSEARCH_HOST), System.getenv(Constants.ENV_ELASTICSEARCH_PORT));
+            final String ELASTIC_URL = String.format("https://%1$s:%2$s", elasticHost, elasticPort);
 
-            OkHttpClient client = new OkHttpClient().newBuilder().build();
-            Request rq = new Request.Builder().url(ELASTIC_URL).build();
+            OkHttpClient client = createTrustAllClient();
+            Request rq = new Request.Builder()
+                .url(ELASTIC_URL)
+                .header("Authorization", Credentials.basic(user, password))
+                .build();
             Response rs = client.newCall(rq).execute();
             Objects.requireNonNull(rs.body()).close();
             if (!rs.isSuccessful())
-                throw new RuntimeException();
+                throw new RuntimeException("HTTP " + rs.code());
         } catch (Exception e) {
             throw new RuntimeException(ctx + ": " + e.getLocalizedMessage());
         }
     }
+
+    private OkHttpClient createTrustAllClient() {
+        try {
+            TrustManager[] trustAllCerts = new TrustManager[]{
+                new X509TrustManager() {
+                    public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
+                    public void checkClientTrusted(X509Certificate[] certs, String authType) {}
+                    public void checkServerTrusted(X509Certificate[] certs, String authType) {}
+                }
+            };
+
+            SSLContext sslContext = SSLContext.getInstance("TLS");
+            sslContext.init(null, trustAllCerts, new java.security.SecureRandom());
+
+            return new OkHttpClient.Builder()
+                .sslSocketFactory(sslContext.getSocketFactory(), (X509TrustManager) trustAllCerts[0])
+                .hostnameVerifier((hostname, session) -> true)
+                .build();
+        } catch (Exception e) {
+            throw new RuntimeException("Failed to create SSL client: " + e.getMessage());
+        }
+    }
 }
diff --git a/user-auditor/src/main/java/com/utmstack/userauditor/service/elasticsearch/Constants.java b/user-auditor/src/main/java/com/utmstack/userauditor/service/elasticsearch/Constants.java
@@ -18,6 +18,8 @@ public final class Constants {
      */
     public static final String ENV_ELASTICSEARCH_HOST = "ELASTICSEARCH_HOST";
     public static final String ENV_ELASTICSEARCH_PORT = "ELASTICSEARCH_PORT";
+    public static final String ENV_ELASTICSEARCH_USER = "ELASTICSEARCH_USER";
+    public static final String ENV_ELASTICSEARCH_PASSWORD = "ELASTICSEARCH_PASSWORD";
     public static final String ENV_DB_HOST = "DB_HOST";
     public static final String ENV_DB_PORT = "DB_PORT";
     public static final String ENV_DB_NAME = "DB_NAME";
