About Search Security Certificate
The use of search security certificates allows the Coveo Front-End and Back-End servers to run on servers with various operating systems and not be dependent on a single security provider like Microsoft Active Directory.
A search security certificate can be defined so that the Back-End server accepts impersonation only from specific trusted users and/or groups and from specific Front-End servers. The Coveo Platform comes with a default search security certificate that specifies no user or server restrictions. You can select or create search security certificates at the end of the Coveo .NET Front-End software installation and later from the search interface Do more menu (see Coveo .NET Front-End First Time Setup).
Each Coveo instance has a search security certificate whitelist that contains the search security certificates that are trusted to perform queries. The whitelist can also specify, for each certificate, the users or groups that can be impersonated to perform queries as well as the trusted machines that can send queries (see Editing a Certificate Whitelist).
Deployed Search Security Configuration
The Coveo Back-End and Front-End installers perform the required configurations to implement the search security certificate. The following elements must all be in place to allow communication between Coveo Front-End and Back-End servers.
- Creation and deployment of default trusted CA and certificates

  On the Coveo Master server, the files for one default trusted CA, one certificate for the CES Service, one certificate for the local Front-End, and one certificate for the Mirrors are created in the [Index_Path]\Certificates folder.

  Note: The default search security certificates are created and signed by Coveo.

- SSL declaration of the CA and the certificates

  On Coveo Master and Mirror servers, an <SSL> section in the [Index_Path]\Config\Config.txt file declares the trusted CA file and the default certificates.

  Example:

      <SSL>
        <CACertificatePrivateKey>C:/CES7/Config/Certificates/pk-ca.pem</CACertificatePrivateKey>
        <Certificate>C:/CES7/Config/Certificates/cert-ces.pem</Certificate>
        <CertificatePrivateKey>C:/CES7/Config/Certificates/pk-ces.pem</CertificatePrivateKey>
        <TrustedCAs>C:/CES7/Config/Certificates/cert-ca.pem</TrustedCAs>
      </SSL>

  The <TrustedCAs> element holds the path to the file containing all the certificate authorities (CAs) the mirror trusts. This trusted CA file contains the CAs in the Privacy Enhanced Mail (PEM) format. In a typical installation, the trusted CA file contains only the one CA that signed all the certificates, including the local Front-End search security certificate. There is no need to add a trusted CA in a typical installation because the Front-End search security certificate is already trusted.

  Note: You can however add as many trusted CAs as you wish by simply appending other CAs to this file.

- Addition of the search security certificate to the whitelist

  On Coveo Master and Mirror servers, the thumbprint and optional restriction information are added to the <CertificateWhitelist> section of the [Index_Path]\Config\Config.txt file for each search security certificate that the Coveo instance trusts (see Editing a Certificate Whitelist).

  Example:

      <CertificateWhitelist>
        <SearchCertificate ID="28485">
          <Thumbprint>A33AC6887B8B0625656C7ECEC0E3F040AF6DA360</Thumbprint>
        </SearchCertificate>
      </CertificateWhitelist>

- Identification of the search security certificate to use for the Admin Web application

  On a Coveo Master server, the Admin web application must identify the search security certificate to use in the <CoveoEnterpriseSearch> section of the [CES_Path]\Web\Admin\web.config file using the sslCertificatePath attribute.

  Example: Identifying the C:\CES7\Config\Certificates\cert-iis.p12 certificate file.

      <coveoEnterpriseSearch>
        <server hostname="localhost" port="52800" sslCertificatePath="C:\CES7\Config\Certificates\cert-iis.p12"/>
        ...
      </coveoEnterpriseSearch>

- Identification of the search security certificate to use for the Front-End server

  On each Coveo Front-End server, each Web application must identify the search security certificate to use in the <CoveoEnterpriseSearch> section of the [CES_Path]\Web\web.config file using the sslCertificatePath attribute. The search security certificate file must be available on the Front-End server.

  Example: Identifying the C:\CES7\Config\Certificates\cert-iis.p12 certificate file.

      <coveoEnterpriseSearch>
        <server hostname="localhost" port="52800" sslCertificatePath="C:\CES7\Config\Certificates\cert-iis.p12"/>
        ...
      </coveoEnterpriseSearch>
Important: With the Coveo Platform 7 Beta 1, the Coveo .NET Front-End installer does not yet include a first-time setup form that lets you easily configure which Coveo Back-End server the Front-End server connects to and which search security certificate it uses. You must perform this configuration manually (see Manually Configuring Search Security Certificate).
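Because a Back-End only accepts impersonated queries from certificates whose thumbprint is in its whitelist, a useful pre-flight check when deploying a Front-End is to confirm that the certificate file it will present is actually listed. The following script is an added example, not Coveo code or documentation; it assumes the <CertificateWhitelist> block of Config.txt parses as XML and that <Thumbprint> is the SHA-1 of the certificate's DER encoding (the usual X.509 thumbprint), and all certificate and configuration data in it is constructed.

```python
"""Check a Front-End search security certificate against a CES <CertificateWhitelist>.
Assumed, not taken from the Coveo docs: the whitelist block parses as XML and the
<Thumbprint> is the SHA-1 of the certificate's DER encoding (the usual X.509 thumbprint)."""
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

def pem_to_der(pem_text: str) -> bytes:
    """Decode the first CERTIFICATE block of a PEM file to DER bytes."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block in PEM text")
    return base64.b64decode("".join(m.group(1).split()))

def thumbprint(der: bytes) -> str:
    """SHA-1 over the DER, upper-case hex: the form the whitelist example uses."""
    return hashlib.sha1(der).hexdigest().upper()

def normalize(tp: str) -> str:
    """Drop the spaces or colons a certificate viewer inserts and ignore case."""
    return re.sub(r"[^0-9A-Fa-f]", "", tp).upper()

def whitelist_thumbprints(config_text: str) -> dict:
    """Map each <SearchCertificate ID> in the whitelist section to its normalized thumbprint."""
    m = re.search(r"<CertificateWhitelist>.*?</CertificateWhitelist>", config_text, re.S)
    if not m:
        return {}
    root = ET.fromstring(m.group(0))
    return {sc.get("ID"): normalize(sc.findtext("Thumbprint", ""))
            for sc in root.findall("SearchCertificate")}

def is_trusted(config_text: str, pem_text: str) -> bool:
    """True when the certificate's thumbprint appears in the whitelist."""
    return thumbprint(pem_to_der(pem_text)) in whitelist_thumbprints(config_text).values()

def to_pem(der: bytes) -> str:
    """Wrap bytes as a PEM CERTIFICATE block; used only to build constructed samples."""
    return "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der).decode() + "-----END CERTIFICATE-----\n"

# Constructed samples: arbitrary bytes, not real X.509 certificates.
SAMPLE_PEM = to_pem(b"constructed sample, not an X.509 certificate")
OTHER_PEM = to_pem(b"another constructed blob, not a certificate either")
# The second whitelist entry is pasted with spaces, as a certificate viewer displays a thumbprint.
SPACED = " ".join(re.findall("..", thumbprint(pem_to_der(SAMPLE_PEM))))
SAMPLE_CONFIG = f"""<CertificateWhitelist>
  <SearchCertificate ID="28485"><Thumbprint>A33AC6887B8B0625656C7ECEC0E3F040AF6DA360</Thumbprint></SearchCertificate>
  <SearchCertificate ID="CONSTRUCTED-2"><Thumbprint>{SPACED}</Thumbprint></SearchCertificate>
</CertificateWhitelist>"""
```

Run it against a real Config.txt and the Front-End's certificate file (converted to PEM) to see, before the first query fails, whether the Back-End will accept that certificate.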