Manually Configuring Search Security Certificate

A Coveo server querying another Coveo instance must use a trusted search security certificate to be able to receive query results from the Coveo Back-End server (see About Search Security Certificate). The search security certificate file used must be available on both servers. On Front-End servers, the search security certificate file must be identified in the web.config file of the web application.

Note: You can select or create search security certificates at the end of the Coveo .NET Front-End software installation and later from the search interface Do more menu (see Coveo .NET Front-End First Time Setup).

The manual search security certificate configuration varies depending on the Coveo instance deployment:

Front-End and Back-End components on the same server (see Local Front-End).
Front-End and Back-End components on different servers (see Remote Front-End).
Front-End querying multiple Back-Ends (see Remote Front-End querying multiple Coveo instances)
Back-End querying another Coveo instance (see Geographically distributed indexing (GDI)).
Coveo search box integrated in SharePoint (see SharePoint integration).

Local Front-End

In a simple one server installation, you install the Coveo Front-End components on the same server as the Back-End components. In this case, the file for the default front-end search security certificate is already available on the server (C:\CES7\Config\Certificates\cert-iis.p12 by default).

Using an administrator account, connect to the Coveo Master server.
Using a text editor:
1. Open the [.Net_Front-End_Path]\Web\web.config file.
2. In the <CoveoEnterpriseSearch> section of the file, add the sslCertificatePath="[Search_Certificate_File]" attribute to the <server> element.
  Example: Identifying the C:\CES7\Config\Certificates\cert-iis.p12 certificate file.
```
<coveoEnterpriseSearch>
	<server hostname="localhost" port="52800" sslCertificatePath="C:\CES7\Config\Certificates\cert-iis.p12"/>
	...
</coveoEnterpriseSearch>  
```
3. Save the file.

Remote Front-End

In a deployment with one or more Coveo Front-End servers and a Back-End server, you must first copy the search security certificate from the Master server to each remote Front-End server.

Using an administrator account, connect to the Coveo Master server, and then copy the [Index_Path]\Config\Certificates\cert-iis.p12 file.
For each Front-End server:
1. Using an administrator account, connect to the Coveo Front-End server.
2. Paste the search security certificate file to a location of your choice.
  
  Example: You can create a C:\Program Files\Coveo .NET Front-End 12\Web\Certificates\ folder in which to paste the search security certificate file.
3. Using a text editor:
  1. Open the [.Net_Front-End_Path]\Web\web.config file.
  2. In the <CoveoEnterpriseSearch> section of the file, add the sslCertificatePath="[Search_Certificate_File]" attribute to the <server> element.
    Example: Identifying the C:\Program Files\Coveo .NET Front-End 12\Web\Certificates\cert-iis.p12 certificate file.
```
<coveoEnterpriseSearch>
	<server hostname="localhost" port="52800" sslCertificatePath="C:\Program Files\Coveo .NET Front-End 12\Web\Certificates\cert-iis.p12"/>
	...
</coveoEnterpriseSearch>  
```
  3. Save the file.

Remote Front-End querying multiple Coveo instances

In a deployment with a Coveo Front-End server sending queries to more than one Coveo instance, the Front-End needs one certificate that is trusted by all the Coveo instances to which it sends queries.

Choose one of the CES instances, as the one holding the search security certificate to be used.
Using an administrator account, connect to the Master server of the reference Coveo instance, and then copy the [Index_Path]\Config\Certificates\cert-iis.p12 file.

This will be the search security certificate the Front-End server will be using.
Using an administrator account, connect to the Coveo Front-End server.
Paste the search security certificate file to a location of your choice.

Example: You can create a C:\Program Files\Coveo .NET Front-End 12\Web\Certificates\ folder in which to paste the search security certificate file.
For all the other Coveo instances that you want to query:
1. Using an administrator account, connect to the Master server of the Coveo instance.
2. In the [Index_Path]\Config\Certificates\ folder, append the content of the [Index_Path]\Config\Certificates\cert-ca.pem found on the reference Coveo instance machine you chose.
3. Add the search security certificate thumbprint to the certificate whitelist (see Editing a Certificate Whitelist).

Geographically distributed indexing (GDI)

In a GDI deployment where one Coveo Back-End server sends queries to another Coveo Back-End server, the Coveo instance receiving the query must trust the CA of the querying Coveo instance.

Using an administrator account, connect to the Master server of the Coveo instance that sends queries.
Using a text editor, open and copy the content of the [Index_Path]\Config\Certificates\cert-ca.pem file.

Using an administrator account, connect to the Master server of the Coveo instance that receives the queries.

Using a text editor:

Open the [Index_Path]\Config\Certificates\cert-ca.pem file.

Paste the copied content at the end of the file.

Example: Two trusted CAs in a cert-ca.pem file.

-----BEGIN CERTIFICATE-----
MIIEDjCCAvagAwIBAgIJAJyezp7873moMA0GCSqGSIb3DQEBBQUAMIGtMR0wGwYD
VQQKExRDb3ZlbyBTb2x1dGlvbnMgaW5jLjE7MDkGA1UEAxQyezg4NDkwMzIxLTY1
...
LFjOsB64Bo4yNrv0o8MCtwKbfBFtjQ0ncMAoVZTDPrW37kUF3mRxwElBafioay5H
hdh9wXKSjBRHS0zpTUwqmHzgYEQ/4/QKQc1iVHaAwyX7xQ==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
AkNBMSAwHgYJKoZIhvcNAQkBFhFzdXBwb3J0QGNvdmVvLmNvbTEPMA0GA1UEBxMG
UXVlYmVjMQ8wDQYDVQQIEwZRdWViZWMwHhcNMTIwMTIzMTg0NTA0WhcNMjIwMTIw
...
BgkqhkiG9w0BAQUFAAOCAQEApo11dMAxrFkb9/9QE2ZUUeJutoa3LCmbLRbYg3XY
IIH/YLch8S0C1OICGZGKErR8jDQQrjVRnt+1F5VVOj1qZf8QPMDdODkd72IqDF6d
-----END CERTIFICATE-----

Save the file.

Add the search security certificate thumbprint (for the cert-iis.p12 and cert-ces.pem files) to the certificate whitelist (see Editing a Certificate Whitelist).

SharePoint integration

In a deployment where a Coveo search box is integrated with SharePoint, the SharePoint site needs to use the search security certificate of the Coveo instance to which it sends queries.

Using an administrator account, connect to the Coveo Master server, and then copy the [Index_Path]\Config\Certificates\cert-iis.p12 file.
Using an administrator account, connect to the SharePoint server.
Paste the search security certificate file to a location of your choice.
In Internet Information Services (IIS) Manager, right-click on the SharePoint site, and then open the containing folder.
Using a text editor:
1. Open the web.config file.
2. In the <CoveoEnterpriseSearch> section of the file, add the sslCertificatePath="[Search_Certificate_File]" attribute to the <server> element.
3. Save the file.

Ask your questions on connect.coveo.com.

People who viewed this topic also viewed

Community