Submit Feedback
Legacy Knowledge Base
Published Jun. 30, 2025

How to configure X-Pack secured search service liveness/readiness probes with authentication in Paas

Written By

Sorin Pop

How To articles are not official guidelines or officially supporteddocumentation. They are community-contributed content and may not alwaysreflect the latest updates to Liferay DXP. We welcome your feedback toimprove How to articles!

While we make every effort to ensure this Knowledge Base is accurate, itmay not always reflect the most recent updates or official guidelines.We appreciate your understanding and encourage you to reach out with anyfeedback or concerns.

Legacy Article

You are viewing an article from our legacy "FastTrack"publication program, made available for informational purposes. Articlesin this program were published without a requirement for independentediting or verification and are provided "as is" withoutguarantee.

Before using any information from this article, independently verify itssuitability for your situation and project.

Issue

  • We tried to configure in our PAAS environnement the Elasticsearch X-Pack feature.

    When we follow this article and enable X-Pack feature in dev server (with environment variable), the ElasticSearch endpoint used for readiness and liveness are not accessible anymore and return 401 error. So Elasticsearch can’t be reached by Liferay Cloud, and stays unavailable.

Environment

  • PaaS

Resolution

  • The documentation in this article is suitable for Self-Hosted deployments only. Self-Managed (PaaS) deployments require settings on the cloud environment side.
  • Update the liveness and readiness probes within the Elasticsearch service's LCP.json file to incorporate authentication. Since enabling X-Pack security secures Elasticsearch endpoints, the health checks must authenticate to access these endpoints
  • If the basic authentication username and password is elastic and changeme then the base64 value is ZWxhc3RpYzpjaGFuZ2VtZQ== using this 
     
    echo -n "elastic:changeme" | base64
     
     
    So the probe configuration would look something like this:
     
     
        "httpGet": {
          "path": "/",
          "port": 9200,
          "httpHeaders":[
          {
             "name":"Authorization",
             "value":"Basic ZWxhc3RpYzpjaGFuZ2VtZQ=="
          }
       ]
     
    If you prefer to use TLS on top of the basic authentication (from internal discussion I see that this can be quite complex to configure, and it doesn't really provide any great additional benefits) you should use this
     
     "scheme": "HTTPS"
     
    (and of course it also requires additional steps - generating certificates, etc. - as documented in the mentioned article)
     
     
     
        "httpGet": {
          "path": "/",
          "port": 9200,
          "scheme": "HTTPS",
          "httpHeaders":[
          {
             "name":"Authorization",
             "value":"Basic ZWxhc3RpYzpjaGFuZ2VtZQ=="
          }
       ]

  • If additionally you would like to limit the visibility of this authorization by extracting it as a Liferay Cloud Secret. 

    Let's say something like this :

     "httpGet": {
          "path": "/",
          "port": 9200,
          "httpHeaders":[
          {
             "name":"Authorization",
             "value":"@lcp-secret-elasticsearch-authorization"
          }
       ]

          Please note that at the time of writing this article (January 2025) this is not possible. Currently, Liferay Cloud API does not read secrets under probes, so this is not possible yet. However, our cloud engineers have registered now this as a feature request, and hopefully it will be possible in the future.

 

Did this article resolve your issue ?
Legacy Knowledge Base
Did this article resolve your issue ?