Encrypt internode communications

Now that you’ve generated a certificate authority and certificates for each node, you must update your cluster to use these files.
- Stop each Elasticsearch node. For example, if you installed Elasticsearch from an archive distribution, enter Ctrl-C on the command line. See Stopping Elasticsearch.
- On each node, enable Transport Layer Security (TLS/SSL) for transport (internode) communications. You must also configure each node to identify itself using its signed certificate.
  For example, add the following settings in each ES_PATH_CONF/elasticsearch.yml file:

  xpack.security.transport.ssl.enabled: true
  xpack.security.transport.ssl.keystore.path: certs/${node.name}.p12
  xpack.security.transport.ssl.truststore.path: certs/${node.name}.p12

  If the file name for your certificate does not match the node.name value, you must put the appropriate file name in each elasticsearch.yml file. The PKCS#12 keystore that is output by elasticsearch-certutil can be used as both a keystore and a truststore. If you use other tools to manage and generate your certificates, you might have different values for these settings, but that scenario is not covered in this tutorial. For more information about these settings, see Transport TLS/SSL Settings.
- On each node, store the password for the PKCS#12 file in the Elasticsearch keystore.
  For example, run the following commands on each node:

  ./bin/elasticsearch-keystore create
  ./bin/elasticsearch-keystore add xpack.security.transport.ssl.keystore.secure_password
  ./bin/elasticsearch-keystore add xpack.security.transport.ssl.truststore.secure_password

  If the Elasticsearch keystore already exists, the create command asks whether you want to overwrite it. You do not need to overwrite it; you can simply add settings to your existing Elasticsearch keystore.
  You are prompted to supply the password value. As you saw in the previous step, we are using the same file for both the transport TLS keystore and truststore, therefore you supply the same password for both of these settings.
- Start each Elasticsearch node. For example, if you installed Elasticsearch with a .tar.gz package, run the following command from each Elasticsearch directory:

  ./bin/elasticsearch
- (Optional) Restart Kibana. For example, if you installed Kibana with a .tar.gz package, run the following command from the Kibana directory:

  ./bin/kibana
- Verify that your cluster is healthy. For example, use the cluster health API:

  GET _cluster/health

  Confirm the status of your cluster is green in the response from this API. If you encounter errors, you can see some common problems and solutions in Common SSL/TLS exceptions.
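A pre-flight check that is worth running on each node between editing elasticsearch.yml and starting the node again: it confirms that xpack.security.transport.ssl.enabled is true and that the keystore and truststore paths, with ${node.name} expanded the way Elasticsearch does, resolve to files that actually exist under ES_PATH_CONF. This is an added example, not code from the Elastic documentation; the function names (yml_get, check_transport_tls, demo_check), the constructed sample config and the empty placeholder .p12 file are this example's own. It does not check the secure_password entries in the Elasticsearch keystore, which elasticsearch-keystore manages.

```shell
#!/bin/sh
# Added example, not part of the Elastic documentation: a pre-flight check that
# the transport TLS settings in elasticsearch.yml resolve to files that exist
# for this node, run before starting the node again.
# Function names (yml_get, check_transport_tls, demo_check) are this example's
# own; the setting names are the ones from the tutorial.

# Print the value of a flat "key: value" line in a YAML file (first match only).
yml_get() {
  _key_re=$(printf '%s' "$2" | sed 's/\./\\./g')   # escape dots for the regex
  sed -n "s/^[[:space:]]*${_key_re}:[[:space:]]*//p" "$1" | head -n 1
}

# Usage: check_transport_tls <path/to/elasticsearch.yml> <node.name> <ES_PATH_CONF>
# Returns 0 when ssl.enabled is true and both the keystore and truststore paths,
# with ${node.name} expanded, point at existing files; otherwise prints what is
# wrong and returns 1.
check_transport_tls() {
  _conf="$1"; _node="$2"; _confdir="$3"; _rc=0
  _enabled=$(yml_get "$_conf" 'xpack.security.transport.ssl.enabled')
  if [ "$_enabled" != "true" ]; then
    echo "xpack.security.transport.ssl.enabled is '$_enabled', expected 'true'"
    _rc=1
  fi
  for _store in keystore truststore; do
    _raw=$(yml_get "$_conf" "xpack.security.transport.ssl.${_store}.path")
    if [ -z "$_raw" ]; then
      echo "xpack.security.transport.ssl.${_store}.path is not set"
      _rc=1
      continue
    fi
    # Expand ${node.name} as Elasticsearch does for this node.
    _path=$(printf '%s' "$_raw" | sed "s|\\\${node\.name}|${_node}|g")
    # Relative paths are resolved against the config directory (ES_PATH_CONF).
    case "$_path" in
      /*) _full="$_path" ;;
      *)  _full="${_confdir}/${_path}" ;;
    esac
    if [ ! -f "$_full" ]; then
      echo "${_store}: '$_full' does not exist; check the certificate file name against node.name '$_node'"
      _rc=1
    fi
  done
  return $_rc
}

# Build a constructed sample config directory (not a real cluster) and run the
# check for a node whose certificate exists and for one whose certificate does not.
demo_check() {
  _tmp=$(mktemp -d)
  mkdir -p "${_tmp}/certs"
  cat > "${_tmp}/elasticsearch.yml" <<'EOF'
node.name: node-1
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.keystore.path: certs/${node.name}.p12
xpack.security.transport.ssl.truststore.path: certs/${node.name}.p12
EOF
  : > "${_tmp}/certs/node-1.p12"   # empty placeholder standing in for the PKCS#12 file
  if check_transport_tls "${_tmp}/elasticsearch.yml" node-1 "${_tmp}"; then
    echo "node-1: transport TLS settings look consistent"
  fi
  # node-2 has no certs/node-2.p12, so the check reports the mismatch.
  check_transport_tls "${_tmp}/elasticsearch.yml" node-2 "${_tmp}" || echo "node-2: fix before starting"
  rm -rf "${_tmp}"
}

demo_check
```

On a real node, call check_transport_tls with the path to your elasticsearch.yml, the node's node.name and its ES_PATH_CONF directory; a non-zero exit tells you which path is wrong before the node fails its TLS bootstrap check at startup.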
What’s next?

Congratulations! You’ve encrypted communications between the nodes in your cluster and can pass the TLS bootstrap check.
If you want to encrypt communications between other products in the Elastic Stack, see Encrypting communications.