Encrypt internode communications
editEncrypt internode communications
editNow that we’ve generated a certificate authority and certificates, let’s update the cluster to use these files.
When you enable Elasticsearch security features, unless you have a trial license, you must use Transport Layer Security (TLS) to encrypt internode communication. By following the steps in this tutorial, you learn how to meet the minimum requirements to pass the TLS bootstrap check.
-
(Optional) Name the cluster.
For example, add the cluster name setting in the
ES_PATH_CONF/elasticsearch.yml
file:cluster.name: test-cluster
The
ES_PATH_CONF
environment variable contains the path for the Elasticsearch configuration files. If you installed Elasticsearch using archive distributions (zip
ortar.gz
), it defaults toES_HOME/config
. If you used package distributions (Debian or RPM), it defaults to/etc/elasticsearch
. For more information, see Configuring Elasticsearch.The default cluster name is
elasticsearch
. You should choose a unique name, however, to ensure that your nodes join the right cluster. -
(Optional) Name the Elasticsearch node.
For example, add the node name setting in the
ES_PATH_CONF/elasticsearch.yml
file:node.name: node-1
In this tutorial, the cluster will consist of three nodes that exist on the same machine and share the same (loopback) IP address and hostname. Therefore, we must give each node a unique name.
This step is also necessary if you want to use the
node.name
value to define the location of certificates in subsequent steps. -
Disable single-node discovery.
To enable Elasticsearch to form a multi-node cluster, use the default value for the
discovery.type
setting. If that setting exists in yourES_PATH_CONF/elasticsearch.yml
file, remove it. -
(Optional) If you are starting the cluster for the first time, specify the initial set of master-eligible nodes.
For example, add the following setting in the
ES_PATH_CONF/elasticsearch.yml
file:cluster.initial_master_nodes: ["node-1"]
If you start an Elasticsearch node without configuring this setting or any other discovery settings, it will start up in development mode and auto-bootstrap itself into a new cluster.
If you are starting a cluster with multiple master-eligible nodes for the first time, add all of those node names to the
cluster.initial_master_nodes
setting.See bootstrapping a cluster and discovery and cluster formation settings.
-
Enable Transport Layer Security (TLS/SSL) for transport (internode) communications.
For example, add the following settings in the
ES_PATH_CONF/elasticsearch.yml
file:xpack.security.enabled: true xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.keystore.path: certs/${node.name}.p12 xpack.security.transport.ssl.truststore.path: certs/${node.name}.p12
If the file name for your certificate does not match the
node.name
value, you must put the appropriate file name in theelasticsearch.yml
file.The PKCS#12 keystore that is output by the
elasticsearch-certutil
can be used as both a keystore and a truststore. If you use other tools to manage and generate your certificates, you might have different values for these settings, but that scenario is not covered in this tutorial.For more information, see enable Elasticsearch security features and transport TLS settings.
-
Store the password for the PKCS#12 file in the Elasticsearch keystore.
For example, run the following commands:
./bin/elasticsearch-keystore create ./bin/elasticsearch-keystore add xpack.security.transport.ssl.keystore.secure_password ./bin/elasticsearch-keystore add xpack.security.transport.ssl.truststore.secure_password
If the Elasticsearch keystore already exists, this command asks whether you want to overwrite it. You do not need to overwrite it; you can simply add settings to your existing Elasticsearch keystore.
You are prompted to supply the password that you created for the
node-1.p12
file. We are using this file for both the transport TLS keystore and truststore, therefore supply the same password for both of these settings. -
For example, if you installed Elasticsearch with a
.tar.gz
package, run the following command from the Elasticsearch directory:./bin/elasticsearch
-
Create passwords for the built-in users and configure Kibana to use them.
If you already configured passwords for these users in other tutorials, you can skip this step.
There are built-in users that you can use for specific administrative purposes:
apm_system
,beats_system
,elastic
,kibana_system
,logstash_system
, andremote_monitoring_user
.Run the following command from the Elasticsearch directory:
./bin/elasticsearch-setup-passwords interactive
After you setup the password for the
kibana_system
built-in user, configure Kibana to use it.For example, run the following commands to create the Kibana keystore and add the
kibana_system
built-in user and its password in secure settings:./bin/kibana-keystore create ./bin/kibana-keystore add elasticsearch.username ./bin/kibana-keystore add elasticsearch.password
When prompted, specify the
kibana_system
built-in user and its password for these setting values. The settings are automatically applied when you start Kibana. To learn more, see Secure settings. -
Start Kibana.
For example, if you installed Kibana with a
.tar.gz
package, run the following command from the Kibana directory:./bin/kibana