IMPORTANT: No additional bug fixes or documentation updates will be released for this version. For the latest information, see the current release documentation.

« Encrypt internode communications Troubleshooting security »

› › ›

Add nodes to your cluster

edit

Add nodes to your cluster

edit

You can add more nodes to your cluster and optionally designate specific purposes for each node. For example, you can allocate master nodes, data nodes, ingest nodes, machine learning nodes, and dedicated coordinating nodes. For details about each node type, see Nodes.

Let’s add two nodes to our cluster!

Install two additional copies of Elasticsearch. It’s possible to run multiple Elasticsearch nodes using a shared installation. In this tutorial, however, we’re keeping things simple by using the zip or tar.gz packages and by putting each copy in a separate folder. You can simply repeat the steps that you used to install Elasticsearch in the Getting started with the Elastic Stack tutorial.
Generate certificates for the two new nodes.

For example, run the following command:
```
./bin/elasticsearch-certutil cert \
--ca elastic-stack-ca.p12 \ 
--multiple
```
Use the certificate authority that you created in Generate certificates.

You are prompted for information about each new node. Specify node-2 and node-3 for the instance names. For the purposes of this tutorial, specify the same IP address (127.0.0.1,::1) and DNS name (localhost) for each node.

You are prompted to enter the password for your CA. You are also prompted to create a password for each certificate.

By default, the command produces a zip file named certificate-bundle.zip, which contains the generated certificates and keys.
Decompress the certificate-bundle.zip file. For example:
```
unzip certificate-bundle.zip

Archive:  certificate-bundle.zip
   creating: node-2/
  inflating: node-2/node-2.p12
   creating: node-3/
  inflating: node-3/node-3.p12
```
The certificate-bundle.zip file contains a folder for each of your nodes. Each folder contains a single PKCS#12 keystore that includes a node certificate, node key, and CA certificate.
Create a folder to contain certificates in the configuration directory of each Elasticsearch node. For example, create a certs folder in the config directory.
Copy the appropriate certificate to the configuration directory on each node. For example, copy the node-2.p12 file into the config/certs directory on the second node and the node-3.p12 into the config/certs directory on the third node.
Specify the name of the cluster and give each node a unique name.

For example, add the following settings to the ES_PATH_CONF/elasticsearch.yml file on the second node:
```
cluster.name: test-cluster
node.name: node-2
```
Add the following settings to the ES_PATH_CONF/elasticsearch.yml file on the third node:
```
cluster.name: test-cluster
node.name: node-3
```
In order to join the same cluster as the first node, they must share the same cluster.name value.
(Optional) Provide seed addresses to help your nodes discover other nodes with which to form a cluster.

For example, add the following setting in the ES_PATH_CONF/elasticsearch.yml file:
```
discovery.seed_hosts: ["localhost"]
```
The default value for this setting is 127.0.0.1, [::1], therefore it isn’t actually required in this tutorial. When you want to form a cluster with nodes on other hosts, however, you must use this setting to provide a list of master-eligible nodes to seed the discovery process. For more information, see Discovery.
On each node, enable TLS for transport communications. You must also configure each node to identify itself using its signed certificate.

For example, add the following settings in the ES_PATH_CONF/elasticsearch.yml file:
```
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.keystore.path: certs/${node.name}.p12 
xpack.security.transport.ssl.truststore.path: certs/${node.name}.p12
```
If the file name for your certificate does not match the node.name value, you must put the appropriate file name in the elasticsearch.yml file.

On each node, store the password for the PKCS#12 file in the Elasticsearch keystore.

For example, run the following commands:

./bin/elasticsearch-keystore create 
./bin/elasticsearch-keystore add xpack.security.transport.ssl.keystore.secure_password
./bin/elasticsearch-keystore add xpack.security.transport.ssl.truststore.secure_password

If the Elasticsearch keystore already exists, this command asks whether you want to overwrite it. You do not need to overwrite it; you can simply add settings to your existing Elasticsearch keystore.

On the second node, supply the password that you created for the node-2.p12 file. On the third node, supply the password that you created for the node-3.p12 file.

Start each Elasticsearch node. For example, if you installed Elasticsearch with a .tar.gz package, run the following command from each Elasticsearch directory:
```
./bin/elasticsearch
```
See Starting Elasticsearch.

If you encounter errors, you can see some common problems and solutions in Common SSL/TLS exceptions.
Verify that your cluster now contains three nodes.

For example, log into Kibana with the elastic built-in user. Go to Dev Tools > Console and run the cluster health API:
```
GET _cluster/health
```
Confirm the number_of_nodes in the response from this API.

You can also use the cat nodes API to identify the master node:
```
GET _cat/nodes?v
```
The node that has an asterisk(*) in the master column is the elected master node.

Now that you have multiple nodes, your data can be distributed across the cluster in multiple primary and replica shards. For more information about the concepts of clusters, nodes, and shards, see Getting started with Elasticsearch.

What’s next?

edit

Congratulations! You’ve encrypted communications between the nodes in your cluster and can pass the TLS bootstrap check.

If you want to encrypt communications between other products in the Elastic Stack, see Encrypting communications.

« Encrypt internode communications Troubleshooting security »