Encrypt internode communications

edit

Now that we’ve generated a certificate authority and certificates, let’s update the cluster to use these files.

When you enable Elasticsearch security features, unless you have a trial license, you must use Transport Layer Security (TLS) to encrypt internode communication. By following the steps in this tutorial tutorial, you learn how to meet the minimum requirements to pass the TLS bootstrap check.

  1. (Optional) Name the cluster.

    For example, add the cluster.name setting in the ES_PATH_CONF/elasticsearch.yml file:

    cluster.name: test-cluster

    The ES_PATH_CONF environment variable contains the path for the Elasticsearch configuration files. If you installed Elasticsearch using archive distributions (zip or tar.gz), it defaults to ES_HOME/config. If you used package distributions (Debian or RPM), it defaults to /etc/elasticsearch. For more information, see Configuring Elasticsearch.

    The default cluster name is elasticsearch. You should choose a unique name, however, to ensure that your nodes join the right cluster.

  2. (Optional) Name the Elasticsearch node.

    For example, add the node.name setting in the ES_PATH_CONF/elasticsearch.yml file:

    node.name: node-1

    In this tutorial, the cluster will consist of three nodes that exist on the same machine and share the same (loopback) IP address and hostname. Therefore, we must give each node a unique name.

    This step is also necessary if you want to use the node.name value to define the location of certificates in subsequent steps.

  3. Disable single-node discovery.

    To enable Elasticsearch to form a multi-node cluster, use the default value for the discovery.type setting. If that setting exists in your ES_PATH_CONF/elasticsearch.yml file, remove it.

  4. (Optional) If you are starting the cluster for the first time, specify the initial set of master-eligible nodes.

    For example, add the following setting in the ES_PATH_CONF/elasticsearch.yml file:

    cluster.initial_master_nodes: ["node-1"]

    If you start an Elasticsearch node without configuring this setting or any other discovery settings, it will start up in development mode and auto-bootstrap itself into a new cluster.

    If you are starting a cluster with multiple master-eligible nodes for the first time, add all of those node names to the cluster.initial_master_nodes setting.

    See Bootstrapping a cluster and Important discovery and cluster formation settings.

  5. Enable Transport Layer Security (TLS/SSL) for transport (internode) communications.

    For example, add the following settings in the ES_PATH_CONF/elasticsearch.yml file:

    xpack.security.enabled: true
    xpack.security.transport.ssl.enabled: true
    xpack.security.transport.ssl.keystore.path: certs/${node.name}.p12 
    xpack.security.transport.ssl.truststore.path: certs/${node.name}.p12

    If the file name for your certificate does not match the node.name value, you must put the appropriate file name in the elasticsearch.yml file.

    The PKCS#12 keystore that is output by the elasticsearch-certutil can be used as both a keystore and a truststore. If you use other tools to manage and generate your certificates, you might have different values for these settings, but that scenario is not covered in this tutorial.

    For more information, see Enable Elasticsearch security features and Transport TLS settings.

  6. Store the password for the PKCS#12 file in the Elasticsearch keystore.

    For example, run the following commands:

    ./bin/elasticsearch-keystore create 
    ./bin/elasticsearch-keystore add xpack.security.transport.ssl.keystore.secure_password
    ./bin/elasticsearch-keystore add xpack.security.transport.ssl.truststore.secure_password

    If the Elasticsearch keystore already exists, this command asks whether you want to overwrite it. You do not need to overwrite it; you can simply add settings to your existing Elasticsearch keystore.

    You are prompted to supply the password that you created for the node-1.p12 file. We are using this file for both the transport TLS keystore and truststore, therefore supply the same password for both of these settings.

  7. Start Elasticsearch.

    For example, if you installed Elasticsearch with a .tar.gz package, run the following command from the Elasticsearch directory:

    ./bin/elasticsearch
  8. Create passwords for the built-in users and configure Kibana to use them.

    If you already configured passwords for these users in other tutorials, you can skip this step.

    There are built-in users that you can use for specific administrative purposes: apm_system, beats_system, elastic, kibana_system, logstash_system, and remote_monitoring_user.

    Run the following command from the Elasticsearch directory:

    ./bin/elasticsearch-setup-passwords interactive

    After you setup the password for the kibana_system built-in user, configure Kibana to use it.

    For example, run the following commands to create the Kibana keystore and add the kibana_system built-in user and its password in secure settings:

    ./bin/kibana-keystore create
    ./bin/kibana-keystore add elasticsearch.username
    ./bin/kibana-keystore add elasticsearch.password

    When prompted, specify the kibana_system built-in user and its password for these setting values. The settings are automatically applied when you start Kibana. To learn more, see Secure settings.

  9. Start Kibana.

    For example, if you installed Kibana with a .tar.gz package, run the following command from the Kibana directory:

    ./bin/kibana

    See Starting and stopping Kibana.