Encrypting communications in Kibana
editEncrypting communications in Kibana
editKibana supports Transport Layer Security (TLS/SSL) encryption for client requests.
If you are using X-Pack security or a proxy that provides an HTTPS endpoint for Elasticsearch, you can configure Kibana to access Elasticsearch via HTTPS. Thus, communications between Kibana and Elasticsearch are also encrypted.
-
Configure Kibana to encrypt communications between the browser and the Kibana server:
You do not need to enable X-Pack security for this type of encryption.
-
Generate a server certificate for Kibana.
You must either set the certificate’s
subjectAltNameto the hostname, fully-qualified domain name (FQDN), or IP address of the Kibana server, or set the CN to the Kibana server’s hostname or FQDN. Using the server’s IP address as the CN does not work. -
Set the
server.ssl.enabled,server.ssl.key, andserver.ssl.certificateproperties inkibana.yml:server.ssl.enabled: true server.ssl.key: /path/to/your/server.key server.ssl.certificate: /path/to/your/server.crt
After making these changes, you must always access Kibana via HTTPS. For example, https://localhost:5601.
For more information, see Kibana configuration settings.
-
-
Configure Kibana to connect to Elasticsearch via HTTPS:
To perform this step, you must enable the X-Pack security feature in Elasticsearch or you must have a proxy that provides an HTTPS endpoint for Elasticsearch.
-
Specify the HTTPS protocol in the
elasticsearch.urlsetting in the Kibana configuration file,kibana.yml:elasticsearch.url: "https://<your_elasticsearch_host>.com:9200"
-
If you are using your own CA to sign certificates for Elasticsearch, set the
elasticsearch.ssl.certificateAuthoritiessetting inkibana.ymlto specify the location of the PEM file.elasticsearch.ssl.certificateAuthorities: /path/to/your/cacert.pem
Setting the
certificateAuthoritiesproperty lets you use the defaultverificationModeoption offull.For more information, see Kibana configuration settings.
-