Encrypting communications in Kibana
Kibana supports Transport Layer Security (TLS/SSL) encryption for client requests.
If you are using X-Pack security or a proxy that provides an HTTPS endpoint for Elasticsearch, you can also configure Kibana to access Elasticsearch via HTTPS, so that communications between Kibana and Elasticsearch are encrypted as well.
- Configure Kibana to encrypt communications between the browser and the Kibana server:

  You do not need to enable X-Pack security for this type of encryption.

  - Generate a server certificate for Kibana.

    You must either set the certificate’s `subjectAltName` to the hostname, fully-qualified domain name (FQDN), or IP address of the Kibana server, or set the CN to the Kibana server’s hostname or FQDN. Using the server’s IP address as the CN does not work.

  - Set the `server.ssl.enabled`, `server.ssl.key`, and `server.ssl.certificate` properties in `kibana.yml`:

    ```yaml
    server.ssl.enabled: true
    server.ssl.key: /path/to/your/server.key
    server.ssl.certificate: /path/to/your/server.crt
    ```

    After making these changes, you must always access Kibana via HTTPS. For example, https://localhost:5601.

    For more information, see Kibana configuration settings.

- Configure Kibana to connect to Elasticsearch via HTTPS:

  To perform this step, you must enable the Elasticsearch security features or you must have a proxy that provides an HTTPS endpoint for Elasticsearch.

  - Specify the HTTPS protocol in the `elasticsearch.hosts` setting in the Kibana configuration file, `kibana.yml`:

    ```yaml
    elasticsearch.hosts: ["https://<your_elasticsearch_host>.com:9200"]
    ```

  - If you are using your own CA to sign certificates for Elasticsearch, set the `elasticsearch.ssl.certificateAuthorities` setting in `kibana.yml` to specify the location of the PEM file.

    ```yaml
    elasticsearch.ssl.certificateAuthorities: /path/to/your/cacert.pem
    ```

    Setting the `certificateAuthorities` property lets you use the default `verificationMode` option of `full`.

    For more information, see Kibana configuration settings.

- (Optional) If the Elastic monitoring features are enabled, configure Kibana to connect to the Elasticsearch monitoring cluster via HTTPS:

  To perform this step, you must enable the Elasticsearch security features or you must have a proxy that provides an HTTPS endpoint for Elasticsearch.

  - Specify the HTTPS URL in the `xpack.monitoring.elasticsearch.hosts` setting in the Kibana configuration file, `kibana.yml`:

    ```yaml
    xpack.monitoring.elasticsearch.hosts: ["https://<your_monitoring_cluster>:9200"]
    ```

  - Specify the `xpack.monitoring.elasticsearch.ssl.*` settings in the `kibana.yml` file.

    For example, if you are using your own certificate authority to sign certificates, specify the location of the PEM file in the `kibana.yml` file:

    ```yaml
    xpack.monitoring.elasticsearch.ssl.certificateAuthorities: /path/to/your/cacert.pem
    ```
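
The following is an added example, not part of the Kibana documentation or Elastic's code: a small Python audit that checks a `kibana.yml` for the TLS settings described in the steps above. It assumes flat dotted keys as shown on this page; the sample file and host names are constructed, and the `audit` helper is hypothetical.

```python
# Constructed sample kibana.yml using flat dotted keys, as in the steps above.
# The monitoring host deliberately uses http:// to show a finding.
SAMPLE = """\
server.ssl.enabled: true
server.ssl.key: /path/to/your/server.key
server.ssl.certificate: /path/to/your/server.crt
elasticsearch.hosts: ["https://es.example.com:9200"]
elasticsearch.ssl.certificateAuthorities: /path/to/your/cacert.pem
xpack.monitoring.elasticsearch.hosts: ["http://mon.example.com:9200"]
"""

def parse_flat_yaml(text):
    """Parse 'dotted.key: value' lines; assumption: no nested YAML is used."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip()
    return settings

def hosts(value):
    """Extract URLs from a scalar or an inline list such as ["https://a:9200"]."""
    items = (h.strip(" '\"") for h in value.strip("[]").split(","))
    return [h for h in items if h]

def audit(text):
    """Return a list of findings for the TLS settings covered on this page."""
    cfg, findings = parse_flat_yaml(text), []
    if cfg.get("server.ssl.enabled", "false").lower() != "true":
        findings.append("server.ssl.enabled is not true: browser traffic is unencrypted")
    else:
        for key in ("server.ssl.key", "server.ssl.certificate"):
            if not cfg.get(key):
                findings.append(f"{key} is missing")
    for prefix in ("elasticsearch", "xpack.monitoring.elasticsearch"):
        for url in hosts(cfg.get(f"{prefix}.hosts", "")):
            if not url.lower().startswith("https://"):
                findings.append(f"{prefix}.hosts uses a non-HTTPS URL: {url}")
        mode = cfg.get(f"{prefix}.ssl.verificationMode", "full").strip("'\"")
        if mode == "none":
            findings.append(f"{prefix}.ssl.verificationMode is none: certificate is not verified")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("FINDING:", finding)
```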