Encrypting communications in Kibana

Kibana supports Transport Layer Security (TLS/SSL) encryption for client requests.

If you are using X-Pack security or a proxy that provides an HTTPS endpoint for Elasticsearch, you can also configure Kibana to access Elasticsearch via HTTPS, so that communications between Kibana and Elasticsearch are encrypted as well.

  1. Configure Kibana to encrypt communications between the browser and the Kibana server:

    You do not need to enable X-Pack security for this type of encryption.

    1. Generate a server certificate for Kibana.

      You must either set the certificate’s subjectAltName to the hostname, fully-qualified domain name (FQDN), or IP address of the Kibana server, or set the CN to the Kibana server’s hostname or FQDN. Using the server’s IP address as the CN does not work.

    2. Set the server.ssl.enabled, server.ssl.key, and server.ssl.certificate properties in kibana.yml:

      server.ssl.enabled: true
      server.ssl.key: /path/to/your/server.key
      server.ssl.certificate: /path/to/your/server.crt

      After making these changes, you must always access Kibana via HTTPS. For example, https://localhost:5601.

      For more information, see Kibana configuration settings.

  2. Configure Kibana to connect to Elasticsearch via HTTPS:

    To perform this step, you must enable the Elasticsearch security features or you must have a proxy that provides an HTTPS endpoint for Elasticsearch.

    1. Specify the HTTPS protocol in the elasticsearch.hosts setting in the Kibana configuration file, kibana.yml:

      elasticsearch.hosts: ["https://<your_elasticsearch_host>.com:9200"]

    2. If you are using your own CA to sign certificates for Elasticsearch, set the elasticsearch.ssl.certificateAuthorities setting in kibana.yml to specify the location of the PEM file:

      elasticsearch.ssl.certificateAuthorities: /path/to/your/cacert.pem

      Setting the certificateAuthorities property lets you use the default verificationMode option of full.

      For more information, see Kibana configuration settings.

  3. (Optional) If the Elastic monitoring features are enabled, configure Kibana to connect to the Elasticsearch monitoring cluster via HTTPS:

    To perform this step, you must enable the Elasticsearch security features or you must have a proxy that provides an HTTPS endpoint for Elasticsearch.

    1. Specify the HTTPS URL in the xpack.monitoring.elasticsearch.hosts setting in the Kibana configuration file, kibana.yml:

      xpack.monitoring.elasticsearch.hosts: ["https://<your_monitoring_cluster>:9200"]

    2. Specify the xpack.monitoring.elasticsearch.ssl.* settings in the kibana.yml file.

      For example, if you are using your own certificate authority to sign certificates, specify the location of the PEM file in the kibana.yml file:

      xpack.monitoring.elasticsearch.ssl.certificateAuthorities: /path/to/your/cacert.pem
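
To check a kibana.yml against the three steps above, the following added example (not part of the Kibana documentation or code base) parses flat dotted settings and reports any hop left unencrypted or unverified. The function names and the sample file are constructed for illustration, and it assumes the monitoring settings accept the same ssl.verificationMode key as elasticsearch.ssl.

```python
# Added example: flat "dotted.key: value" parsing only; nested YAML and
# trailing comments on a value are not handled.
SAMPLE = """\
server.ssl.enabled: true
server.ssl.key: /path/to/your/server.key
elasticsearch.hosts: ["https://es1.example.com:9200", "http://es2.example.com:9200"]
elasticsearch.ssl.verificationMode: none
xpack.monitoring.elasticsearch.hosts: ["https://mon.example.com:9200"]
"""  # constructed input, not a real deployment


def parse_flat_yaml(text):
    """Return {key: str or list[str]} from flat kibana.yml lines."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, value = line.split(":", 1)
        value = value.strip()
        if value.startswith("[") and value.endswith("]"):
            value = [v.strip().strip("\"'") for v in value[1:-1].split(",") if v.strip()]
        else:
            value = value.strip("\"'")
        settings[key.strip()] = value
    return settings


def audit(settings):
    """List settings that leave a hop unencrypted or unverified."""
    findings = []
    if str(settings.get("server.ssl.enabled", "")).lower() != "true":
        findings.append("server.ssl.enabled is not true")
    else:
        for key in ("server.ssl.key", "server.ssl.certificate"):
            if not settings.get(key):
                findings.append(f"{key} is not set")
    for prefix in ("elasticsearch", "xpack.monitoring.elasticsearch"):
        hosts = settings.get(f"{prefix}.hosts", [])  # unset hosts are skipped
        for host in [hosts] if isinstance(hosts, str) else hosts:
            if not host.lower().startswith("https://"):
                findings.append(f"{prefix}.hosts uses a non-HTTPS URL: {host}")
        mode = settings.get(f"{prefix}.ssl.verificationMode", "full")
        if mode != "full":
            findings.append(f"{prefix}.ssl.verificationMode is {mode}, not full")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_flat_yaml(SAMPLE)):
        print("FINDING:", finding)
```
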