[[ssl-tls]]
=== Setting Up SSL/TLS on a Cluster

{security} enables you to encrypt traffic to, from, and within your Elasticsearch
cluster. Connections are secured using Transport Layer Security (TLS), which is
commonly referred to as "SSL"; that older name survives in the setting names used below.

WARNING: Clusters that do not have encryption enabled send all data in plain text,
including passwords, and will not be able to install a license that enables {security}.

To enable encryption, you need to perform the following steps on each node in
the cluster:

. <<installing-node-certificates, Generate a private key and X.509 certificate>>.

. <<configure-ssl, Configure the node>> to:
.. Identify itself using its signed certificate.
.. Enable SSL on the transport and HTTP layers.

. Restart Elasticsearch.

[[installing-node-certificates]]
==== Node Certificates

TLS requires X.509 certificates to perform encryption and authentication of the application
that is being communicated with. In order for the communication between nodes to be truly
secure, the certificates must be validated. The recommended approach for validating
certificate authenticity in an Elasticsearch cluster is to trust the certificate authority (CA)
that signed the certificate. By doing this, as nodes are added to your cluster they just need
to use a certificate signed by the same CA and the node is automatically allowed to join the
cluster. Additionally, it is recommended that the certificates contain subject alternative
names (SAN) that correspond to the node's IP address and DNS name so that hostname verification
can be performed. Hostname verification is on by default (`xpack.ssl.verification_mode: full`).
If you must use certificates without SANs, set the mode to `certificate`, which still checks
that the certificate chains to a trusted CA but not that the name matches; `none` disables
certificate validation altogether and is only appropriate for testing.

In order to simplify the process of generating certificates for the Elastic Stack, a command
line tool, `certgen`, has been included with {xpack}. This tool takes care of generating
a CA and signing certificates with that CA. `certgen` can be used interactively or in a silent
mode through the use of an input file. The `certgen` tool also supports generation of certificate
signing requests (CSRs), so that a commercial or organization-specific CA may be used to sign
the certificates. For more information, see {ref}/certgen.html[certgen].

NOTE: If you choose not to use `certgen`, the certificates that you obtain must allow for both
`clientAuth` and `serverAuth` if the extended key usage extension is present. The certificates
need to be in PEM format. Although not required, it is highly recommended that the certificate contain
the DNS name(s) and/or IP address(es) of the node so that hostname verification may be used.

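
The following shell script is an added example and is not part of the original page or of {xpack}.
It does with OpenSSL what `certgen` does for you: it creates a CA, issues a node certificate in
PEM format whose extended key usage allows both `serverAuth` and `clientAuth` and whose subject
alternative names carry the node's DNS name and IP address, and then checks the files against
those same requirements. The CA subject, the node name `node01.example.com`, the address
`10.0.0.11` and the function names are the example's own assumptions; the `openssl` command
line tool must be installed.

```sh
#!/bin/sh
# Added example (not from the page or from X-Pack): an OpenSSL stand-in for
# certgen, plus checks that mirror the requirements in the note above.
# Assumptions: the CA subject, the node name and the node IP used below.

# Create a self-signed CA (ca.key, ca.crt) in directory $1.
es_make_ca() {
    mkdir -p "$1" || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/CN=Elastic demo CA" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

# Create $2.key and $2.crt in $1, signed by that CA, for DNS name $2 and IP $3.
# $4 overrides the extended key usage; the default is what Elasticsearch needs.
es_make_node_cert() {
    dir=$1; node=$2; ip=$3; eku=${4:-serverAuth,clientAuth}
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$node" \
        -keyout "$dir/$node.key" -out "$dir/$node.csr" 2>/dev/null || return 1
    # Extensions: a leaf certificate usable as a TLS server (HTTP and transport
    # listeners) and as a TLS client (outbound transport connections), with
    # SANs so that hostname verification can succeed.
    printf '%s\n' "basicConstraints=CA:FALSE" \
        "keyUsage=digitalSignature,keyEncipherment" \
        "extendedKeyUsage=$eku" \
        "subjectAltName=DNS:$node,IP:$ip" > "$dir/$node.ext"
    openssl x509 -req -sha256 -days 825 -in "$dir/$node.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/$node.ext" -out "$dir/$node.crt" 2>/dev/null || return 1
    rm -f "$dir/$node.csr" "$dir/$node.ext"
}

# Check $2.crt in $1: it must chain to ca.crt as both a TLS server and a TLS
# client, the private key must belong to it, and the SANs must name $2 and $3.
es_check_node_cert() {
    dir=$1; node=$2; ip=$3
    ca=$dir/ca.crt; crt=$dir/$node.crt; key=$dir/$node.key
    openssl verify -CAfile "$ca" -purpose sslserver "$crt" >/dev/null 2>&1 || return 1
    openssl verify -CAfile "$ca" -purpose sslclient "$crt" >/dev/null 2>&1 || return 1
    [ "$(openssl x509 -noout -pubkey -in "$crt")" = "$(openssl pkey -pubout -in "$key")" ] \
        || return 1
    # The SAN line follows the "X509v3 Subject Alternative Name" header in -text output.
    san=$(openssl x509 -noout -text -in "$crt" | sed -n '/Subject Alternative Name/{n;p;}')
    printf '%s\n' "$san" | grep -qE "(^|[ ,])DNS:$node(,|\$)" || return 1
    printf '%s\n' "$san" | grep -qE "(^|[ ,])IP Address:$ip(,|\$)" || return 1
}

# Demonstration with constructed names; prints the directory holding the files.
d=$(mktemp -d) && es_make_ca "$d" \
    && es_make_node_cert "$d" node01.example.com 10.0.0.11 \
    && es_check_node_cert "$d" node01.example.com 10.0.0.11 \
    && echo "node01 certificate accepted, files in $d"
```

The optional fourth argument of `es_make_node_cert` overrides the extended key usage. Passing
`serverAuth` alone yields a certificate that `es_check_node_cert` rejects, because
`openssl verify -purpose sslclient` fails: such a node could present itself to HTTP clients, but
when it opens transport connections to other nodes it acts as the TLS client, which is why the
note above requires both usages.
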
[[enable-ssl]]
==== Enabling SSL in the Node Configuration

Once you have the signed certificate, private key, and CA certificate you need to
modify the node configuration to enable SSL.

[[configure-ssl]]
To enable SSL, make the following changes in `elasticsearch.yml`:

. Specify the location of the node's private key, its signed certificate, and the CA
certificate(s) to trust. If the private key is encrypted, also set `xpack.ssl.key_passphrase`
to the password that unlocks it. For example:
+
--
[source, yaml]
--------------------------------------------------
xpack.ssl.key: /home/es/config/x-pack/node01.key <1>
xpack.ssl.certificate: /home/es/config/x-pack/node01.crt <2>
xpack.ssl.certificate_authorities: [ "/home/es/config/x-pack/ca.crt" ] <3>
--------------------------------------------------
<1> The full path to the node key file. This must be a location within the
Elasticsearch configuration directory.
<2> The full path to the node certificate. This must be a location within the
Elasticsearch configuration directory.
<3> An array of paths to the CA certificates that should be trusted. These paths
must be locations within the Elasticsearch configuration directory.
--

. Enable SSL on the transport networking layer to ensure that communication
between nodes is encrypted:
+
[source, yaml]
--------------------------------------------------
xpack.security.transport.ssl.enabled: true
--------------------------------------------------
+
. Enable SSL on the HTTP layer to ensure that communication between HTTP clients
and the cluster is encrypted:
+
[source, yaml]
--------------------------------------------------
xpack.security.http.ssl.enabled: true
--------------------------------------------------
+

. Restart Elasticsearch.
+
You must perform a full cluster restart. Nodes that are configured to use
SSL/TLS cannot communicate with nodes that are using unencrypted networking
(and vice-versa). After enabling SSL/TLS you must restart all nodes in order
to maintain communication across the cluster.

NOTE: All SSL-related node settings are considered to be highly sensitive
and therefore are not exposed via the
{ref}/cluster-nodes-info.html#cluster-nodes-info[nodes info API].
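
The following shell script is an added example, not part of the original page or of {xpack}: a
pre-flight check to run on each node after editing `elasticsearch.yml` and before the full cluster
restart described above. It reads the settings listed above back out of the file and confirms that
every `xpack.ssl.*` path is readable and resolves to a location inside the configuration directory,
that the node certificate chains to at least one of the listed CA certificates, and that SSL is
enabled on both the transport and HTTP layers. It assumes the flat `key: value` form shown above
(nested YAML is not parsed) and an installed `openssl` tool; the function names are the example's
own.

```sh
#!/bin/sh
# Added example (not from the page or from X-Pack): pre-restart check of the
# xpack.ssl.* and xpack.security.*.ssl.enabled settings in elasticsearch.yml.
# Assumes the flat "key: value" layout shown on the page; names are the example's own.

# Print the value of a flat "key: value" line ($1) from the YAML file $2.
es_yml_get() { sed -n "s/^$1:[[:space:]]*//p" "$2" | head -n1; }

# Print the entries of a "[ "a", "b" ]" list setting, space separated.
es_yml_get_list() { es_yml_get "$1" "$2" | sed 's/[][",]//g'; }

# Succeed only if $1 is a readable file whose resolved path lies under directory $2.
es_path_in_config() {
    [ -r "$1" ] || return 1
    f="$(cd "$(dirname "$1")" && pwd -P)/$(basename "$1")"
    c=$(cd "$2" && pwd -P) || return 1
    case "$f" in "$c"/*) return 0 ;; esac
    return 1
}

# Validate the SSL settings in elasticsearch.yml ($2) for configuration directory $1.
es_ssl_preflight() {
    cfg=$1; yml=$2
    key=$(es_yml_get xpack.ssl.key "$yml")
    crt=$(es_yml_get xpack.ssl.certificate "$yml")
    cas=$(es_yml_get_list xpack.ssl.certificate_authorities "$yml")
    if [ -z "$key" ] || [ -z "$crt" ] || [ -z "$cas" ]; then
        echo "preflight: xpack.ssl.key, .certificate and .certificate_authorities must all be set"
        return 1
    fi
    # Elasticsearch only reads these files from inside its configuration directory.
    for p in $key $crt $cas; do
        es_path_in_config "$p" "$cfg" || { echo "preflight: $p is unreadable or outside $cfg"; return 1; }
    done
    # The other nodes trust the same CAs, so a certificate that does not chain
    # to one of them is rejected as soon as this node tries to join.
    chained=1
    for ca in $cas; do
        openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 && { chained=0; break; }
    done
    [ "$chained" -eq 0 ] || { echo "preflight: $crt does not chain to any listed CA"; return 1; }
    # Both listeners must be encrypted: an unencrypted HTTP layer leaks client
    # traffic, and a node without transport SSL cannot talk to nodes that have it.
    for layer in transport http; do
        [ "$(es_yml_get "xpack.security.$layer.ssl.enabled" "$yml")" = true ] \
            || { echo "preflight: xpack.security.$layer.ssl.enabled is not true"; return 1; }
    done
    echo "preflight: $yml passes"
}
```

Usage: `es_ssl_preflight /etc/elasticsearch /etc/elasticsearch/elasticsearch.yml` (these paths
are an assumption; substitute your own configuration directory). Each failed check prints a
reason and returns a non-zero status, so the function can gate the restart in an automation job.
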