178 lines
6.1 KiB
Plaintext
178 lines
6.1 KiB
Plaintext
|
[role="xpack"]
|
||
|
[testenv="trial"]
|
||
|
[[encrypting-internode]]
|
||
|
=== Encrypt internode communications
|
||
|
|
||
|
Now that we've generated a certificate authority and certificates, let's update
|
||
|
the cluster to use these files.
|
||
|
|
||
|
IMPORTANT: When you enable {es} {security-features}, unless you have a trial
|
||
|
license, you must use Transport Layer Security (TLS) to encrypt internode
|
||
|
communication. By following the steps in this tutorial tutorial, you learn how
|
||
|
to meet the minimum requirements to pass the
|
||
|
{ref}/bootstrap-checks-xpack.html#bootstrap-checks-tls[TLS bootstrap check].
|
||
|
|
||
|
. (Optional) Name the cluster.
|
||
|
+
|
||
|
--
|
||
|
For example, add the {ref}/cluster.name.html[cluster.name] setting in the
|
||
|
`ES_PATH_CONF/elasticsearch.yml` file:
|
||
|
|
||
|
[source,yaml]
|
||
|
----
|
||
|
cluster.name: test-cluster
|
||
|
----
|
||
|
|
||
|
TIP: The `ES_PATH_CONF` environment variable contains the path for the {es}
|
||
|
configuration files. If you installed {es} using archive distributions (`zip` or
|
||
|
`tar.gz`), it defaults to `ES_HOME/config`. If you used package distributions
|
||
|
(Debian or RPM), it defaults to `/etc/elasticsearch`. For more information, see
|
||
|
{ref}/settings.html[Configuring {es}].
|
||
|
|
||
|
The default cluster name is `elasticsearch`. You should choose a unique name,
|
||
|
however, to ensure that your nodes join the right cluster.
|
||
|
--
|
||
|
|
||
|
. (Optional) Name the {es} node.
|
||
|
+
|
||
|
--
|
||
|
For example, add the {ref}/node.name.html[node.name] setting in the
|
||
|
`ES_PATH_CONF/elasticsearch.yml` file:
|
||
|
|
||
|
[source,yaml]
|
||
|
----
|
||
|
node.name: node-1
|
||
|
----
|
||
|
|
||
|
In this tutorial, the cluster will consist of three nodes that exist on the same
|
||
|
machine and share the same (loopback) IP address and hostname. Therefore, we
|
||
|
must give each node a unique name.
|
||
|
|
||
|
This step is also necessary if you want to use the `node.name` value to define
|
||
|
the location of certificates in subsequent steps.
|
||
|
--
|
||
|
|
||
|
. Disable single-node discovery.
|
||
|
+
|
||
|
--
|
||
|
To enable {es} to form a multi-node cluster, use the default value for the
|
||
|
`discovery.type` setting. If that setting exists in your
|
||
|
`ES_PATH_CONF/elasticsearch.yml` file, remove it.
|
||
|
--
|
||
|
|
||
|
. (Optional) If you are starting the cluster for the first time, specify the
|
||
|
initial set of master-eligible nodes.
|
||
|
+
|
||
|
--
|
||
|
For example, add the following setting in the `ES_PATH_CONF/elasticsearch.yml`
|
||
|
file:
|
||
|
|
||
|
[source,yaml]
|
||
|
----
|
||
|
cluster.initial_master_nodes: ["node-1"]
|
||
|
----
|
||
|
|
||
|
If you start an {es} node without configuring this setting or any other
|
||
|
discovery settings, it will start up in development mode and auto-bootstrap
|
||
|
itself into a new cluster.
|
||
|
|
||
|
TIP: If you are starting a cluster with multiple master-eligible nodes for the
|
||
|
first time, add all of those node names to the `cluster.initial_master_nodes`
|
||
|
setting.
|
||
|
|
||
|
See {ref}/modules-discovery-bootstrap-cluster.html[Bootstrapping a cluster] and
|
||
|
{ref}/discovery-settings.html[Important discovery and cluster formation settings].
|
||
|
--
|
||
|
|
||
|
. Enable Transport Layer Security (TLS/SSL) for transport (internode)
|
||
|
communications.
|
||
|
+
|
||
|
--
|
||
|
// tag::enable-tls[]
|
||
|
For example, add the following settings in the `ES_PATH_CONF/elasticsearch.yml`
|
||
|
file:
|
||
|
|
||
|
[source,yaml]
|
||
|
----
|
||
|
xpack.security.enabled: true
|
||
|
xpack.security.transport.ssl.enabled: true
|
||
|
xpack.security.transport.ssl.keystore.path: certs/${node.name}.p12 <1>
|
||
|
xpack.security.transport.ssl.truststore.path: certs/${node.name}.p12
|
||
|
----
|
||
|
<1> If the file name for your certificate does not match the `node.name` value,
|
||
|
you must put the appropriate file name in the `elasticsearch.yml` file.
|
||
|
// end::enable-tls[]
|
||
|
|
||
|
NOTE: The PKCS#12 keystore that is output by the `elasticsearch-certutil` can be
|
||
|
used as both a keystore and a truststore. If you use other tools to manage and
|
||
|
generate your certificates, you might have different values for these settings,
|
||
|
but that scenario is not covered in this tutorial.
|
||
|
|
||
|
For more information, see <<get-started-enable-security>> and
|
||
|
{ref}/security-settings.html#transport-tls-ssl-settings[Transport TLS settings].
|
||
|
--
|
||
|
|
||
|
. Store the password for the PKCS#12 file in the {es} keystore.
|
||
|
+
|
||
|
--
|
||
|
// tag::secure-passwords[]
|
||
|
For example, run the following commands:
|
||
|
|
||
|
["source","sh",subs="attributes,callouts"]
|
||
|
----------------------------------------------------------------------
|
||
|
./bin/elasticsearch-keystore create <1>
|
||
|
./bin/elasticsearch-keystore add xpack.security.transport.ssl.keystore.secure_password
|
||
|
./bin/elasticsearch-keystore add xpack.security.transport.ssl.truststore.secure_password
|
||
|
----------------------------------------------------------------------
|
||
|
<1> If the {es} keystore already exists, this command asks whether you want to
|
||
|
overwrite it. You do not need to overwrite it; you can simply add settings to
|
||
|
your existing {es} keystore.
|
||
|
// end::secure-passwords[]
|
||
|
|
||
|
You are prompted to supply the password that you created for the `node-1.p12`
|
||
|
file. We are using this file for both the transport TLS keystore and truststore,
|
||
|
therefore supply the same password for both of these settings.
|
||
|
--
|
||
|
|
||
|
. {ref}/starting-elasticsearch.html[Start {es}].
|
||
|
+
|
||
|
--
|
||
|
For example, if you installed {es} with a `.tar.gz` package, run the following
|
||
|
command from the {es} directory:
|
||
|
|
||
|
["source","sh",subs="attributes,callouts"]
|
||
|
----------------------------------------------------------------------
|
||
|
./bin/elasticsearch
|
||
|
----------------------------------------------------------------------
|
||
|
--
|
||
|
|
||
|
. Create passwords for the built-in users and configure {kib} to use them.
|
||
|
+
|
||
|
--
|
||
|
NOTE: If you already configured passwords for these users in other tutorials,
|
||
|
you can skip this step.
|
||
|
|
||
|
include::{stack-repo-dir}/security/get-started-builtin-users.asciidoc[tag=create-users]
|
||
|
|
||
|
After you setup the password for the `kibana` built-in user,
|
||
|
<<get-started-kibana-user,configure {kib} to use it>>.
|
||
|
|
||
|
For example, run the following commands to create the {kib} keystore and add the
|
||
|
`kibana` built-in user and its password in secure settings:
|
||
|
|
||
|
include::{stack-repo-dir}/security/get-started-kibana-users.asciidoc[tag=store-kibana-user]
|
||
|
--
|
||
|
|
||
|
. Start {kib}.
|
||
|
+
|
||
|
--
|
||
|
For example, if you installed {kib} with a `.tar.gz` package, run the following
|
||
|
command from the {kib} directory:
|
||
|
["source","sh",subs="attributes,callouts"]
|
||
|
----------------------------------------------------------------------
|
||
|
./bin/kibana
|
||
|
----------------------------------------------------------------------
|
||
|
|
||
|
See {kibana-ref}/start-stop.html[Starting and stopping {kib}].
|
||
|
--
|