[[ssl-tls]]
=== Setting up TLS on a cluster

The {stack} {security-features} enable you to encrypt traffic to, from, and
within your {es} cluster. Connections are secured using Transport Layer Security
(TLS), which is commonly referred to as "SSL".

WARNING: Clusters that do not have encryption enabled send all data in plain text,
including passwords. If the {es} {security-features} are enabled, unless you
have a trial license, you must configure SSL/TLS for internode communication.

The following steps describe how to enable encryption across the various
components of the {stack}. You must perform each of the steps that are
applicable to your cluster.

. Generate a private key and X.509 certificate for each of your {es} nodes. See
{ref}/configuring-tls.html#node-certificates[Generating Node Certificates].
. Configure each node in the cluster to identify itself using its signed
certificate and enable TLS on the transport layer. You can also optionally
enable TLS on the HTTP layer. See
{ref}/configuring-tls.html#tls-transport[Encrypting Communications Between Nodes in a Cluster] and
{ref}/configuring-tls.html#tls-http[Encrypting HTTP Client Communications].
. Configure the {monitor-features} to use encrypted connections. See <<secure-monitoring>>.
. Configure {kib} to encrypt communications between the browser and
the {kib} server and to connect to {es} via HTTPS. See
{kibana-ref}/using-kibana-with-security.html[Configuring security in {kib}].
. Configure Logstash to use TLS encryption. See
{logstash-ref}/ls-security.html[Configuring security in {ls}].
. Configure Beats to use encrypted connections. For example, see
{filebeat-ref}/securing-beats.html[Configure {filebeat} to use {security-features}].
. Configure the Java transport client to use encrypted communications.
See <<java-clients>>.
. Configure {es} for Apache Hadoop to use secured transport. See
{hadoop-ref}/security.html[{es} for Apache Hadoop Security].
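
To check the result of the node certificate and transport/HTTP steps above, the following added example (not part of the original documentation or the Elastic code base) audits the text of an `elasticsearch.yml` for the relevant TLS settings. It assumes flat `dotted.key: value` lines and treats unset booleans as `false`; the sample configurations and the `certs/node-1.p12` path are constructed placeholders.

```python
# Added example: audit elasticsearch.yml text for the TLS settings that the
# node-certificate and transport/HTTP steps enable.
# Assumptions: flat "dotted.key: value" lines only; unset booleans are false.

def parse_flat_settings(text):
    """Return {key: value} for flat 'a.b.c: value' lines; comments are skipped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip().strip("\"'")
    return settings

def audit_tls(text):
    """Return a list of findings; an empty list means both layers use TLS."""
    s = parse_flat_settings(text)
    enabled = lambda key: s.get(key, "false").lower() == "true"
    transport = "xpack.security.transport.ssl"
    findings = []
    if enabled("xpack.security.enabled") and not enabled(transport + ".enabled"):
        findings.append("transport: security is enabled but internode TLS is off")
    if enabled(transport + ".enabled"):
        if s.get(transport + ".verification_mode") == "none":
            findings.append("transport: verification_mode none skips certificate checks")
        if not (transport + ".keystore.path" in s or transport + ".certificate" in s):
            findings.append("transport: TLS is on but no keystore or certificate is set")
    if not enabled("xpack.security.http.ssl.enabled"):
        findings.append("http: TLS is off, so client traffic including passwords is plain text")
    return findings

# Constructed sample configurations (paths are placeholders).
WEAK = """
xpack.security.enabled: true
xpack.security.http.ssl.enabled: false
"""
HARDENED = """
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: certs/node-1.p12
xpack.security.transport.ssl.truststore.path: certs/node-1.p12
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: certs/node-1.p12
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_tls(cfg) or "ok")
```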