2018-02-15 14:41:01 -05:00
|
|
|
|
[role="xpack"]
|
|
|
|
|
|
[[tls-http]]
|
2020-02-21 13:04:29 -05:00
|
|
|
|
==== Encrypting HTTP client communications
|
2018-01-12 14:35:16 -05:00
|
|
|
|
|
2018-12-19 17:53:37 -05:00
|
|
|
|
When {security-features} are enabled, you can optionally use TLS to ensure that
|
2018-02-15 14:41:01 -05:00
|
|
|
|
communication between HTTP clients and the cluster is encrypted.
|
2018-01-12 14:35:16 -05:00
|
|
|
|
|
2020-09-08 10:23:43 -04:00
|
|
|
|
Enabling TLS on the HTTP layer is strongly recommended, but is not required.
|
|
|
|
|
|
|
|
|
|
|
|
IMPORTANT: In a <<dev-vs-prod-mode,production environment>>, some {es} features
|
|
|
|
|
|
such as tokens and API keys will be disabled unless you enable TLS on the HTTP
|
|
|
|
|
|
layer.
|
|
|
|
|
|
|
|
|
|
|
|
If you enable TLS on the HTTP layer in {es}, you might need to make
|
|
|
|
|
|
configuration changes in other parts of the Elastic Stack and in any {es}
|
|
|
|
|
|
clients that you use. For example, the following changes are typically
|
|
|
|
|
|
necessary:
|
|
|
|
|
|
|
|
|
|
|
|
* Update all clients, tools, and applications that connect to {es} to use the
|
|
|
|
|
|
`https` protocol in their configuration URL. For example, {kib}, {beats}, {ls},
|
|
|
|
|
|
language clients, and custom applications.
|
|
|
|
|
|
* Set trusted certificate authorities. This change is typically required only
|
|
|
|
|
|
if the {es} server certificate is issued by a certificate authority that is not
|
|
|
|
|
|
automatically trusted by the clients, tools, and applications that connect to
|
|
|
|
|
|
{es}.
|
|
|
|
|
|
|
|
|
|
|
|
If you enable advanced TLS features on {es} (such as
|
|
|
|
|
|
`ssl.client_authentication`), additional
|
|
|
|
|
|
configuration could be necessary, but is not typically required in most {es}
|
|
|
|
|
|
deployments.
|
2018-02-15 14:41:01 -05:00
|
|
|
|
|
|
|
|
|
|
. If you have not done so already, <<node-certificates,generate node certificates>>.
|
2020-02-21 13:04:29 -05:00
|
|
|
|
+
|
|
|
|
|
|
--
|
|
|
|
|
|
In particular, you need the files that are generated by the following command:
|
|
|
|
|
|
|
|
|
|
|
|
[source,shell]
|
|
|
|
|
|
----------------------------------------------------------
|
|
|
|
|
|
bin/elasticsearch-certutil http
|
|
|
|
|
|
----------------------------------------------------------
|
|
|
|
|
|
|
|
|
|
|
|
This command generates a zip file that contains certificates and keys for use in
|
|
|
|
|
|
{es} and {kib}. Each folder contains a readme that explains how to use the files.
|
|
|
|
|
|
--
|
|
|
|
|
|
|
|
|
|
|
|
. Verify that you've copied the output files to the appropriate locations, as
|
|
|
|
|
|
specified in the readme files.
|
|
|
|
|
|
+
|
|
|
|
|
|
--
|
|
|
|
|
|
For example, copy the `http.p12` file from the `elasticsearch` folder into a
|
|
|
|
|
|
directory within the {es} configuration directory on each node. If you chose to
|
|
|
|
|
|
generate one certificate per node, copy the appropriate `http.p12` file to each
|
|
|
|
|
|
node. If you want to use {kib} to access this cluster, copy the
|
|
|
|
|
|
`elasticsearch-ca.pem` file from the `kibana` folder into the {kib}
|
|
|
|
|
|
configuration directory.
|
|
|
|
|
|
--
|
2018-02-15 14:41:01 -05:00
|
|
|
|
|
|
|
|
|
|
. Enable TLS and specify the information required to access the node’s
|
2020-02-21 13:04:29 -05:00
|
|
|
|
certificate. For example:
|
2018-01-12 14:35:16 -05:00
|
|
|
|
|
2020-02-21 13:04:29 -05:00
|
|
|
|
.. Update the `elasticsearch.yml` file on each node with the location of the
|
|
|
|
|
|
certificates.
|
2018-01-12 14:35:16 -05:00
|
|
|
|
+
|
|
|
|
|
|
--
|
2020-02-21 13:04:29 -05:00
|
|
|
|
If the certificates are in PKCS#12 format:
|
|
|
|
|
|
|
2018-02-15 14:41:01 -05:00
|
|
|
|
[source, yaml]
|
|
|
|
|
|
--------------------------------------------------
|
|
|
|
|
|
xpack.security.http.ssl.enabled: true
|
2020-02-21 13:04:29 -05:00
|
|
|
|
xpack.security.http.ssl.keystore.path: "http.p12"
|
2018-02-15 14:41:01 -05:00
|
|
|
|
--------------------------------------------------
|
2018-01-12 14:35:16 -05:00
|
|
|
|
|
2020-02-21 13:04:29 -05:00
|
|
|
|
If you have certificates in PEM format:
|
|
|
|
|
|
|
2018-01-12 14:35:16 -05:00
|
|
|
|
[source, yaml]
|
|
|
|
|
|
--------------------------------------------------
|
2018-02-15 14:41:01 -05:00
|
|
|
|
xpack.security.http.ssl.enabled: true
|
2020-02-21 13:04:29 -05:00
|
|
|
|
xpack.security.http.ssl.key: /home/es/config/node1_http.key <1>
|
|
|
|
|
|
xpack.security.http.ssl.certificate: /home/es/config/node1_http.crt <2>
|
2018-05-14 16:07:27 -04:00
|
|
|
|
xpack.security.http.ssl.certificate_authorities: [ "/home/es/config/ca.crt" ] <3>
|
2018-01-12 14:35:16 -05:00
|
|
|
|
--------------------------------------------------
|
|
|
|
|
|
<1> The full path to the node key file. This must be a location within the
|
|
|
|
|
|
{es} configuration directory.
|
|
|
|
|
|
<2> The full path to the node certificate. This must be a location within the
|
|
|
|
|
|
{es} configuration directory.
|
|
|
|
|
|
<3> An array of paths to the CA certificates that should be trusted. These paths
|
|
|
|
|
|
must be a location within the {es} configuration directory.
|
|
|
|
|
|
--
|
|
|
|
|
|
|
2020-02-21 13:04:29 -05:00
|
|
|
|
.. If you secured the keystore or the private key with a password, add that password to a secure
|
|
|
|
|
|
setting in {es}.
|
2018-01-12 14:35:16 -05:00
|
|
|
|
+
|
|
|
|
|
|
--
|
2020-02-21 13:04:29 -05:00
|
|
|
|
If the certificates are in PKCS#12 format:
|
|
|
|
|
|
|
2018-01-12 14:35:16 -05:00
|
|
|
|
[source,shell]
|
|
|
|
|
|
-----------------------------------------------------------
|
2018-02-15 14:41:01 -05:00
|
|
|
|
bin/elasticsearch-keystore add xpack.security.http.ssl.keystore.secure_password
|
2018-01-12 14:35:16 -05:00
|
|
|
|
-----------------------------------------------------------
|
|
|
|
|
|
|
2020-02-21 13:04:29 -05:00
|
|
|
|
If the certificates are in PEM format:
|
|
|
|
|
|
|
2018-02-15 14:41:01 -05:00
|
|
|
|
[source,shell]
|
|
|
|
|
|
-----------------------------------------------------------
|
|
|
|
|
|
bin/elasticsearch-keystore add xpack.security.http.ssl.secure_key_passphrase
|
|
|
|
|
|
-----------------------------------------------------------
|
2018-01-12 14:35:16 -05:00
|
|
|
|
--
|
|
|
|
|
|
|
2020-02-21 13:04:29 -05:00
|
|
|
|
. Optional: If you want to use {kib}, follow the instructions in the readme
|
|
|
|
|
|
provided by the `elasticsearch-certutil http` command or see
|
|
|
|
|
|
{kibana-ref}/configuring-tls.html[Encrypting communications in {kib}].
|
|
|
|
|
|
|
2018-01-12 14:35:16 -05:00
|
|
|
|
. Restart {es}.
|
|
|
|
|
|
|
2018-08-30 06:59:19 -04:00
|
|
|
|
[NOTE]
|
|
|
|
|
|
===============================
|
|
|
|
|
|
* All TLS-related node settings are considered to be highly sensitive and
|
2018-01-12 14:35:16 -05:00
|
|
|
|
therefore are not exposed via the
|
|
|
|
|
|
{ref}/cluster-nodes-info.html#cluster-nodes-info[nodes info API] For more
|
|
|
|
|
|
information about any of these settings, see <<security-settings>>.
|
2018-08-30 06:59:19 -04:00
|
|
|
|
|
|
|
|
|
|
* {es} monitors all files such as certificates, keys, keystores, or truststores
|
|
|
|
|
|
that are configured as values of TLS-related node settings. If you update any of
|
|
|
|
|
|
these files (for example, when your hostnames change or your certificates are
|
|
|
|
|
|
due to expire), {es} reloads them. The files are polled for changes at
|
|
|
|
|
|
a frequency determined by the global {es} `resource.reload.interval.high`
|
|
|
|
|
|
setting, which defaults to 5 seconds.
|
|
|
|
|
|
===============================
|
