[[ssl-tls]]
=== Setting Up TLS on a Cluster

{security} enables you to encrypt traffic to, from, and within your {es}
cluster. Connections are secured using Transport Layer Security (TLS), which is
commonly referred to as "SSL".

WARNING: Clusters that do not have encryption enabled send all data in plain text,
including passwords, and will not be able to install a license that enables {security}.

The following steps describe how to enable encryption across the various
components of the Elastic Stack. You must perform each of the steps that are
applicable to your cluster.

. Generate a private key and X.509 certificate for each of your {es} nodes. See
{ref}/configuring-tls.html#node-certificates[Generating Node Certificates].

. Configure each node in the cluster to identify itself using its signed
certificate and enable TLS on the transport layer. You can also optionally
enable TLS on the HTTP layer. See
{ref}/configuring-tls.html#enable-ssl[Enabling TLS on {es} Nodes].

. Configure {monitoring} to use encrypted connections. See <<secure-monitoring>>.

. Configure {kib} to encrypt communications between the browser and
the {kib} server and to connect to {es} via HTTPS. See
{kibana-ref}/using-kibana-with-security.html[Configuring Security in {kib}].

. Configure Logstash to use TLS encryption. See
{logstash-ref}/ls-security.html[Configuring Security in Logstash].

. Configure Beats to use encrypted connections. See <<beats>>.

. Configure the Java transport client to use encrypted communications.
See <<java-clients>>.

. Configure {es} for Apache Hadoop to use secured transport. See
{hadoop-ref}/security.html[{es} for Apache Hadoop Security].
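
As an added illustration of the node configuration step above (example code, not part of the original documentation), this Python sketch audits per-node settings files and reports nodes that still send transport or HTTP traffic in plain text. It assumes the setting names `xpack.security.transport.ssl.enabled` and `xpack.security.http.ssl.enabled`, treats an absent setting as disabled, reads only a small YAML subset (mappings and scalars, no lists), and uses constructed sample configurations.

```python
# Added example: audit node settings for the two TLS switches (assumed names).
TRANSPORT = "xpack.security.transport.ssl.enabled"
HTTP = "xpack.security.http.ssl.enabled"

def flatten_settings(text):
    """Flatten nested or dotted 'key: value' mappings into dotted keys."""
    settings, stack = {}, []  # stack holds (indent, key) of open mappings
    for raw in text.splitlines():
        line = raw.split(" #", 1)[0].rstrip()  # drop trailing comments
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while stack and stack[-1][0] >= indent:  # close finished mappings
            stack.pop()
        dotted = ".".join([k for _, k in stack] + [key.strip()])
        value = value.strip().strip("'\"")
        if value:
            settings[dotted] = value
        else:
            stack.append((indent, key.strip()))
    return settings

def audit_node(name, text):
    """Return findings for one node; an absent setting counts as disabled."""
    s = flatten_settings(text)
    on = lambda k: s.get(k, "false").lower() == "true"
    findings = []
    if not on(TRANSPORT):
        findings.append(f"{name}: transport TLS disabled; node-to-node traffic is plain text")
    if not on(HTTP):
        findings.append(f"{name}: HTTP TLS disabled (optional); REST traffic is plain text")
    return findings

# Constructed sample configurations, not taken from a real cluster.
NODE_A = """
xpack.security.transport.ssl.enabled: true
xpack.security.http.ssl.enabled: true
"""
NODE_B = """
xpack:
  security:
    transport:
      ssl:
        enabled: true   # node-to-node only
"""
NODE_C = """
xpack.security:
  transport.ssl.enabled: false
  http.ssl.enabled: "true"
"""

if __name__ == "__main__":
    for name, cfg in (("node-a", NODE_A), ("node-b", NODE_B), ("node-c", NODE_C)):
        print(name, audit_node(name, cfg) or "ok")
```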