Docs: Updated kibana.yml settings to match 4.2 changes. Closes elastic/elasticsearch#524.
Original commit: elastic/x-pack-elasticsearch@e305153fe5
parent 593fc30669
commit 75d8d12c37
|
@ -148,8 +148,8 @@ file, `/config/kibana.yml`.
|
|||
+
|
||||
[source,yaml]
|
||||
--------------------------------------------------------------------------------
|
||||
kibana_elasticsearch_username: kibana4-server
|
||||
kibana_elasticsearch_password: password
|
||||
elasticsearch.username: kibana4-server
|
||||
elasticsearch.password: password
|
||||
--------------------------------------------------------------------------------
|
||||
|
||||
[[kibana4-roles]]
|
||||
|
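Review bot: the example `elasticsearch.password: password` stores the `kibana4-server` credential in `kibana.yml` in plaintext, and nothing in the lines shown tells the reader to protect that file. Suggest a sentence after the listing telling readers to replace the placeholder password and to restrict read access on `kibana.yml` to the account that runs Kibana.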
@ -229,31 +229,31 @@ kibana4_monitoring:
|
|||
|
||||
. If you have enabled SSL encryption in Shield, configure Kibana 4 to connect to Elasticsearch via HTTPS. To do this:
|
||||
|
||||
.. Specify the HTTPS protocol in the `elasticsearch` URL setting in the Kibana configuration file, `kibana.yml`:
|
||||
.. Specify the HTTPS protocol in the `elasticsearch.url` setting in the Kibana configuration file, `kibana.yml`:
|
||||
+
|
||||
[source,yaml]
|
||||
--------------------------------------------------------------------------------
|
||||
elasticsearch: "https://<your_elasticsearch_host>.com:9200"
|
||||
elasticsearch.url: "https://<your_elasticsearch_host>.com:9200"
|
||||
--------------------------------------------------------------------------------
|
||||
|
||||
.. If you are using your own CA to sign certificates for Elasticsearch, set the `ca` property in `kibana.yml` to specify the location of the PEM file.
|
||||
.. If you are using your own CA to sign certificates for Elasticsearch, set the `elasticsearch.ssl.ca` setting in `kibana.yml` to specify the location of the PEM file.
|
||||
+
|
||||
[source,yaml]
|
||||
--------------------------------------------------------------------------------
|
||||
ca: /path/to/your/ca/cacert.pem
|
||||
elasticsearch.ssl.ca: /path/to/your/cacert.pem
|
||||
--------------------------------------------------------------------------------
|
||||
|
||||
. Configure Kibana 4 to encrypt communications between the browser and the Kibana server. To do this, configure the `ssl_key_file` and `ssl_cert_file` properties in `kibana.yml` and restart Kibana:
|
||||
. Configure Kibana 4 to encrypt communications between the browser and the Kibana server. To do this, configure the `server.ssl.key` and `server.ssl.cert` properties in `kibana.yml`:
|
||||
+
|
||||
[source,yaml]
|
||||
--------------------------------------------------------------------------------
|
||||
ssl_key_file: /path/to/your/server.key
|
||||
ssl_cert_file: /path/to/your/server.crt
|
||||
server.ssl.key: /path/to/your/server.key
|
||||
server.ssl.cert: /path/to/your/server.crt
|
||||
--------------------------------------------------------------------------------
|
||||
+
|
||||
Once you enable SSL encryption between the browser and the Kibana server, access Kibana via HTTPS. For example, `https://localhost:5601`.
|
||||
+
|
||||
NOTE: Enabling browser encryption is required to prevent passing user credentials in the clear in Kibana 4.0 and 4.1.
|
||||
NOTE: Enabling browser encryption is required to prevent passing user credentials in the clear.
|
||||
|
||||
. Restart Kibana and verify that you can sign in as a user. If you are running Kibana locally,
|
||||
go to `localhost:5601` and enter the credentials for a user you've assigned a Kibana user role. For example, you could log in as the `jacknich` user created in step 3.
|
||||
|
|
|
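Review bot: the final verify step still points readers at `localhost:5601` with no scheme, while the step just above it says Kibana must be accessed via HTTPS once `server.ssl.key` and `server.ssl.cert` are set. Suggest `https://localhost:5601` in the verify step so the two agree. Separately, the `.com` after `<your_elasticsearch_host>` in the `elasticsearch.url` example reads as part of the placeholder; consider dropping it.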
@ -43,15 +43,17 @@ To install a signed certificate, you need to:
|
|||
===== Creating a Keystore and Generating a Certificate
|
||||
To create a keystore and generate a node certificate:
|
||||
|
||||
. Create a node keystore and import your CA's certificate with https://docs.oracle.com/javase/8/docs/technotes/tools/unix/keytool.html[Java Keytool]. This configures the node to trust certificates signed by the CA. For example, the following command creates a keystore for `node01` and and imports the CA certificate `cacert.pem`.
|
||||
. Create a node keystore and import your CA's certificate with https://docs.oracle.com/javase/8/docs/technotes/tools/unix/keytool.html[Java Keytool]. This configures the node to trust certificates signed by the CA. For Elasticsearch
|
||||
to access the keystore, it must be located under the Elasticsearch configuration directory. For example, the following command creates a keystore for `node01` and and imports the CA certificate `cacert.pem`.
|
||||
+
|
||||
[source,shell]
|
||||
--------------------------------------------------
|
||||
cd CONFIG_DIR/shield
|
||||
keytool -importcert -keystore node01.jks -file cacert.pem -alias my_ca
|
||||
--------------------------------------------------
|
||||
+
|
||||
The Java keystore file (.jks) securely stores certificates for the node. The CA cert must be a
|
||||
PEM encoded certificate.
|
||||
PEM encoded certificate.
|
||||
+
|
||||
When you create a keystore, you are prompted to set a password. This password protects the
|
||||
integrity of the keystore. You need to provide it whenever you interact with the keystore.
|
||||
|
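Review bot: the rewritten step 1 carries over the doubled word in "creates a keystore for `node01` and and imports"; fix it while the sentence is being touched. The hunk also ends up with "PEM encoded certificate." listed twice, which looks like a whitespace-only change and could be left out of the commit.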
@ -153,6 +155,7 @@ specify the same alias and keystore that you used when you created the node cert
|
|||
|
||||
[source, shell]
|
||||
--------------------------------------------------
|
||||
cd CONFIG_DIR/shield
|
||||
keytool -importcert -keystore node01.jks -file node01-signed.crt -alias node01
|
||||
--------------------------------------------------
|
||||
|
||||
|
@ -186,11 +189,12 @@ certificate. For example:
|
|||
+
|
||||
[source, yaml]
|
||||
--------------------------------------------------
|
||||
shield.ssl.keystore.path: /home/es/config/node01.jks <1>
|
||||
shield.ssl.keystore.path: /home/es/config/shield/node01.jks <1>
|
||||
shield.ssl.keystore.password: myPass <2>
|
||||
shield.ssl.keystore.key_password: myKeyPass <3>
|
||||
--------------------------------------------------
|
||||
<1> The full path to the node keystore file.
|
||||
<1> The full path to the node keystore file. This must be a location within the Elasticsearch
|
||||
configuration directory.
|
||||
<2> The password used to access the keystore.
|
||||
<3> The password used to access the certificate. This is only required if you specified a separate
|
||||
certificate password when generating the certificate.
|
||||
|
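Review bot: callout <1> now requires a location within the Elasticsearch configuration directory, but the example value `/home/es/config/shield/node01.jks` is not tied back to the `CONFIG_DIR/shield` placeholder used in the keytool commands. Suggest naming `CONFIG_DIR` in the callout text so readers can see that the path in the YAML and the directory in the commands are the same place.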
@ -237,7 +241,8 @@ To use a separate truststore:
|
|||
+
|
||||
[source,shell]
|
||||
--------------------------------------------------
|
||||
keytool -importcert -keystore /home/es/config/truststore.jks -file /Users/Download/cacert.pem
|
||||
cd CONFIG_DIR/shield
|
||||
keytool -importcert -keystore truststore.jks -file cacert.pem
|
||||
--------------------------------------------------
|
||||
+
|
||||
When you create a truststore, you are prompted to set a password. This password protects the
|
||||
|
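Review bot: with `cd CONFIG_DIR/shield` followed by `-file cacert.pem`, the command assumes the CA certificate has already been copied into `CONFIG_DIR/shield`, whereas the old line read it from an absolute path. Either add a step that copies `cacert.pem` there first or keep a path placeholder in the `-file` argument.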
@ -248,8 +253,9 @@ access it. For example:
|
|||
+
|
||||
[source, yaml]
|
||||
--------------------------------------------------
|
||||
shield.ssl.truststore.path: /home/es/config/truststore.jks <1>
|
||||
shield.ssl.truststore.path: /home/es/config/shield/truststore.jks <1>
|
||||
shield.ssl.truststore.password: myPass <2>
|
||||
--------------------------------------------------
|
||||
<1> The full path to the truststore file.
|
||||
<1> The full path to the truststore file. This must be a location within the
|
||||
Elasticsearch configuration directory.
|
||||
<2> The password needed to access the truststore.
|
||||
|
|
|
@ -17,7 +17,7 @@ IMPORTANT: Because a Certificate Authority is a central point of trust, the priv
|
|||
To set up a CA:
|
||||
|
||||
. Create the directory structure where the CA configuration and certificates will be stored. You
|
||||
need to create a `ca` directory and three subdirectories: `private`, `certs`, and `conf`:
|
||||
need to create a `ca` directory and three subdirectories: `private`, `certs`, and `conf`.
|
||||
+
|
||||
[source,shell]
|
||||
--------------------------------------------------
|
||||
|
@ -33,7 +33,7 @@ echo '01' > serial
|
|||
touch index.txt
|
||||
--------------------------------------------------
|
||||
|
||||
. Create a CA configuration template and store it in `ca/conf/caconfig.cnf`. You use the
|
||||
. Create a CA configuration template and store it in `conf/caconfig.cnf`. You use the
|
||||
configuration template to set options for the CA that cannot be passed in from the
|
||||
command line. The following template defines a basic CA configuration you
|
||||
can use as a starting point.
|
||||
|
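Review bot: `conf/caconfig.cnf` is now a relative path, but the step does not say what it is relative to. It matches the `-config conf/caconfig.cnf` argument used in the openssl commands only if the reader is working inside the `ca` directory, so suggest saying so here, for example "store it in `conf/caconfig.cnf` under the `ca` directory".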
@ -119,8 +119,7 @@ where you want to store the CA's private key and certificate with the `-keyout`
|
|||
+
|
||||
[source,shell]
|
||||
------------------------------------------------------------------------------
|
||||
openssl req -new -x509 -extensions v3_ca -keyout private/cakey.pem
|
||||
-out certs/cacert.pem -days 1460 -config conf/caconfig.cnf
|
||||
openssl req -new -x509 -extensions v3_ca -keyout private/cakey.pem -out certs/cacert.pem -days 1460 -config conf/caconfig.cnf
|
||||
------------------------------------------------------------------------------
|
||||
+
|
||||
NOTE: When the CA certificate expires, trust in the CA is revoked and you need to generate a new CA certificate and re-sign your node certificates.
|
||||
|
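Review bot: `-days 1460` is left unexplained even though the NOTE directly under the command says that expiry forces a new CA certificate and re-signing of the node certificates. Suggest a sentence stating that 1460 days is about four years and that readers should choose a lifetime they can plan a rotation around. Joining the command onto one line is fine, since the old two-line form had no `\` continuation.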
@ -179,8 +178,7 @@ your CA's configuration file with the `-config` option.
|
|||
+
|
||||
[source,shell]
|
||||
-----------------------------------------------------------------------------
|
||||
openssl ca -in node01.csr -notext -out node01-signed.crt
|
||||
-config conf/caconfig.cnf -extensions v3_req
|
||||
openssl ca -in node01.csr -notext -out node01-signed.crt -config conf/caconfig.cnf -extensions v3_req
|
||||
-----------------------------------------------------------------------------
|
||||
+
|
||||
The signed certificate contains the node's original unsigned certificate, your CA certificate, and
|
||||
|
|