[role="xpack"] [testenv="trial"] [[encrypting-internode]] === Encrypt internode communications Now that we've generated a certificate authority and certificates, let's update the cluster to use these files. IMPORTANT: When you enable {es} {security-features}, unless you have a trial license, you must use Transport Layer Security (TLS) to encrypt internode communication. By following the steps in this tutorial tutorial, you learn how to meet the minimum requirements to pass the {ref}/bootstrap-checks-xpack.html#bootstrap-checks-tls[TLS bootstrap check]. . (Optional) Name the cluster. + -- For example, add the {ref}/cluster.name.html[cluster.name] setting in the `ES_PATH_CONF/elasticsearch.yml` file: [source,yaml] ---- cluster.name: test-cluster ---- TIP: The `ES_PATH_CONF` environment variable contains the path for the {es} configuration files. If you installed {es} using archive distributions (`zip` or `tar.gz`), it defaults to `ES_HOME/config`. If you used package distributions (Debian or RPM), it defaults to `/etc/elasticsearch`. For more information, see <>. The default cluster name is `elasticsearch`. You should choose a unique name, however, to ensure that your nodes join the right cluster. -- . (Optional) Name the {es} node. + -- For example, add the {ref}/node.name.html[node.name] setting in the `ES_PATH_CONF/elasticsearch.yml` file: [source,yaml] ---- node.name: node-1 ---- In this tutorial, the cluster will consist of three nodes that exist on the same machine and share the same (loopback) IP address and hostname. Therefore, we must give each node a unique name. This step is also necessary if you want to use the `node.name` value to define the location of certificates in subsequent steps. -- . Disable single-node discovery. + -- To enable {es} to form a multi-node cluster, use the default value for the `discovery.type` setting. If that setting exists in your `ES_PATH_CONF/elasticsearch.yml` file, remove it. -- . (Optional) If you are starting the cluster for the first time, specify the initial set of master-eligible nodes. + -- For example, add the following setting in the `ES_PATH_CONF/elasticsearch.yml` file: [source,yaml] ---- cluster.initial_master_nodes: ["node-1"] ---- If you start an {es} node without configuring this setting or any other discovery settings, it will start up in development mode and auto-bootstrap itself into a new cluster. TIP: If you are starting a cluster with multiple master-eligible nodes for the first time, add all of those node names to the `cluster.initial_master_nodes` setting. See {ref}/modules-discovery-bootstrap-cluster.html[Bootstrapping a cluster] and {ref}/discovery-settings.html[Important discovery and cluster formation settings]. -- . Enable Transport Layer Security (TLS/SSL) for transport (internode) communications. + -- // tag::enable-tls[] For example, add the following settings in the `ES_PATH_CONF/elasticsearch.yml` file: [source,yaml] ---- xpack.security.enabled: true xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.keystore.path: certs/${node.name}.p12 <1> xpack.security.transport.ssl.truststore.path: certs/${node.name}.p12 ---- <1> If the file name for your certificate does not match the `node.name` value, you must put the appropriate file name in the `elasticsearch.yml` file. // end::enable-tls[] NOTE: The PKCS#12 keystore that is output by the `elasticsearch-certutil` can be used as both a keystore and a truststore. If you use other tools to manage and generate your certificates, you might have different values for these settings, but that scenario is not covered in this tutorial. For more information, see <> and {ref}/security-settings.html#transport-tls-ssl-settings[Transport TLS settings]. -- . Store the password for the PKCS#12 file in the {es} keystore. + -- // tag::secure-passwords[] For example, run the following commands: ["source","sh",subs="attributes,callouts"] ---------------------------------------------------------------------- ./bin/elasticsearch-keystore create <1> ./bin/elasticsearch-keystore add xpack.security.transport.ssl.keystore.secure_password ./bin/elasticsearch-keystore add xpack.security.transport.ssl.truststore.secure_password ---------------------------------------------------------------------- <1> If the {es} keystore already exists, this command asks whether you want to overwrite it. You do not need to overwrite it; you can simply add settings to your existing {es} keystore. // end::secure-passwords[] You are prompted to supply the password that you created for the `node-1.p12` file. We are using this file for both the transport TLS keystore and truststore, therefore supply the same password for both of these settings. -- . {ref}/starting-elasticsearch.html[Start {es}]. + -- For example, if you installed {es} with a `.tar.gz` package, run the following command from the {es} directory: ["source","sh",subs="attributes,callouts"] ---------------------------------------------------------------------- ./bin/elasticsearch ---------------------------------------------------------------------- -- . Create passwords for the built-in users and configure {kib} to use them. + -- NOTE: If you already configured passwords for these users in other tutorials, you can skip this step. include::{xes-repo-dir}/security/get-started-builtin-users.asciidoc[tag=create-users] After you setup the password for the `kibana_system` built-in user, <>. For example, run the following commands to create the {kib} keystore and add the `kibana_system` built-in user and its password in secure settings: include::{xes-repo-dir}/security/get-started-kibana-users.asciidoc[tag=store-kibana-user] -- . Start {kib}. + -- For example, if you installed {kib} with a `.tar.gz` package, run the following command from the {kib} directory: ["source","sh",subs="attributes,callouts"] ---------------------------------------------------------------------- ./bin/kibana ---------------------------------------------------------------------- See {kibana-ref}/start-stop.html[Starting and stopping {kib}]. --