[[ssl-tls]]
=== Setting Up TLS on a Cluster

{security} enables you to encrypt traffic to, from, and within your {es}
cluster. Connections are secured using Transport Layer Security (TLS), which is
commonly referred to as "SSL".

WARNING: Clusters that do not have encryption enabled send all data in plain text
including passwords and will not be able to install a license that enables {security}.

The following steps describe how to enable encryption across the various
components of the Elastic Stack. You must perform each of the steps that are
applicable to your cluster.

. Generate a private key and X.509 certificate for each of your {es} nodes. See
{ref}/configuring-tls.html#node-certificates[Generating Node Certificates].

. Configure each node in the cluster to identify itself using its signed
certificate and enable TLS on the transport layer. You can also optionally
enable TLS on the HTTP layer. See
{ref}/configuring-tls.html#enable-ssl[Enabling TLS on {es} Nodes].

. Configure {monitoring} to use encrypted connections. See <<secure-monitoring>>.

. Configure {kib} to encrypt communications between the browser and
the {kib} server and to connect to {es} via HTTPS. See
{kibana-ref}/using-kibana-with-security.html[Configuring Security in {kib}].

. Configure Logstash to use TLS encryption. See
{logstash-ref}/ls-security.html[Configuring Security in Logstash].

. Configure Beats to use encrypted connections. See <<beats>>.

. Configure the Java transport client to use encrypted communications.
See <<java-clients>>.

. Configure {es} for Apache Hadoop to use secured transport. See
{hadoop-ref}/security.html[{es} for Apache Hadoop Security].

//The following sections can be removed after we clean up all links to these anchors.

[[installing-node-certificates]]
==== Node Certificates

See {ref}/configuring-tls.html#node-certificates[Generating Node Certificates].

[[enable-ssl]]
==== Enabling TLS in the Node Configuration

See {ref}/configuring-tls.html#enable-ssl[Enabling TLS on {es} Nodes].