[[enable-ssl]]
==== Enabling TLS on {es} Nodes

Once you have the signed certificate, private key, and CA certificate, you need
to modify the node configuration to enable Transport Layer Security (TLS/SSL).

. Specify the information required to access the node's certificate.

** If the certificate is in PKCS#12 format, add the following information to the
`elasticsearch.yml` file on each node:
+
--
[source,yaml]
-----------------------------------------------------------
xpack.ssl.keystore.path: certs/elastic-certificates.p12 <1>
xpack.ssl.truststore.path: certs/elastic-certificates.p12 <2>
-----------------------------------------------------------
<1> If you created a separate certificate for each node, then you might need to
customize this path on each node. If the filename matches the node name, you can
use the `certs/${node.name}.p12` format, for example.
<2> The `certutil` output includes the CA certificate inside the PKCS#12
keystore, therefore the keystore can also be used as the truststore. This name
should match the `keystore.path` value.
--

** If the certificate is in PEM format, add the following information to the
`elasticsearch.yml` file on each node:
+
--
[source,yaml]
--------------------------------------------------
xpack.ssl.key: /home/es/config/x-pack/node01.key <1>
xpack.ssl.certificate: /home/es/config/x-pack/node01.crt <2>
xpack.ssl.certificate_authorities: [ "/home/es/config/x-pack/ca.crt" ] <3>
--------------------------------------------------
<1> The full path to the node key file. This must be a location within the
{es} configuration directory.
<2> The full path to the node certificate. This must be a location within the
{es} configuration directory.
<3> An array of paths to the CA certificates that should be trusted. These paths
must be a location within the {es} configuration directory.
--

. If you secured the node's certificate with a password, add the password to
your {es} keystore:
+
--
[source,shell]
-----------------------------------------------------------
bin/elasticsearch-keystore add xpack.ssl.keystore.secure_password

bin/elasticsearch-keystore add xpack.ssl.truststore.secure_password
-----------------------------------------------------------
--

. Enable TLS on the transport networking layer to ensure that communication
between nodes is encrypted. Make the following changes in `elasticsearch.yml`:
+
--
[source,yaml]
--------------------------------------------------
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate <1>
--------------------------------------------------
<1> If you used the `--dns` or `--ip` options with the `certutil cert` command
and you want to enable strict hostname checking, set the verification mode to
`full`.
--

. Optional: Enable TLS on the HTTP layer to ensure that communication between HTTP clients
and the cluster is encrypted.
+
--
NOTE: Enabling TLS on the HTTP layer is strongly recommended but is not required.
If you enable TLS on the HTTP layer in {es}, then you might need to make
configuration changes in other parts of the Elastic Stack and in any {es}
clients that you use.

Make the following changes in `elasticsearch.yml`:

[source,yaml]
--------------------------------------------------
xpack.security.http.ssl.enabled: true
--------------------------------------------------
--

. Restart {es}.
+
--
You must perform a full cluster restart. Nodes which are configured to use TLS
cannot communicate with nodes that are using unencrypted networking (and
vice-versa). After enabling TLS you must restart all nodes in order to maintain
communication across the cluster.
--
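
The settings from the steps above can be sanity-checked on each node before the full cluster restart. The following is an added example and is not part of the {es} documentation or the product: it parses the flat `key: value` lines shown on this page (no YAML library needed for that subset) and flags the mistakes the steps warn about, namely transport TLS left disabled, a verification mode other than `certificate` or `full`, a node with neither a PKCS#12 keystore nor a complete PEM key/certificate/CA set, and certificate paths outside the configuration directory. The configuration directory, file paths and sample configuration are constructed for the example.

```python
import os

CONFIG_DIR = "/home/es/config"  # assumed {es} configuration directory (constructed)

# Constructed elasticsearch.yml fragment with two deliberate mistakes:
# verification disabled and a CA file outside the configuration directory.
SAMPLE_CONFIG = """\
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: none
xpack.ssl.key: /home/es/config/x-pack/node01.key
xpack.ssl.certificate: /home/es/config/x-pack/node01.crt
xpack.ssl.certificate_authorities: [ "/etc/pki/ca.crt" ]
"""
PEM_KEYS = ("xpack.ssl.key", "xpack.ssl.certificate", "xpack.ssl.certificate_authorities")
PATH_KEYS = ("xpack.ssl.keystore.path", "xpack.ssl.truststore.path") + PEM_KEYS

def parse_flat_yaml(text):
    """Parse flat `key: value` lines; `[a, b]` values become lists of strings."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        if value.startswith("[") and value.endswith("]"):
            value = [v.strip().strip("\"'") for v in value[1:-1].split(",") if v.strip()]
        settings[key] = value
    return settings

def inside_config_dir(path, config_dir=CONFIG_DIR):
    """True if path (relative paths resolve against config_dir) stays inside it."""
    root = os.path.normpath(config_dir)
    return os.path.commonpath([root, os.path.normpath(os.path.join(root, path))]) == root

def check_tls_settings(settings, config_dir=CONFIG_DIR):
    """Return a list of findings; an empty list means the node settings pass."""
    findings = []
    if settings.get("xpack.security.transport.ssl.enabled") != "true":
        findings.append("transport TLS is not enabled")
    mode = settings.get("xpack.security.transport.ssl.verification_mode")
    if mode is not None and mode not in ("certificate", "full"):
        findings.append(f"verification_mode '{mode}' does not validate peer certificates")
    if "xpack.ssl.keystore.path" not in settings and not all(k in settings for k in PEM_KEYS):
        findings.append("no node certificate configured (PKCS#12 keystore or PEM key/cert/CA)")
    for key in PATH_KEYS:  # every certificate path must live under the config directory
        value = settings.get(key)
        for path in (value if isinstance(value, list) else [value] if value else []):
            if not inside_config_dir(path, config_dir):
                findings.append(f"{key}: {path} is outside {config_dir}")
    return findings
```

Running `check_tls_settings(parse_flat_yaml(SAMPLE_CONFIG))` on the constructed fragment reports the disabled verification mode and the CA path outside the configuration directory; a configuration using the PKCS#12 keystore paths from step 1 with `verification_mode: full` returns no findings.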

NOTE: All TLS-related node settings are considered to be highly sensitive and
therefore are not exposed via the
{ref}/cluster-nodes-info.html#cluster-nodes-info[nodes info API]. For more
information about any of these settings, see <<security-settings>>.

For information about configuring other products in the Elastic Stack, see
{xpack-ref}/ssl-tls.html[Setting Up TLS on a Cluster].