94 lines
3.8 KiB
Plaintext
94 lines
3.8 KiB
Plaintext
[role="xpack"]
|
||
[[tls-http]]
|
||
==== Encrypting HTTP Client Communications
|
||
|
||
When {security} is enabled, you can optionally use TLS to ensure that
|
||
communication between HTTP clients and the cluster is encrypted.
|
||
|
||
NOTE: Enabling TLS on the HTTP layer is strongly recommended but is not required.
|
||
If you enable TLS on the HTTP layer in {es}, then you might need to make
|
||
configuration changes in other parts of the Elastic Stack and in any {es}
|
||
clients that you use.
|
||
|
||
. If you have not done so already, <<node-certificates,generate node certificates>>.
|
||
|
||
. Enable TLS and specify the information required to access the node’s
|
||
certificate.
|
||
|
||
** If the certificate is in PKCS#12 format, add the following information to the
|
||
`elasticsearch.yml` file on each node:
|
||
+
|
||
--
|
||
[source, yaml]
|
||
--------------------------------------------------
|
||
xpack.security.http.ssl.enabled: true
|
||
xpack.security.http.ssl.keystore.path: certs/elastic-certificates.p12 <1>
|
||
xpack.security.http.ssl.truststore.path: certs/elastic-certificates.p12 <2>
|
||
--------------------------------------------------
|
||
<1> If you created a separate certificate for each node, then you might need to
|
||
customize this path on each node. If the filename matches the node name, you can
|
||
use the `certs/${node.name}.p12` format, for example.
|
||
<2> The `elasticsearch-certutil` output includes the CA certificate inside the
|
||
PKCS#12 keystore, therefore the keystore can also be used as the truststore.
|
||
This name should match the `keystore.path` value.
|
||
--
|
||
|
||
** If the certificate is in PEM format, add the following information to the
|
||
`elasticsearch.yml` file on each node:
|
||
+
|
||
--
|
||
[source, yaml]
|
||
--------------------------------------------------
|
||
xpack.security.http.ssl.enabled: true
|
||
xpack.security.http.ssl.key: /home/es/config/node01.key <1>
|
||
xpack.security.http.ssl.certificate: /home/es/config/node01.crt <2>
|
||
xpack.security.http.ssl.certificate_authorities: [ "/home/es/config/ca.crt" ] <3>
|
||
--------------------------------------------------
|
||
<1> The full path to the node key file. This must be a location within the
|
||
{es} configuration directory.
|
||
<2> The full path to the node certificate. This must be a location within the
|
||
{es} configuration directory.
|
||
<3> An array of paths to the CA certificates that should be trusted. These paths
|
||
must be a location within the {es} configuration directory.
|
||
--
|
||
|
||
. If you secured the node's certificate with a password, add the password to
|
||
your {es} keystore:
|
||
|
||
** If the signed certificate is in PKCS#12 format, use the following commands:
|
||
+
|
||
--
|
||
[source,shell]
|
||
-----------------------------------------------------------
|
||
bin/elasticsearch-keystore add xpack.security.http.ssl.keystore.secure_password
|
||
|
||
bin/elasticsearch-keystore add xpack.security.http.ssl.truststore.secure_password
|
||
-----------------------------------------------------------
|
||
--
|
||
|
||
** If the certificate is in PEM format, use the following commands:
|
||
+
|
||
--
|
||
[source,shell]
|
||
-----------------------------------------------------------
|
||
bin/elasticsearch-keystore add xpack.security.http.ssl.secure_key_passphrase
|
||
-----------------------------------------------------------
|
||
--
|
||
|
||
. Restart {es}.
|
||
|
||
[NOTE]
|
||
===============================
|
||
* All TLS-related node settings are considered to be highly sensitive and
|
||
therefore are not exposed via the
|
||
{ref}/cluster-nodes-info.html#cluster-nodes-info[nodes info API] For more
|
||
information about any of these settings, see <<security-settings>>.
|
||
|
||
* {es} monitors all files such as certificates, keys, keystores, or truststores
|
||
that are configured as values of TLS-related node settings. If you update any of
|
||
these files (for example, when your hostnames change or your certificates are
|
||
due to expire), {es} reloads them. The files are polled for changes at
|
||
a frequency determined by the global {es} `resource.reload.interval.high`
|
||
setting, which defaults to 5 seconds.
|
||
===============================
|