
Enabling Elasticsearch Xpack Security on an Unsecured Cluster

High-Level Steps:

  1. Create SSL Elastic Certificates
  2. Copy the SSL Certificate to All Nodes
  3. Update the elasticsearch.yml
  4. Stop All Elasticsearch Nodes
  5. Start All Elasticsearch Nodes
  6. Create/Reset the Built-In Users’ Passwords

To enhance the security of your Elasticsearch cluster, you will need to perform a FULL CLUSTER RESTART, as well as make some changes on the client side. Once authentication is enabled, all requests to index and search data will require a username and password or a token.

Here are the high-level steps to achieve this:

1. Create SSL Elastic Certificates

  • To enable TLS communication, SSL certificates are necessary. Begin by creating an SSL certificate. Note: Create the certificate only once and copy it to all nodes.
  • Create the CA certificate.

./bin/elasticsearch-certutil ca --days 3650
[Press Enter]
[Press Enter]

  • The ‘elastic-stack-ca.p12’ file is generated under ‘/usr/share/elasticsearch’.
  • On a single node, generate a certificate and a private key for all nodes in your cluster.

./bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 --days 3650
[Press Enter]
[Press Enter]

2. Copy the SSL Certificate to All Nodes

The ‘elastic-certificates.p12’ file is created under ‘/usr/share/elasticsearch’. After creating the SSL certificate (elastic-certificates.p12), copy it to all nodes and move it into the Elasticsearch configuration directory:

mv /usr/share/elasticsearch/elastic-certificates.p12 /etc/elasticsearch/
chown elasticsearch:elasticsearch /etc/elasticsearch/ -R

3. Update the elasticsearch.yml

  • Edit the elasticsearch.yml file and add or update the following settings:

xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.client_authentication: required
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12

Note: The default path for the certificate is ‘/etc/elasticsearch/elastic-certificates.p12’.

Note 2: Ensure there is no duplication of settings.

4. Stop All Elasticsearch Nodes

service elasticsearch stop

5. Start All Elasticsearch Nodes

Start all Elasticsearch nodes, beginning with the master nodes.

service elasticsearch start

Starting with the master nodes ensures that the core of your Elasticsearch cluster is up and running before the data nodes come online. This sequence is important to maintain cluster stability and data integrity.

6. Create/Reset the Built-In Users’ Passwords

bin/elasticsearch-reset-password -u elastic -i

With “-i” (interactive), this command prompts you to enter the new password for the “elastic” user. If you want Elasticsearch to generate the password automatically instead, replace “-i” with “-a” (auto); the generated password for the “elastic” user is then displayed in the terminal. Make sure to securely store this password, as it is required for authentication.

Common Problems and Solutions:

  • SSL Certificate Path: Ensure the ‘elastic-certificates.p12’ path is correct. The default path is ‘/etc/elasticsearch’ in Debian or RPM installations.
  • SSL Certificate Permissions: Verify that all Elasticsearch nodes have the SSL certificate and sufficient access permissions.
  • SSL Certificate Password: During certificate creation, no password is defined, but Elasticsearch v8 may have a default password. Check ‘./bin/elasticsearch-keystore list’ and remove any passwords defined for ‘xpack.security.transport.ssl.*’.
  • Elasticsearch-Reset-Password Command (1): Ensure you can access Elasticsearch via localhost. If not, add ‘--url’ to the end of the command. Check for any proxy issues.
  • Elasticsearch-Reset-Password Command (2): This command requires data nodes to be connected to the cluster because it needs to add the elastic user password to the ‘.security’ index. Ensure data nodes are connected before running the command.
  • Kibana Is Not Working: Since Elasticsearch v8, Kibana refuses the elastic superuser as its own service account (the elasticsearch.username setting in kibana.yml). Use the ‘kibana_system’ user there.
  • Kibana System Can’t Login: To log in to Kibana, use the elastic user; the ‘kibana_system’ user is reserved for communication between Kibana and Elasticsearch.
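As an added pre-restart check (example script, not from the original post), the following validates an elasticsearch.yml before steps 4 and 5: it confirms the step 3 settings are present, that no xpack.security key is duplicated (Note 2), and that the keystore/truststore path resolves to a readable file, covering the SSL path and permissions items above. It assumes relative paths resolve against /etc/elasticsearch, as Elasticsearch does.

```shell
#!/bin/sh
# Added example, not part of the original post. Checks an elasticsearch.yml
# for the xpack.security settings from step 3 before a full cluster restart.
# Assumption: relative keystore/truststore paths resolve against the config
# directory (default /etc/elasticsearch), which is Elasticsearch's behaviour.

# Print the value of a top-level "key: value" setting; empty if absent.
es_setting() {
  # $1 = yml file, $2 = setting key
  sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" "$1" | head -n 1
}

# Return 0 if every xpack.security.* key appears at most once (Note 2).
es_no_duplicate_settings() {
  # $1 = yml file
  dups=$(grep -E '^[[:space:]]*xpack\.security\.[^:]+:' "$1" \
         | sed 's/^[[:space:]]*//; s/:.*//' | sort | uniq -d)
  [ -z "$dups" ]
}

# Return 0 when security and transport TLS are enabled, no setting is
# duplicated, and both PKCS#12 paths point at a readable file.
es_security_config_ok() {
  # $1 = yml file, $2 = config directory (default /etc/elasticsearch)
  yml=$1; dir=${2:-/etc/elasticsearch}
  es_no_duplicate_settings "$yml" || return 1
  [ "$(es_setting "$yml" xpack.security.enabled)" = "true" ] || return 1
  [ "$(es_setting "$yml" xpack.security.transport.ssl.enabled)" = "true" ] || return 1
  for k in keystore truststore; do
    p=$(es_setting "$yml" "xpack.security.transport.ssl.$k.path")
    [ -n "$p" ] || return 1
    case $p in /*) ;; *) p="$dir/$p" ;; esac   # relative path -> config dir
    [ -r "$p" ] || return 1                     # file missing or unreadable
  done
  return 0
}
```

Run it on every node as the user Elasticsearch runs as, so the readability check reflects the permissions set by the chown in step 2.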

Official Notes:

  • The minimal security scenario is not sufficient for production mode clusters. If your cluster has multiple nodes, you must enable minimal security and then configure Transport Layer Security (TLS) between nodes.
