Enabling TLS on Elastic Cluster

Shubhmeet Kaur
Jul 4, 2019

Elasticsearch uses two levels of communication: transport and HTTP. The transport protocol is used for internal communication between Elasticsearch nodes, and the HTTP protocol is used for communication from clients to the Elasticsearch cluster.

Transport TLS/SSL encryption

The transport protocol is used for communication between nodes within an Elasticsearch cluster. Because each node in an Elasticsearch cluster is both a client and a server to the other nodes in the cluster, all transport certificates must be both client and server certificates. Elasticsearch comes with a utility called elasticsearch-certutil that can generate self-signed certificates for encrypting internal communications.

The following steps create certificates for the Java Transport Client and enable X-Pack security on each node:

1. Create a certificate authority (CA) for the self-signed certificates:

bin/elasticsearch-certutil ca --pem

A new elastic-stack-ca.zip file will be created. Unzip the file:

unzip elastic-stack-ca.zip

The ca folder contains the crt and key files for your Certificate Authority. Every node would have its certificates signed by this new CA.

2. For each of your nodes, generate a certificate and private key signed by the CA created in step 1:

bin/elasticsearch-certutil cert --ca-cert ca/ca.crt --ca-key ca/ca.key --pem

The ca folder must be copied to the config folder (this is necessary).

3. Generate another certificate for your Java client in the same way as in step 2. Rename its key and certificate to client.key and client.crt.

4. Update your elasticsearch.yml file:

xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.key: ca/ca.key
xpack.security.transport.ssl.certificate: ca/ca.crt
xpack.security.transport.ssl.certificate_authorities: [ "ca/ca.crt" ]

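5. Java Transport Client

import org.elasticsearch.client.transport.TransportClient;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.xpack.client.PreBuiltXPackTransportClient;

// getClusterName() is the application's own helper that returns the cluster name.
Settings.Builder settings = Settings.builder();
settings.put("cluster.name", getClusterName())
    .put("client.transport.ignore_cluster_name", false)
    .put("client.transport.sniff", true)
    .put("xpack.security.user", "username:password")
    // Client key and certificate from step 3, plus the CA that signed them
    .put("xpack.ssl.key", "pathto/client.key")
    .put("xpack.ssl.certificate", "pathto/client.crt")
    .put("xpack.ssl.certificate_authorities", "CertificateIssuingAuthority/ca.crt")
    .put("xpack.security.transport.ssl.enabled", "true")
    .put("xpack.security.transport.ssl.verification_mode", "certificate");

TransportClient client = new PreBuiltXPackTransportClient(settings.build());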

6. The default Elastic Stack user is username: elastic; password: "changeme".

7. Change the Elastic Stack passwords using:

bin/elasticsearch-setup-passwords interactive

Make sure to keep a copy of the passwords you set. Alternatively, you can create a custom superuser and use it from then on. First stop the Elastic cluster, then run the following command:

bin/elasticsearch-users useradd my_admin -p my_password -r superuser

8. Test whether the password has been set successfully. If something went wrong, you will get the error "failed to authenticate user [my_admin]".

curl -X GET "localhost:9202/_cluster/health" -u my_admin:my_password

NOTE: If you encounter "NoNodeAvailableException" [None of the configured nodes are available: Cluster client did not trust this server's certificate, closing connection Netty4TcpChannel], you did not specify the property xpack.security.transport.ssl.verification_mode.
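
An added example, not the author's code: a small audit of the step 4 settings that flags the failure modes this walkthrough touches (security or transport TLS not enabled, a missing or "none" verification_mode, a node configured with the CA's own certificate instead of the per-node one from step 2, and typographic quotes pasted into a path). The sample configs are constructed, and the certs/node01.* paths are hypothetical names.

```python
# Added example (not the author's code): audit the transport TLS settings from step 4.
PREFIX = "xpack.security.transport.ssl."
CURLY = "“”‘’"  # typographic quotes that survive copy-paste from a web page

def parse_settings(text):
    """Parse flat 'key: value' lines, the only YAML form the article uses."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        key, value = line.split(":", 1)
        items = [v.strip().strip("\"'") for v in value.strip().strip("[]").split(",")]
        settings[key.strip()] = [v for v in items if v]
    return settings

def audit_transport_tls(text):
    """Return a list of findings; an empty list means every check passed."""
    s = parse_settings(text)
    first = lambda key: (s.get(key) or [""])[0]
    findings = []
    for key in ("xpack.security.enabled", PREFIX + "enabled"):
        if first(key).lower() != "true":
            findings.append(key + " is not true")
    mode = first(PREFIX + "verification_mode")
    if not mode:
        findings.append("verification_mode is not set (see the NOTE above)")
    elif mode == "none":
        findings.append("verification_mode none skips certificate verification")
    # A node that presents the CA certificate also holds the CA private key,
    # so that one node could sign certificates the whole cluster trusts.
    cas = [v.strip(CURLY) for v in s.get(PREFIX + "certificate_authorities", [])]
    if first(PREFIX + "certificate") in cas:
        findings.append("node certificate is the CA certificate; use the step 2 certificate")
    if any(c in v for vals in s.values() for v in vals for c in CURLY):
        findings.append("typographic quotes in a value; YAML keeps them in the path")
    return findings

# Constructed samples. The certs/node01.* paths are hypothetical names for the
# per-node files produced in step 2.
NODE_CERT = "xpack.security.enabled: true\n" + "\n".join(PREFIX + line for line in (
    "enabled: true", "verification_mode: certificate",
    "key: certs/node01.key", "certificate: certs/node01.crt",
    'certificate_authorities: [ "ca/ca.crt" ]'))
CA_AS_NODE = NODE_CERT.replace("certs/node01", "ca/ca").replace('"', "“", 1).replace('"', "”", 1)

if __name__ == "__main__":
    for name, cfg in (("NODE_CERT", NODE_CERT), ("CA_AS_NODE", CA_AS_NODE)):
        print(name, audit_transport_tls(cfg) or "ok")
```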

Will be posting the GitHub link for the complete project soon! Feel free to reach out and give any feedback.

References:

https://www.elastic.co/blog/getting-started-with-elasticsearch-security

Thank you!

Shubhmeet
