
4. Security:

  • Configure mTLS (mutual TLS): the transport and HTTP layers are protected with TLS, and HTTP clients must present a certificate issued by the cluster CA.

    Step 1. Generate CA cert

  • # Generate CA private key

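# Directory holding the cluster CA and node material (override with CERT_DIR).
CERT_DIR="${CERT_DIR:-/etc/elasticsearch/certs}"
# CA certificate validity in days (override with CA_DAYS).
CA_DAYS="${CA_DAYS:-3650}"

mkdir -p -- "$CERT_DIR"

# openssl writes key files with the current umask, so tighten it first:
# the CA private key must never be world-readable, not even briefly.
umask 077

# Generate CA private key.
# -nodes (below) leaves this key unencrypted on disk; consider a passphrase
# for a CA key that is kept long-term.
openssl genrsa -out "$CERT_DIR/ca.key" 2048

# Generate the self-signed CA certificate.
openssl req -x509 -new -nodes -key "$CERT_DIR/ca.key" -sha256 -days "$CA_DAYS" \
  -out "$CERT_DIR/ca.crt" \
  -subj "/C=US/ST=State/L=City/O=My Company/CN=Elasticsearch CA"

# ca.crt is public and must be readable by the service; ca.key is root-only.
# The CA key is only needed to sign CSRs: once the node certificates are
# issued, move it off the Elasticsearch nodes and distribute ca.crt only.
chmod 644 -- "$CERT_DIR/ca.crt"
chmod 600 -- "$CERT_DIR/ca.key"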


Prepare the openssl.cnf configuration
 

Create a separate openssl.cnf file for each node. The CN and, more importantly, the subjectAltName (DNS name and IP address) must match how the node is addressed by peers and clients — this is what hostname verification (verification_mode: full) checks.

openssl-es01.cnf

​

es01:

cat openssl-es01.cnf

 

# Per-node OpenSSL request configuration for es01.
# Used twice: by `openssl req -config` to build the CSR, and again by
# `openssl x509 -req -extfile ... -extensions v3_req` at signing time, since
# `x509 -req` does not copy extensions from the CSR by default.
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
# Take the DN from this file instead of prompting interactively.
prompt = no

[req_distinguished_name]
C = US
ST = State
L = City
O = My Company
# Modern TLS verifiers match hostnames against subjectAltName, not CN;
# keep CN equal to the node name for readability but rely on [alt_names].
CN = es01

[v3_req]
# digitalSignature + keyEncipherment cover TLS; dataEncipherment is not
# used by TLS and could be dropped.
keyUsage = critical, digitalSignature, keyEncipherment, dataEncipherment
# serverAuth: the node is a TLS server on 9200/9300.
# clientAuth: the same certificate is presented as a client when this node
# opens transport connections to its peers.
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = @alt_names

[alt_names]
# Every name/IP the node is reached by must be listed here (discovery.seed_hosts
# uses the short hostname, curl uses es01, the remote-cluster seed uses the IP).
# For es02/es03 copy this file and change CN, DNS.1 and IP.1 accordingly.
DNS.1 = es01
IP.1 = 192.168.56.81

  • Step 2: Generate Private Key and CSR for Each Node es01:

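# Generate a private key and CSR for every node in one pass.
# Each node needs a matching $CERT_DIR/openssl-<node>.cnf (CN + SAN) first.
CERT_DIR="${CERT_DIR:-/etc/elasticsearch/certs}"
# Group the Elasticsearch service runs as; it must be able to read its key.
ES_GROUP="${ES_GROUP:-elasticsearch}"
NODES=(es01 es02 es03)

# Keys are created with the current umask; make them root-only at creation.
umask 077

for node in "${NODES[@]}"; do
  cnf="$CERT_DIR/openssl-$node.cnf"
  if [[ ! -f "$cnf" ]]; then
    printf 'missing %s\n' "$cnf" >&2
    exit 1
  fi

  # Generate the node's private key.
  openssl genrsa -out "$CERT_DIR/$node.key" 2048

  # Generate the CSR; CN and subjectAltName come from the per-node config.
  openssl req -new -key "$CERT_DIR/$node.key" \
    -out "$CERT_DIR/$node.csr" -config "$cnf"

  # Root owns the key, the service group may read it, nobody else can.
  chown "root:$ES_GROUP" -- "$CERT_DIR/$node.key"
  chmod 640 -- "$CERT_DIR/$node.key"
done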

​

  • Step 3: Sign the Certificate for Each Node

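# Sign each node's CSR with the cluster CA.
CERT_DIR="${CERT_DIR:-/etc/elasticsearch/certs}"
# Node certificate validity in days. 3650 keeps the original value; a 10-year
# leaf certificate is long — a leaked key stays usable until expiry — so prefer
# a shorter lifetime and plan rotation.
CERT_DAYS="${CERT_DAYS:-3650}"
NODES=(es01 es02 es03)

for node in "${NODES[@]}"; do
  # -extfile/-extensions are mandatory here: `x509 -req` ignores the
  # extensions in the CSR, so without them the issued certificate would have
  # no SAN, keyUsage or extendedKeyUsage.
  openssl x509 -req -in "$CERT_DIR/$node.csr" \
    -CA "$CERT_DIR/ca.crt" -CAkey "$CERT_DIR/ca.key" -CAcreateserial \
    -out "$CERT_DIR/$node.crt" -days "$CERT_DAYS" -sha256 \
    -extfile "$CERT_DIR/openssl-$node.cnf" -extensions v3_req

  # Fail fast if the issued certificate does not chain to the CA.
  openssl verify -CAfile "$CERT_DIR/ca.crt" "$CERT_DIR/$node.crt"
done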

  • Step 4: Update Elasticsearch Configuration

  • es01:

  • # Elasticsearch configuration for es01

# HTTP (REST, port 9200) layer: server-side TLS with the es01 node certificate.
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.key: /etc/elasticsearch/certs/es01.key
xpack.security.http.ssl.certificate: /etc/elasticsearch/certs/es01.crt
# CA used to validate client certificates. This snippet does not set
# xpack.security.http.ssl.client_authentication, so clients are not yet
# required to present one; the full elasticsearch.yml further down sets it
# to "required".
xpack.security.http.ssl.certificate_authorities: ["/etc/elasticsearch/certs/ca.crt"]

# Transport (node-to-node, port 9300) layer: nodes authenticate each other.
xpack.security.transport.ssl.enabled: true
# "certificate" checks that the peer certificate chains to ca.crt but not
# that its SAN matches the peer's hostname/IP. The node certificates carry
# DNS/IP SANs, so "full" is possible here and also pins identities.
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.key: /etc/elasticsearch/certs/es01.key
xpack.security.transport.ssl.certificate: /etc/elasticsearch/certs/es01.crt
xpack.security.transport.ssl.certificate_authorities: ["/etc/elasticsearch/certs/ca.crt"]

Step 5: Restart the Elasticsearch nodes, one at a time, once each node's key, certificate and ca.crt are in place and readable by the service account.

  • Step 6: Verify

After updating the certificates and restarting the nodes, run the elasticsearch-setup-passwords command again. Note the deprecation banner below: the tool is scheduled for removal, so on newer releases use the password-reset tool your version documents.

 

[root@es01 certs]# /usr/share/elasticsearch/bin/elasticsearch-setup-passwords interactive

******************************************************************************

Note: The 'elasticsearch-setup-passwords' tool has been deprecated. This command will be removed in a future release.

******************************************************************************

 

Initiating the setup of passwords for reserved users elastic,apm_system,kibana,kibana_system,logstash_system,beats_system,remote_monitoring_user.

You will be prompted to enter passwords as the process progresses.

Please confirm that you would like to continue [y/N]y

 

 

Enter password for [elastic]:

Reenter password for [elastic]:

Enter password for [apm_system]:

Reenter password for [apm_system]:

Enter password for [kibana_system]:

Reenter password for [kibana_system]:

Enter password for [logstash_system]:

Reenter password for [logstash_system]:

Enter password for [beats_system]:

Reenter password for [beats_system]:

Enter password for [remote_monitoring_user]:

Reenter password for [remote_monitoring_user]:

Passwords do not match.

Try again.

Enter password for [remote_monitoring_user]:

Reenter password for [remote_monitoring_user]:

Changed password for user [apm_system]

Changed password for user [kibana_system]

Changed password for user [kibana]

Changed password for user [logstash_system]

Changed password for user [beats_system]

Changed password for user [remote_monitoring_user]

Changed password for user [elastic]

 

Verify Certificates

You can verify the keyUsage, extendedKeyUsage and subjectAltName values in the generated certificate using the following commands (adjust the grep pattern to "Extended Key Usage" or "Subject Alternative Name" as needed):

 

 

[root@es01 certs]# openssl x509 -in /etc/elasticsearch/certs/es01.crt -text -noout | grep -A 1 "X509v3 Key Usage"

 

 

            X509v3 Key Usage: critical

                Digital Signature, Key Encipherment, Data Encipherment

[root@es01 certs]# openssl x509 -in /etc/elasticsearch/certs/es01.crt -text -noout | grep -A 1 "X509v3 Extended Key Usage"

            X509v3 Extended Key Usage: 

                TLS Web Server Authentication, TLS Web Client Authentication

 

 

  • Step 7: Verify via a curl command.

    ​

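# Verify the HTTPS endpoint *with* certificate validation. --cacert pins the
# cluster CA so the DNS/IP SAN in es01.crt is actually checked; -k/--insecure
# would skip exactly the verification configured above.
# -u elastic (no password) makes curl prompt for it, keeping the secret out of
# shell history and `ps` output.
# If xpack.security.http.ssl.client_authentication is "required" (as in the
# elasticsearch.yml shown below), the handshake also needs a client certificate
# issued by ca.crt: add --cert client.crt --key client.key.
curl --cacert /etc/elasticsearch/certs/ca.crt -u elastic \
  -X GET "https://es01:9200/_cluster/health?pretty"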

cat /etc/elasticsearch/elasticsearch.yml

[root@es01 elasticsearch]# cat /etc/elasticsearch/elasticsearch.yml

cluster.name: es_cluster
node.name: "es01"
http.port: 9200
# Bound address; must be covered by the certificate's SAN (DNS.1 = es01).
network.host: "es01"
path.logs: /var/log/elasticsearch/
path.data: /usr/share/elasticsearch/data/directory
# Peers are addressed by short hostname, so each node certificate's SAN must
# carry that name for hostname verification to succeed.
discovery.seed_hosts:
  - es01
  - es02
  - es03

# Bootstrap-only setting; the Elasticsearch docs recommend removing it once
# the cluster has formed — confirm for your version.
cluster.initial_master_nodes:
  - es01
  - es02
  - es03

xpack.security.enabled: true
# Transport Layer SSL/TLS
xpack.security.transport.ssl.enabled: true
# "certificate": peers must chain to ca.crt, but their SAN is not matched
# against the hostname/IP. The node certificates carry DNS/IP SANs, so
# "full" would also work here and pins node identities.
xpack.security.transport.ssl.verification_mode: certificate
# NOTE(review): es.key/es.crt differ from the es01.key/es01.crt generated
# earlier on this page — confirm these files exist (or point at es01.*).
xpack.security.transport.ssl.key: /etc/elasticsearch/certs/es.key
xpack.security.transport.ssl.certificate: /etc/elasticsearch/certs/es.crt
xpack.security.transport.ssl.certificate_authorities: ["/etc/elasticsearch/certs/ca.crt"]

# HTTP Layer SSL/TLS
xpack.security.http.ssl.enabled: true
# mTLS on the REST API: every HTTP client (curl, Kibana, Beats, ...) must
# present a certificate issued by ca.crt; a username/password alone is not
# enough. A curl call with -k and no --cert/--key fails the handshake here.
xpack.security.http.ssl.client_authentication: required
# NOTE(review): on the HTTP layer this controls how presented client
# certificates are verified — confirm "full" does not reject legitimate
# clients whose certificate SAN does not match their address.
xpack.security.http.ssl.verification_mode: full
# NOTE(review): same es.key/es.crt naming mismatch as on the transport layer.
xpack.security.http.ssl.key: /etc/elasticsearch/certs/es.key
xpack.security.http.ssl.certificate: /etc/elasticsearch/certs/es.crt
xpack.security.http.ssl.certificate_authorities: ["/etc/elasticsearch/certs/ca.crt"]

# Enrollment tokens remain usable while this is true; consider disabling it
# once all nodes and Kibana are enrolled — confirm for your version.
xpack.security.enrollment.enabled: true
# Snapshot repository under /tmp: /tmp is world-writable and often cleaned on
# reboot, so any local user could tamper with snapshots. Use a dedicated
# directory owned by the service account.
path.repo: ["/tmp/repo"]

## Configure from target cluster
# NOTE(review): 192.168.56.81 is es01's own IP per the SAN above — confirm
# this seed is meant to point at this node rather than a separate source cluster.
cluster.remote.source_cluster.seeds:
  - 192.168.56.81:9300

​

Connect from a client. Because client_authentication is "required", the client needs its own certificate (client.crt/client.key) issued by the same CA using the CSR and signing steps above; the CA bundle ca.crt is used to verify the server:

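# mTLS client call: --cacert verifies the server against the cluster CA,
# --cert/--key present the client certificate the server now requires.
# -u elastic without a password makes curl prompt, so the secret is not
# exposed in shell history or `ps` output.
# NOTE: the IP must be in the server certificate's SAN (IP.1 = 192.168.56.81)
# for verification to pass.
curl --cacert ca.crt --cert client.crt --key client.key \
  -u elastic "https://192.168.56.81:9200"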

 

 

 

 

 

 

 

 

 

 

 

​
