Configuring Transport Layer Security (TLS/SSL) in Elasticsearch - 7.0

Talend ESB Installation Guide for Windows

EnrichVersion
7.0
EnrichProdName
Talend ESB
task
Installation and Upgrade
EnrichPlatform
Talend Administration Center
Talend Artifact Repository
Talend CommandLine
Talend Data Preparation
Talend Data Stewardship
Talend ESB
Talend Identity and Access Management
Talend Installer
Talend Log Server
Talend Runtime
Talend Studio

If you have a non-trial license and you want to use X-Pack security, you must configure TLS for internode-communication.

Procedure

  1. Create a Certificate Authority / Signing Authority:
    1. For example, run the following command:
      elasticsearch-6.1.2/bin/x-pack/certgen --dn 'CN=MyExample Global CA' --pass --days 3650 --keysize 4096 --out elk_ca/ELK_CA.zip
      For more information, see the certgen documentation: https://www.elastic.co/guide/en/elasticsearch/reference/6.x/certgen.html.
    2. When prompted, enter the password you selected or generated.
      Save the password because you will not be able to recover it. This password is used to sign certificates.
      The command outputs a zip file that contains the public certificate and the private key of your root certification authority.
    3. Unzip the zip file generated from the previous step.

      Only the ca/ca.crt file will be distributed. The ca/ca.key file should be stored away for safe keeping, along with the password generated earlier. You will need it to decrypt the ca/ca.key.

  2. Generate the server certificates:
    1. Create a new instance.yml file.
      instances:
        - name: 'node1'
          dns: [ 'node1.local' ]
        - name: 'my-kibana'
          dns: [ 'kibana.local' ]
        - name: 'logstash'
          dns: [ 'logstash.local' ]

      This example will generate the public certificate and private key for the Elasticsearch node, Kibana and Logstash. Using these certificates will require the DNS name to be properly set up.

    2. You can edit the /etc/hosts file to make the DNS names valid for testing purposes, as follows:
      127.0.0.1 localhost node1.local  kibana.local logstash.local
    3. Run the following command to generate certificates that will be valid for 3 years for each of the instances:
      elasticsearch-6.1.2/bin/x-pack/certutil ca elasticsearch-6.1.2/bin/x-pack/certgen --days 1095 --cert elk_ca/ca/ca.crt --key elk_ca/ca/ca.key --pass --in  instances.yml --out certs.zip
      This command uses the certificate and key required for signing that had been created earlier. The --pass option will prompt for the password that is required to decrypt the private key of the signing authority.
    4. Unzip the certs.zip file you generated.
  3. Enable TLS on the Elasticsearch nodes:
    1. Create a certs subdirectory in the Elasticsearch config folder.
    2. Copy the ca/ca.crt, the node's private key and the public certificate to the config/certs directory.
    3. Edit the config/elasticsearch.yml as follows:
      node.name: node1
      network.host: node1.local
      xpack.ssl.key: certs/node1.key
      xpack.ssl.certificate: certs/node1.crt
      xpack.ssl.certificate_authorities: certs/ca.crt
      xpack.security.transport.ssl.enabled: true
      xpack.security.http.ssl.enabled: true
      discovery.zen.ping.unicast.hosts: [ 'node1.local']
      node.max_local_storage_nodes: 1
    4. Run the following command to start the Elasticsearch node:
      ES_PATH_CONF=config ./bin/elasticsearch
    5. Run the following command to check the vm.max_map_count value on your Docker host machine:
      sysctl vm.max_map_count
    6. If the value is less than 262144, run the following command:
      sysctl -w vm.max_map_count=262144
    7. Open a terminal windows and go to the Elasticsearch folder:
      cd ~/tmp/cert_blog/elasticsearch-6.0.0-beta2
      $ bin/x-pack/setup-passwords auto -u "https://node1.local:9200"
    8. When prompted, type y to continue and save the generated passwords for the users elastic, kibana, logstash_system.
  4. Run the following command to check that the nodes are listed in the cluster:
    curl --cacert elk_ca/ca/ca.crt -u elastic 'https://node1.local:9200/_cat/nodes'
    127.0.0.1 42 100 14 1.91   mdi * node1

    Add ?v to the end of the URL to get the column names. For more information, see https://www.elastic.co/guide/en/elasticsearch/reference/6.x/cat.html#verbose.