If you have a non-trial license and you want to use X-Pack security, you must configure TLS for internode communication.
Create a Certificate Authority / Signing Authority:
For example, run the following command:
elasticsearch-6.1.2/bin/x-pack/certgen --dn 'CN=MyExample Global CA' --pass --days 3650 --keysize 4096 --out elk_ca/ELK_CA.zip
For more information, see the
When prompted, enter the password you selected or generated.
Save the password, because you will not be able to recover it. This password is used to sign certificates.
The command outputs a zip file that contains the public certificate and the private key of your root certificate authority.
Unzip the zip file generated from the previous step.
Only the ca/ca.crt file will be distributed. Store the ca/ca.key file away for safekeeping, along with the password generated earlier; you will need that password to decrypt ca/ca.key.
Generate the server certificates:
Create a new instance.yml file:
instances:
  - name: 'node1'
    dns: [ 'node1.local' ]
  - name: 'my-kibana'
    dns: [ 'kibana.local' ]
  - name: 'logstash'
    dns: [ 'logstash.local' ]
This example will generate the public certificate and private key for the Elasticsearch node, Kibana and Logstash. Using these certificates will require the DNS name to be properly set up.
You can edit the /etc/hosts file to make the DNS names valid for testing purposes, as follows:
127.0.0.1 localhost node1.local kibana.local logstash.local
Run the following command to generate certificates that will be valid for 3 years for each of the instances:
elasticsearch-6.1.2/bin/x-pack/certgen --days 1095 --cert elk_ca/ca/ca.crt --key elk_ca/ca/ca.key --pass --in instance.yml --out certs.zip
This command uses the certificate and key required for signing that were created earlier. The --pass option will prompt for the password that is required to decrypt the private key of the signing authority.
- Unzip the certs.zip file you generated.
Enable TLS on the Elasticsearch nodes:
- Create a certs subdirectory in the Elasticsearch config folder.
- Copy the ca/ca.crt, the node's private key and the public certificate to the config/certs directory.
Edit the config/elasticsearch.yml as follows:
node.name: node1
network.host: node1.local
xpack.ssl.key: certs/node1.key
xpack.ssl.certificate: certs/node1.crt
xpack.ssl.certificate_authorities: certs/ca.crt
xpack.security.transport.ssl.enabled: true
xpack.security.http.ssl.enabled: true
discovery.zen.ping.unicast.hosts: [ 'node1.local' ]
node.max_local_storage_nodes: 1
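The certificate-generation step above and the config/certs layout both depend on three things holding for each node certificate: it is signed by ca/ca.crt, the private key placed next to it actually belongs to it, and it carries the DNS name from instance.yml in subjectAltName (the reason the /etc/hosts entries matter). The following shell script is an added example, not code from the original post or from Elastic, that checks all three with the openssl CLI before the files are copied into config/certs. It assumes openssl is installed; the function names check_node_cert and make_test_pki, and the throwaway CA and key material the demo builds, are constructed for this example.

```shell
#!/usr/bin/env bash
# Added example, not part of the original post: sanity-check a node
# certificate produced by certgen before dropping it into config/certs.
# Assumes the openssl CLI is installed. File names (ca.crt, node1.crt,
# node1.key) and the host name node1.local follow the page; the helper
# that builds throwaway test material below is constructed for this example.
set -u

# check_node_cert CA_CRT NODE_CRT NODE_KEY HOSTNAME
# Returns 0 when the certificate chains to the CA, the private key matches
# the certificate, and the certificate lists HOSTNAME in subjectAltName;
# otherwise prints the first failing check and returns 1.
check_node_cert() {
  local ca_crt="$1" node_crt="$2" node_key="$3" host="$4"
  local cert_pub key_pub cert_text

  # 1. Chain: Elasticsearch trusts only certificates signed by the CA listed
  #    in xpack.ssl.certificate_authorities.
  if ! openssl verify -CAfile "$ca_crt" "$node_crt" >/dev/null 2>&1; then
    echo "FAIL: $node_crt is not signed by $ca_crt"; return 1
  fi

  # 2. Key/cert pairing: compare the public key derived from each file.
  cert_pub=$(openssl x509 -in "$node_crt" -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$node_key" -pubout 2>/dev/null) || return 1
  if [ "$cert_pub" != "$key_pub" ]; then
    echo "FAIL: $node_key does not belong to $node_crt"; return 1
  fi

  # 3. Hostname: clients verify the DNS name they connect to against the
  #    subjectAltName, which is why /etc/hosts must resolve node1.local.
  cert_text=$(openssl x509 -in "$node_crt" -noout -text 2>/dev/null) || return 1
  if ! printf '%s\n' "$cert_text" | grep -qw "DNS:$host"; then
    echo "FAIL: $node_crt has no subjectAltName entry DNS:$host"; return 1
  fi

  echo "OK: $node_crt is valid for $host and signed by $ca_crt"
  return 0
}

# make_test_pki DIR
# Constructed test material: a throwaway CA and a node certificate for
# node1.local built with plain openssl, so the check can run offline
# without certgen. Also writes other.key, a key that matches no certificate.
make_test_pki() {
  local dir="$1"
  mkdir -p "$dir"
  # Self-signed CA with the basicConstraints/keyUsage a signing CA needs.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Test CA" \
    -keyout "$dir/ca.key" -out "$dir/ca.csr" >/dev/null 2>&1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$dir/ca.cnf"
  openssl x509 -req -in "$dir/ca.csr" -signkey "$dir/ca.key" -days 30 \
    -extfile "$dir/ca.cnf" -out "$dir/ca.crt" >/dev/null 2>&1
  # Node certificate carrying DNS:node1.local, as instance.yml would request.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=node1" \
    -keyout "$dir/node1.key" -out "$dir/node1.csr" >/dev/null 2>&1
  printf 'subjectAltName=DNS:node1.local\n' > "$dir/node1.cnf"
  openssl x509 -req -in "$dir/node1.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 30 -extfile "$dir/node1.cnf" -out "$dir/node1.crt" >/dev/null 2>&1
  openssl genrsa -out "$dir/other.key" 2048 >/dev/null 2>&1
}

# Stand-alone demo: build the throwaway PKI and run the good and bad cases.
PKI_DIR=$(mktemp -d)
trap 'rm -rf "$PKI_DIR"' EXIT
make_test_pki "$PKI_DIR"
check_node_cert "$PKI_DIR/ca.crt" "$PKI_DIR/node1.crt" "$PKI_DIR/node1.key" node1.local
check_node_cert "$PKI_DIR/ca.crt" "$PKI_DIR/node1.crt" "$PKI_DIR/other.key" node1.local || true
check_node_cert "$PKI_DIR/ca.crt" "$PKI_DIR/node1.crt" "$PKI_DIR/node1.key" kibana.local || true
```

Against real output, call it as check_node_cert elk_ca/ca/ca.crt node1/node1.crt node1/node1.key node1.local (the node1/ paths are an assumption about where certs.zip was unzipped). The two failing calls in the demo show the mismatched-key and wrong-hostname cases, which otherwise surface only once a node or client tries to connect.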
Run the following command to start the Elasticsearch node:
Run the following command to check the vm.max_map_count value on your Docker host machine:
If the value is less than 262144, run the following command:
sysctl -w vm.max_map_count=262144
Open a terminal window and go to the Elasticsearch folder:
cd ~/tmp/cert_blog/elasticsearch-6.0.0-beta2
bin/x-pack/setup-passwords auto -u "https://node1.local:9200"
When prompted, type y to continue and save the generated passwords for the users.
Run the following command to check that the nodes are listed (the output is shown below the command):
curl --cacert elk_ca/ca/ca.crt -u elastic 'https://node1.local:9200/_cat/nodes'
127.0.0.1 42 100 14 1.91 mdi * node1
Append ?v to the end of the URL to get the column names. For more information, see https://www.elastic.co/guide/en/elasticsearch/reference/6.x/cat.html#verbose.