truststore.path: security/elastic-certificates.p12 keystore.path: security/elastic-certificates.p12 There are some options that must be added to all of the nodes for the cluster, such as the following: : true It’s just a matter of remembering when will they expire and renewing them beforehand. I recommend setting the certificates to expire at a future date. (By default, under /usr/share/elasticsearch/, with the names of elastic-stack-ca.p12 (CA) and elastic-certificates.p12 certificates). You can create both certificates on any of the servers and they can be distributed afterward. Then, it’s necessary to create the certificates for the individual components: /usr/share/elasticsearch/bin/elasticsearch-certutil cert -ca elastic-stack-ca.p12 -dns esmaster1,esmaster2,esmaster3,esdata1,esdata2,esdata3,escoord1,escoord2,eslogstash1,eslogstash2 The diagram is just for information purposes.įirst, we need to create the CA for the cluster: /usr/share/elasticsearch/bin/elasticsearch-certutil ca Of course, this will NOT be the case for your deployment, so please adjust the components as necessary. I’ll work on this post under the assumption the architecture is as it is in the following diagram. The good news is we have this blog post as a guide! :) Sample Elastic Stack architecture The bad news is that vendor documentation about securing it is still scarce. Fortunately, this is no more and now we have a way to both quickly deploy and secure our stack. If we needed any secure communications between the components of our cluster, we had to pay. We all heard the great news from the vendor, Elastic, a few months ago - starting with version 6.8.0 and 7.1.0, most of the security features on Elasticsearch are now free! Before this, we had to use X-Pack (paid) features. The truth is, that’s not always the case. All of them should be on a private, secure network. It’s always configured to have all the messages exchanged between the components in the stack in plain text! Of course, we always imagine the components are in a secure channel - the nodes of the cluster, the information shipping to them via Beats, etc. If you need to install an Elasticsearch cluster, please make sure to check out the first post which covered Installing Elasticsearch Using Ansible.Īs I mentioned in the first post, one thing I find disturbing in this day and age is Elastic Stack’s default behavior. In this post, I’ll be focusing on securing your elastic stack (plus Kibana, Logstash and Beats) using HTTPS, SSL and TLS. The final objective is to deploy and secure a production-ready environment using these freely available tools. This is the second of a series of blog posts related to Elastic Stack and the components around it. We originally published today’s post on December 16, 2019. Editor’s Note: Because our bloggers have lots of useful tips, every now and then we bring forward a popular post from the past.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |