
Elasticsearch 8 Security Tutorial - Configuring SSL, TLS, and HTTPS | JavaInUse

In previous tutorials we configured security for Elasticsearch by setting the password. To secure communication as well, Elasticsearch should be configured with SSL/TLS encryption and HTTPS. This tutorial walks through generating digital certificates, setting up SSL/TLS encryption, and enabling HTTPS for an Elasticsearch deployment.

Implementation

Elasticsearch has two levels of communication: transport communication and HTTP communication. We will look at the security of each level in detail.

Create and use PKCS12 certificate for http communications

HTTP communication is the communication between Elasticsearch and clients such as a browser, Postman, or Spring Boot client applications.
We will be using the elasticsearch-certutil command for the creation of certificates. This tool assists you in the generation of X.509 certificates and certificate signing requests for use with SSL/TLS in the Elastic stack.
  • Generate new certificate authority
    elasticsearch-certutil ca

    The 'ca' mode generates a new certificate authority. This creates a new X.509 certificate and private key that can be used to sign certificates when running in 'cert' mode.
  • Generate X.509 certificate
    We make use of the certificate authority created above to generate the certificate.
    elasticsearch-certutil cert --ca elastic-stack-ca.p12

    The 'cert' mode generates X.509 certificates and private keys. By default, this generates a single certificate and key for use on a single instance.
Copy elastic-certificates.p12 to the Elasticsearch config folder and modify elasticsearch.yml as follows -
# configure https
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.type: PKCS12
xpack.security.http.ssl.keystore.path: elastic-certificates.p12
xpack.security.http.ssl.keystore.password: javainuse
Open the command prompt as an administrator, go to the Elasticsearch bin folder, and run the following command:
elasticsearch.bat
If we now go to https://localhost:9200, we can access the Elasticsearch cluster.

SSL Certificate setting

We may want to control the server's behavior with regard to requesting a certificate from client connections. For example, we may want to make it compulsory for a client to present a certificate if it wants to access the Elasticsearch cluster; without a certificate, the client will not be able to access the cluster. The current Elasticsearch configuration does not specify any client certificate requirement, so a client can currently access Elasticsearch without presenting a certificate. The requirement is controlled by the following setting:
xpack.security.http.ssl.client_authentication
Valid values are required, optional, and none. required forces a client to present a certificate, while optional requests a client certificate but the client is not required to present one. Defaults to none.
Modify the elasticsearch.yml as follows -
# configure https
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.type: PKCS12
xpack.security.http.ssl.keystore.path: elastic-certificates.p12
xpack.security.http.ssl.keystore.password: javainuse
xpack.security.http.ssl.client_authentication: required
If we now try to access https://localhost:9200 using the browser, we cannot, and the browser shows an error.
So the client needs to provide the certificate, and only then will it be able to access the Elasticsearch cluster. To do this we use Postman as the client and configure the certificate in the Postman settings.
If we now access Elasticsearch at https://localhost:9200 using Postman, we are able to access it.

Configure TLS for Elasticsearch

The transport protocol is used for internal communications between Elasticsearch nodes.
We will be configuring TLS for elasticsearch as follows -
# configure https
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.type: PKCS12
xpack.security.http.ssl.keystore.path: elastic-certificates.p12
xpack.security.http.ssl.keystore.password: javainuse
xpack.security.http.ssl.client_authentication: required

# configure tls
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.keystore.type: PKCS12
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.keystore.password: javainuse
xpack.security.transport.ssl.client_authentication: required
So now any node that needs to join the Elasticsearch cluster must be configured with the PKCS12 certificate, i.e. elastic-certificates.p12.
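
The following check is an added example, not code from the original tutorial or from Elastic. It audits a flat elasticsearch.yml for the settings configured above and reports, per layer, whether TLS is off, a client certificate is not enforced, or the keystore password sits in plain text. The helper names parse_flat_yml and audit are hypothetical; the transport default of required and the secure_password keystore setting are taken from the Elasticsearch documentation rather than this page.

```python
# Added example: audit a flat elasticsearch.yml for the TLS settings used in this tutorial.
# parse_flat_yml() and audit() are hypothetical helpers, not part of Elasticsearch.

# http default ("none") is stated in the tutorial; transport default per Elasticsearch docs.
CLIENT_AUTH_DEFAULT = {"http": "none", "transport": "required"}

def parse_flat_yml(text):
    """Parse 'dotted.key: value' lines; skips blanks and comment lines."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip()
    return settings

def audit(text):
    """Return findings for the http and transport SSL layers, in that order."""
    s = parse_flat_yml(text)
    findings = []
    for layer in ("http", "transport"):
        prefix = f"xpack.security.{layer}.ssl."
        if s.get(prefix + "enabled", "false").lower() != "true":
            findings.append(f"{layer}: TLS not enabled")
            continue
        if prefix + "keystore.path" not in s:
            findings.append(f"{layer}: no keystore.path set")
        if prefix + "keystore.password" in s:
            # The keystore.secure_password variant lives in the Elasticsearch keystore instead.
            findings.append(f"{layer}: keystore password stored in plain text")
        mode = s.get(prefix + "client_authentication", CLIENT_AUTH_DEFAULT[layer])
        if mode != "required":
            findings.append(f"{layer}: client certificate not enforced ({mode})")
    return findings

# Sample inputs: the tutorial's first and final configurations.
HTTPS_ONLY = """\
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.type: PKCS12
xpack.security.http.ssl.keystore.path: elastic-certificates.p12
xpack.security.http.ssl.keystore.password: javainuse
"""
FINAL = HTTPS_ONLY + "xpack.security.http.ssl.client_authentication: required\n" + \
    HTTPS_ONLY.replace(".http.", ".transport.") + \
    "xpack.security.transport.ssl.client_authentication: required\n"

if __name__ == "__main__":
    for name, cfg in (("https only", HTTPS_ONLY), ("final", FINAL)):
        print(name, audit(cfg))
```

The final configuration still yields two findings, one per layer, because both keystore passwords are written directly in elasticsearch.yml.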