

Elasticsearch 8 Security Tutorial - Store credentials using keystore | JavaInUse


In the previous tutorials we secured all Elasticsearch communications using SSL. The elasticsearch.yml we configured in the previous tutorial stores sensitive information, such as the keystore password, in clear text. Such configurations require extra security measures, as standard filesystem permissions alone may not be enough.

To address this, Elasticsearch offers a keystore feature along with the elasticsearch-keystore tool. The keystore serves as a secure repository for sensitive configuration settings like passwords, API keys, and certificates. Operating like a vault, it stores sensitive information in an encrypted format, protecting it from unauthorized access. This reduces the risk of accidental exposure or malicious exploitation of critical credentials. Elasticsearch uses the Java Cryptography Extension to encrypt the keystore, ensuring the highest level of data security.

By using the keystore, administrators can manage and update sensitive settings without modifying configuration files directly. This reduces the likelihood of unintentional exposure, such as mistakenly committing secrets to version control systems or logs. A key advantage of the Elasticsearch keystore is that it segregates sensitive information from the rest of the system: credentials live in a dedicated location, minimizing the chance of leakage through configuration errors or mismanagement.


Implementation

In the previous tutorial, we created elasticsearch.yml as follows:
# configure https
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.type: PKCS12
xpack.security.http.ssl.keystore.path: elastic-certificates.p12
xpack.security.http.ssl.keystore.password: javainuse
xpack.security.http.ssl.client_authentication: required 

# configure tls
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.keystore.type: PKCS12
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.keystore.password: javainuse
xpack.security.transport.ssl.client_authentication: required
Not all of the properties above can be moved to the Elasticsearch keystore, only those marked as secure on the "Security settings in Elasticsearch" documentation page. On that page, the property xpack.security.http.ssl.keystore.password is not marked as secure. A similar property, xpack.security.http.ssl.keystore.secure_password, is marked as secure and so can be moved to the keystore. With the secure property names, elasticsearch.yml will be as follows:
# configure https
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.type: PKCS12
xpack.security.http.ssl.keystore.path: elastic-certificates.p12
xpack.security.http.ssl.keystore.secure_password: javainuse
xpack.security.http.ssl.client_authentication: required 

# configure tls
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.keystore.type: PKCS12
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.keystore.secure_password: javainuse
xpack.security.transport.ssl.client_authentication: required
Open the command prompt as an admin, go to the Elasticsearch bin folder and type the following command:
elasticsearch.bat




Startup fails with an exception that tells us to move the secure properties to the keystore.
Let us add the secure property xpack.security.http.ssl.keystore.secure_password to the Elasticsearch keystore. The tool prompts for the value:
elasticsearch-keystore add xpack.security.http.ssl.keystore.secure_password

Similarly, add the secure property xpack.security.transport.ssl.keystore.secure_password to the Elasticsearch keystore:
elasticsearch-keystore add xpack.security.transport.ssl.keystore.secure_password

We can list the properties stored in the keystore:
elasticsearch-keystore list

The elasticsearch.yml no longer contains the password properties, so it will be as follows:
# configure https
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.type: PKCS12
xpack.security.http.ssl.keystore.path: elastic-certificates.p12
xpack.security.http.ssl.client_authentication: optional 

# configure tls
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.keystore.type: PKCS12
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.client_authentication: optional
If we now start the Elasticsearch instance as follows, it starts successfully:
elasticsearch.bat
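
A check for the two problems this tutorial walks through, as an added example that is not part of the original tutorial: it scans an elasticsearch.yml for cleartext `password` settings and for `secure_*` settings left in the file, and prints the `elasticsearch-keystore add` command for each. The function name `audit_yml` and the sample file are constructed for illustration, and the `password` to `secure_password` renaming rule is an assumption generalized from the two settings shown above.

```python
import re

# Constructed sample: the tutorial's second elasticsearch.yml (shortened),
# with one legacy cleartext setting left in so both problems appear.
SAMPLE_YML = """\
# configure https
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.type: PKCS12
xpack.security.http.ssl.keystore.path: elastic-certificates.p12
xpack.security.http.ssl.keystore.secure_password: javainuse
xpack.security.http.ssl.client_authentication: required

# configure tls
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.keystore.password: javainuse
"""

# Flat "dotted.key: value" lines only, as used on this page (assumption:
# nested YAML mappings are not handled).
SETTING = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*:\s*(\S.*)$")

def audit_yml(text):
    """Return (line_no, setting, problem, fix_command); never the secret value."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        if raw.lstrip().startswith("#"):
            continue
        m = SETTING.match(raw)
        if not m:
            continue
        key = m.group(1)
        prefix, _, last = key.rpartition(".")
        if last.startswith("secure_"):
            # Keystore-only setting placed in the yml: startup exception.
            problem, target = "secure setting in yml", key
        elif last == "password":
            # Cleartext form: suggest the secure_ twin shown in the tutorial.
            problem, target = "cleartext password in yml", prefix + ".secure_password"
        else:
            continue
        findings.append((no, key, problem, "elasticsearch-keystore add " + target))
    return findings

if __name__ == "__main__":
    for no, key, problem, cmd in audit_yml(SAMPLE_YML):
        print(f"line {no}: {key}: {problem}; remove it, then run: {cmd}")
```

Run against the final elasticsearch.yml of this tutorial, the check reports nothing, which is the state to reach before committing the file to version control.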