Differences

This shows you the differences between two versions of the page.

--- elasticsearch-tls [2020/11/07 11:45] – baumi
+++ elasticsearch-tls [2020/11/08 12:41] (current) – baumi
@@ Line 1: / Line 1: @@
 ====== Configure Elasticsearch/Kibana for TLS and Authentication ======
+===== Create Certificates =====
   - Shutdown elk-cluster
-  - Add certificate path to elasticsearch config in docker-compose.yml
+  - Add certificate path to elasticsearch config in docker-compose.yml<code>
-    <code>
+services:
-	volumes:
+  elasticsearch:
-          - ./certs:/certs
+    volumes:
-    </code>
+      - ./certs:/certs
-  - Start elasticsearch
+</code>
-    $ docker-compose up -d elasticsearch
+  - Start elasticsearch<code>$ docker-compose up -d elasticsearch</code>
+  - Create certificates<code>
-- Create certificates
-<code>
 $ docker exec -it elk-test-elasticsearch bash
 [root@elk-test-elasticsearch elasticsearch]# bin/elasticsearch-certutil ca -pem -ca-dn "cn=Elastic Stack CA"
 This tool assists you in the generation of X.509 certificates and certificate
@@ Line 24: / Line 23: @@
 Please enter the desired output file [elastic-stack-ca.zip]:
 [root@elk-test-elasticsearch elasticsearch]# unzip -d /certs/ elastic-stack-ca.zip
+Archive:  elastic-stack-ca.zip
+   creating: /certs/ca/
+  inflating: /certs/ca/ca.crt
+  inflating: /certs/ca/ca.key
 [root@elk-test-elasticsearch elasticsearch]# bin/elasticsearch-certutil http
@@ Line 54: / Line 57: @@
 CA Key: /certs/ca/ca.key
-## How long should your certificates be valid?
-[ ... ]
 For how long should your certificate be valid? [5y]
@@ Line 146: / Line 145: @@
   inflating: /certs/kibana/sample-kibana.yml
 </code>
+===== Configure elasticsearch for TLS & X-Pack Security =====
+  - Shutdown elasticsearch<code>
+$ docker-compose down
+Stopping elk-test-elasticsearch ... done
+Removing elk-test-elasticsearch ... done
+Removing network elk-test_default
+</code>
+  - Add certificate mount to docker-compose<code>
+volumes:
+  - ./elasticsearch/config/elasticsearch.p12:/usr/share/elasticsearch/config/elasticsearch.p12:ro
+</code>
+  - Copy P12 file to correct place<code>
+$ cp certs/elasticsearch/http.p12 elasticsearch/config/elasticsearch.p12
+$ sudo chown 1000:1000 elasticsearch/config/elasticsearch.p12
+$ sudo chmod 600 elasticsearch/config/elasticsearch.p12
+</code>
+  - Update elasticsearch.yml<code>
+$ grep xpack elasticsearch/config/elasticsearch.yml
+xpack.security.enabled: true
+xpack.security.http.ssl.enabled: true
+xpack.security.http.ssl.verification_mode: "certificate"
+xpack.security.http.ssl.keystore.path: "elasticsearch.p12"
+</code>
+  - Start elasticsearch<code>
+docker-compose up -d elasticsearch
+Creating network "elk-test_default" with the default driver
+Creating elk-test-elasticsearch ... done
+</code>
+  - Create Users<code>
+$ docker exec -it elk-test-elasticsearch bash
+[root@elk-test-elasticsearch elasticsearch]# bin/elasticsearch-setup-passwords auto
+Initiating the setup of passwords for reserved users elastic,apm_system,kibana,kibana_system,logstash_system,beats_system,remote_monitoring_user.
+The passwords will be randomly generated and printed to the console.
+Please confirm that you would like to continue [y/N]y
+Changed password for user apm_system
+PASSWORD apm_system = ***
+Changed password for user kibana_system
+PASSWORD kibana_system = ***
+Changed password for user kibana
+PASSWORD kibana = ***
+Changed password for user logstash_system
+PASSWORD logstash_system = ***
+Changed password for user beats_system
+PASSWORD beats_system = ***
+Changed password for user remote_monitoring_user
+PASSWORD remote_monitoring_user = ***
+Changed password for user elastic
+PASSWORD elastic = ***
+</code>
+===== Configure Kibana for TLS and User Authentication =====
+  - Copy CA file to correct path<code>
+$ cp certs/kibana/elasticsearch-ca.pem kibana/config/</code>
+  - Add CA file mount do docker-compose.yml<code>
+services:
+  kibana:
+    volumes:
+      - ./kibana/config/elasticsearch-ca.pem:/usr/share/kibana/config/elasticsearch-ca.pem:ro
+</code>
+  - Add TLS & authentication information to kibana.yml<code>
+elasticsearch:
+  hosts: [ "https://elk-test-elasticsearch:9200" ]
+  ssl.certificateAuthorities: [ "config/elasticsearch-ca.pem" ]
+  username: "kibana_system"
+  password: "***"
+</code>
+  - Restart elk-stack<code>
+$ docker-compose up -d && docker-compose logs -f
+</code>
+===== Move username & password from Kibana Config =====
+  - Create Keystore and populate with logon information<code>
+$ docker exec -it elk-test-kibana bash
+bash-4.2$ bin/kibana-keystore create
+Created Kibana keystore in /usr/share/kibana/config/kibana.keystore
+bash-4.2$ bin/kibana-keystore add elasticsearch.username
+Enter value for elasticsearch.username: *************
+bash-4.2$ bin/kibana-keystore add elasticsearch.password
+Enter value for elasticsearch.password: ********************
+</code>
+  - Copy keystore to persistent storage<code>
+$ docker cp elk-test-kibana:/usr/share/kibana/config/kibana.keystore /srv/elk-test/kibana/config/
+</code>
+  - Adjust docker-compose.yml for bind mount of keystore file<code>
+services:
+  kibana:
+    volumes:
+      - ./kibana/config/kibana.keystore:/usr/share/kibana/config/kibana.keystore
+</code>
+  - Remove elasticsearch.username and elasticsearch.username from kibana.yml
+  - Restart kibana
+{{tag>kb elasticsearch}}