Fortytwo - Answer to the Ultimate Question of Life, the Universe, and Everything

User Tools

Site Tools

Trace:
elasticsearch-tls

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
elasticsearch-tls [2020/11/07 11:49] baumielasticsearch-tls [2020/11/08 12:41] (current) baumi
Line 1: Line 1:
 ====== Configure Elasticsearch/Kibana for TLS and Authentication ====== ====== Configure Elasticsearch/Kibana for TLS and Authentication ======
 +===== Create Certificates =====
   - Shutdown elk-cluster   - Shutdown elk-cluster
   - Add certificate path to elasticsearch config in docker-compose.yml<code>   - Add certificate path to elasticsearch config in docker-compose.yml<code>
-volumes+services
-  - ./certs:/certs+  elasticsearch: 
 +    volumes: 
 +      - ./certs:/certs
 </code> </code>
   - Start elasticsearch<code>$ docker-compose up -d elasticsearch</code>   - Start elasticsearch<code>$ docker-compose up -d elasticsearch</code>
- 
   - Create certificates<code>   - Create certificates<code>
 $ docker exec -it elk-test-elasticsearch bash $ docker exec -it elk-test-elasticsearch bash
Line 22: Line 23:
 Please enter the desired output file [elastic-stack-ca.zip]: Please enter the desired output file [elastic-stack-ca.zip]:
 [root@elk-test-elasticsearch elasticsearch]# unzip -d /certs/ elastic-stack-ca.zip [root@elk-test-elasticsearch elasticsearch]# unzip -d /certs/ elastic-stack-ca.zip
 +Archive:  elastic-stack-ca.zip
 +   creating: /certs/ca/
 +  inflating: /certs/ca/ca.crt
 +  inflating: /certs/ca/ca.key
  
 [root@elk-test-elasticsearch elasticsearch]# bin/elasticsearch-certutil http [root@elk-test-elasticsearch elasticsearch]# bin/elasticsearch-certutil http
Line 140: Line 145:
   inflating: /certs/kibana/sample-kibana.yml   inflating: /certs/kibana/sample-kibana.yml
 </code> </code>
- +===== Configure elasticsearch for TLS & X-Pack Security ===== 
 + 
 +  - Shutdown elasticsearch<code> 
 +$ docker-compose down 
 +Stopping elk-test-elasticsearch ... done 
 +Removing elk-test-elasticsearch ... done 
 +Removing network elk-test_default 
 +</code> 
 +  - Add certificate mount to docker-compose<code> 
 +volumes: 
 +  - ./elasticsearch/config/elasticsearch.p12:/usr/share/elasticsearch/config/elasticsearch.p12:ro 
 +</code> 
 +  - Copy P12 file to correct place<code> 
 +$ cp certs/elasticsearch/http.p12 elasticsearch/config/elasticsearch.p12 
 +$ sudo chown 1000:1000 elasticsearch/config/elasticsearch.p12 
 +$ sudo chmod 600 elasticsearch/config/elasticsearch.p12 
 +</code> 
 +  - Update elasticsearch.yml<code> 
 +$ grep xpack elasticsearch/config/elasticsearch.yml 
 +xpack.security.enabled: true 
 +xpack.security.http.ssl.enabled: true 
 +xpack.security.http.ssl.verification_mode: "certificate" 
 +xpack.security.http.ssl.keystore.path: "elasticsearch.p12" 
 +</code> 
 +  - Start elasticsearch<code> 
 +docker-compose up -d elasticsearch 
 +Creating network "elk-test_default" with the default driver 
 +Creating elk-test-elasticsearch ... done 
 +</code> 
 +  - Create Users<code> 
 +$ docker exec -it elk-test-elasticsearch bash 
 +[root@elk-test-elasticsearch elasticsearch]# bin/elasticsearch-setup-passwords auto 
 +Initiating the setup of passwords for reserved users elastic,apm_system,kibana,kibana_system,logstash_system,beats_system,remote_monitoring_user. 
 +The passwords will be randomly generated and printed to the console. 
 +Please confirm that you would like to continue [y/N]y 
 + 
 + 
 +Changed password for user apm_system 
 +PASSWORD apm_system = *** 
 + 
 +Changed password for user kibana_system 
 +PASSWORD kibana_system = *** 
 + 
 +Changed password for user kibana 
 +PASSWORD kibana = *** 
 + 
 +Changed password for user logstash_system 
 +PASSWORD logstash_system = *** 
 + 
 +Changed password for user beats_system 
 +PASSWORD beats_system = *** 
 + 
 +Changed password for user remote_monitoring_user 
 +PASSWORD remote_monitoring_user = *** 
 + 
 +Changed password for user elastic 
 +PASSWORD elastic = *** 
 +</code> 
 +===== Configure Kibana for TLS and User Authentication ===== 
 +  - Copy CA file to correct path<code> 
 +$ cp certs/kibana/elasticsearch-ca.pem kibana/config/</code> 
 +  - Add CA file mount do docker-compose.yml<code> 
 +services: 
 +  kibana: 
 +    volumes: 
 +      - ./kibana/config/elasticsearch-ca.pem:/usr/share/kibana/config/elasticsearch-ca.pem:ro 
 +</code> 
 +  - Add TLS & authentication information to kibana.yml<code> 
 +elasticsearch: 
 +  hosts: [ "https://elk-test-elasticsearch:9200"
 +  ssl.certificateAuthorities: [ "config/elasticsearch-ca.pem"
 +  username: "kibana_system" 
 +  password: "***" 
 +</code> 
 +  - Restart elk-stack<code> 
 +$ docker-compose up -d && docker-compose logs -f 
 +</code> 
 + 
 +===== Move username & password from Kibana Config ===== 
 + 
 +  - Create Keystore and populate with logon information<code> 
 +$ docker exec -it elk-test-kibana bash 
 +bash-4.2$ bin/kibana-keystore create 
 +Created Kibana keystore in /usr/share/kibana/config/kibana.keystore 
 +bash-4.2$ bin/kibana-keystore add elasticsearch.username 
 +Enter value for elasticsearch.username: ************* 
 +bash-4.2$ bin/kibana-keystore add elasticsearch.password 
 +Enter value for elasticsearch.password: ******************** 
 +</code> 
 +  - Copy keystore to persistent storage<code> 
 +$ docker cp elk-test-kibana:/usr/share/kibana/config/kibana.keystore /srv/elk-test/kibana/config/ 
 +</code> 
 +  - Adjust docker-compose.yml for bind mount of keystore file<code> 
 +services: 
 +  kibana: 
 +    volumes: 
 +      - ./kibana/config/kibana.keystore:/usr/share/kibana/config/kibana.keystore 
 +</code> 
 +  - Remove elasticsearch.username and elasticsearch.username from kibana.yml 
 +  - Restart kibana 
 + 
 + 
 + 
 +{{tag>kb elasticsearch}} 
elasticsearch-tls.1604746159.txt.gz · Last modified: 2020/11/07 11:49 by baumi
Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki