Securing Fusion’s Elasticsearch Instance

Whilst the world is in Coronavirus lock-down we thought we’d break from the madness to detail how we lock-down our Elasticsearch instances.

At Maluma we secure Elasticsearch on all our installations.  Typically our Customers infrastructure runs on Microsoft so these guidelines are focused on Windows although they should read pretty well for Linux users as well.

To configure security for Fusion’s Elasticsearch instance there are a number of command line utilities that need to be run and a couple of .yml config files that need to be edited.

But first a bit of housekeeping…

  • These guidelines only define the steps to add authentication and secure the transport layer of DataSync. It is out of scope of this guide to configure SSL on the HTTP layer. We hope to provide an article on this in the not to distant future.
  • We recommend backups of files are made at each stage, to make it easy to undo actions, should any problems arise.
  • These details are correct at the time of posting but we recommend you read and refer to the latest documentation available on the Elastic website.

and now onto the good stuff…


Using Windows Explorer, open the Elasticsearch installation folder on the Elasticsearch server’s file system.

Open a Powershell or Cmd instance, running as admin, and cd into the root elasticsearch folder (the folder that is a parent of both the bin and config folders).


Create a Certificate Authority

Execute the command below.
bin\elasticsearch-certutil ca

  • Enter a filename (this is your ca-filename) or hit return to leave the default.
  • Enter a password (this is your ca-password) or hit return to leave it blank.


Create the certificate

Execute the command below (replacing elastic-stack-ca.p12 with your ca-filename if you changed it from the default value).
bin\elasticsearch-certutil cert --ca elastic-stack-ca.p12

  • Enter the ca-password or hit return if you left it blank.
  • Enter a filename (this is your cert-filename) or hit return to leave the default.
  • Enter a password (this is your cert-password) or hit return to leave it blank.


Add certificates passswords to the Keystore

If you specified a cert-password value earlier then you will need to execute the following commands to add the password to the keystores. If you left cert-password blank there is no need to do this step.
bin\elasticsearch-keystore add

  • When prompted, enter the cert-password you set earlier

bin\elasticsearch-keystore add

  • When prompted, enter the cert-password you set earlier


Edit the Elasticsearch Config

Edit config/elasticsearch.yml and add the following lines: true true PKCS12 certificate cert-filename cert-filename PKCS12

Default values:
cert-filename: elastic-certificates.p12


Restart Elasticsearch

Restart your Elasticsearch windows service or cmd window. All Fusion installations are implemented with Elasticsearch and Kibana running as windows services.


Create the default user passwords

Execute the command below:
bin\elasticsearch-setup-passwords auto

  • There is an option to manually enter these passwords instead of having them auto generated. To do this use the command above but replace auto with interactive. We prefer the inbuilt random password generation offered using auto mode as it provides added security.

This command will output the generated passwords similar to the following:

Changed password for user apm_system
PASSWORD apm_system = VQk5GdAr3Qk4HJfFcfEv

Changed password for user kibana
(this is your kibana-password)

Changed password for user logstash_system
PASSWORD logstash_system = WnSM4fav5So2H2M6eet9

Changed password for user beats_system
PASSWORD beats_system = 7KtHcnF8bmH0TZaUkAVK

Changed password for user remote_monitoring_user
PASSWORD remote_monitoring_user = Hc4nVH3bwdUdr4zoJjux

Changed password for user elastic
PASSWORD elastic = J6vJCxkfVcb5oDGFdS88
(this is your elastic-password)

Please note: if you used auto mode, as suggested, then it is important that you take a copy of the passwords at this stage as we’ll need them soon. For Fusion we’re only interested in the kibana and elastic passwords.


Test the security

When navigating to your Elasticsearch web endpoint you should now be prompted to enter a username and password. Pressing escape will show an exception indicating that you haven’t authenticated
missing authentication credentials for REST request

If you refresh the page and enter the username elastic and your elastic-password you should authenticate successfully and be presented with Elasticsearch’s tagline “You Know, for Search”.


Configuring Kibana

You now need to configure Kibana to authenticate when connecting to Elasticsearch; which is quite simple.

From the Kibana root folder edit config/kibana.yml and add the following lines:
elasticsearch.username: kibana
elasticsearch.password: kibana-password


Using Kibana to add users

You should now be able to restart your Kibana instance and it should be able to connect to Elasticsearch and allow you to configure new users. By default we create a Fusion user in order for Fusion to query Elasticsearch so please don’t change any of the Fusion user settings.

You can create/edit users & roles in Kibana via the Management > Security > Users & Management > Security > Roles screens. Please refer to Elastic’s documentation for further guidance on users & roles.


Setting up https

You can follow the online Elasticsearch documentation for details on how to set up HTTPS.


In Conclusion

You should now have your Elasticsearch instance secured and also have the ability to create new roles and users to authenticate and authorise users to meet your usage needs.
Elasticsearch has been in the news over the last couple of years regarding various data breaches. There are multiple levels of security that should be applied to ensure your data is safe from nefarious mis-doers. This is just the first step so stay tuned for future articles where we add additional security to the Elasticsearch environment.

Leave a Comment