Whilst the world is in Coronavirus lock-down we thought we’d break from the madness to detail how we lock-down our Elasticsearch instances.
At Maluma we secure Elasticsearch on all our installations. Typically our Customers infrastructure runs on Microsoft so these guidelines are focused on Windows although they should read pretty well for Linux users as well.
To configure security for Fusion’s Elasticsearch instance there are a number of command line utilities that need to be run and a couple of .yml config files that need to be edited.
But first a bit of housekeeping…
- These guidelines only define the steps to add authentication and secure the transport layer of DataSync. It is out of scope of this guide to configure SSL on the HTTP layer. We hope to provide an article on this in the not to distant future.
- We recommend backups of files are made at each stage, to make it easy to undo actions, should any problems arise.
- These details are correct at the time of posting but we recommend you read and refer to the latest documentation available on the Elastic website.
and now onto the good stuff…
Using Windows Explorer, open the Elasticsearch installation folder on the Elasticsearch server’s file system.
Open a Powershell or Cmd instance, running as admin, and cd into the root elasticsearch folder (the folder that is a parent of both the bin and config folders).
Create a Certificate Authority
Execute the command below.
- Enter a filename (this is your ca-filename) or hit return to leave the default.
- Enter a password (this is your ca-password) or hit return to leave it blank.
Create the certificate
Execute the command below (replacing elastic-stack-ca.p12 with your ca-filename if you changed it from the default value).
bin\elasticsearch-certutil cert --ca elastic-stack-ca.p12
- Enter the ca-password or hit return if you left it blank.
- Enter a filename (this is your cert-filename) or hit return to leave the default.
- Enter a password (this is your cert-password) or hit return to leave it blank.
Create the default user passwords
Execute the command below:
- There is an option to manually enter these passwords instead of having them auto generated. To do this use the command above but replace auto with interactive. We prefer the inbuilt random password generation offered using auto mode as it provides added security.
This command will output the generated passwords similar to the following:
Changed password for user apm_system
PASSWORD apm_system = VQk5GdAr3Qk4HJfFcfEv
Changed password for user kibana (this is your kibana-password)
PASSWORD kibana = 6AUJOXjcX0FDepzKUXVt
Changed password for user logstash_system
PASSWORD logstash_system = WnSM4fav5So2H2M6eet9
Changed password for user beats_system
PASSWORD beats_system = 7KtHcnF8bmH0TZaUkAVK
Changed password for user remote_monitoring_user
PASSWORD remote_monitoring_user = Hc4nVH3bwdUdr4zoJjux
Changed password for user elastic (this is your elastic-password)
PASSWORD elastic = J6vJCxkfVcb5oDGFdS88
Please note: if you used auto mode, as suggested, then it is important that you take a copy of the passwords at this stage as we’ll need them soon. For Fusion we’re only interested in the kibana and elastic passwords.
Add certificates passswords to the Keystore
If you specified a cert-password value earlier then you will need to execute the following commands to add the password to the keystores. If you left cert-password blank there is no need to do this step.
bin\elasticsearch-keystore add xpack.security.transport.ssl.keystore.secure_password
- When prompted, enter the cert-password you set earlier
bin\elasticsearch-keystore add xpack.security.transport.ssl.truststore.secure_password
- When prompted, enter the cert-password you set earlier
Edit the Elasticsearch Config
Edit config/elasticsearch.yml and add the following lines:
Restart your Elasticsearch windows service or cmd window. All Fusion installations are implemented with Elasticsearch and Kibana running as windows services.
Test the security
When navigating to your Elasticsearch web endpoint you should now be prompted to enter a username and password. Pressing escape will show an exception indicating that you haven’t authenticated
missing authentication credentials for REST request
If you refresh the page and enter the username elastic and your elastic-password you should authenticate successfully and be presented with Elasticsearch’s tagline “You Know, for Search”.
You now need to configure Kibana to authenticate when connecting to Elasticsearch; which is quite simple.
From the Kibana root folder edit config/kibana.yml and add the following lines:
Using Kibana to add users
You should now be able to restart your Kibana instance and it should be able to connect to Elasticsearch and allow you to configure new users. By default we create a Fusion user in order for Fusion to query Elasticsearch so please don’t change any of the Fusion user settings.
You can create/edit users & roles in Kibana via the Management > Security > Users & Management > Security > Roles screens. Please refer to Elastic’s documentation for further guidance on users & roles.
You should now have your Elasticsearch instance secured and also have the ability to create new roles and users to authenticate and authorise users to meet your usage needs.
Elasticsearch has been in the news over the last couple of years regarding various data breaches. There are multiple levels of security that should be applied to ensure your data is safe from nefarious mis-doers. This is just the first step so stay tuned for future articles where we add additional security to the Elasticsearch environment.