Skip to content

Securing Elasticsearch


Hint - TLS encryption

For security reasons, we strongly recommend configuring the TLS encryption.

Caution - Minimal Security

The TLS encryption of Elasticsearch requires database protection by user and password. Therefore you must have activated the Minimal Security of Elastic Stack.


Configuring the TLS Encryption

The TLS encryption of Elasticsearch secures the data transfer from the servers to Elasticsearch via Filebeat and the communication between Kibana and the Elasticsearch database.

The SEAL Elastic Stack installation includes a self-signed TLS certificate. Replace this certificate by your own certificate to secure the connection to Kibana.

  1. Get your own TLS certificate:

    • cert.pem

    • key.pem

  2. On the management server, copy your TLS certificate to the following directory:

    /opt/seal/etc/seal-elasticsearch
    

    Hint - only own directory

    The internal security module of Elasticsearch only allows the reading of files in its own configuration directory.

  3. In an editor, open the elasticsearch.yml configuration file:

    /opt/seal/etc/elasticsearch.yml
    
  4. Add the following lines:

    xpack.security.http.ssl.enabled: true
    xpack.security.http.ssl.key: "/opt/seal/etc/seal-elasticsearch/key.pem"
    xpack.security.http.ssl.certificate: "/opt/seal/etc/seal-elasticsearch/cert.pem"
    
  5. Save the file and exit.

  6. Restart Elasticsearch:

    sudo systemctl restart seal-elasticsearch
    
  7. Copy the ca.pem certificate to the following directory:

    /opt/seal/etc/tls-external
    

    If Kibana is installed on a different server than the management server, you have to repeat this step on this server.

  8. In an editor, open the kibana.yml configuration file:

    /opt/seal/etc/kibana.yml
    
  9. Activate the following lines and specify the server:

    elasticsearch.hosts: [ "https://<management-server>:9200" ]
    elasticsearch.ssl.certificateAuthorities: [ "/opt/seal/etc/tls-external/ca.pem" ]
    

    with : FQDN of the Server, on which Elasticserch is installed.

  10. Save the file and exit.

  11. Restart Kibana:

    sudo systemctl restart seal-kibana
    
  12. In an editor, open the filebeat.yml configuration file:

    /opt/seal/etc/filebeat.yml
    
  13. In the following line, change the URL to the Elasticsearch Server from http:// to https://:

    output:
      elasticsearch:
        hosts:
          # - http://localhost:9200
          - "https://localhost:9200"
    

    all Filebeat installations

    Repeat this step on all servers, on which Filebeat is installed.

  14. Save the file and exit.

  15. Restart Filebeat:

    sudo systemctl restart seal-filebeat
    

Back to top