Skip to content

Securing Kibana


Hint - TLS encryption

For security reasons, we strongly recommend configuring the TLS encryption.


Configuring the TLS Encryption

The SEAL Elastic Stack installation includes a self-signed TLS certificate. Replace this certificate by your own certificate to secure the connection to Kibana.

Hint - certificate as fingerprint

You can use the auto-generated CA certificate of Elasticsearch as a fingerprint or copy in clients, e. g. Filebeat.

For details on this see, Connect Clients to Elasticsarch.

  1. Get your own TLS certificate:

    • cert.pem

    • key.pem

  2. Copy your TLS certificate to the following directory:

    /opt/seal/etc/tls-external
    

    Hint - changing the TLS directory

    We recommend you use a directory different from tls for your customer certificates, e. g. tls-external.

    This allows you to easily switch back to the included certificates for test purposes.

    Also it prevents your certificates from being overwritten during an update.

    Make sure you use the new directory in all SEAL products that use TLS encryption.

  3. In an editor, open the kibana.yml configuration file:

    /opt/seal/etc/kibana.yml
    
  4. Copy the following lines:

    # server.ssl.certificate: /opt/seal/etc/tls/cert.pem
    # server.ssl.key: /opt/seal/etc/tls/key.pem
    
  5. Change the directory to the one containing your certificate:

    # server.ssl.certificate: /opt/seal/etc/tls/cert.pem
    server.ssl.certificate: /opt/seal/etc/tls-external/cert.pem
    # server.ssl.key: /opt/seal/etc/tls/key.pem
    server.ssl.key: /opt/seal/etc/tls-external/key.pem
    
  6. Activate the following lines:

    server.ssl.enabled: true
    server.ssl.certificate: /opt/seal/etc/tls-external/cert.pem
    server.ssl.key: /opt/seal/etc/tls-external/key.pem
    
  7. Save the file and exit.

  8. Restart Kibana:

    sudo systemctl restart seal-kibana
    
  9. In Consul, set the following keys:

    • KIBANA_LINK

      dc/home/env/service/any/tag/plossysadmin/KIBANA_LINK
      

      to

      https://<management-server>:5601/app/kibana
      

      or use a PLOSSYS CLI command:

      plossys config set TLS_EXTERNAL_DIR "https://<management-server>:5601/app/kibana" --service plossysadmin --insecure
      
    • NODE_TLS_REJECT_UNAUTHORIZED

      dc/home/env/service/plossysadmin/tag/any/NODE_TLS_REJECT_UNAUTHORIZED
      

      to 0.

      For details on this setting, see NODE_TLS_REJECT_UNAUTHORIZED.


Encrypting the Traffic Between the Browser and Kibana

Literature

For details on securing the HTTPS traffic, see Encrypt Kibana Browser.

We recommend setting 3 special encryption keys. If you do not specify them, they are set automatically, which may limit the corresponding functionality.

You can

  • specify any key that is at least 32 characters long or

  • use the kibana-encryption-keys.bat to create the keys.

    In a new installation, the keys are created automatically by this Tool and added in the kibana.yml configuration file.

    In case of an Update you have to do this manually.

    Create encryption Keys for Kibana:

    $env:KBN_PATH_CONF="$env:ProgramData\SEAL Systems\config"; & "$env:ProgramFiles\SEAL Systems\seal-kibana\bin\kibana-encryption-keys.bat" generate
    
    sudo KBN_PATH_CONF=/opt/seal/etc /opt/seal/seal-kibana/bin/kibana-kibana-encryption-keys generate
    

    This command will only offer encyption keys that do not have a defined value yet. If you want to renew all encryption keys, you have to add the --force option to the command.


Commands for the Enrollment Token of Kibana

If you configure Kibana via enrollment token, seal-elasticsearch needs to be running, whereas seal-kibana needs to be stopped.

Then use the following commands and restart :

  1. Create a new Enrollment tokens for Kibana:

    sudo ES_PATH_CONF=/opt/seal/etc/seal-elasticsearch /opt/seal/seal-elasticsearch/bin/elasticsearch-create-enrollment-token --scope kibana --force
    
  2. Use the new enrollment token:

    sudo KBN_PATH_CONF=/opt/seal/etc /opt/seal/seal-kibana/bin/kibana-setup --silent --enrollment-token <enrollment-token>
    
  3. Restart Kibana:

    sudo systemctl restart seal-kibana
    
  4. Restart Filebeat:

    sudo systemctl restart seal-filebeat
    

Hint - Deactivating SSL in SEAL Elastic Stack 8.x

If you set back your Elasticsearch server from HTTPS to HTTP, you have to change the connection data in kibana.yml and filebeat.yml.

In this case you cannot use the cofiguration via enrollment token until you reactivate SSL.


Back to top