Configuring the TLS Encryption¶

Hint - TLS encryption

For security reasons, we strongly recommend configuring the TLS encryption.

Caution - Minimal Security

The TLS encryption of Elasticsearch requires database protection by user and password. Therefore you must have activated the Minimal Security of Elastic Stack.

Elasticsearch¶

The TLS encryption of Elasticsearch secures the data transfer from the servers to Elasticsearch via Filebeat and the communication between Kibana and the Elasticsearch database.

The SEAL Elastic Stack installation includes a self-signed TLS certificate. Replace this certificate by your own certificate to secure the connection to Kibana.

Get your own TLS certificate:
- cert.pem
- key.pem
On the management server, copy your TLS certificate to the following directory:
```
/opt/seal/etc/seal-elasticsearch
```
Hint - only own directory

The internal security module of Elasticsearch only allows the reading of files in its own configuration directory.
In an editor, open the elasticsearch.yml configuration file:
```
/opt/seal/etc/elasticsearch.yml
```

Add the following lines:

xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.key: "/opt/seal/etc/seal-elasticsearch/key.pem"
xpack.security.http.ssl.certificate: "/opt/seal/etc/seal-elasticsearch/cert.pem"

Save the file and exit.

Restart Elasticsearch:

sudo systemctl restart seal-elasticsearch

Copy the ca.pem certificate to the following directory:
```
/opt/seal/etc/tls-external
```
If Kibana is installed on a different server than the management server, you have to repeat this step on this server.
In an editor, open the kibana.yml configuration file:
```
/opt/seal/etc/kibana.yml
```

Activate the following lines and specify the server:

elasticsearch.hosts: [ "https://<management-server>:9200" ]
elasticsearch.ssl.certificateAuthorities: [ "/opt/seal/etc/tls-external/ca.pem" ]

with : FQDN of the Server, on which Elasticserch is installed.

Save the file and exit.
Restart Kibana:
```
sudo systemctl restart seal-kibana
```
In an editor, open the filebeat.yml configuration file:
```
/opt/seal/etc/filebeat.yml
```
In the following line, change the URL to the Elasticsearch Server from http:// to https://:
```
output:
  elasticsearch:
    hosts:
      # - http://localhost:9200
      - "https://localhost:9200"
```
all Filebeat installations

Repeat this step on all servers, on which Filebeat is installed.
Save the file and exit.
Restart Filebeat:
```
sudo systemctl restart seal-filebeat
```

Kibana¶

The SEAL Elastic Stack installation includes a self-signed TLS certificate. Replace this certificate by your own certificate to secure the connection to Kibana.

Hint - certificate as fingerprint

You can use the auto-generated CA certificate of Elasticsearch as a fingerprint or copy in clients, e. g. Filebeat.

For details on this see, Connect Clients to Elasticsarch.

Get your own TLS certificate:
- cert.pem
- key.pem
Copy your TLS certificate to the following directory:
```
/opt/seal/etc/tls-external
```
Hint - changing the TLS directory

We recommend you use a directory different from tls for your customer certificates, e. g. tls-external.

This allows you to easily switch back to the included certificates for test purposes.

Also it prevents your certificates from being overwritten during an update.

Make sure you use the new directory in all SEAL products that use TLS encryption.
In an editor, open the kibana.yml configuration file:
```
/opt/seal/etc/kibana.yml
```

Copy the following lines:

# server.ssl.certificate: /opt/seal/etc/tls/cert.pem
# server.ssl.key: /opt/seal/etc/tls/key.pem

Change the directory to the one containing your certificate:

# server.ssl.certificate: /opt/seal/etc/tls/cert.pem
server.ssl.certificate: /opt/seal/etc/tls-external/cert.pem
# server.ssl.key: /opt/seal/etc/tls/key.pem
server.ssl.key: /opt/seal/etc/tls-external/key.pem

Activate the following lines:

server.ssl.enabled: true
server.ssl.certificate: /opt/seal/etc/tls-external/cert.pem
server.ssl.key: /opt/seal/etc/tls-external/key.pem

Save the file and exit.
Restart Kibana:
```
sudo systemctl restart seal-kibana
```

In Consul, set the following keys:

KIBANA_LINK

dc/home/env/service/any/tag/plossysadmin/KIBANA_LINK

to

https://<management-server>:5601/app/kibana

or use a PLOSSYS CLI command:

plossys config set TLS_EXTERNAL_DIR "https://<management-server>:5601/app/kibana" --service plossysadmin --insecure

NODE_TLS_REJECT_UNAUTHORIZED
```
dc/home/env/service/plossysadmin/tag/any/NODE_TLS_REJECT_UNAUTHORIZED
```
to 0.

For details on this setting, see NODE_TLS_REJECT_UNAUTHORIZED.

Encrypting the Traffic Between the Browser and Kibana¶

Literature

For details on securing the HTTPS traffic, see Encrypt Kibana Browser.

We recommend setting 3 special encryption keys. If you do not specify them, they are set automatically, which may limit the corresponding functionality.

You can

specify any key that is at least 32 characters long or
use the kibana-encryption-keys.bat to create the keys.

In a new installation, the keys are created automatically by this Tool and added in the kibana.yml configuration file.

In case of an Update you have to do this manually.

Create encryption Keys for Kibana:
```
$env:KBN_PATH_CONF="$env:ProgramData\SEAL Systems\config"; & "$env:ProgramFiles\SEAL Systems\seal-kibana\bin\kibana-encryption-keys.bat" generate
```
```
sudo KBN_PATH_CONF=/opt/seal/etc /opt/seal/seal-kibana/bin/kibana-kibana-encryption-keys generate
```
This command will only offer encyption keys that do not have a defined value yet. If you want to renew all encryption keys, you have to add the --force option to the command.

Commands for the Enrollment Token of Kibana¶

If you configure Kibana via enrollment token, seal-elasticsearch needs to be running, whereas seal-kibana needs to be stopped.

Then use the following commands and restart :

Create a new Enrollment tokens for Kibana:

sudo ES_PATH_CONF=/opt/seal/etc/seal-elasticsearch /opt/seal/seal-elasticsearch/bin/elasticsearch-create-enrollment-token --scope kibana --force

Use the new enrollment token:

sudo KBN_PATH_CONF=/opt/seal/etc /opt/seal/seal-kibana/bin/kibana-setup --silent --enrollment-token <enrollment-token>

Restart Kibana:
```
sudo systemctl restart seal-kibana
```
Restart Filebeat:
```
sudo systemctl restart seal-filebeat
```

Hint - Deactivating SSL in SEAL Elastic Stack 8.x

If you set back your Elasticsearch server from HTTPS to HTTP, you have to change the connection data in kibana.yml and filebeat.yml.

In this case you cannot use the cofiguration via enrollment token until you reactivate SSL.

Filebeat¶

The SEAL Elastic Stack installation includes a self-signed TLS certificate. Replace this certificate by your own certificate to secure the connection to Filebeat.

Get your own TLS certificate:
- cert.pem
- key.pem
Copy your TLS certificate to the following directory:
```
/opt/seal/etc/tls-external
```
Hint - changing the TLS directory

We recommend you use a directory different from tls for your customer certificates, e. g. tls-external.

This allows you to easily switch back to the included certificates for test purposes.

Also it prevents your certificates from being overwritten during an update.

Make sure you use the new directory in all SEAL products that use TLS encryption.

Configuring the TLS Encryption in a Cluster¶

If you run PLOSSYS Output Engine in a cluster, replace the TLS certificate as described above on each PLOSSYS Output Engine server separately.

Specifying a CA Certificate¶

If a CA certificate has been specified, Filebeat requires a client certificate from each client. This requires corresponding properties of the certificate.

Configure a CA certificate as follows:

On the PLOSSYS Output Engine server, open the Filebeat configuration file:
```
/opt/seal/etc/filebeat.yml
```

Replace the line:

insecure: true

by the follwing line:

certificate_authorities: ["/opt/seal/etc/tls/ca.pem"]

Save the configuration file.
Restart Filebeat:
```
sudo systemctl restart seal-filebeat
```

For details on self-signed certificates, see Self-signed Certificates.