Activating the Minimal Security of SEAL Elastic Stack¶

If you wish to activate the minimal security level of SEAL Elastic Stack, follow the instructions below.

Hint - automatic security configuration

SEAL Elastic Stack 8.x provides an automatic configuration during the installation, which includes Minimal and Basic Security, see Automatic Configuration.

Instead of setting up security manually after the installation as described below, you may perform a new installation on another a different computer and transfer the data.

If you wish to secure Kibana with certificates as described in TLS Encrytion for Kibana, you have to do it manually in both cases.

Stopping All Services of SEAL Elastic Stack¶

On the PLOSSYS Output Engine server, stop Filebeat:
```
stop-service seal-filebeat
```

On the PLOSSYS 4 server, stop Filebeat:

stop-service seal-p4-accounting-filebeat

On the management server, stop Elasticsearch and Kibana:

stop-service seal-elasticsearch

stop-service seal-kibana

Configuring Elasticsearch¶

Hint - system user passwords

In case of a new installation, the minimal security is set up automatically.

In case of an update, you need to set up the minimal security manually as described below.

In an editor, open the following configuration file:

"C:\ProgramData\SEAL Systems\config\seal-elasticsearch\elasticsearch.yml"

Add or adjust the following lines:

xpack.security.enabled: true
discovery.type: single-node

Restart Elasticsearch:
```
start-service seal-elasticsearch
```
Interactively set the passwords:
```
$env:ES_PATH_CONF="C:\ProgramData\SEAL Systems\config\seal-elasticsearch"
cmd /c "C:\Program Files\SEAL Systems\seal-elasticsearch\bin\elasticsearch-setup-passwords.bat" interactive
```
You will need the kibana_system password in the next step.
Hint - identical passwords

Use identical passwords for the following users:
- apm_system
- beats_system
- elastic
- kibana_system
- logstash_system
- remote_monitoring_user
Caution - one execution only

You can execute the above command to set the passwords only once.

If you need to execute it once more, you have to specify the bootstrap.password key as seal user in the Elasticsearch keystore:
```
$env:ES_PATH_CONF="C:\ProgramData\SEAL Systems\config\seal-elasticsearch"
cmd /c "C:\Program Files\SEAL Systems\seal-elasticsearch\bin\elasticsearch-keystore.bat" add bootstrap.password
```
Enter the current password for the elastic user.

You can have the current bootstrap password displayed with the following command:
```
$env:ES_PATH_CONF="C:\ProgramData\SEAL Systems\config\seal-elasticsearch"
cmd /c "C:\Program Files\SEAL Systems\seal-elasticsearch\bin\elasticsearch-keystore.bat" show bootstrap.password
```
If you use the bootstrap password, we strongly recommend you either protect the Elasticsearch keystore with a password or delete the bootstrap password afterwards:
```
$env:ES_PATH_CONF="C:\ProgramData\SEAL Systems\config\seal-elasticsearch"
cmd /c "C:\Program Files\SEAL Systems\seal-elasticsearch\bin\elasticsearch-keystore.bat" remove bootstrap.password
```
Hint - change passwords

You can change passwords of individual users and the elastic user as described in Resetting Passwords.

Configuring Kibana¶

In an editor, open the following configuration file:
```
"C:\ProgramData\SEAL Systems\config\kibana.yml"
```

Add or adjust the following lines:

elasticsearch.username: "kibana_system"
elasticsearch.password: "Pa$$w0rd"

Replace Pa$$w0rd by your real password.

Restart Kibana:
```
start-service seal-kibana
```

Hint - separate Kibana users

If you log on to the Kibana user interface, the elastic user is used by default.

You may define a separate user for the Kibana user interface. For details on this, refer to the original documentation of the software producer:

Create Roles and Users

Alternative: Using Kibana Keystore to Manage Passwords for Kibana¶

Create the Kibana keystore, if necessary:

$env:KBN_PATH_CONF="C:\ProgramData\SEAL Systems\config"
cmd /c "C:\Program Files\SEAL Systems\seal-kibana\bin\kibana-keystore.bat" create

In a PowerShell (Administrator), add the corresponding password under the key elasticsearch.password to the kibana keystore:

$env:KBN_PATH_CONF="C:\ProgramData\SEAL Systems\config"
cmd /c "C:\Program Files\SEAL Systems\seal-kibana\bin\kibana-keystore.bat" add elasticsearch.password

According to the above example, you would specify Pa$$w0rd here in the command line.

You can have the current keys without their current values listed with the following command:

$env:KBN_PATH_CONF="C:\ProgramData\SEAL Systems\config"
cmd /c "C:\Program Files\SEAL Systems\seal-kibana\bin\kibana-keystore.bat" list elasticsearch.password

Configuring Filebeat¶

In an editor, open the following configuration file:
```
"C:\ProgramData\SEAL Systems\config\filebeat.yml"
```

Add or adjust the following lines:

output.elasticsearch.username: elastic
output.elasticsearch.password: Pa$$w0rt

Restart Filebeat:
```
start-service seal-filebeat
```

Hint - separate Filebeat user

In the Kibana user Interface, you may define a special filebeat_writer user, who needs a Setupand a Publishing role. For details on this, refer to the original documentation of the software producer:

Create roles and users

Alternative: Using Filebeat Keystore to Manage Passwords for Filebeat¶

In a PowerShell (Administrator), add the corresponding password, e.g. under the key ES_PWD, to the filebeat keystore:

cd "C:\Program Files\SEAL Systems\seal-filebeat"
.\filebeat.exe -c "C:\ProgramData\SEAL Systems\config\filebeat.yml" keystore add ES_PWD

Check the stored keys:

cd "C:\Program Files\SEAL Systems\seal-filebeat"
.\filebeat.exe -c "C:\ProgramData\SEAL Systems\config\filebeat.yml" keystore list

In an editor, open the following configuration file:
```
"C:\ProgramData\SEAL Systems\config\filebeat.yml"
```
Add or adjust the following lines and use the key instead of the password:
```
output.elasticsearch.password: "${ES_PWD}"
```
Restart Filebeat:
```
start-service seal-filebeat
```

Adjusting Environment Variables in Consul¶

Add user and password to the SEAL REST service URL:

ELASTICSEARCH_REST_URL = http://elastic:<password>@<management_server>:9200

Hint - PLOSSYS Administrator Configuration

Leave the KIBANA_LINK item unchanged. User and password are requested interactively in the browser. You can configure the validation period of the password in Kibana.