Securing Kibana
Hint - TLS encryption
For security reasons, we strongly recommend configuring TLS encryption.
Configuring the TLS Encryption
The SEAL Elastic Stack installation includes a self-signed TLS certificate. Replace this certificate with your own certificate to secure the connection to Kibana.
- Get your own TLS certificate:
  - cert.pem
  - key.pem
- Copy your TLS certificate to the following directory:
    C:\ProgramData\SEAL Systems\config\tls-external
Hint - changing the TLS directory
We recommend that you use a directory other than tls for your customer certificates, e.g. tls-external. This allows you to easily switch back to the included certificates for test purposes. It also prevents your certificates from being overwritten during an update.
Make sure you use the new directory in all SEAL products that use TLS encryption.
- In an editor, open the kibana.yml configuration file:
    C:\ProgramData\SEAL Systems\config\kibana.yml
- Copy the following lines:
    # server.ssl.certificate: C:\ProgramData\SEAL Systems\config\tls\cert.pem
    # server.ssl.key: C:\ProgramData\SEAL Systems\config\tls\key.pem
- Change the directory to the one containing your certificate:
    # server.ssl.certificate: C:\ProgramData\SEAL Systems\config\tls\cert.pem
    server.ssl.certificate: C:\ProgramData\SEAL Systems\config\tls-external\cert.pem
    # server.ssl.key: C:\ProgramData\SEAL Systems\config\tls\key.pem
    server.ssl.key: C:\ProgramData\SEAL Systems\config\tls-external\key.pem
- Activate the following lines:
    server.ssl.enabled: true
    server.ssl.certificate: C:\ProgramData\SEAL Systems\config\tls-external\cert.pem
    server.ssl.key: C:\ProgramData\SEAL Systems\config\tls-external\key.pem
- Save the file and exit.
- Restart Kibana:
    start-service seal-kibana
- In Consul, set the following key:
    dc/home/env/service/any/tag/plossysadmin/KIBANA_LINK
  to
    https://<management-server>:5601/app/kibana
  or use a PLOSSYS CLI command:
    plossys config set KIBANA_LINK "https://<management-server>:5601/app/kibana" --service plossysadmin --insecure
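
A check to run after editing kibana.yml and before restarting Kibana, given here as an added example that is not part of the SEAL documentation. It reports server.ssl.* settings that are still commented out, still point to the bundled tls directory, or reference a missing, expired or self-issued certificate. The function name Test-KibanaTlsConfig is hypothetical and the sample lines are constructed.

```powershell
function Test-KibanaTlsConfig {
    param([string[]]$Lines)   # kibana.yml content, one element per line
    $settings = @{}
    foreach ($line in $Lines) {
        # Lines starting with '#' are inactive, so they never match here.
        if ($line -match '^\s*(server\.ssl\.(enabled|certificate|key))\s*:\s*(.+?)\s*$') {
            $settings[$Matches[1]] = $Matches[3]
        }
    }
    $findings = @()
    if ($settings['server.ssl.enabled'] -ne 'true') {
        $findings += 'server.ssl.enabled is not active or not set to true'
    }
    foreach ($name in 'server.ssl.certificate', 'server.ssl.key') {
        $path = $settings[$name]
        if (-not $path) { $findings += "$name is missing or still commented out"; continue }
        # Name of the directory that holds the file, e.g. 'tls' or 'tls-external'.
        $dir = [System.IO.Path]::GetFileName([System.IO.Path]::GetDirectoryName($path))
        if ($dir -eq 'tls') { $findings += "$name still points to the bundled tls directory" }
        if (-not (Test-Path -LiteralPath $path -PathType Leaf)) { $findings += "$name file not found: $path" }
    }
    $certPath = $settings['server.ssl.certificate']
    if ($certPath -and (Test-Path -LiteralPath $certPath -PathType Leaf)) {
        try {
            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $certPath
            if ($cert.NotAfter -lt (Get-Date)) { $findings += "certificate expired on $($cert.NotAfter)" }
            if ($cert.Subject -eq $cert.Issuer) { $findings += 'certificate is self-issued (subject equals issuer)' }
        } catch { $findings += "cannot parse certificate: $certPath" }
    }
    return $findings
}

# Constructed sample: the paths were changed, but server.ssl.enabled was left commented out.
$sample = @(
    '# server.ssl.enabled: true'
    '# server.ssl.certificate: C:\ProgramData\SEAL Systems\config\tls\cert.pem'
    'server.ssl.certificate: C:\ProgramData\SEAL Systems\config\tls-external\cert.pem'
    '# server.ssl.key: C:\ProgramData\SEAL Systems\config\tls\key.pem'
    'server.ssl.key: C:\ProgramData\SEAL Systems\config\tls-external\key.pem'
)
Test-KibanaTlsConfig -Lines $sample

# Against the real file:
# Test-KibanaTlsConfig -Lines (Get-Content 'C:\ProgramData\SEAL Systems\config\kibana.yml')
```

An empty result means none of these checks found a problem. The script does not verify that key.pem belongs to cert.pem.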