
Configuring the TLS Encryption


Hint - TLS encryption

For security reasons, we strongly recommend configuring TLS encryption.

Caution - Minimal Security

The TLS encryption of Elasticsearch requires that access to the database is protected by user name and password. Therefore you must have activated the Minimal Security of Elastic Stack first.


Elasticsearch

The TLS encryption of Elasticsearch secures the transfer of log data from the servers to Elasticsearch via Filebeat, and the communication between Kibana and the Elasticsearch database.

The SEAL Elastic Stack installation includes a self-signed TLS certificate. Replace this certificate with your own certificate to secure the connection to Elasticsearch.

  1. Get your own TLS certificate:

    • cert.pem

    • key.pem

  2. On the management server, copy your TLS certificate and private key to the following directory:

    "C:\ProgramData\SEAL Systems\config\seal-elasticsearch"
    
    Restrict read access to key.pem to administrators and the account that runs the seal-elasticsearch service.

    Hint - only own directory

    The security manager of Elasticsearch only allows reading files inside its own configuration directory, so the certificate and key must be placed there.

  3. In an editor, open the elasticsearch.yml configuration file:

    "C:\ProgramData\SEAL Systems\config\seal-elasticsearch\elasticsearch.yml"
    
  4. Add the following lines:

    xpack.security.http.ssl.enabled: true
    xpack.security.http.ssl.key: "${ProgramData}/SEAL Systems/config/seal-elasticsearch/key.pem"
    xpack.security.http.ssl.certificate: "${ProgramData}/SEAL Systems/config/seal-elasticsearch/cert.pem"
    
  5. Save the file and exit.

  6. Restart Elasticsearch:

    Restart-Service seal-elasticsearch
    
  7. Copy the certificate of the CA that issued cert.pem (ca.pem) to the following directory:

    "C:\ProgramData\SEAL Systems\config\tls-external"
    

    If Kibana is installed on a different server than the management server, you have to repeat this step on this server.

  8. In an editor, open the kibana.yml configuration file:

    "C:\ProgramData\SEAL Systems\config\kibana.yml"
    
  9. Activate the following lines and specify the server:

    elasticsearch.hosts: [ "https://<management-server>:9200" ]
    elasticsearch.ssl.certificateAuthorities: [ "${ProgramData}/SEAL Systems/config/tls-external/ca.pem" ]
    

    with <management-server>: FQDN of the server on which Elasticsearch is installed. The FQDN must be one of the DNS names in the certificate of Elasticsearch; otherwise Kibana rejects the connection.

  10. Save the file and exit.

  11. Restart Kibana:

    Restart-Service seal-kibana
    
  12. In an editor, open the filebeat.yml configuration file:

    "C:\ProgramData\SEAL Systems\config\filebeat.yml"
    
  13. In the following line, change the URL of the Elasticsearch server from http:// to https://:

    output:
      elasticsearch:
        hosts:
          # - http://localhost:9200
          - "https://localhost:9200"
    

    Filebeat verifies the host name against the certificate of Elasticsearch. Use localhost only if the certificate lists it as a DNS name; otherwise use the FQDN the certificate was issued for.

    all Filebeat installations

    Repeat this step on all servers, on which Filebeat is installed.

  14. Filebeat uses the Windows system certificate store to verify the certificate of Elasticsearch. If the CA certificate has been imported into the Windows certificate store on all servers on which Filebeat is installed, skip this step.

    Otherwise

    1. Copy the ca.pem certificate into the corresponding directory:

      "C:\ProgramData\SEAL Systems\config\tls-external\"
      
    2. Add the path to the CA certificate to the output section:

      output:
        elasticsearch:
          ssl.certificate_authorities: ["C:\\ProgramData\\SEAL Systems\\config\\tls-external\\ca.pem"]
      

    all Filebeat installations

    Repeat this step on all servers, on which Filebeat is installed.

  15. Save the file and exit.

  16. Restart Filebeat:

    Restart-Service seal-filebeat
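
Once Elasticsearch listens on HTTPS, the two things that break Kibana and Filebeat connections in practice are a server certificate that does not chain to the ca.pem you distributed, and a host name (localhost versus FQDN) that the certificate does not cover. The following PowerShell script is an added example, not part of the SEAL documentation or product, that checks both from a client's point of view against the CA file alone, without importing anything into the Windows certificate store. The host name es01.example.internal and the default paths are assumptions; the same function can be pointed at Kibana on port 5601.

```powershell
# Added example (not SEAL code): validate an HTTPS endpoint the way a client would,
# against a specific CA file and a specific host name. Paths and names are assumptions.

function Get-SanDnsNames {
    # DNS names from the Subject Alternative Name extension (OID 2.5.29.17).
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $san = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if (-not $san) { return @() }
    # Windows renders the extension as "DNS Name=a.example, DNS Name=b.example, ..."
    [regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)') |
        ForEach-Object { $_.Groups[1].Value }
}

function Test-HostNameCovered {
    # Exact match, or a wildcard that stands for the left-most label only.
    param([string]$HostName, [string[]]$DnsNames)
    $firstDot = $HostName.IndexOf('.')
    foreach ($name in $DnsNames) {
        if ($name -ieq $HostName) { return $true }
        if ($name.StartsWith('*.') -and $firstDot -gt 0 -and
            $HostName.Substring($firstDot + 1) -ieq $name.Substring(2)) { return $true }
    }
    return $false
}

function Test-SealTlsEndpoint {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [int]$Port = 9200,
        [string]$CaPath = "$env:ProgramData\SEAL Systems\config\tls-external\ca.pem"
    )
    $x509 = 'System.Security.Cryptography.X509Certificates'
    $ca = New-Object "$x509.X509Certificate2" -ArgumentList $CaPath

    # Fetch the server certificate. The handshake callback accepts anything because the
    # chain is evaluated explicitly against ca.pem below, not against the Windows store.
    $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
    $tcp = New-Object System.Net.Sockets.TcpClient -ArgumentList $HostName, $Port
    $ssl = $null
    try {
        $ssl = New-Object System.Net.Security.SslStream -ArgumentList $tcp.GetStream(), $false, $acceptAll
        $ssl.AuthenticateAsClient($HostName)
        $server = New-Object "$x509.X509Certificate2" -ArgumentList $ssl.RemoteCertificate
        $protocol = $ssl.SslProtocol
    } finally {
        if ($ssl) { $ssl.Dispose() }
        $tcp.Close()
    }

    # Build the chain with ca.pem as the only acceptable root. A private CA shows up as
    # UntrustedRoot, which is expected; any other status (expired, wrong usage, ...) is not.
    $chain = New-Object "$x509.X509Chain"
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $chain.ChainPolicy.VerificationFlags = 'AllowUnknownCertificateAuthority'
    [void]$chain.ChainPolicy.ExtraStore.Add($ca)
    [void]$chain.Build($server)
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    $chainsToCa = ($root.Thumbprint -eq $ca.Thumbprint)
    $problems = @($chain.ChainStatus |
        Where-Object { $_.Status -notin 'NoError', 'UntrustedRoot' } |
        ForEach-Object { "$($_.Status)" })

    $dns = @(Get-SanDnsNames -Certificate $server)
    $hostOk = Test-HostNameCovered -HostName $HostName -DnsNames $dns
    [pscustomobject]@{
        Endpoint   = "${HostName}:$Port"
        Subject    = $server.Subject
        NotAfter   = $server.NotAfter
        Protocol   = $protocol
        DnsNames   = $dns
        HostNameOk = $hostOk
        ChainsToCa = $chainsToCa
        Problems   = $problems
        Ok         = ($chainsToCa -and $hostOk -and $problems.Count -eq 0)
    }
}

# Check every name that kibana.yml and filebeat.yml use for Elasticsearch. "localhost"
# only passes if the certificate lists it, which is why the FQDN belongs in those files.
'es01.example.internal', 'localhost' |
    ForEach-Object { Test-SealTlsEndpoint -HostName $_ -Port 9200 } |
    Format-Table Endpoint, HostNameOk, ChainsToCa, Problems, Ok
```

The chain is built with AllowUnknownCertificateAuthority and then the root is compared by thumbprint to ca.pem, so a certificate issued by some other CA that happens to be trusted by Windows still reports ChainsToCa = False; that is the property Kibana and Filebeat rely on when they are configured with an explicit CA file.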
    

Kibana

The SEAL Elastic Stack installation includes a self-signed TLS certificate. Replace this certificate with your own certificate to secure the connection to Kibana.

Hint - certificate as fingerprint

You can pin the auto-generated CA certificate of Elasticsearch in clients such as Filebeat, either by its fingerprint or by copying the certificate file to the client.

For details, see Connect Clients to Elasticsearch.

  1. Get your own TLS certificate:

    • cert.pem

    • key.pem

  2. Copy your TLS certificate to the following directory:

    "C:\ProgramData\SEAL Systems\config\tls-external"
    

    Hint - changing the TLS directory

    We recommend you use a directory different from tls for your customer certificates, e. g. tls-external.

    This allows you to easily switch back to the included certificates for test purposes.

    Also it prevents your certificates from being overwritten during an update.

    Make sure you use the new directory in all SEAL products that use TLS encryption.

  3. In an editor, open the kibana.yml configuration file:

    "C:\ProgramData\SEAL Systems\config\kibana.yml"
    
  4. Find the following commented-out lines:

    # server.ssl.certificate: "C:\ProgramData\SEAL Systems\config\tls\cert.pem"
    # server.ssl.key: "C:\ProgramData\SEAL Systems\config\tls\key.pem"
    
  5. Below them, add the same settings with the directory containing your certificate. Escape the backslashes: in a YAML double-quoted string a single backslash starts an escape sequence, so \t in \tls would be read as a tab and \S in \SEAL as a parse error.

    # server.ssl.certificate: "C:\ProgramData\SEAL Systems\config\tls\cert.pem"
    server.ssl.certificate: "C:\\ProgramData\\SEAL Systems\\config\\tls-external\\cert.pem"
    # server.ssl.key: "C:\ProgramData\SEAL Systems\config\tls\key.pem"
    server.ssl.key: "C:\\ProgramData\\SEAL Systems\\config\\tls-external\\key.pem"
    
  6. Activate server.ssl.enabled, so that the active lines read:

    server.ssl.enabled: true
    server.ssl.certificate: "C:\\ProgramData\\SEAL Systems\\config\\tls-external\\cert.pem"
    server.ssl.key: "C:\\ProgramData\\SEAL Systems\\config\\tls-external\\key.pem"
    
  7. Save the file and exit.

  8. Restart Kibana:

    Restart-Service seal-kibana
    
  9. In Consul set the following key:

    • KIBANA_LINK

      dc/home/env/service/any/tag/plossysadmin/KIBANA_LINK
      

      to

      https://<management-server>:5601/app/kibana
      

      or use a PLOSSYS CLI command:

      plossys config set KIBANA_LINK "https://<management-server>:5601/app/kibana" --service plossysadmin --insecure
      
    • NODE_TLS_REJECT_UNAUTHORIZED

      dc/home/env/service/plossysadmin/tag/any/NODE_TLS_REJECT_UNAUTHORIZED
      

      to 0.

      Note that the value 0 disables certificate verification for every outgoing TLS connection of the plossysadmin service, not only for the connection to Kibana. Use it only while the service cannot verify the Kibana certificate, and prefer a certificate that chains to a CA the service trusts.

      For details on this setting, see NODE_TLS_REJECT_UNAUTHORIZED.


Encrypting the Traffic Between the Browser and Kibana

Literature

For details on securing the HTTPS traffic, see Encrypt Kibana Browser.

Kibana uses three encryption keys: xpack.encryptedSavedObjects.encryptionKey, xpack.reporting.encryptionKey and xpack.security.encryptionKey. We recommend setting all three explicitly. If you do not specify them, Kibana generates random keys at every start, so sessions, reports and encrypted saved objects do not survive a restart of Kibana.

You can

  • specify any key that is at least 32 characters long or

  • use kibana-encryption-keys.bat to create the keys.

    In a new installation, the keys are created automatically by this tool and added to the kibana.yml configuration file.

    After an update, you have to do this manually.

    Create encryption keys for Kibana:

    $env:KBN_PATH_CONF="$env:ProgramData\SEAL Systems\config"; & "$env:ProgramFiles\SEAL Systems\seal-kibana\bin\kibana-encryption-keys.bat" generate
    
    sudo KBN_PATH_CONF=/opt/seal/etc /opt/seal/seal-kibana/bin/kibana-encryption-keys generate
    

    This command only generates keys that do not have a value yet. If you want to renew all encryption keys, add the --force option to the command. Renewing xpack.encryptedSavedObjects.encryptionKey makes existing encrypted saved objects unreadable unless the old key is listed in xpack.encryptedSavedObjects.keyRotation.decryptionOnlyKeys.
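
The behaviour described above (generate only the keys that are still missing, renew all of them on request) is easy to reproduce when kibana.yml is managed by a deployment script rather than by hand. The following PowerShell is an added example, not SEAL's or Kibana's own tooling: it draws each key from the platform CSPRNG and edits kibana.yml idempotently. The file path is an assumption; the three key names are the ones Kibana uses.

```powershell
# Added example (not SEAL's or Kibana's own tooling): generate the three Kibana encryption
# keys from the platform CSPRNG and write only the ones kibana.yml does not define yet,
# mirroring "kibana-encryption-keys generate" (-Force renews all). The path is an assumption.

$script:KibanaEncryptionKeys = @(
    'xpack.encryptedSavedObjects.encryptionKey',
    'xpack.reporting.encryptionKey',
    'xpack.security.encryptionKey'
)

function New-KibanaEncryptionKey {
    # 32 random bytes, hex-encoded: 64 characters, comfortably above the 32-character minimum.
    $bytes = New-Object byte[] 32
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try { $rng.GetBytes($bytes) } finally { $rng.Dispose() }
    ($bytes | ForEach-Object { $_.ToString('x2') }) -join ''
}

function Get-DefinedKibanaKeys {
    # Keys that already have an uncommented, non-empty value in the given kibana.yml lines.
    param([string[]]$Lines)
    $defined = @{}
    foreach ($key in $script:KibanaEncryptionKeys) {
        $pattern = '^\s*' + [regex]::Escape($key) + '\s*:\s*\S'
        if ($Lines | Where-Object { $_ -match $pattern }) { $defined[$key] = $true }
    }
    return $defined
}

function Set-KibanaEncryptionKeys {
    param(
        [string]$Path = "$env:ProgramData\SEAL Systems\config\kibana.yml",
        [switch]$Force
    )
    $lines = @()
    if (Test-Path -Path $Path) { $lines = @(Get-Content -Path $Path) }
    $defined = Get-DefinedKibanaKeys -Lines $lines
    $added = @()
    foreach ($key in $script:KibanaEncryptionKeys) {
        if ($defined.ContainsKey($key)) {
            if (-not $Force) { continue }
            # -Force: keep the old line as a comment so the previous key is not lost.
            $pattern = '^\s*' + [regex]::Escape($key) + '\s*:'
            $lines = @($lines | ForEach-Object { if ($_ -match $pattern) { "# superseded: $_" } else { $_ } })
        }
        $lines += "${key}: $(New-KibanaEncryptionKey)"
        $added += $key
    }
    Set-Content -Path $Path -Value $lines -Encoding UTF8
    return $added   # names of the keys written in this run
}

# First run writes whatever is missing; a second run without -Force returns nothing
# and leaves the file untouched. Restart Kibana afterwards, the keys are read at start.
Set-KibanaEncryptionKeys
```

Hex encoding of 32 random bytes is used because the resulting key contains no characters that need quoting in YAML; a superseded key stays in the file as a comment so that it can be moved into the decryption-only list rather than being lost.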


Commands for the Enrollment Token of Kibana

If you configure Kibana via enrollment token, seal-elasticsearch needs to be running, whereas seal-kibana needs to be stopped.

Then run the following commands and restart the services:

  1. Create a new enrollment token for Kibana:

    $env:ES_PATH_CONF="$env:ProgramData\SEAL Systems\config\seal-elasticsearch"; & "$env:ProgramFiles\SEAL Systems\seal-elasticsearch\bin\elasticsearch-create-enrollment-token.bat" --scope kibana --force
    
  2. Use the new enrollment token:

    $env:KBN_PATH_CONF="$env:ProgramData\SEAL Systems\config"; & "$env:ProgramFiles\SEAL Systems\seal-kibana\bin\kibana-setup.bat" --silent --enrollment-token <enrollment-token>
    
  3. Restart Kibana:

    start-service seal-kibana
    
  4. Restart Filebeat:

    Restart-Service seal-filebeat
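
The four steps above are routinely scripted when Kibana has to be re-enrolled after a certificate change. The following PowerShell function is an added example, not SEAL code: it enforces the preconditions stated at the start of this section (seal-elasticsearch running, seal-kibana stopped), hands the token directly from the first tool to the second instead of through the clipboard, and fails loudly if either tool reports an error. The installation paths are assumptions matching the default directories used on this page.

```powershell
# Added example (not SEAL code): the enrollment-token procedure with its preconditions
# enforced and the token handed directly from one tool to the next. Paths are assumptions.
function Invoke-SealKibanaEnrollment {
    param(
        [string]$EsHome     = "$env:ProgramFiles\SEAL Systems\seal-elasticsearch",
        [string]$KbnHome    = "$env:ProgramFiles\SEAL Systems\seal-kibana",
        [string]$ConfigRoot = "$env:ProgramData\SEAL Systems\config"
    )
    # Preconditions: Elasticsearch issues the token; Kibana must not run while it enrolls.
    if ((Get-Service -Name seal-elasticsearch).Status -ne 'Running') {
        throw 'seal-elasticsearch must be running to create an enrollment token'
    }
    if ((Get-Service -Name seal-kibana).Status -ne 'Stopped') {
        Stop-Service -Name seal-kibana
    }

    $env:ES_PATH_CONF = Join-Path $ConfigRoot 'seal-elasticsearch'
    $tokenTool = Join-Path $EsHome 'bin\elasticsearch-create-enrollment-token.bat'
    $token = ((& $tokenTool --scope kibana --force) -join '').Trim()
    if ($LASTEXITCODE -ne 0 -or -not $token) {
        throw "enrollment token creation failed (exit code $LASTEXITCODE)"
    }

    $env:KBN_PATH_CONF = $ConfigRoot
    $setupTool = Join-Path $KbnHome 'bin\kibana-setup.bat'
    & $setupTool --silent --enrollment-token $token
    if ($LASTEXITCODE -ne 0) { throw "kibana-setup failed (exit code $LASTEXITCODE)" }
    Remove-Variable -Name token   # single-use secret; do not leave it in the session

    Start-Service -Name seal-kibana
    Restart-Service -Name seal-filebeat
}

Invoke-SealKibanaEnrollment
```

The token is captured from the tool's standard output only; anything the tool writes to standard error (warnings about an unconfigured HTTP layer, for instance) is left visible on the console instead of being mistaken for the token.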
    

Hint - Deactivating SSL in SEAL Elastic Stack 8.x

If you switch your Elasticsearch server back from HTTPS to HTTP, you have to change the connection data in kibana.yml and filebeat.yml accordingly.

In this case you cannot use the configuration via enrollment token until you reactivate SSL.


Filebeat

The SEAL Elastic Stack installation includes a self-signed TLS certificate. Replace this certificate with your own certificate to secure the connection to Filebeat.

  1. Get your own TLS certificate:

    • cert.pem

    • key.pem

  2. Copy your TLS certificate to the following directory:

    "C:\ProgramData\SEAL Systems\config\tls-external"
    

    Hint - changing the TLS directory

    We recommend you use a directory different from tls for your customer certificates, e. g. tls-external.

    This allows you to easily switch back to the included certificates for test purposes.

    Also it prevents your certificates from being overwritten during an update.

    Make sure you use the new directory in all SEAL products that use TLS encryption.


Configuring the TLS Encryption in a Cluster

If you run PLOSSYS Output Engine in a cluster, replace the TLS certificate as described above on each PLOSSYS Output Engine server separately.


Specifying a CA Certificate

If a CA certificate has been specified, Filebeat requires a client certificate from each client; the client certificates must be issued by this CA.

Configure a CA certificate as follows:

  1. On the PLOSSYS Output Engine server, open the Filebeat configuration file:

    "C:\ProgramData\SEAL Systems\config\filebeat.yml"
    
  2. Replace the line:

    insecure: true
    

    with the following line (backslashes must be escaped in YAML double-quoted strings):

    certificate_authorities: ["C:\\ProgramData\\SEAL Systems\\config\\tls\\ca.pem"]
    
  3. Save the configuration file.

  4. Restart Filebeat:

    Restart-Service seal-filebeat
    

For details on self-signed certificates, see Self-signed Certificates.

