Elasticsearch 8 Security Tutorial - Configuring SSL, TLS, and HTTPS

In previous tutorials we configured security for elasticsearch by setting the password. As data security becomes paramount, it is crucial to configure Elasticsearch with SSL/TLS encryption and enable HTTPS for secure communication. This comprehensive tutorial will guide you through the process of setting up SSL/TLS encryption, generating digital certificates, and enabling HTTPS, ensuring the utmost security for your Elasticsearch deployment. By following this tutorial, you will gain the necessary skills to protect your sensitive data and successfully implement essential security measures in your Elasticsearch infrastructure.

Elasticsearch 8 Security Tutorials
Elasticsearch 8 Security Tutorial - Set password
Elasticsearch 8 Security Tutorial - Configuring SSL, TLS, and HTTPS 
Elasticsearch 8 Security Tutorial - Store credentials using keystore
Elasticsearch 8 Tutorial - Configuring Elasticsearch and Kibana with Credentials and SSL
Elasticsearch 8 Tutorial - Integrate Azure AD OIDC in Elasticsearch and Kibana
Elasticsearch 8 Tutorial - Configuring Elasticsearch SSL/HTTPS with CA issued Digital Certificate

Implementation

Elasticsearch has two levels of communications, transport communications and http communications. We will look at the security of the two levels of communications in detail.

Create and use PKCS12 certificate for http communications

Http communication is the communication between elasticsearch and various clients like browser, postman, spring boot client applications.

We will be using the elasticsearch-certutil command for the creation of certificates. This tool assists you in the generation of X.509 certificates and certificate signing requests for use with SSL/TLS in the Elastic stack.

• Generate new certificate authority
  

  elasticsearch-certutil ca
  

  The 'ca' mode generates a new 'certificate authority' This will create a new X.509 certificate and private key that can be used to sign certificate when running in 'cert' mode.
  
  
• Generate X.509 certificate
  We make use of the above created certificate authority to generate the certificate.

  elasticsearch-certutil cert --ca elastic-stack-ca.p12
  

The 'cert' mode generates X.509 certificate and private keys. By default, this generates a single certificate and key for use on a single instance.

Copy the elastic-certificates.p12 to the elasticsearch config folder. Modify the elasticsearch.yml as follows -

# configure https
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.type: PKCS12
xpack.security.http.ssl.keystore.path: elastic-certificates.p12
xpack.security.http.ssl.keystore.password: javainuse

Open the command prompt as an admin. Go to the elasticsearch bin folder and type the following command

elasticsearch.bat

If we now go to https://localhost:9200 we can access elasticsearch cluster.

SSL Certificate setting

We may want to controls the server's behavior in regard to requesting a certificate from client connections. We may want to make it compulsory for the client to provide a certificate if it wants to access the elasticsearch cluster. Without certificate the client will not be able to access the elasticsearch cluster. In the current elasticsearch configuration we have not specified any client certificate requirement. So currently client can access the elasticsearch without providing any certificate.

xpack.security.http.ssl.client_authentication

Valid values are required, optional, and none. required forces a client to present a certificate, while optional requests a client certificate but the client is not required to present one. Defaults to none.
Modify the elasticsearch.yml as follows -

# configure https
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.type: PKCS12
xpack.security.http.ssl.keystore.path: elastic-certificates.p12
xpack.security.http.ssl.keystore.password: javainuse
xpack.security.http.ssl.client_authentication: required

If we now try to access https://localhost:9200 using the browser we cannot and get the error as follows

So the client will need to provide the certificate and only then it will be able to access the elasticsearch cluster. To do this we make use of Postman as the client. We configure the certificate in the Postman settings.

If we now access elasticsearch - https://localhost:9200 using Postman we will be able to access it.

Configure TLS for Elasticsearch

The transport protocol is used for internal communications between Elasticsearch nodes.

We will be configuring TLS for elasticsearch as follows -

# configure https
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.type: PKCS12
xpack.security.http.ssl.keystore.path: elastic-certificates.p12
xpack.security.http.ssl.keystore.password: javainuse
xpack.security.http.ssl.client_authentication: required

# configure tls
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.keystore.type: PKCS12
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.keystore.password: javainuse
xpack.security.transport.ssl.client_authentication: required

So now any node that needs to join the elasticsearch cluster will need to be configured using the PKCS12 certificate i.e. elastic-certificates.p12.