

Elasticsearch 8 Tutorial - Configuring Elasticsearch and Kibana with Credentials and SSL | JavaInUse


In this tutorial, we will look at the process of setting up Elasticsearch 8 and Kibana with proper security measures, including user authentication and SSL encryption. This configuration ensures that your Elastic Stack is protected against unauthorized access and that data transmission is secure. In the next tutorial, we will modify this example further to integrate Azure AD OIDC in Elasticsearch and Kibana.

Elasticsearch 8 Security Tutorials

  • Elasticsearch 8 Security Tutorial - Set password
  • Elasticsearch 8 Security Tutorial - Configuring SSL, TLS, and HTTPS
  • Elasticsearch 8 Security Tutorial - Store credentials using keystore
  • Elasticsearch 8 Tutorial - Configuring Elasticsearch and Kibana with Credentials and SSL
  • Elasticsearch 8 Tutorial - Integrate Azure AD OIDC in Elasticsearch and Kibana
  • Elasticsearch 8 Tutorial - Configuring Elasticsearch SSL/HTTPS with CA issued Digital Certificate


Explanation

Certificate Authorities (CAs) like Comodo, DigiCert, and Let's Encrypt are trusted organizations that issue digital certificates (.crt) and private keys (.key) after verifying the identity of website owners. These certificates enable secure SSL/TLS connections between clients and servers, ensuring encrypted data transmission and authenticity through a handshake process where the server presents its CA-verified certificate to establish a trusted connection.
We will use the CA tooling provided by Elasticsearch to generate the digital certificates (.crt) and private keys (.key) for Elasticsearch and Kibana.





Explanation of the handshake process:

SSL/TLS Handshake Flow: Browser, Kibana, and Elasticsearch

1. Browser to Kibana Handshake

  1. Browser initiates connection to Kibana (Client Hello)
  2. Kibana responds with Server Hello and sends its certificate (kibana.crt)
  3. Kibana proves its identity:
    • Creates a summary of all handshake messages so far
    • Signs this summary with its private key (kibana.key)
    • Sends the signed summary to Browser
  4. Browser verifies the signature using Kibana's public key (from kibana.crt)
  5. If signature is valid, Browser confirms it's talking to the real Kibana
  6. Browser generates a pre-master secret
  7. Browser encrypts the pre-master secret with Kibana's public key
  8. Browser sends the encrypted pre-master secret to Kibana
  9. Kibana decrypts the pre-master secret using its private key
  10. Both Browser and Kibana independently generate session keys from the pre-master secret
  11. They exchange "Finished" messages to establish a secure connection

2. Kibana to Elasticsearch Handshake

  1. Kibana initiates connection to Elasticsearch (Client Hello)
  2. Elasticsearch responds with Server Hello and sends its certificate (elastic.crt)
  3. Elasticsearch proves its identity:
    • Creates a summary of all handshake messages so far
    • Signs this summary with its private key (elastic.key)
    • Sends the signed summary to Kibana
  4. Kibana verifies the signature using Elasticsearch's public key (from elastic.crt)
  5. If signature is valid, Kibana confirms it's talking to the real Elasticsearch
  6. Kibana generates a pre-master secret
  7. Kibana encrypts the pre-master secret with Elasticsearch's public key
  8. Kibana sends the encrypted pre-master secret to Elasticsearch
  9. Elasticsearch decrypts the pre-master secret using its private key
  10. Both Kibana and Elasticsearch independently generate session keys from the pre-master secret
  11. They exchange "Finished" messages to establish a secure connection

3. Secure Communication

  • Browser sends HTTPS requests to Kibana
  • Kibana forwards HTTPS requests to Elasticsearch
  • Elasticsearch sends HTTPS responses to Kibana
  • Kibana forwards HTTPS responses to Browser
  • All communication is encrypted in transit on each hop (Browser to Kibana, Kibana to Elasticsearch) using the session keys established for that connection

Key Points:

  • Private keys (kibana.key and elastic.key) are used for decryption and signing
  • Public keys (from certificates) are used for encryption and signature verification
  • Pre-master secrets are used to generate session keys for ongoing encrypted communication
  • The process ensures authentication of servers and secure key exchange

Prerequisites

Step 1: Initial Elasticsearch Setup

  1. Unzip the Elasticsearch installation.
  2. Navigate to the bin folder and start Elasticsearch by running elasticsearch.bat
  3. Access https://localhost:9200. You'll be prompted for credentials:
    • Username: elastic
    • Password: (found in the command line console when Elasticsearch starts)

Note: By default, Elasticsearch creates http.p12, http_ca.crt, and transport.p12 for us.

Step 2: Reset Passwords

Reset passwords for the elastic and kibana users:


.\elasticsearch-reset-password -u elastic --interactive
.\elasticsearch-reset-password -u kibana --interactive

Set both passwords to their respective usernames for this tutorial.

Step 3: Create SSL Certificates

  1. Create a Certificate Authority (CA):
    .\elasticsearch-certutil ca --pem
    

    This generates ca.crt and ca.key.

  2. Create Elasticsearch certificate:
    .\elasticsearch-certutil cert --name elastic --ca-cert D:\elk\ad\elasticsearch-8.15.2\config\certs\ca\ca.crt --ca-key D:\elk\ad\elasticsearch-8.15.2\config\certs\ca\ca.key --dns javainuse.com --pem
    

    This creates elastic.crt and elastic.key.

  3. Create Kibana certificate:
    .\elasticsearch-certutil cert --name kibana --ca-cert D:\elk\ad\elasticsearch-8.15.2\config\certs\ca\ca.crt --ca-key D:\elk\ad\elasticsearch-8.15.2\config\certs\ca\ca.key --dns javainuse.com --pem
    

    This creates kibana.crt and kibana.key.

Step 4: Configure Elasticsearch

Modify the elasticsearch.yml configuration file:

# Enable security features
xpack.security.enabled: true
xpack.security.enrollment.enabled: true

xpack.security.http.ssl:
  enabled: true
  certificate: certs/elastic/elastic.crt
  key: certs/elastic/elastic.key

cluster.initial_master_nodes: ["LAPTOP-0ELSI3NO"]
http.host: 0.0.0.0

Start Elasticsearch. Access https://localhost:9200 and enter the credentials (elastic/elastic).

Step 5: Configure Kibana

Modify the Kibana configuration file:

server.host: "0.0.0.0"
server.ssl.enabled: true
server.ssl.certificate: D:\elk\ad\elasticsearch-8.15.2\config\certs\kibana\kibana.crt
server.ssl.key: D:\elk\ad\elasticsearch-8.15.2\config\certs\kibana\kibana.key
elasticsearch.ssl.verificationMode: none
elasticsearch.hosts: ["https://127.0.0.1:9200"]
elasticsearch.username: "kibana"
elasticsearch.password: "kibana"

Start Kibana. Access https://localhost:5601 and enter the elastic user credentials.
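
Step 5 sets elasticsearch.ssl.verificationMode to none, so Kibana does not check the certificate Elasticsearch presents, and steps 4 and 5 of the Kibana to Elasticsearch handshake described earlier do not take place. The kibana.yml fragment below is an added example, not part of the original tutorial, that turns verification back on with the ca.crt from Step 3; the CA path assumes the directory layout used in the certutil commands above.

```yaml
# kibana.yml: Kibana-to-Elasticsearch connection (added example)

# Setting from Step 5. Any certificate is accepted, including one
# presented by a host that is not the real Elasticsearch node.
# elasticsearch.ssl.verificationMode: none

# Trust only certificates signed by the CA created in Step 3.
# Single quotes keep the Windows backslashes literal in YAML.
# The path is an assumption based on the --ca-cert argument in Step 3.
elasticsearch.ssl.certificateAuthorities: ['D:\elk\ad\elasticsearch-8.15.2\config\certs\ca\ca.crt']

# "certificate" verifies that elastic.crt chains to the CA above but
# does not compare the hostname. It is used here because elastic.crt
# was issued with --dns javainuse.com only, while Kibana connects to
# 127.0.0.1, so a hostname check would fail.
elasticsearch.ssl.verificationMode: certificate
elasticsearch.hosts: ["https://127.0.0.1:9200"]

# Stricter alternative: "full" (Kibana's default) also checks that the
# host in elasticsearch.hosts matches a name in the certificate.
# Either connect by a name that is in the certificate (this assumes
# javainuse.com resolves to the Elasticsearch node):
#   elasticsearch.hosts: ["https://javainuse.com:9200"]
#   elasticsearch.ssl.verificationMode: full
# or reissue elastic.crt in Step 3 with an extra --ip 127.0.0.1 argument
# so the address Kibana connects to is listed in the certificate.
```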



Conclusion

You have now successfully set up Elasticsearch and Kibana with proper security measures, including user authentication and SSL encryption. This configuration ensures that your Elastic Stack is protected against unauthorized access and that data transmission is secure.

Remember to keep your certificates and passwords safe, and consider implementing more advanced security measures for production environments.