Hi,
I am trying to configure the Search Guard plugin for our 4-node Elasticsearch cluster.
Basically my goal is to forward logs to Elasticsearch through HTTPS from all the sources, like the Kubernetes, Nginx and Jenkins machines, and also to access Elasticsearch from Kibana through HTTPS.
How many certificates are needed, and what kind of certificates are needed?
We have our own SSL tool to generate certificates. I have created 2 DNS names, one for the nodes and another one for admin (elastic-server.example.com and elastic-client.example.com).
Using our SSL tool I created a total of 4 keys and 2 root certs (elastic-server.example.com.key, elastic-server.example.com.pem, rootca.pem and elastic-client.example.com.key, elastic-client.example.com.pem, rootca-client.pem).
elasticsearch.yml:
searchguard.ssl.transport.pemcert_filepath: /etc/elasticsearch/ssl/elastic-server.example.com.pem
searchguard.ssl.transport.pemkey_filepath: /etc/elasticsearch/ssl/elastic-server.example.com.key
searchguard.ssl.transport.pemtrustedcas_filepath: /etc/elasticsearch/ssl/rootca.pem
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.transport.resolve_hostname: false
searchguard.ssl.http.enabled: true
searchguard.ssl.http.pemcert_filepath: /etc/elasticsearch/ssl/elastic-server.example.com.pem
searchguard.ssl.http.pemkey_filepath: /etc/elasticsearch/ssl/elastic-server.example.com.key
searchguard.ssl.http.pemtrustedcas_filepath: /etc/elasticsearch/ssl/rootca.pem
searchguard.nodes_dn:
- CN=elastic1-0.example.com,OU=Corp,O=example EX, Inc.,DC= example,DC=net
- CN= elastic1-1.example.com,OU=Corp,O=example EX, Inc.,DC= example,DC=net
- CN= elastic1-2.example.com,OU=Corp,O=example EX, Inc.,DC= example,DC=net
- CN= elastic1-3.example.com,OU=Corp,O=example EX, Inc.,DC= example,DC=net
searchguard.authcz.admin_dn:
- CN=elastic-client.example.com,OU=Corp,O= example EX, Inc.,DC= example,DC=net
I am not able to connect to the Elastic cluster from outside through HTTPS, and I am also getting the error below.
./sgadmin.sh -cd …/sgconfig/ -icl -nhnv -cacert /etc/elasticsearch/ssl/root-client.pem -cert /etc/elasticsearch/ssl/elastic-client.example.com.pem -key /etc/elasticsearch/ssl/elastic-client.example.com.key
WARNING: JAVA_HOME not set, will use /bin/java
Search Guard Admin v6
Will connect to localhost:9300 … done
Unable to check whether cluster is sane: Cannot authenticate null
Connected as CN=elastic-client.example.com,OU=IT,O=example,L=ss,ST=wa,C=US
ERR: CN=elastic-client.example.com,OU=IT,O=Example,L=ss,ST=WA,C=US is not an admin user
Seems you use a client certificate but this one is not registered as admin_dn
Make sure elasticsearch.yml on all nodes contains:
searchguard.authcz.admin_dn:
- "CN=elastic-client.example.com,OU=IT,O=example,L=ss,ST=wa,C=US"
The Elasticsearch service is running on all the nodes. Could someone please suggest whether I am following the correct procedure or not? Thanks.
Could someone please give me some idea of what kind of certificates need to be generated for the Elastic cluster, both to access the cluster from outside through HTTPS and for node-to-node communication through HTTPS?
I have installed Elasticsearch and Kibana versions 6.5.4.
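A pre-flight check for the admin_dn mismatch reported by sgadmin above, added here as an example (it is not code from the post or from Search Guard): it parses DN strings into RDN components, rejects an admin_dn entry whose value contains an unescaped comma (as in O=example EX, Inc., which splits into an RDN with no "="), and reports whether the subject shown in the "Connected as" line is registered. The names parse_dn and check_admin_dn are hypothetical helpers, and the normalization they apply (attribute types and values compared case-insensitively, whitespace around "=" and "," ignored) is an assumption to verify against the Search Guard version in use.

```python
# Added example (not Search Guard's code): pre-flight check of a client cert
# subject against searchguard.authcz.admin_dn. The DN normalization below is an
# assumption; verify it against your Search Guard version.

def parse_dn(dn):
    """Split an RFC 4514 style DN into normalized (type, value) pairs.
    A backslash escapes the next char ('O=example EX\\, Inc.' stays one RDN); an
    RDN without '=' (an unescaped comma inside a value) raises ValueError."""
    rdns, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):  # escaped character: keep it literally
            buf.append(dn[i + 1])
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    rdns.append("".join(buf))
    pairs = []
    for rdn in rdns:
        if "=" not in rdn:
            raise ValueError(f"malformed RDN {rdn.strip()!r}: unescaped comma in a value?")
        attr_type, value = rdn.split("=", 1)
        # Assumed: types and values compare case-insensitively with surrounding
        # whitespace ignored, so 'DC= example' equals 'dc=example'.
        pairs.append((attr_type.strip().lower(), " ".join(value.split()).lower()))
    return pairs


def check_admin_dn(cert_subject, admin_dns):
    """Return (ok, message): is cert_subject one of the configured admin_dn entries?"""
    for entry in admin_dns:
        try:
            parse_dn(entry)
        except ValueError as exc:
            return False, f"admin_dn entry {entry!r} is unusable: {exc}"
    if any(parse_dn(entry) == parse_dn(cert_subject) for entry in admin_dns):
        return True, "certificate subject is registered as admin_dn"
    return False, f"{cert_subject} is not an admin user (no admin_dn entry matches)"


if __name__ == "__main__":
    # Values from the post: the subject sgadmin connected as, and the yml admin_dn line.
    subject = "CN=elastic-client.example.com,OU=IT,O=example,L=ss,ST=wa,C=US"
    print(check_admin_dn(subject, ["CN=elastic-client.example.com,OU=Corp,O= example EX, Inc.,DC= example,DC=net"]))
```

Run it with the subject printed in the "Connected as" line before re-running sgadmin; the admin_dn entry from the post fails the parse because of the unescaped comma in O=example EX, Inc., independent of the OU/O/DC values not matching the certificate.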