How to Configure SearchGuard on Elasticsearch Cluster

Hi,

I have installed Elasticsearch, Kibana and SearchGuard version 6.5.4 on a 4 node cluster.

I have created 2 keystore and truststore JKS files, one for nodes and one for admin, using some offline tool (if my understanding is correct).

Placed all 4 certificates on all 4 nodes under the /etc/elasticsearch/ssl directory:

-rw-r-----. 1 root elasticsearch 1573 Jan 30 17:55 elastic.server.truststore.jks
-rw-r-----. 1 root elasticsearch 6773 Jan 30 17:55 elastic.server.keystore.jks
-rw-r-----. 1 root elasticsearch 1573 Jan 30 17:55 elastic.client.truststore.jks
-rw-r-----. 1 root elasticsearch 6773 Jan 30 17:55 elastic.client.keystore.jks


Here is the elasticsearch.yml configuration:

searchguard.ssl.transport.keystore_filepath: /etc/elasticsearch/ssl/elastic.server.keystore.jks
searchguard.ssl.transport.keystore_password: changeme
searchguard.ssl.transport.truststore_filepath: /etc/elasticsearch/ssl/elastic.server.truststore.jks
searchguard.ssl.transport.truststore_password: changeme
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.http.enabled: true
searchguard.ssl.http.keystore_filepath: /etc/elasticsearch/ssl/elastic.server.keystore.jks
searchguard.ssl.http.keystore_password: changeme
searchguard.ssl.http.truststore_filepath: /etc/elasticsearch/ssl/elastic.server.truststore.jks
searchguard.ssl.http.truststore_password: changeme
searchguard.nodes_dn:
- CN=elasticnonprod-0.vpc.example.net,OU=Corp,O= example, Inc.,DC= example,DC=net
- CN=elasticnonprod-1.vpc. example.net,OU=Corp,O= example, Inc.,DC= example,DC=net
- CN=elasticnonprod-2.vpc. example.net,OU=Corp,O= example, Inc.,DC= example,DC=net
- CN=elasticnonprod-3.vpc. example.net,OU=Corp,O= example, Inc.,DC= example,DC=net
searchguard.authcz.admin_dn:
- CN=nonprod-elastic-client.vpc. example.net,OU=Corp,O= example, Inc.,DC= example,DC=net

Whatever I have provided in the admin section, is it correct? How does it work? I have the client keys placed in the ssl folder; are those going to be used if I want to access through admin?

searchguard.authcz.admin_dn:
- CN=nonprod-elastic-client.vpc. example.net,OU=Corp,O= example, Inc.,DC= example,DC=net

What changes need to be done from Kibana to access Elasticsearch? Do I need to place the admin/client keystore and truststore on the Kibana server and access it that way?

I have multiple sources to get logs into Elasticsearch, like Kubernetes, Nginx, Kafka and so on. Do I need to place the client keystore and truststore everywhere to access Elasticsearch and push logs?

The filepath that you have mentioned should be relative to the config folder in Elasticsearch:

searchguard.ssl.transport.keystore_filepath: /etc/elasticsearch/ssl/elastic.server.keystore.jks

So the above should be like:

searchguard.ssl.transport.keystore_filepath: …/ssl/elastic.server.keystore.jks

In all places where you mention certificates, it should be a relative path to the config folder.


On Thursday, January 31, 2019 at 3:09:12 AM UTC+5:30, Krishna G wrote:


Thanks, that works.


On Thursday, January 31, 2019 at 1:07:59 AM UTC-8, Kasinaat Selvi Sukesh wrote:


On Thursday, January 31, 2019 at 3:09:12 AM UTC+5:30, Krishna G wrote:

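As an added example, not written by either poster in this thread, here is a small Python audit of the elasticsearch.yml settings discussed above: it flags the absolute keystore paths the reply corrects, the placeholder passwords, disabled transport hostname verification, and an admin DN that also appears in nodes_dn. The YAML sample is constructed (the overlapping admin DN is deliberate), the config directory /etc/elasticsearch is an assumption, and the checks are ours, not Search Guard's own tooling.

```python
"""Audit Search Guard TLS settings from an elasticsearch.yml snippet (added example)."""
import os

# Constructed sample modelled on the thread's config; the admin DN reusing a node DN is deliberate.
SAMPLE_YML = """\
searchguard.ssl.transport.keystore_filepath: /etc/elasticsearch/ssl/elastic.server.keystore.jks
searchguard.ssl.transport.keystore_password: changeme
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.nodes_dn:
- CN=node-0.example.net,OU=Corp,O=Example,DC=example,DC=net
- CN=node-1.example.net,OU=Corp,O=Example,DC=example,DC=net
searchguard.authcz.admin_dn:
- CN=node-0.example.net,OU=Corp,O=Example,DC=example,DC=net
"""

def parse_flat_yaml(text):
    """Parse the flat 'key: value' / '- item' subset these settings use (no PyYAML needed)."""
    settings, list_key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("- ") and list_key is not None:
            settings[list_key].append(line[2:].strip())
        else:
            key, _, value = line.partition(":")
            key, value = key.strip(), value.strip()
            settings[key] = value or []        # a bare 'key:' line starts a list
            list_key = None if value else key
    return settings

def to_config_relative(path, config_dir="/etc/elasticsearch"):
    """Rewrite an absolute keystore path relative to the (assumed) ES config directory."""
    return os.path.relpath(path, config_dir) if os.path.isabs(path) else path

def audit(settings, weak_passwords=("changeme",)):
    """Return the findings a reviewer would raise; an empty list means none of these checks fired."""
    findings = []
    for key, value in settings.items():
        if key.endswith("_filepath") and os.path.isabs(value):
            findings.append(f"{key}: documented as relative to config/, use {to_config_relative(value)}")
        if key.endswith("_password") and value in weak_passwords:
            findings.append(f"{key}: placeholder password still in use")
    if settings.get("searchguard.ssl.transport.enforce_hostname_verification") == "false":
        findings.append("transport hostname verification is off: a node cert is accepted from any host")
    node_dns = set(settings.get("searchguard.nodes_dn", []))
    for dn in settings.get("searchguard.authcz.admin_dn", []):
        if dn in node_dns:
            findings.append(f"admin_dn reuses a node DN ({dn}): admin certs must not be node certs")
    return findings
```

Running `audit(parse_flat_yaml(SAMPLE_YML))` on the constructed sample returns four findings; pointing it at a real elasticsearch.yml is a quick pre-flight before restarting the nodes.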