How to enable https using keystore between ES/SG and Kibana instead of PEM using demo script!

I have installed
SG 5.6.3-16
ES 5.6.3
on one server.

Kibana and Logstash on another server.

Logstash is using https with truststore.jks from the demo install with Search Guard and logs look good and

Kibana on another server is configured using this article: https://github.com/floragunncom/search-guard-docs/blob/master/kibana.md

However I am not sure Kibana is using SSL/TLS, how can I verify that?
I see in the article I can provide root CA in PEM format!
Can I provide it in truststore.jks like I did with Logstash?

So the idea is self-signed certs with the demo script, and to have all communication secure between servers in the POC.

Then replace all self-signed with PKI from our infrastructure.

I am close but not certain about Kibana and Elasticsearch communication security!

So my question is about the following settings: can I insert the JKS from the demo scripts in the Kibana config instead of PEM?

Optional settings that provide the paths to the PEM-format SSL certificate and key files.

These files validate that your Elasticsearch backend uses the same key files.

#elasticsearch.ssl.certificate: /path/to/your/client.crt
#elasticsearch.ssl.key: /path/to/your/client.key

Optional setting that enables you to specify a path to the PEM file for the certificate authority for your Elasticsearch instance.

#elasticsearch.ssl.certificateAuthorities: [ "/path/to/your/CA.pem" ]

So, just to make sure I understood correctly: You want to make sure / be certain that the communication between Kibana and Elastic is TLS secured, is that correct?

So if you followed the docs, then you already enabled HTTPS on Elasticsearch side by adding:

searchguard.ssl.http.enabled: true

to elasticsearch.yml. This makes sure that ES does not accept plain HTTP calls anymore.

Second, you’ve set your ES url to HTTPS in kibana.yml like:

elasticsearch.url: "https://:9200"

This makes sure KI uses HTTPS to talk to ES. If Kibana used plain HTTP, you would see error messages in the ES log and Kibana would not start.

You can further decide whether to check the certs that ES uses, by validating them against the root cert.

For that, instead of

elasticsearch.ssl.verificationMode: none

use either “certificate” or “full”. Certificate validates the cert (only), and full does hostname verification in addition.

For this to work you need to configure the root CA in kibana.yml:

elasticsearch.ssl.certificateAuthorities: [ "/path/to/your/CA.pem" ]

Only PEM is supported, but you can always export certificates in PEM from your truststore.

These keys here:

elasticsearch.ssl.certificate: /path/to/your/client.crt
elasticsearch.ssl.key: /path/to/your/client.key

work the other way round: If you set these, Kibana sends a certificate to ES with every call, which would then get validated by ES / SG.
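
One way to act on the reply above, as an added example that is not part of the original thread: export the root CA from the JKS truststore to PEM with keytool, then audit kibana.yml for the settings the reply walks through. The function names, host name and file paths are assumptions; the truststore alias and password depend on your install.

```shell
#!/bin/sh
# Added example, not from the thread. Paths, alias and host name are placeholders.

# Export one trusted certificate from a JKS truststore as PEM. keytool ships
# with the JDK and prompts for the store password.
# $1 = truststore.jks, $2 = alias (see: keytool -list -keystore "$1"), $3 = output PEM
export_ca_pem() {
  keytool -exportcert -rfc -keystore "$1" -alias "$2" -file "$3"
}

# Print the value of an uncommented top-level key ($1 = kibana.yml, $2 = key).
yml_value() {
  awk -v k="$2:" 'index($0, k) == 1 { v = substr($0, length(k) + 1) }
    END { gsub(/^[ \t]+|[ \t\r]+$/, "", v); print v }' "$1"
}

# Audit the Kibana -> Elasticsearch TLS settings ($1 = kibana.yml).
# Prints one finding per line and returns non-zero if there are any.
audit_kibana_tls() {
  rc=0
  url=$(yml_value "$1" elasticsearch.url | tr -d "\"'")
  mode=$(yml_value "$1" elasticsearch.ssl.verificationMode | tr -d "\"'")
  cas=$(yml_value "$1" elasticsearch.ssl.certificateAuthorities | tr -d "[]\"'" | tr ',' ' ')
  case "$url" in
    https://*) ;;
    *) echo "elasticsearch.url is not an https:// URL"; rc=1 ;;
  esac
  if [ "$mode" = "none" ]; then
    echo "verificationMode is none: the Elasticsearch certificate is not checked"; rc=1
  fi
  [ -n "$cas" ] || { echo "certificateAuthorities is not set"; rc=1; }
  for ca in $cas; do
    # Kibana reads PEM only; a binary JKS file has no PEM header.
    if ! grep -q -e '-----BEGIN CERTIFICATE-----' "$ca" 2>/dev/null; then
      echo "$ca is missing or not a PEM certificate"; rc=1
    fi
  done
  return "$rc"
}

# Constructed sample: HTTPS is on, but the server certificate is never verified.
sample=$(mktemp)
printf '%s\n' 'elasticsearch.url: "https://es.example.internal:9200"' \
  'elasticsearch.ssl.verificationMode: none' > "$sample"
audit_kibana_tls "$sample" || echo "kibana.yml needs attention"
rm -f "$sample"
```

Run `export_ca_pem` once per CA alias in the truststore, point `elasticsearch.ssl.certificateAuthorities` at the resulting PEM file, and rerun the audit. CA paths containing spaces are not handled by this sketch.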


On Thursday, November 2, 2017 at 4:32:51 PM UTC-7, Ben Fallah wrote:
