I am using Elasticsearch & Kibana OSS distributions with Search Guard plugins (ELK 7.0.1).
Within the cluster, when Kibana talks to Elasticsearch, we do not want TLS.
Is there a way to disable node-to-node encryption and TLS while still having authentication for elasticsearch?
If yes, could you please help me with the required configurations for this?
No, TLS on the transport layer is one of the main building blocks of the Search Guard security architecture and thus cannot be disabled. Disabling inter-node TLS would open the Elasticsearch cluster to all sorts of attack scenarios.
It would be really helpful for us to understand what your concerns are regarding inter-node TLS. Why don’t you want to enable it for your use case?
I have the same problem as shivani.aggarwal2195: while using TLS, we happen to get a ‘javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure’, which causes nodes to be lost, and then the cluster becomes unstable. Is that a bug or some other problem? We just want to use basic auth, so is there any way to fix this problem? A similar error is described at ‘http://xwiz.cn/2018-05-09-java-ssl-ciphersuite’. Expecting your reply.
Thank you so much for your replies. We did use the TLS offline tool to generate certificates, Search Guard has also taken effect, and the cluster also runs well, but this problem appears occasionally, maybe once a day or once every two days. The trace is like below:
So if you have used the TLS tool, and the cluster also runs fine, and the exception only happens every one or two days, I think it cannot be a general configuration problem. If it were, you would see more exceptions, most probably already on node startup.
My best guess at the moment is that this is due to network issues, probably latency or a timeout. See also here:
Do you see any load spikes on the machine(s) when this happens? Any network issues?
Yes, some ‘ping Time_out’ did occur at that time, but after removing SG, the cluster has had no problems so far, so we think that if TLS has some potential problems, short-lived network issues may cause a serious problem. We will also study the suggestions above. A temporary solution is using SG without TLS and only using basic auth; any suggestions?
This suggests that your cluster/network is probably already working at its limits? TLS adds some performance overhead of course; the amount varies depending on your machines (e.g. hardware support for encryption or not) and the chosen ciphers and encryption algorithms. It’s probably anywhere between 5% and 15%.
As with other security solutions for ES, TLS on the transport layer is a central point in the security infrastructure and cannot be turned off.