searchguard.ssl.transport.enabled must be set to 'true'

I am using ES 5.0.2 and SG 5.0.2-11.

I am installing Search Guard for security purpose. I am trying to skip configuring transport layer security but got error message searchguard.ssl.transport.enabled must be set to ‘true’. I don’t think it necessary for me to make transport layer secure, because our system only uses HTTP to communicate with ES cluster. Transport layer is only used between ES nodes.

We decide to disable 9300 ports from outside of cluster. So any communication with ES cluster is always through HTTP, and HTTP is secured by SG. Clients can not use transport protocol, because it’s blocked by iptables. In this way, ES cluster is secure enough even if transport layer SSL is disabled.

So the question is:

  1. Is it secure when I disable transport layer SSL and block 9300 ports?

  2. How to disable transport layer SSL?

https://groups.google.com/forum/#!topic/search-guard/TBV7XHLNrf8

···

On Tuesday, 28 February 2017 08:57:08 UTC+1, pc c wrote:

I am using ES 5.0.2 and SG 5.0.2-11.

I am installing Search Guard for security purpose. I am trying to skip configuring transport layer security but got error message searchguard.ssl.transport.enabled must be set to ‘true’. I don’t think it necessary for me to make transport layer secure, because our system only uses HTTP to communicate with ES cluster. Transport layer is only used between ES nodes.

We decide to disable 9300 ports from outside of cluster. So any communication with ES cluster is always through HTTP, and HTTP is secured by SG. Clients can not use transport protocol, because it’s blocked by iptables. In this way, ES cluster is secure enough even if transport layer SSL is disabled.

So the question is:

  1. Is it secure when I disable transport layer SSL and block 9300 ports?
  1. How to disable transport layer SSL?