SSL Certificate in Elasticsearch
To configure SSL Certificate in Elasticsearch, the following certificates are
needed:
- CA Certificate
- Admin Certificate
- Node Certificate
Prerequisites:
To configure SSL in elasticsearch, CA Certificate and CA Key is mandatory
Note
Contact your organization for a third-party CA Certificate and CA Key, or use the steps below to generate an SSL Certificate.
To run Openssl, go to extracted path and run exe file as an Administrator
Example :C:\Users\Administrator\Downloads\openssl-1.1.1j-dev\openssl-1.1\x64\bin\openssl.exe
Steps to generate self-signed CA Certificate
- To generate a private key using the
genrsa
command. As the name suggests, you should keep this file private. - Private keys need to be of sufficient length in order to be secure, so specify
2048
:
openssl genrsa -out root-ca-key.pem 2048
If desired, add the -aes256
option to encrypt the key using the AES-256 standard. This option requires a password.
3. Next, use the key to generate a self-signed certificate for the root CA:
openssl req -new -x509 -sha256 -key root-ca-key.pem -out root-ca.pem
* The `-x509` option specifies that you want a self-signed certificate rather than a certificate request.
* The `-sha256` option sets the hash algorithm to SHA-256. SHA-256 is the default in newer versions of OpenSSL,
but older versions might use SHA-1.
* Optionally, add` -days 3650` (10 years) or some other number of days to set an expiration date.
- Specify details for your organization as prompted. Together, these details form the Distinguished Name (DN) of your CA.
Steps to generate self-signed Admin certificates:
Run the following commands to generate certificates. Once the certificates are generated, you can find those certificates inside the bin folder.
(Eg: C:\Users\Administrator\Downloads\openssl-1.1.1j-dev\openssl-1.1\x64\bin)
-
To Generate Admin/Node certificate
openssl> genrsa -out admin-key-temp.pem 2048
openssl> pkcs8 -inform PEM -outform PEM -in admin-key-temp.pem -topk8 -nocrypt -v1 PBE-SHA1-3DES -out admin-key.pem
-
To Generate csr file from admin-key.pem file
openssl> req -new -key adminkey.pem -out admin.csr
-
To Generate admin.pem file
openssl> x509 -req -in admin.csr -CA root-ca.pem -CAkey root-ca-key.pem -CAcreateserial -sha256 -out admin.pem
Note:
root-ca.pem - You can use your CA cert or rename your CA cert file to
root-ca.pem
root-ca-key - You can use your CA key file or rename your CA key file to
root-ca-key.pem
-
Using the following command you can find DN
openssl>x509 -subject -nameopt RFC2253 -noout -in admin.pem
Example : subject= CN=node1.example.com,OU=UNIT,O=ORG,L=TORONTO,ST=ONTARIO,C=CA
Note : You can configure the above DN value in elasticsearch.yml
Example : Opendistro_security.authcz.admin_dn:
-CN=node1.example.com,OU=UNIT,O=ORG,L=TORONTO,ST=ONTARIO,C=CA
-
Copy all generated certificates [admin.pem, admin-key.pem] to
C:\SearchBloxServer\elasticsearch\config
. -
Provide full permissions for certificates in
C:\SearchBloxServer\elasticsearch\config
Note:
Right click on PEM file-properties-security-edit(give full permissions)
- Go to
C:\SearchBloxServer\elasticsearch\config
and editelasticsearch.yml
and make
sure the pem certificate names are properly given.
Example:
opendistro_security.ssl.transport.pemcert_filepath: admin.pem
opendistro_security.ssl.transport.pemkey_filepath: admin_key.pem
opendistro_security.ssl.transport.pemtrustedcas_filepath: root-ca.pem
opendistro_security.ssl.transport.enforce_hostname_verification: false
opendistro_security.ssl.http.enabled: true
opendistro_security.ssl.http.pemcert_filepath: admin.pem
opendistro_security.ssl.http.pemkey_filepath: admin_key.pem
opendistro_security.ssl.http.pemtrustedcas_filepath: root-ca.pem
opendistro_security.allow_unsafe_democetificates: false
opendistro_security.allow_default_init_securiotyindex: true
opendistro_security.authcz.admin_dn:
-CN=elastic,OU=it,O=searchblox,L=V, C=US
opendistro_security.nodes_dn:
-CN=node1.test.com,OU=dev,O=searchblox,L=chennai,ST=tamilnadu,C=in
-
Restart the OpenDistro Elasticsearch service and check for SSL updates.
-
To Check cluster health
https://localhost:9200/_cluster/health?pretty
-
Open command prompt and navigate to
C:\SearchBloxServer\elasticsearch\plugins\opendistro_security\tools
and run the following
command to initialize the security plugins:
securityadmin.bat -cd ../securityconfig/ -icl -nhnv -cacert ../../../config/root-ca.pem -cert ../../../config/admin.pem -key ../../../config/admin-key.pem
-
Start searchblox service.
Updated about 3 years ago