Now that we’ve generated a certificate authority and certificates, let’s update the cluster to use these files.
When you enable Elasticsearch security features, unless you have a trial license, you must use Transport Layer Security (TLS) to encrypt internode communication. By following the steps in this tutorial tutorial, you learn how to meet the minimum requirements to pass the TLS bootstrap check.
(Optional) Name the cluster.
For example, add the cluster.name setting in the
ES_PATH_CONFenvironment variable contains the path for the Elasticsearch configuration files. If you installed Elasticsearch using archive distributions (
tar.gz), it defaults to
ES_HOME/config. If you used package distributions (Debian or RPM), it defaults to
/etc/elasticsearch. For more information, see Configuring Elasticsearch.
The default cluster name is
elasticsearch. You should choose a unique name, however, to ensure that your nodes join the right cluster.
(Optional) Name the Elasticsearch node.
For example, add the node.name setting in the
In this tutorial, the cluster will consist of three nodes that exist on the same machine and share the same (loopback) IP address and hostname. Therefore, we must give each node a unique name.
This step is also necessary if you want to use the
node.namevalue to define the location of certificates in subsequent steps.
Disable single-node discovery.
To enable Elasticsearch to form a multi-node cluster, use the default value for the
discovery.typesetting. If that setting exists in your
ES_PATH_CONF/elasticsearch.ymlfile, remove it.
(Optional) If you are starting the cluster for the first time, specify the initial set of master-eligible nodes.
For example, add the following setting in the
If you start an Elasticsearch node without configuring this setting or any other discovery settings, it will start up in development mode and auto-bootstrap itself into a new cluster.
If you are starting a cluster with multiple master-eligible nodes for the first time, add all of those node names to the
Enable Transport Layer Security (TLS/SSL) for transport (internode) communications.
For example, add the following settings in the
If the file name for your certificate does not match the
node.namevalue, you must put the appropriate file name in the
The PKCS#12 keystore that is output by the
elasticsearch-certutilcan be used as both a keystore and a truststore. If you use other tools to manage and generate your certificates, you might have different values for these settings, but that scenario is not covered in this tutorial.
Store the password for the PKCS#12 file in the Elasticsearch keystore.
For example, run the following commands:
If the Elasticsearch keystore already exists, this command asks whether you want to overwrite it. You do not need to overwrite it; you can simply add settings to your existing Elasticsearch keystore.
You are prompted to supply the password that you created for the
node-1.p12file. We are using this file for both the transport TLS keystore and truststore, therefore supply the same password for both of these settings.
For example, if you installed Elasticsearch with a
.tar.gzpackage, run the following command from the Elasticsearch directory:
Create passwords for the built-in users and configure Kibana to use them.
If you already configured passwords for these users in other tutorials, you can skip this step.
After you setup the password for the
kibanabuilt-in user, configure Kibana to use it.
For example, run the following commands to create the Kibana keystore and add the
kibanabuilt-in user and its password in secure settings:
./bin/kibana-keystore create ./bin/kibana-keystore add elasticsearch.username ./bin/kibana-keystore add elasticsearch.password
When prompted, specify the
kibanabuilt-in user and its password for these setting values. The settings are automatically applied when you start Kibana. To learn more, see Secure settings.
For example, if you installed Kibana with a
.tar.gzpackage, run the following command from the Kibana directory: