Encrypting communications in Kibana

Secure Sockets Layer (SSL) and Transport Layer Security (TLS) provide encryption for data-in-transit. While these terms are often used interchangeably, Kibana supports only TLS, which supersedes the old SSL protocols.

Browsers send traffic to Kibana and Kibana sends traffic to Elasticsearch. These communication channels are configured separately to use TLS.

TLS requires X.509 certificates to authenticate the communicating parties and perform encryption of data-in-transit. Each certificate contains a public key and has an associated — but separate — private key; these keys are used for cryptographic operations. Kibana supports certificates and private keys in PEM format.

Encrypting traffic between the browser and Kibana

You do not need to enable the Elasticsearch security features for this type of encryption.

  1. Obtain a server certificate and private key for Kibana.

    Kibana will need to use this "server certificate" and corresponding private key when receiving connections from web browsers.

    When you obtain a server certificate, you must set its subject alternative name (SAN) correctly to ensure that modern web browsers with hostname verification will trust it. You can set one or more SANs to the Kibana server’s fully-qualified domain name (FQDN), hostname, or IP address. When choosing the SAN, you should pick whichever attribute you will be using to connect to Kibana in your browser, which is likely the FQDN in a production environment.

    You may choose to generate a signed certificate and private key using the elasticsearch-certutil tool. For example:

    bin/elasticsearch-certutil cert -name kibana-server -dns localhost,127.0.0.1

    This will produce a PKCS#12 file named kibana-server.p12, which contains the server certificate and private key.

    In this example, the server certificate is signed by a locally-generated certificate authority (CA). This is not suitable for a production environment, and it will result in warnings in your web browser until you configure your browser to trust the certificate. Steps to configure certificate trust vary depending upon your browser and operating system. If you want to obtain a server certificate for a production environment, you can instead generate a certificate signing request (CSR) with elasticsearch-certutil using CSR mode.

  2. Configure Kibana to access the server certificate and private key.

    1. If your server certificate and private key are contained in a PKCS#12 file:

      You will need to extract the server certificate and private key in PEM format.

      openssl pkcs12 -in kibana-server.p12 -clcerts -nokeys -out kibana-server.crt
      openssl pkcs12 -in kibana-server.p12 -nocerts -nodes -out kibana-server.key

      This will produce a PEM-formatted server certificate (kibana-server.crt) and unencrypted private key (kibana-server.key). Then, specify these files in kibana.yml as described below.

    2. If your server certificate and private key are in PEM format:

      Specify your server certificate and private key in kibana.yml:

      server.ssl.certificate: "/path/to/kibana-server.crt"
      server.ssl.key: "/path/to/kibana-server.key"

      If your private key is encrypted, add the decryption password to your Kibana keystore:

      bin/kibana-keystore add server.ssl.keyPassphrase

    For more information about settings for certificates and keys, see Kibana configuration settings.

  3. Configure Kibana to enable TLS for inbound connections.

    Specify that TLS is used in kibana.yml:

    server.ssl.enabled: true

  4. Restart Kibana.

After making these changes, you must always access Kibana via HTTPS. For example, https://localhost:5601.

Encrypting traffic between Kibana and Elasticsearch

To perform this step, you must enable the Elasticsearch security features or you must have a proxy that provides an HTTPS endpoint for Elasticsearch.

  1. Enable TLS on the HTTP layer in Elasticsearch.
  2. Obtain the certificate authority (CA) certificate chain for Elasticsearch.

    Kibana needs the appropriate CA certificate chain to properly establish trust when connecting to Elasticsearch. If you followed the Elasticsearch documentation for generating node certificates, you likely have a PKCS#12 file for each of your Elasticsearch nodes. You can extract the CA certificate chain from one of these files.

    openssl pkcs12 -in elastic-certificates.p12 -cacerts -nokeys -out elasticsearch-ca.pem

    This will produce a PEM-formatted file named elasticsearch-ca.pem that contains all CA certificates from the PKCS#12 file.

  3. Configure Kibana to trust the Elasticsearch CA certificate chain for the HTTP layer.

    Specify one or more PEM-formatted CA certificates in kibana.yml:

    elasticsearch.ssl.certificateAuthorities: ["/path/to/elasticsearch-ca.pem"]

    For more information about settings for certificates and keys, see Kibana configuration settings.

  4. Configure Kibana to enable TLS for outbound connections to Elasticsearch.

    Specify the HTTPS URL for Elasticsearch in kibana.yml:

    elasticsearch.hosts: ["https://<your_elasticsearch_host>.com:9200"]

    Using the HTTPS protocol results in a default elasticsearch.ssl.verificationMode option of full, which utilizes hostname verification. For more information about this setting, see Kibana configuration settings.

    If the Elastic monitoring features are enabled and you have set up a separate Elasticsearch monitoring cluster, you can also configure Kibana to connect to the monitoring cluster via HTTPS. The steps are the same as above, but each setting name is prefixed with xpack.monitoring., for example xpack.monitoring.elasticsearch.hosts and xpack.monitoring.elasticsearch.ssl.certificateAuthorities.
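As an added pre-flight check that is not part of the Kibana documentation or the Kibana project: the POSIX shell script below reads the flat settings written in the two procedures above (server.ssl.* for the browser-to-Kibana side; elasticsearch.hosts and elasticsearch.ssl.* for the Kibana-to-Elasticsearch side) and reports the mistakes that would otherwise surface only after the restart in step 4: a missing or non-PEM certificate or key, an encrypted key with no keystore passphrase reminder, a plain http:// host, a missing CA file, or a verificationMode weaker than full. The function names (check_kibana_tls, check_inbound, check_outbound, yml_get, pem_has, make_sample), the grep-based PEM header checks and the assumption that kibana.yml uses the one-line `key: value` form shown above are all mine; the sample kibana.yml and PEM files it writes are constructed placeholders, not real certificates or keys.

```shell
#!/bin/sh
# Pre-flight check of the TLS settings in kibana.yml before restarting Kibana.
# Constructed example; not part of the Kibana docs or project. It reads only
# flat "key: value" lines (the form used in the steps above); nested YAML is
# out of scope, and PEM files are recognised by their header lines only.

# Print the value of one flat setting, with quotes, brackets and spaces removed.
yml_get() {
  # $1 = kibana.yml, $2 = setting name
  grep -E "^[[:space:]]*$2[[:space:]]*:" "$1" | head -n 1 \
    | sed -e 's/^[^:]*:[[:space:]]*//' -e 's/[][" ]//g'
}

# True when file $1 is readable and holds a PEM block of type $2
# (e.g. CERTIFICATE, or "PRIVATE KEY" which also matches RSA/EC/ENCRYPTED keys).
pem_has() {
  [ -r "$1" ] && grep -q -e "-----BEGIN .*$2-----" "$1"
}

# True when a PEM key is encrypted (PKCS#8 ENCRYPTED header or legacy Proc-Type).
pem_key_encrypted() {
  grep -q -e "ENCRYPTED" "$1"
}

# Browser -> Kibana side (server.ssl.*). Returns 0 when consistent.
check_inbound() {
  yml=$1; rc=0
  if [ "$(yml_get "$yml" server.ssl.enabled)" != "true" ]; then
    echo "FAIL server.ssl.enabled is not true; Kibana will keep serving plain HTTP"; rc=1
  fi
  crt=$(yml_get "$yml" server.ssl.certificate)
  key=$(yml_get "$yml" server.ssl.key)
  if ! pem_has "$crt" CERTIFICATE; then
    echo "FAIL server.ssl.certificate ($crt) is missing or not a PEM certificate"; rc=1
  fi
  if ! pem_has "$key" "PRIVATE KEY"; then
    echo "FAIL server.ssl.key ($key) is missing or not a PEM private key"; rc=1
  elif pem_key_encrypted "$key"; then
    echo "NOTE $key is encrypted: run 'bin/kibana-keystore add server.ssl.keyPassphrase'"
  fi
  return $rc
}

# Kibana -> Elasticsearch side (elasticsearch.hosts, elasticsearch.ssl.*).
check_outbound() {
  yml=$1; rc=0
  hosts=$(yml_get "$yml" elasticsearch.hosts)
  [ -n "$hosts" ] || { echo "FAIL elasticsearch.hosts is not set (default is plain http://localhost:9200)"; rc=1; }
  for h in $(echo "$hosts" | tr ',' ' '); do
    case $h in
      https://*) ;;
      *) echo "FAIL elasticsearch.hosts entry $h is not https://"; rc=1 ;;
    esac
  done
  cas=$(yml_get "$yml" elasticsearch.ssl.certificateAuthorities)
  [ -n "$cas" ] || { echo "FAIL elasticsearch.ssl.certificateAuthorities is not set"; rc=1; }
  for ca in $(echo "$cas" | tr ',' ' '); do
    pem_has "$ca" CERTIFICATE || { echo "FAIL CA file $ca is missing or not a PEM certificate"; rc=1; }
  done
  mode=$(yml_get "$yml" elasticsearch.ssl.verificationMode)
  case ${mode:-full} in            # unset means the https:// default, full
    full) ;;
    certificate) echo "WARN verificationMode=certificate skips hostname verification" ;;
    *) echo "FAIL verificationMode=$mode does not verify the Elasticsearch certificate"; rc=1 ;;
  esac
  return $rc
}

# Both sides; returns 0 only when both pass.
check_kibana_tls() {
  ok=0
  check_inbound "$1" || ok=1
  check_outbound "$1" || ok=1
  return $ok
}

# Write a constructed kibana.yml plus placeholder PEM files into directory $1
# and print the kibana.yml path. The PEM bodies are dummies, not real keys.
make_sample() {
  d=$1
  printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIB...constructed...' '-----END CERTIFICATE-----' > "$d/kibana-server.crt"
  printf '%s\n' '-----BEGIN ENCRYPTED PRIVATE KEY-----' 'MIIE...constructed...' '-----END ENCRYPTED PRIVATE KEY-----' > "$d/kibana-server.key"
  printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIC...constructed...' '-----END CERTIFICATE-----' > "$d/elasticsearch-ca.pem"
  cat > "$d/kibana.yml" <<EOF
server.ssl.enabled: true
server.ssl.certificate: "$d/kibana-server.crt"
server.ssl.key: "$d/kibana-server.key"
elasticsearch.hosts: ["https://es1.example.com:9200", "https://es2.example.com:9200"]
elasticsearch.ssl.certificateAuthorities: ["$d/elasticsearch-ca.pem"]
EOF
  echo "$d/kibana.yml"
}

# Demo run against the constructed sample.
tmp=$(mktemp -d)
sample=$(make_sample "$tmp")
check_kibana_tls "$sample" && echo "OK $sample passes the pre-flight TLS check"
rm -rf "$tmp"
```

Run it before step 4 of either procedure, or call check_kibana_tls /path/to/kibana.yml from another script. It only confirms that the referenced files are PEM blocks of the right type; to confirm that the server certificate actually carries the SAN you chose in step 1, inspect it with openssl x509 -in kibana-server.crt -noout -text and look at the X509v3 Subject Alternative Name extension.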