Encrypting communications in Kibana

Kibana supports Transport Layer Security (TLS/SSL) encryption for all forms of data-in-transit. Browsers send traffic to Kibana and Kibana sends traffic to Elasticsearch. These communications are configured separately.

Encrypting traffic between the browser and Kibana

You do not need to enable security features for this type of encryption.

  1. Obtain a server certificate and private key for Kibana.

    Kibana supports certificates/keys in both PKCS #12 key stores and PEM format.

    When you obtain a certificate, you must do at least one of the following:

    1. Set the certificate’s subjectAltName to the hostname, fully-qualified domain name (FQDN), or IP address of the Kibana server.
    2. Set the certificate’s Common Name (CN) to the Kibana server’s hostname or FQDN. Using the server’s IP address as the CN does not work.

    You may choose to generate a certificate and private key using the Elasticsearch certutil tool. If you already used certutil to generate a certificate authority (CA), you would generate a certificate/key for Kibana like so (using the --dns parameter to set the subjectAltName):

    bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 --name kibana --dns localhost

    This will generate a certificate and private key in a PKCS #12 keystore named kibana.p12.

  2. Enable TLS/SSL in kibana.yml:

    server.ssl.enabled: true

  3. Specify your server certificate and private key in kibana.yml:

    If your certificate and private key are in a PKCS #12 keystore, specify it like so:

    server.ssl.keystore.path: "/path/to/your/keystore.p12"
    server.ssl.keystore.password: "optional decryption password"

    Otherwise, if your certificate/key are in PEM format, specify them like so:

    server.ssl.certificate: "/path/to/your/server.crt"
    server.ssl.key: "/path/to/your/server.key"
    server.ssl.keyPassphrase: "optional decryption password"

    After making these changes, you must always access Kibana via HTTPS. For example, https://localhost:5601.

    For more information, see Kibana configuration settings.

Encrypting traffic between Kibana and Elasticsearch

To perform this step, you must enable the Elasticsearch security features or you must have a proxy that provides an HTTPS endpoint for Elasticsearch.

  1. Specify the HTTPS URL in the elasticsearch.hosts setting in the Kibana configuration file, kibana.yml:

    elasticsearch.hosts: ["https://<your_elasticsearch_host>.com:9200"]

    Using the HTTPS protocol results in a default elasticsearch.ssl.verificationMode of full, which performs hostname verification.

    For more information, see Kibana configuration settings.

  2. Specify the Elasticsearch cluster’s CA certificate chain in kibana.yml:

    If you are using your own CA to sign certificates for Elasticsearch, then you need to specify the CA certificate chain in Kibana to properly establish trust in TLS connections. If your CA certificate chain is contained in a PKCS #12 trust store, specify it like so:

    elasticsearch.ssl.truststore.path: "/path/to/your/truststore.p12"
    elasticsearch.ssl.truststore.password: "optional decryption password"

    Otherwise, if your CA certificate chain is in PEM format, specify each certificate like so:

    elasticsearch.ssl.certificateAuthorities: ["/path/to/your/cacert1.pem", "/path/to/your/cacert2.pem"]

    You can use the elasticsearch-certutil http command to generate a PEM format x.509 certificate for the Elasticsearch CA. It also writes detailed configuration instructions to readme files.

  3. (Optional) If the Elastic monitoring features are enabled, configure Kibana to connect to the Elasticsearch monitoring cluster via HTTPS. The steps are the same as above, but each setting carries the prefix xpack.monitoring. (for example, xpack.monitoring.elasticsearch.hosts and xpack.monitoring.elasticsearch.ssl.truststore.path).
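The following added example (not part of the Kibana documentation) audits a kibana.yml for the settings covered in both sections above: that browser-side TLS is enabled and backed by a keystore or a PEM certificate/key pair, and that the main and monitoring Elasticsearch clusters are addressed over HTTPS with verificationMode left at full. The sample file content, file paths and hostnames are constructed for the example; only the flat `key: value` form shown on this page is parsed.

```python
import json

# Constructed sample kibana.yml (hypothetical paths/hosts): browser TLS on via PEM,
# main cluster over HTTPS with a private CA, monitoring cluster still plain HTTP.
SAMPLE_KIBANA_YML = """\
server.ssl.enabled: true
server.ssl.certificate: "/etc/kibana/certs/server.crt"
server.ssl.key: "/etc/kibana/certs/server.key"
elasticsearch.hosts: ["https://es01.example.internal:9200"]
elasticsearch.ssl.certificateAuthorities: ["/etc/kibana/certs/ca.pem"]
xpack.monitoring.elasticsearch.hosts: ["http://monitoring.example.internal:9200"]
"""

def parse_flat_yaml(text):
    """Parse flat `key: value` lines: JSON-compatible values (quoted strings,
    booleans, inline lists) are decoded; bare scalars such as `full` stay raw."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments (values here contain no '#')
        if ":" not in line:
            continue
        key, raw = (part.strip() for part in line.split(":", 1))  # first colon ends the key
        try:
            settings[key] = json.loads(raw)
        except json.JSONDecodeError:
            settings[key] = raw
    return settings

def audit(settings):
    """Return findings for the two hops; an empty list means both look encrypted."""
    findings = []
    # Hop 1: browser -> Kibana needs TLS on plus a keystore or a PEM cert/key pair.
    if settings.get("server.ssl.enabled") is not True:
        findings.append("server.ssl.enabled is not true: browser traffic is plain HTTP")
    elif not (settings.get("server.ssl.keystore.path")
              or (settings.get("server.ssl.certificate") and settings.get("server.ssl.key"))):
        findings.append("server.ssl.enabled but no keystore.path or certificate+key configured")
    # Hop 2: Kibana -> Elasticsearch, checked for the main and the monitoring cluster.
    for prefix in ("", "xpack.monitoring."):
        hosts = settings.get(prefix + "elasticsearch.hosts")
        if hosts is None:
            continue
        for host in (hosts if isinstance(hosts, list) else [hosts]):
            if not str(host).startswith("https://"):
                findings.append(f"{prefix}elasticsearch.hosts uses non-HTTPS URL {host}")
        mode = settings.get(prefix + "elasticsearch.ssl.verificationMode", "full")
        if mode != "full":  # only full performs hostname verification
            findings.append(f"{prefix}elasticsearch.ssl.verificationMode is {mode}, not full")
    return findings
```

Running `audit(parse_flat_yaml(SAMPLE_KIBANA_YML))` reports only the monitoring cluster's plain-HTTP URL, which is the gap step 3 above closes.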