Encrypting communications in Kibanaedit
Kibana supports Transport Layer Security (TLS/SSL) encryption for all forms of data-in-transit. Browsers send traffic to Kibana and Kibana sends traffic to Elasticsearch. These communications are configured separately.
Encrypting traffic between the browser and Kibanaedit
You do not need to enable security features for this type of encryption.
-
Obtain a server certificate and private key for Kibana.
Kibana supports certificates/keys in both PKCS #12 key stores and PEM format.
When you obtain a certificate, you must do at least one of the following:
-
Set the certificate’s
subjectAltNameto the hostname, fully-qualified domain name (FQDN), or IP address of the Kibana server. - Set the certificate’s Common Name (CN) to the Kibana server’s hostname or FQDN. Using the server’s IP address as the CN does not work.
You may choose to generate a certificate and private key using the Elasticsearch certutil tool. If you already used certutil to generate a certificate authority (CA), you would generate a certificate/key for Kibana like so (using the
--dnsparam to set thesubjectAltName):bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 --name kibana --dns localhost
This will generate a certificate and private key in a PKCS #12 keystore named
kibana.p12. -
Set the certificate’s
-
Enable TLS/SSL in
kibana.yml:server.ssl.enabled: true
-
Specify your server certificate and private key in
kibana.yml:If your certificate and private key are in a PKCS #12 keystore, specify it like so:
server.ssl.keystore.path: "/path/to/your/keystore.p12" server.ssl.keystore.password: "optional decryption password"
Otherwise, if your certificate/key are in PEM format, specify them like so:
server.ssl.certificate: "/path/to/your/server.crt" server.ssl.key: "/path/to/your/server.key" server.ssl.keyPassphrase: "optional decryption password"
After making these changes, you must always access Kibana via HTTPS. For example, https://localhost:5601.
For more information, see Kibana configuration settings.
Encrypting traffic between Kibana and Elasticsearchedit
To perform this step, you must enable the Elasticsearch security features or you must have a proxy that provides an HTTPS endpoint for Elasticsearch.
-
Specify the HTTPS URL in the
elasticsearch.hostssetting in the Kibana configuration file,kibana.yml:elasticsearch.hosts: ["https://<your_elasticsearch_host>.com:9200"]
Using the HTTPS protocol results in a default
elasticsearch.ssl.verificationModeoption offull, which utilizes hostname verification.For more information, see Kibana configuration settings.
-
Specify the Elasticsearch cluster’s CA certificate chain in
kibana.yml:If you are using your own CA to sign certificates for Elasticsearch, then you need to specify the CA certificate chain in Kibana to properly establish trust in TLS connections. If your CA certificate chain is contained in a PKCS #12 trust store, specify it like so:
elasticsearch.ssl.truststore.path: "/path/to/your/truststore.p12" elasticsearch.ssl.truststore.password: "optional decryption password"
Otherwise, if your CA certificate chain is in PEM format, specify each certificate like so:
elasticsearch.ssl.certificateAuthorities: ["/path/to/your/cacert1.pem", "/path/to/your/cacert2.pem"]
You can use the
elasticsearch-certutil httpcommand to generate a PEM format x.509 certificate for the Elasticsearch CA. It also provides detailed configuration details in readme files. -
(Optional) If the Elastic monitoring features are enabled, configure Kibana to
connect to the Elasticsearch monitoring cluster via HTTPS. The steps are the same as
above, but each setting is prefixed by
xpack.monitoring.. For example,xpack.monitoring.elasticsearch.hosts,xpack.monitoring.elasticsearch.ssl.truststore.path, etc.