Configure the keystores and enable SSL

Note

All ssl related node settings that are considered to be highly sensitive and therefore are not exposed via the nodes info API.

The next step is to configure the node to enable SSL, to identify itself using its signed certificate, and to verify the identify of incoming connections. The settings below should be added to the main elasticsearch.yml config file.

Node identity

The node01.jks contains the certificate that node01 will use to identify itself to other nodes in the cluster, to transport clients, and to HTTPS clients. Add the following to elasticsearch.yml:

shield.ssl.keystore.path:          /home/es/config/node01.jks 
shield.ssl.keystore.password:      myPass 

The full path to the node keystore file.

The password used to decrypt the node01.jks keystore.

If you specified a different password than the keystore password when executing the keytool -genkey command, you will need to specify that password in the elasticsearch.yml configuration file:

shield.ssl.keystore.key_password:  myKeyPass 

The password entered at the end of the keytool -genkey command

Optional truststore configuration

The truststore holds the trusted CA certificates. Shield will use the keystore as the truststore by default. You can optionally provide a separate path for the truststore. In this case, Shield will use the keystore for the node’s private key and the configured truststore for trusted certificates.

First obtain the CA certificates that will be trusted. Each of these certificates need to be imported into a truststore by running the following command for each CA certificate:

keytool -importcert                              \
        -keystore /home/es/config/truststore.jks \ 
        -file     /Users/Download/cacert.pem  

The full path to the truststore file. If the file does not exist it will be created.

A trusted CA certificate.

The keytool command will prompt you for a password, which will be used to protect the integrity of the truststore. You will need to remember this password as it will be needed for all further interactions with the truststore.

Add the following to elasticsearch.yml:

shield.ssl.truststore.path:          /home/es/config/truststore.jks 
shield.ssl.truststore.password:      myPass 

The full path to the truststore file.

The password used to decrypt the truststore.jks keystore.

Enable SSL on the transport layer

Enable SSL on the transport networking layer to ensure that communication between nodes is encrypted. Add the following value to the elasticsearch.yml configuration file:

shield.transport.ssl: true

Regardless of this setting, transport clients can only connect to the cluster with a valid username and password.

Disable multicast

Multicast discovery is not supported with shield. To properly secure node communications, disable multicast by setting the following values in the elasticsearch.yml configuration file:

discovery.zen.ping.multicast.enabled: false
discovery.zen.ping.unicast.hosts: ["node01:9300", "node02:9301"]

You can learn more about unicast configuration in the Zen Discovery documentation.

Enable SSL on the HTTP layer

SSL should be enabled on the HTTP networking layer to ensure that communication between HTTP clients and the cluster is encrypted:

shield.http.ssl: true

Regardless of this setting, HTTP clients can only connect to the cluster with a valid username and password.

Congratulations! At this point, you have a node with encryption enabled for both HTTPS and the transport layers. Your node will correctly present its certificate to other nodes or clients when connecting. There are optional, more advanced features you may use to further configure or protect your node. They are described in the following paragraphs.