Encrypt internode communications

edit

Now that you’ve generated a certificate authority and certificates for each node, you must update your cluster to use these files.

  1. Stop each Elasticsearch node. For example, if you installed Elasticsearch from an archive distribution, enter Ctrl-C on the command line. See Stopping Elasticsearch.
  2. On each node, enable Transport Layer Security (TLS/SSL) for transport (internode) communications. You must also configure each node to identify itself using its signed certificate.

    For example, add the following settings in each ES_PATH_CONF/elasticsearch.yml file:

    xpack.security.transport.ssl.enabled: true
    xpack.security.transport.ssl.keystore.path: certs/${node.name}.p12 
    xpack.security.transport.ssl.truststore.path: certs/${node.name}.p12

    If the file name for your certificate does not match the node.name value, you must put the appropriate file name in each elasticsearch.yml file.

    The PKCS#12 keystore that is output by the elasticsearch-certutil can be used as both a keystore and a truststore. If you use other tools to manage and generate your certificates, you might have different values for these settings, but that scenario is not covered in this tutorial.

    For more information about these settings, see Transport TLS settings.

  3. On each node, store the password for PKCS#12 file in the Elasticsearch keystore.

    For example, run the following commands on each node:

    ./bin/elasticsearch-keystore create 
    ./bin/elasticsearch-keystore add xpack.security.transport.ssl.keystore.secure_password
    ./bin/elasticsearch-keystore add xpack.security.transport.ssl.truststore.secure_password

    If the Elasticsearch keystore already exists, this command asks whether you want to overwrite it. You do not need to overwrite it; you can simply add settings to your existing Elasticsearch keystore.

    You are prompted to supply the password value. As you saw in the previous step, we are using the same file for both the transport TLS keystore and truststore, therefore you supply the same password for both of these settings.

  4. Start each Elasticsearch node. For example, if you installed Elasticsearch with a .tar.gz package, run the following command from each Elasticsearch directory:

    ./bin/elasticsearch

    See Starting Elasticsearch.

  5. (Optional) Restart Kibana. For example, if you installed Kibana with a .tar.gz package, run the following command from the Kibana directory:

    ./bin/kibana

    See Starting and stopping Kibana.

  6. Verify that your cluster is healthy. For example, use the cluster health API:

    GET _cluster/health

    Confirm the status of your cluster is green in the response from this API.

    If you encounter errors, you can see some common problems and solutions in Common SSL/TLS exceptions.

What’s next?

edit

Congratulations! You’ve encrypted communications between the nodes in your cluster and can pass the TLS bootstrap check.

If you want to encrypt communications between other products in the Elastic Stack, see Encrypting communications.