Elastic SSL turn on

[root@ip-172-31-**** bin]# cat /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost6 localhost6.localdomain6
[root@ip-172-31-**** bin]# cd /home/ec2-user/elasticKey
[root@ip-172-31-11-193 elasticKey]# vi instance.yml


instances:
  - name: 'node1'
    dns: [ 'localhost' ]
  - name: 'my-kibana'
    dns: [ 'localhost' ]
  - name: 'logstash'
    dns: [ 'localhost' ]
    
    
Save file

run command:
/usr/share/elasticsearch/bin/elasticsearch-certutil cert --keep-ca-key --pem --in /home/ec2-user/elasticKey/instance.yml --out /home/ec2-user/elasticKey/certs.zip

[root@ip-172-31-11-193 elasticKey]# unzip certs.zip -d ./certs
Archive:  certs.zip
   creating: ./certs/ca/
  inflating: ./certs/ca/ca.crt
  inflating: ./certs/ca/ca.key
   creating: ./certs/node1/
  inflating: ./certs/node1/node1.crt
  inflating: ./certs/node1/node1.key
   creating: ./certs/my-kibana/
  inflating: ./certs/my-kibana/my-kibana.crt
  inflating: ./certs/my-kibana/my-kibana.key
   creating: ./certs/logstash/
  inflating: ./certs/logstash/logstash.crt
  inflating: ./certs/logstash/logstash.key
  
[root@ip-172-31-11-193 elasticKey]# cd /etc/elasticsearch/
[root@ip-172-31-11-193 elasticsearch]# mkdir certs
[root@ip-172-31-11-193 elasticsearch]# cp /home/ec2-user/elasticKey/certs/ca/ca* /home/ec2-user/elasticKey/certs/node1/* /etc/elasticsearch/certs
[root@ip-172-31-11-193 elasticsearch]# cd certs/
[root@ip-172-31-11-193 certs]# ll
total 16
-rw-r--r-- 1 root elasticsearch 1200 Oct 12 15:02 ca.crt
-rw-r--r-- 1 root elasticsearch 1675 Oct 12 15:02 ca.key
-rw-r--r-- 1 root elasticsearch 1172 Oct 12 15:02 node1.crt
-rw-r--r-- 1 root elasticsearch 1675 Oct 12 15:02 node1.key

[root@ip-172-31-11-193 certs]# vi elasticsearch.yml
insert at last file
xpack.security.http.ssl.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.http.ssl.key: certs/node1.key
xpack.security.http.ssl.certificate: certs/node1.crt
xpack.security.http.ssl.certificate_authorities: certs/ca.crt
xpack.security.transport.ssl.key: certs/node1.key
xpack.security.transport.ssl.certificate: certs/node1.crt
xpack.security.transport.ssl.certificate_authorities: certs/ca.crt
discovery.seed_hosts: [ "localhost" ]
cluster.initial_master_nodes: [ "node1" ]


restart elastic and check status:

[root@ip-172-31-11-193 elasticsearch]# systemctl restart elasticsearch.service
[root@ip-172-31-11-193 elasticsearch]# systemctl status elasticsearch.service -l

curl -k -XGET -u elastic:password "https://localhost:9200"

SET up KIBANA

[root@ip-172-31-11-193 elasticsearch]# vi /etc/kibana/kibana.yml
[root@ip-172-31-11-193 elasticsearch]# cd /etc/kibana
[root@ip-172-31-11-193 kibana]# mkdir config
[root@ip-172-31-11-193 kibana]# cd config/
[root@ip-172-31-11-193 config]# mkdir certs
[root@ip-172-31-11-193 config]# ll
total 0
drwxr-sr-x 2 root kibana 6 Oct 12 15:18 certs
[root@ip-172-31-11-193 config]# cp /home/ec2-user/elasticKey/certs/ca/ca* /home/ec2-user/elasticKey/certs/my-kibana/* /etc/kibana/config/certs
[root@ip-172-31-11-193 config]# cd certs/
[root@ip-172-31-11-193 certs]# ll
total 16
-rw-r--r-- 1 root kibana 1200 Oct 12 15:19 ca.crt
-rw-r--r-- 1 root kibana 1675 Oct 12 15:19 ca.key
-rw-r--r-- 1 root kibana 1180 Oct 12 15:19 my-kibana.crt
-rw-r--r-- 1 root kibana 1679 Oct 12 15:19 my-kibana.key
[root@ip-172-31-11-193 certs]#

vi kibana.yml



[root@ip-172-31-11-193 certs]# cat /etc/kibana/kibana.yml
# Kibana is served by a back end server. This setting specifies the port to use.
#server.port: 5601

# Specifies the address to which the Kibana server will bind. IP addresses and host names are both valid values.
# The default is 'localhost', which usually means remote machines will not be able to connect.
# To allow connections from remote users, set this parameter to a non-loopback address.
server.host: "0.0.0.0"

# Enables you to specify a path to mount Kibana at if you are running behind a proxy.
# Use the `server.rewriteBasePath` setting to tell Kibana if it should remove the basePath
# from requests it receives, and to prevent a deprecation warning at startup.
# This setting cannot end in a slash.
#server.basePath: ""

# Specifies whether Kibana should rewrite requests that are prefixed with
# `server.basePath` or require that they are rewritten by your reverse proxy.
# This setting was effectively always `false` before Kibana 6.3 and will
# default to `true` starting in Kibana 7.0.
#server.rewriteBasePath: false

# The maximum payload size in bytes for incoming server requests.
#server.maxPayloadBytes: 1048576

# The Kibana server's name.  This is used for display purposes.
server.name: "my-kibana"

# The URLs of the Elasticsearch instances to use for all your queries.
elasticsearch.hosts: ["https://localhost:9200"]

# When this setting's value is true Kibana uses the hostname specified in the server.host
# setting. When the value of this setting is false, Kibana uses the hostname of the host
# that connects to this Kibana instance.
#elasticsearch.preserveHost: true

# Kibana uses an index in Elasticsearch to store saved searches, visualizations and
# dashboards. Kibana creates a new index if the index doesn't already exist.
#kibana.index: ".kibana"

# The default application to load.
#kibana.defaultAppId: "home"

# If your Elasticsearch is protected with basic authentication, these settings provide
# the username and password that the Kibana server uses to perform maintenance on the Kibana
# index at startup. Your Kibana users still need to authenticate with Elasticsearch, which
# is proxied through the Kibana server.
elasticsearch.username: "kibana_system"
elasticsearch.password: "pass"

# Enables SSL and paths to the PEM-format SSL certificate and SSL key files, respectively.
# These settings enable SSL for outgoing requests from the Kibana server to the browser.
#server.ssl.enabled: true
#server.ssl.certificate: /path/to/your/server.crt
#server.ssl.key: /path/to/your/server.key

server.ssl.enabled: true
server.ssl.certificate: /etc/kibana/config/certs/my-kibana.crt
server.ssl.key: /etc/kibana/config/certs/my-kibana.key

# Optional settings that provide the paths to the PEM-format SSL certificate and key files.
# These files are used to verify the identity of Kibana to Elasticsearch and are required when
# xpack.security.http.ssl.client_authentication in Elasticsearch is set to required.
#elasticsearch.ssl.certificate: /path/to/your/client.crt
#elasticsearch.ssl.key: /path/to/your/client.key

# Optional setting that enables you to specify a path to the PEM file for the certificate
# authority for your Elasticsearch instance.
#elasticsearch.ssl.certificateAuthorities: [ "/path/to/your/CA.pem" ]

elasticsearch.ssl.certificateAuthorities: [ "/etc/kibana/config/certs/ca.crt" ]

# To disregard the validity of SSL certificates, change this setting's value to 'none'.
#elasticsearch.ssl.verificationMode: full

# Time in milliseconds to wait for Elasticsearch to respond to pings. Defaults to the value of
# the elasticsearch.requestTimeout setting.
#elasticsearch.pingTimeout: 1500

# Time in milliseconds to wait for responses from the back end or Elasticsearch. This value
# must be a positive integer.
#elasticsearch.requestTimeout: 30000

# List of Kibana client-side headers to send to Elasticsearch. To send *no* client-side
# headers, set this value to [] (an empty list).
#elasticsearch.requestHeadersWhitelist: [ authorization ]

# Header names and values that are sent to Elasticsearch. Any custom headers cannot be overwritten
# by client-side headers, regardless of the elasticsearch.requestHeadersWhitelist configuration.
#elasticsearch.customHeaders: {}

# Time in milliseconds for Elasticsearch to wait for responses from shards. Set to 0 to disable.
#elasticsearch.shardTimeout: 30000

# Time in milliseconds to wait for Elasticsearch at Kibana startup before retrying.
#elasticsearch.startupTimeout: 5000

# Logs queries sent to Elasticsearch. Requires logging.verbose set to true.
#elasticsearch.logQueries: false

# Specifies the path where Kibana creates the process ID file.
#pid.file: /var/run/kibana.pid

# Enables you to specify a file where Kibana stores log output.
#logging.dest: stdout

# Set the value of this setting to true to suppress all logging output.
#logging.silent: false

# Set the value of this setting to true to suppress all logging output other than error messages.
#logging.quiet: false

# Set the value of this setting to true to log all events, including system usage information
# and all requests.
#logging.verbose: false

# Set the interval in milliseconds to sample system and process performance
# metrics. Minimum is 100ms. Defaults to 5000.
#ops.interval: 5000

# Specifies locale to be used for all localizable strings, dates and number formats.
# Supported languages are the following: English - en , by default , Chinese - zh-CN .
#i18n.locale: "en"

PreviousElasticSearch NextBash and shell linux

Last updated 5 years ago

Was this helpful?

[root@ip-172-31-11-193 elasticsearch]# vi /etc/kibana/kibana.yml [root@ip-172-31-11-193 elasticsearch]# cd /etc/kibana [root@ip-172-31-11-193 kibana]# mkdir config [root@ip-172-31-11-193 kibana]# cd config/ [root@ip-172-31-11-193 config]# mkdir certs [root@ip-172-31-11-193 config]# ll total 0 drwxr-sr-x 2 root kibana 6 Oct 12 15:18 certs [root@ip-172-31-11-193 config]# cp /home/ec2-user/elasticKey/certs/ca/ca* /home/ec2-user/elasticKey/certs/my-kibana/* /etc/kibana/config/certs [root@ip-172-31-11-193 config]# cd certs/ [root@ip-172-31-11-193 certs]# ll total 16 -rw-r--r-- 1 root kibana 1200 Oct 12 15:19 ca.crt -rw-r--r-- 1 root kibana 1675 Oct 12 15:19 ca.key -rw-r--r-- 1 root kibana 1180 Oct 12 15:19 my-kibana.crt -rw-r--r-- 1 root kibana 1679 Oct 12 15:19 my-kibana.key [root@ip-172-31-11-193 certs]# vi kibana.yml [root@ip-172-31-11-193 certs]# cat /etc/kibana/kibana.yml # Kibana is served by a back end server. This setting specifies the port to use. #server.port: 5601 # Specifies the address to which the Kibana server will bind. IP addresses and host names are both valid values. # The default is 'localhost', which usually means remote machines will not be able to connect. # To allow connections from remote users, set this parameter to a non-loopback address. server.host: "0.0.0.0" # Enables you to specify a path to mount Kibana at if you are running behind a proxy. # Use the `server.rewriteBasePath` setting to tell Kibana if it should remove the basePath # from requests it receives, and to prevent a deprecation warning at startup. # This setting cannot end in a slash. #server.basePath: "" # Specifies whether Kibana should rewrite requests that are prefixed with # `server.basePath` or require that they are rewritten by your reverse proxy. # This setting was effectively always `false` before Kibana 6.3 and will # default to `true` starting in Kibana 7.0. #server.rewriteBasePath: false # The maximum payload size in bytes for incoming server requests. #server.maxPayloadBytes: 1048576 # The Kibana server's name. This is used for display purposes. server.name: "my-kibana" # The URLs of the Elasticsearch instances to use for all your queries. elasticsearch.hosts: ["https://localhost:9200"] # When this setting's value is true Kibana uses the hostname specified in the server.host # setting. When the value of this setting is false, Kibana uses the hostname of the host # that connects to this Kibana instance. #elasticsearch.preserveHost: true # Kibana uses an index in Elasticsearch to store saved searches, visualizations and # dashboards. Kibana creates a new index if the index doesn't already exist. #kibana.index: ".kibana" # The default application to load. #kibana.defaultAppId: "home" # If your Elasticsearch is protected with basic authentication, these settings provide # the username and password that the Kibana server uses to perform maintenance on the Kibana # index at startup. Your Kibana users still need to authenticate with Elasticsearch, which # is proxied through the Kibana server. elasticsearch.username: "kibana_system" elasticsearch.password: "pass" # Enables SSL and paths to the PEM-format SSL certificate and SSL key files, respectively. # These settings enable SSL for outgoing requests from the Kibana server to the browser. #server.ssl.enabled: true #server.ssl.certificate: /path/to/your/server.crt #server.ssl.key: /path/to/your/server.key server.ssl.enabled: true server.ssl.certificate: /etc/kibana/config/certs/my-kibana.crt server.ssl.key: /etc/kibana/config/certs/my-kibana.key # Optional settings that provide the paths to the PEM-format SSL certificate and key files. # These files are used to verify the identity of Kibana to Elasticsearch and are required when # xpack.security.http.ssl.client_authentication in Elasticsearch is set to required. #elasticsearch.ssl.certificate: /path/to/your/client.crt #elasticsearch.ssl.key: /path/to/your/client.key # Optional setting that enables you to specify a path to the PEM file for the certificate # authority for your Elasticsearch instance. #elasticsearch.ssl.certificateAuthorities: [ "/path/to/your/CA.pem" ] elasticsearch.ssl.certificateAuthorities: [ "/etc/kibana/config/certs/ca.crt" ] # To disregard the validity of SSL certificates, change this setting's value to 'none'. #elasticsearch.ssl.verificationMode: full # Time in milliseconds to wait for Elasticsearch to respond to pings. Defaults to the value of # the elasticsearch.requestTimeout setting. #elasticsearch.pingTimeout: 1500 # Time in milliseconds to wait for responses from the back end or Elasticsearch. This value # must be a positive integer. #elasticsearch.requestTimeout: 30000 # List of Kibana client-side headers to send to Elasticsearch. To send *no* client-side # headers, set this value to [] (an empty list). #elasticsearch.requestHeadersWhitelist: [ authorization ] # Header names and values that are sent to Elasticsearch. Any custom headers cannot be overwritten # by client-side headers, regardless of the elasticsearch.requestHeadersWhitelist configuration. #elasticsearch.customHeaders: {} # Time in milliseconds for Elasticsearch to wait for responses from shards. Set to 0 to disable. #elasticsearch.shardTimeout: 30000 # Time in milliseconds to wait for Elasticsearch at Kibana startup before retrying. #elasticsearch.startupTimeout: 5000 # Logs queries sent to Elasticsearch. Requires logging.verbose set to true. #elasticsearch.logQueries: false # Specifies the path where Kibana creates the process ID file. #pid.file: /var/run/kibana.pid # Enables you to specify a file where Kibana stores log output. #logging.dest: stdout # Set the value of this setting to true to suppress all logging output. #logging.silent: false # Set the value of this setting to true to suppress all logging output other than error messages. #logging.quiet: false # Set the value of this setting to true to log all events, including system usage information # and all requests. #logging.verbose: false # Set the interval in milliseconds to sample system and process performance # metrics. Minimum is 100ms. Defaults to 5000. #ops.interval: 5000 # Specifies locale to be used for all localizable strings, dates and number formats. # Supported languages are the following: English - en , by default , Chinese - zh-CN . #i18n.locale: "en"