Install and Configure X-Pack Security

Hands-On Lab

 

Myles Young

BigData Training Architect II in Content

Length

04:00:00

Difficulty

Advanced

Introduction

No matter what technology we are working with, we always need to be mindful of security. Big data platforms are certainly no exception, as they can contain massive amounts of sensitive data that must be protected. Elasticsearch provides multiple security mechanisms through the X-Pack Security plugin. In this hands-on lab, you will complete the following tasks on a 3-node Elasticsearch cluster:

  • Install X-Pack
  • Generate a certificate authority
  • Generate node certificates
  • Add certificate passwords to Elasticsearch's keystore
  • Enable cluster (transport) network encryption
  • Enable client (HTTP) network encryption
  • Set built-in user passwords

Solution

Install X-Pack on each Elasticsearch node

Log In

  1. Using the Secure Shell (SSH), log in to Node 1 as cloud_user via the public IP address.

    ssh cloud_user@PUBLIC_IP_ADDRESS
  2. Become the elastic user with:

    sudo su - elastic

Install X-Pack

  1. Change directory to the Elasticsearch installation path.

    cd /home/elastic/elasticsearch
  2. Install X-Pack with:

    ./bin/elasticsearch-plugin install file:///home/elastic/x-pack.zip
  3. Grant additional permissions for X-Pack at the prompts by typing Y and pressing Enter.

Repeat

  1. Repeat these steps for Node 2 and Node 3.

Use the X-Pack certutil tool to generate a certificate authority

Generate the Certificate Authority (CA)

  1. Create a certs directory.

    mkdir /home/elastic/elasticsearch/config/certs
  2. Change directory to the certs directory.

    cd /home/elastic/elasticsearch/config/certs
  3. Create a CA certificate with:

    /home/elastic/elasticsearch/bin/x-pack/certutil ca
  4. Use the default output file.

  5. Set the CA password to elastic_ca.

Disseminate the CA to the Cluster

  1. Remote copy the CA to Node 2.

    scp /home/elastic/elasticsearch/config/certs/elastic-stack-ca.p12 cloud_user@10.0.1.102:/tmp
  2. Remote copy the CA to Node 3.

    scp /home/elastic/elasticsearch/config/certs/elastic-stack-ca.p12 cloud_user@10.0.1.103:/tmp

Install the CA on Nodes 2 and 3

  1. On Node 2, become the root user:

    exit
    sudo su -
  2. Change the ownership of the CA.

    chown elastic:elastic /tmp/elastic-stack-ca.p12
  3. Become the elastic user with:

    su - elastic
  4. Create a certs directory.

    mkdir /home/elastic/elasticsearch/config/certs
  5. Move the CA into the certs directory.

    mv /tmp/elastic-stack-ca.p12 /home/elastic/elasticsearch/config/certs/.
  6. Repeat these steps for Node 3.

Use the X-Pack certutil tool with the CA to generate a PKCS#12 keystore

Generate the Node Certificate

Start on Node 1:

  1. Change directory to the certs directory.

    cd /home/elastic/elasticsearch/config/certs
  2. Generate the node certificate with the CA and the CA's password (elastic_ca).

    /home/elastic/elasticsearch/bin/x-pack/certutil cert --ca elastic-stack-ca.p12 --name node_name_here --dns dns_here --ip ip_address_here

    > Note: The table with the information to fill in this command for each node is provided here for your convenience:

| Name  | DNS                        | IP         | Filename  | Password      |
|-------|----------------------------|------------|-----------|---------------|
| node1 | ip-10-0-1-101.ec2.internal | 10.0.1.101 | node1.p12 | elastic_node1 |
| node2 | ip-10-0-1-102.ec2.internal | 10.0.1.102 | node2.p12 | elastic_node2 |
| node3 | ip-10-0-1-103.ec2.internal | 10.0.1.103 | node3.p12 | elastic_node3 |

  3. Use the default output file name.
  4. Set the node certificate password per the instructions.

Add the Password to Elasticsearch's Keystore

  1. Add the transport keystore password.

    /home/elastic/elasticsearch/bin/elasticsearch-keystore add xpack.security.transport.ssl.keystore.secure_password
  2. Add the transport truststore password.

    /home/elastic/elasticsearch/bin/elasticsearch-keystore add xpack.security.transport.ssl.truststore.secure_password
  3. Add the HTTP keystore password.

    /home/elastic/elasticsearch/bin/elasticsearch-keystore add xpack.security.http.ssl.keystore.secure_password
  4. Add the HTTP truststore password.

    /home/elastic/elasticsearch/bin/elasticsearch-keystore add xpack.security.http.ssl.truststore.secure_password

Repeat

  1. Repeat these steps on Node 2 and Node 3.

Configure transport network encryption and start Elasticsearch

Configure Transport Network Encryption

Start on Node 1:

  1. Add the following to /home/elastic/elasticsearch/config/elasticsearch.yml:

    #
    # ---------------------------------- X-Pack ------------------------------------
    #
    xpack.security.enabled: true
    xpack.security.transport.ssl.enabled: true
    xpack.security.transport.ssl.verification_mode: full
    xpack.security.transport.ssl.keystore.path: certs/node1.p12
    xpack.security.transport.ssl.truststore.path: certs/node1.p12

Start Elasticsearch

  1. Change directory to the elasticsearch directory.

    cd /home/elastic/elasticsearch/
  2. Start Elasticsearch as a background daemon and record the PID to a file.

    ./bin/elasticsearch -d -p pid

Repeat

  1. Repeat these steps on Node 2 and Node 3, but remember to change the name of the certificate to match the node you're on.

Use the X-Pack setup-passwords tool to set the password for each built-in user

Log In

  1. On Node 1, change directory to the elasticsearch directory.

    cd /home/elastic/elasticsearch/

Set the Built-In User Passwords

  1. Set the built-in user passwords using the setup-passwords utility.

    ./bin/x-pack/setup-passwords interactive
  2. Use the following passwords:

    User: elastic
    Password: elastic
    
    User: kibana
    Password: kibana
    
    User: logstash_system
    Password: logstash_system

Configure HTTP network encryption and restart Elasticsearch

Configure HTTP Network Encryption

Start on Node 1:

  1. Add the following to /home/elastic/elasticsearch/config/elasticsearch.yml:

    xpack.security.http.ssl.enabled: true
    xpack.security.http.ssl.keystore.path: certs/node1.p12
    xpack.security.http.ssl.truststore.path: certs/node1.p12

Restart Elasticsearch

  1. Change directory to the elasticsearch directory.

    cd /home/elastic/elasticsearch/
  2. Stop Elasticsearch.

    kill `cat pid`
  3. Start Elasticsearch as a background daemon and record the PID to a file.

    ./bin/elasticsearch -d -p pid

Repeat

  1. Repeat these steps on Node 2 and Node 3, but remember to change the name of the certificate to match the node you are on.

Verify

  1. Verify Elasticsearch is running properly:

    curl https://localhost:9200 -u elastic -k

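    Provide the password "elastic" when prompted. The -k option makes curl skip certificate verification, so this check confirms that the node answers over HTTPS with the built-in user's credentials, not that its certificate chains to the CA generated earlier.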
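
The settings added in the transport and HTTP steps can also be checked offline on each node. The script below is an added example, not part of the original lab; the function names yml_get, audit_es_tls and count_findings and the sample file are assumptions made for illustration. It flags the case the Repeat steps warn about: a Node 2 or Node 3 file that still points at node1.p12.

```shell
#!/bin/sh
# Added example: offline audit of the X-Pack TLS settings this lab puts in
# elasticsearch.yml. Function names and the sample file are assumptions.

# Print the value of a top-level "key: value" line (last occurrence wins).
yml_get() {
    awk -v k="$2" -F': *' '$1 == k { v = $2 }
        END { sub(/[ \t]+$/, "", v); print v }' "$1"
}

# audit_es_tls CONFIG NODE: print one FINDING line per setting that differs
# from what the lab configures for NODE (e.g. node2 -> certs/node2.p12).
audit_es_tls() {
    conf=$1
    p12="certs/$2.p12"
    while read -r key want; do
        got=$(yml_get "$conf" "$key")
        [ "$got" = "$want" ] ||
            echo "FINDING: $key is '${got:-unset}', expected '$want'"
    done <<EOF
xpack.security.enabled true
xpack.security.transport.ssl.enabled true
xpack.security.transport.ssl.verification_mode full
xpack.security.transport.ssl.keystore.path $p12
xpack.security.transport.ssl.truststore.path $p12
xpack.security.http.ssl.enabled true
xpack.security.http.ssl.keystore.path $p12
xpack.security.http.ssl.truststore.path $p12
EOF
}

# Number of findings, for use in scripts and checks.
count_findings() {
    audit_es_tls "$1" "$2" | wc -l | tr -d ' '
}

# Constructed sample: Node 2's file after pasting Node 1's settings unchanged,
# with certificate verification switched off and the HTTP block not yet added.
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
# ---------------------------------- X-Pack ------------------------------------
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: none
xpack.security.transport.ssl.keystore.path: certs/node1.p12
xpack.security.transport.ssl.truststore.path: certs/node1.p12
EOF
audit_es_tls "$sample" node2
```

On a lab node, call audit_es_tls with /home/elastic/elasticsearch/config/elasticsearch.yml and that node's name; no output means all eight settings match what the lab configures.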

Conclusion

Congratulations — you've completed this hands-on lab!