Securing Elasticsearch cluster communication

To better secure the IBM® StoredIQ® Elasticsearch cluster, you can enable HTTPS communication.

Before you begin

To enable HTTPS communication for the Elasticsearch cluster, the primary Elasticsearch node must be configured with specific property settings in the cluster-setup.properties file. To edit the file, you must be logged in with the builder account. Update the properties file as follows:
  • The STUNNEL_ENABLED property must be set to false.
  • For deployments upgraded to IBM StoredIQ 7.6.0.20, remove the SEARCHGUARD_ENABLED entry (if the entry still exists) and add the following entry to the end of the properties file:
    STUNNEL_HTTPS_ENABLED=true

    For new deployments (starting with IBM StoredIQ 7.6.0.20), the STUNNEL_HTTPS_ENABLED property must be set to true.

After editing the properties file, run the cluster setup with the updated properties file. At the prompt [builder@localhost ~]$, enter:

/siq/bin/cluster-setup.sh cluster-setup.properties
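The following shell script is an added example, not part of the IBM StoredIQ product or this page: it checks a cluster-setup.properties file for the three conditions listed above (STUNNEL_ENABLED is false, STUNNEL_HTTPS_ENABLED is true, no SEARCHGUARD_ENABLED entry remains) before cluster-setup.sh is run. The function names and the KEY=VALUE file layout with "#" comments are assumptions; the two sample files it writes are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not IBM's own tooling): verify cluster-setup.properties
# before running /siq/bin/cluster-setup.sh. Assumed layout: one KEY=VALUE
# per line, lines starting with '#' are comments.

# Print the value of KEY ($2) from properties file $1 (last occurrence wins).
prop_value() {
    grep -v '^[[:space:]]*#' "$1" | tr -d '\r' \
        | sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" \
        | sed 's/[[:space:]]*$//' | tail -n 1
}

# Return 0 when the file carries the settings required for HTTPS via stunnel,
# otherwise report every problem on stderr and return 1.
check_cluster_props() {
    f=$1
    rc=0
    [ -r "$f" ] || { echo "cannot read $f" >&2; return 2; }
    if [ "$(prop_value "$f" STUNNEL_ENABLED)" != "false" ]; then
        echo "$f: STUNNEL_ENABLED must be set to false" >&2; rc=1
    fi
    if [ "$(prop_value "$f" STUNNEL_HTTPS_ENABLED)" != "true" ]; then
        echo "$f: STUNNEL_HTTPS_ENABLED must be set to true" >&2; rc=1
    fi
    if grep -q '^[[:space:]]*SEARCHGUARD_ENABLED' "$f"; then
        echo "$f: remove the obsolete SEARCHGUARD_ENABLED entry" >&2; rc=1
    fi
    return $rc
}

# Constructed sample files for the demonstration (not real deployment files).
PROPS_DIR=$(mktemp -d)
cat > "$PROPS_DIR/good.properties" <<'EOF'
# constructed sample: edited as the page describes
STUNNEL_ENABLED=false
STUNNEL_HTTPS_ENABLED=true
EOF
cat > "$PROPS_DIR/upgraded.properties" <<'EOF'
# constructed sample: upgraded deployment that has not been edited yet
STUNNEL_ENABLED=false
SEARCHGUARD_ENABLED=true
EOF

for name in good upgraded; do
    if check_cluster_props "$PROPS_DIR/$name.properties"; then
        echo "$name.properties: ready for cluster-setup.sh"
    else
        echo "$name.properties: fix the entries reported above first"
    fi
done
```

Run it as the builder account against the real file by calling check_cluster_props /path/to/cluster-setup.properties; a non-zero return means the setup script should not be run yet.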

About this task

This configuration enables HTTPS connections between the data server and the Elasticsearch cluster and between the nodes of the Elasticsearch cluster. It also ensures that all connections to the Elasticsearch cluster other than those from authorized clients are blocked.

Procedure

  1. Test the cluster setup by using this command:
    curl -vk https://localhost:9200/_cluster/health?pretty -E ./sgcerts/es-admin.crt.pem --key ./sgcerts/es-admin.key.pem --cacert ./sgcerts/chain-ca.pem
  2. To enable secure communication between the data server and the Elasticsearch nodes, copy the data server certificates that are available on the Elasticsearch nodes to each data server.
    Tip: If you previously had Search Guard configured and are reconfiguring your system to use stunnel with HTTPS, you can use the existing certificates. In this case, skip this step and continue with step 3.
    1. Log in to an Elasticsearch node as root.
    2. Navigate to the directory where the certificates are stored:
      cd /siq/env/docker/stcerts
    3. Copy the following files to the /etc/deepfile/dataserver directory on the data server.
      Use a secure copy tool such as scp to do so.
      • es-admin.crt.pem
      • es-admin.key.pem
      • chain-ca.pem
    4. Log in to the data server as root and rename the certificates as follows:
      • es-admin.crt.pem to client.crt.pem
      • es-admin.key.pem to client.key.pem
      • chain-ca.pem to cert-chain.pem
    5. Restart all services on the data server.
  3. Test the connection from the data server to the Elasticsearch cluster:
    curl -vk https://primary_node_ip:9200/_cluster/health?pretty -E ./client.crt.pem --key ./client.key.pem --cacert ./cert-chain.pem
    where primary_node_ip is the IP address of the primary Elasticsearch node.
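The following shell script is an added example, not part of the IBM StoredIQ product or this page: it performs the data server side of steps 2 and 3 (placing the three PEM files under the names the page requires, restricting the private key to its owner, and building the health-check command). It assumes the files have already been copied from /siq/env/docker/stcerts on an Elasticsearch node into a local directory (scp is one way); SRC_DIR and DEST_DIR are constructed stand-ins for that directory and for /etc/deepfile/dataserver, the PEM files it writes are placeholders, and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not IBM's own tooling): stage the Elasticsearch client
# certificates on the data server and build the verification command.
# Assumes es-admin.crt.pem, es-admin.key.pem and chain-ca.pem were already
# copied from an Elasticsearch node into SRC_DIR; DEST_DIR stands in for
# /etc/deepfile/dataserver.

# Source name -> target name, one pair per line, as the page lists them.
CERT_MAP="es-admin.crt.pem client.crt.pem
es-admin.key.pem client.key.pem
chain-ca.pem cert-chain.pem"

# Copy and rename the three files; fail before touching DEST if any is missing.
stage_dataserver_certs() {
    src=$1; dest=$2
    echo "$CERT_MAP" | while read -r from to; do
        [ -s "$src/$from" ] || { echo "missing or empty: $src/$from" >&2; exit 1; }
    done || return 1
    mkdir -p "$dest" || return 1
    echo "$CERT_MAP" | while read -r from to; do
        cp "$src/$from" "$dest/$to" || exit 1
    done || return 1
    # The private key is the sensitive piece: make it readable by its owner only.
    chmod 600 "$dest/client.key.pem"
    chmod 644 "$dest/client.crt.pem" "$dest/cert-chain.pem"
}

# Print the cluster health check for host $1 using the certificates in $2.
# The page's command passes -k (skip server verification); this one leaves it
# out so that --cacert actually checks the node certificate against the chain.
es_health_cmd() {
    printf 'curl -v "https://%s:9200/_cluster/health?pretty" -E %s/client.crt.pem --key %s/client.key.pem --cacert %s/cert-chain.pem\n' \
        "$1" "$2" "$2" "$2"
}

# Constructed demonstration: placeholder files, not real certificates.
SRC_DIR=$(mktemp -d)
DEST_DIR=$(mktemp -d)
for f in es-admin.crt.pem es-admin.key.pem chain-ca.pem; do
    printf 'CONSTRUCTED PLACEHOLDER FOR %s (not a real PEM file)\n' "$f" > "$SRC_DIR/$f"
done
if stage_dataserver_certs "$SRC_DIR" "$DEST_DIR"; then
    echo "staged certificates in $DEST_DIR:"
    ls -l "$DEST_DIR"
    echo "verify from the data server with:"
    es_health_cmd primary_node_ip "$DEST_DIR"
fi
```

After staging, restart the data server services (step 2.5) and run the printed command with the primary node's IP address. Because -k is omitted, a failure caused by the node certificate not matching the host name or IP you used shows up as a verification error; that mismatch is worth knowing about rather than hiding with -k.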