How do I Secure Communication between Elasticsearch and Kibana?
This section explains how to secure communication between Elasticsearch and Kibana based on mutual TLS (mTLS) in an API Management setup. Follow the procedure outlined if you are using Elasticsearch and Kibana.
You must have API Gateway administrator privileges to perform this operation. Also, ensure that the required client and server certificates are available.
To secure communication between Elasticsearch and Kibana
- Generate the HTTP-related certificates using the elasticsearch-certutil tool.
To generate the certificates, follow the steps outlined in https://www.elastic.co/guide/en/elasticsearch/reference/current/security-basic-setup-https.html.
    ./bin/elasticsearch-certutil http
A zip file elasticsearch-ssl-http.zip is created. The zip file contains a kibana folder containing a file elasticsearch-ca.pem.
- Copy the file elasticsearch-ca.pem into the config folder of the Kibana installation. For example, if Kibana is installed in /usr/share/kibana, the folder is /usr/share/kibana/config.
- Configure the following settings in the kibana.yml file located in the config folder of the Kibana installation.
    # Basic settings
    server.host: "0.0.0.0"
    # Elasticsearch connection
    elasticsearch.hosts: ["https://<elasticsearch_host>:9200"]
    elasticsearch.username: "elastic"
    elasticsearch.password: "pass"
    elasticsearch.ssl.certificateAuthorities: ['<path-to-kibana>/config/elasticsearch-ca.pem']
- For mTLS, configure the following settings.
    elasticsearch.ssl.certificate: /etc/kibana/certs/kibana-client.crt
    elasticsearch.ssl.key: /etc/kibana/certs/kibana-client.key
    elasticsearch.ssl.verificationMode: certificate
- Encrypt traffic between WebApp and Kibana.
This is required to set up HTTPS traffic between the WebApp and Kibana.
- Set up HTTPS communication for Kibana and create the necessary certificates by following the instructions provided at https://www.elastic.co/guide/en/elasticsearch/reference/current/security-basic-setup-https.html#encrypt-kibana-browser.
- After creating the certificate kibana-server.crt and private key kibana-server.key, add the paths of these files to the kibana.yml file and set the property server.ssl.enabled to true.
    server.ssl.enabled: true
    server.ssl.certificate: <path-to-kibana>/certs/kibana-server.crt
    server.ssl.key: <path-to-kibana>/certs/kibana-server.key
- Configure the following additional settings for mTLS between WebApp and Kibana.
    server.ssl.certificateAuthorities: ["<path-to-kibana>/certs/ca.crt"]
    server.ssl.clientAuthentication: required
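
The settings from this procedure can be checked before Kibana is restarted. The following Python check is an added example, not part of the product documentation or of any Elastic tooling: it reads a flat kibana.yml and returns the settings from both TLS legs that are missing or weakened. The function names, the sample host name and the flat-key parser (no nested YAML, no trailing comments) are assumptions of the example.

```python
import re

# Constructed sample: this page's settings with deliberate mistakes.
# The host name is a placeholder, not a value from a real deployment.
SAMPLE = """\
elasticsearch.hosts: ["http://es.example.internal:9200"]
elasticsearch.ssl.certificateAuthorities: ['/usr/share/kibana/config/elasticsearch-ca.pem']
elasticsearch.ssl.certificate: /etc/kibana/certs/kibana-client.crt
elasticsearch.ssl.verificationMode: none
server.ssl.enabled: true
server.ssl.certificate: /usr/share/kibana/certs/kibana-server.crt
server.ssl.key: /usr/share/kibana/certs/kibana-server.key
server.ssl.certificateAuthorities: ["/usr/share/kibana/certs/ca.crt"]
server.ssl.clientAuthentication: optional
"""
# Settings that must be present and non-empty for both TLS legs.
REQUIRED = ("elasticsearch.ssl.certificateAuthorities",
            "elasticsearch.ssl.certificate", "elasticsearch.ssl.key",
            "server.ssl.certificate", "server.ssl.key",
            "server.ssl.certificateAuthorities")

def parse_flat(text):
    """Parse flat 'dotted.key: value' lines; bracketed values become lists."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        if value.startswith("["):
            cfg[key] = re.findall(r"[\"']([^\"']*)[\"']", value)
        else:
            cfg[key] = value.strip("\"'")
    return cfg

def lint(cfg):
    """Return the setting names that break the mTLS setup described on this page."""
    bad = []
    hosts = cfg.get("elasticsearch.hosts") or []
    hosts = [hosts] if isinstance(hosts, str) else hosts
    if not hosts or not all(h.startswith("https://") for h in hosts):
        bad.append("elasticsearch.hosts")                 # plaintext or missing endpoint
    if cfg.get("elasticsearch.ssl.verificationMode", "full") == "none":
        bad.append("elasticsearch.ssl.verificationMode")  # server certificate never checked
    if cfg.get("server.ssl.enabled") != "true":
        bad.append("server.ssl.enabled")                  # WebApp to Kibana leg not encrypted
    if cfg.get("server.ssl.clientAuthentication") != "required":
        bad.append("server.ssl.clientAuthentication")     # client certificate not enforced
    return bad + [k for k in REQUIRED if not cfg.get(k)]
```

The value `certificate` for elasticsearch.ssl.verificationMode, as used in this procedure, passes the check: it validates the certificate chain against the CA but skips the host name verification that the default `full` mode also performs.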