Enabling SSL for the Elastic Stack using a self-signed certificate

Configure SSL for Elastic Stack using a self-signed certificate for testing purposes.

Before you begin

  • You must be a cluster administrator.
  • You must ensure that the clock settings on the server and client are identical. Otherwise, errors may occur.

About this task

Follow these steps if you want to:
  • Enable SSL for the first time (in other words, if you disabled SSL during installation by setting DISABLESSL=Y).
  • Use your own self-signed certificate that will replace the default one generated when SSL is enabled during installation.
When SSL is enabled for the Elastic Stack, a trust relationship between the server and the client is established by sending a server certificate to the client. The client validates certificates that are signed by the self-signed Platform Computing CA Root. This self-signed certificate can be used only for testing purposes. For your production environment, use a properly chained certificate that is issued or signed by a trusted certificate authority. By default, the Elastic Stack uses the TLSv1.2 protocol.
Note: On a local file system, Tier 1 files must be generated on all management hosts. On a shared file system, the files need to be generated on a shared file system location that all management hosts can access.

Procedure

  1. Stop the elk-shipper, elk-indexer, elk-manager, elk-elasticsearch, elk-elasticsearch-master, and elk-elasticsearch-data services:
    egosh service stop elk-shipper elk-indexer elk-manager elk-elasticsearch elk-elasticsearch-master elk-elasticsearch-data
  2. Secure communication between the elk-shipper and elk-indexer services by enabling host name and certificate verification. This verification is disabled by default. Ensure that you enable this verification in your production environment. For this step, you require the SSL certificate in .pem format (for example, cacert.pem) that you downloaded in Enabling SSL for the cluster management console using a self-signed certificate.
    1. Rename this .pem certificate (for example, cacert.pem) as certificate.pem. If your vendor provided multiple .pem certificates, concatenate each file into a single .pem file, called certificate.pem, in the following order:
      -----BEGIN CERTIFICATE----- 
      [contents of server certificate]
      -----END CERTIFICATE----- 
      -----BEGIN CERTIFICATE----- 
      [contents of intermediate certificate]
      -----END CERTIFICATE----- 
      -----BEGIN CERTIFICATE----- 
      [contents of root certificate]
      -----END CERTIFICATE-----
    2. On all your hosts, edit the $EGO_TOP/integration/elk/conf/filebeat.yml.template file to update the ssl.certificate_authorities setting to point to your root CA certificate.
      For example:
      # cat $EGO_TOP/integration/elk/conf/filebeat.yml.template
      filebeat:
        config_dir: "../conf/"
      
      output:
        logstash:
          hosts: [@INDEXERS@]
          loadbalance: true
          ssl.certificate_authorities: ["path_to_certificate.pem"]
          ssl.verification_mode: none
      where path_to_certificate.pem specifies the path to the .pem certificate (for example, certificate.pem).
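      The template above still carries ssl.verification_mode: none, which turns off the certificate and host name checks this step is meant to enable; set it to full once ssl.certificate_authorities points at your CA file. The following added example (it is not from this documentation or from the product) assembles certificate.pem in the order listed in substep 1, rejecting a private key or a truncated PEM footer, and then audits and rewrites the two ssl.* keys in a copy of the template. The certificate payloads and the path /opt/ego/certificate.pem are constructed placeholders, the key scan is line-oriented rather than a YAML parse, and the values full and none are Filebeat's own verification_mode settings.

```python
"""Added example (not from the original documentation): assemble certificate.pem
in the required order and check the filebeat ssl.* settings that step 2 asks for.
All certificate inputs below are constructed placeholders, not real certificates."""
import base64
import re

# One PEM block: header, base64 body, footer. DOTALL lets the body span lines.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END ([A-Z ]+)-----", re.DOTALL)

def parse_pem_blocks(text):
    """Return [(label, der_bytes)] for each well-formed PEM block; raise on mismatched markers or bad base64."""
    blocks = []
    for m in PEM_BLOCK.finditer(text):
        begin, body, end = m.groups()
        if begin != end:
            raise ValueError(f"mismatched PEM markers: BEGIN {begin} / END {end}")
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError as exc:
            raise ValueError(f"{begin} block body is not valid base64") from exc
        blocks.append((begin, der))
    return blocks

def build_chain(server_pem, intermediate_pems, root_pem):
    """Concatenate server, intermediate(s), root. Each input must hold exactly one CERTIFICATE
    block, so a private key, an empty file or a truncated footer ('----' for '-----') is rejected."""
    out = []
    for idx, pem in enumerate([server_pem, *intermediate_pems, root_pem]):
        blocks = parse_pem_blocks(pem)
        if len(blocks) != 1 or blocks[0][0] != "CERTIFICATE":
            raise ValueError(f"input {idx} must contain exactly one CERTIFICATE block")
        out.append(pem.strip() + "\n")
    return "".join(out)

def fake_cert(payload):
    """Constructed stand-in: PEM framing around arbitrary bytes. NOT a real certificate."""
    return "-----BEGIN CERTIFICATE-----\n" + base64.b64encode(payload).decode() + "\n-----END CERTIFICATE-----\n"

SERVER_PEM = fake_cert(b"server-placeholder")
INTERMEDIATE_PEM = fake_cert(b"intermediate-placeholder")
ROOT_PEM = fake_cert(b"root-placeholder")

# Constructed copy of the filebeat.yml.template fragment shown in the procedure.
FILEBEAT_TEMPLATE = """\
filebeat:
  config_dir: "../conf/"

output:
  logstash:
    hosts: [@INDEXERS@]
    loadbalance: true
    ssl.certificate_authorities: ["path_to_certificate.pem"]
    ssl.verification_mode: none
"""

# Line-oriented match of the flat dotted ssl.* keys the template uses; not a YAML parser.
SSL_KEY = re.compile(r"^(\s*)(ssl\.[\w.]+):\s*(.*?)\s*$")

def ssl_settings(text):
    """{key: raw value} for every ssl.* line in the file."""
    return {m.group(2): m.group(3) for line in text.splitlines() if (m := SSL_KEY.match(line))}

def audit_filebeat_ssl(text):
    """Findings that would leave the shipper trusting any indexer certificate; empty list means OK."""
    s = ssl_settings(text)
    findings = []
    cas = s.get("ssl.certificate_authorities", "")
    if not cas or cas == "[]" or "path_to_certificate.pem" in cas:
        findings.append("ssl.certificate_authorities does not point at a CA file")
    # Filebeat's default is full; none disables certificate and host name checks.
    if s.get("ssl.verification_mode", "full").strip("\"'") == "none":
        findings.append("ssl.verification_mode is none")
    return findings

def harden_filebeat_ssl(text, ca_path):
    """Rewrite the two keys in place, keeping their indentation, so verification is on."""
    out = []
    for line in text.splitlines():
        m = SSL_KEY.match(line)
        if m and m.group(2) == "ssl.verification_mode":
            line = f"{m.group(1)}ssl.verification_mode: full"
        elif m and m.group(2) == "ssl.certificate_authorities":
            line = f'{m.group(1)}ssl.certificate_authorities: ["{ca_path}"]'
        out.append(line)
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    chain = build_chain(SERVER_PEM, [INTERMEDIATE_PEM], ROOT_PEM)
    print(f"chain has {len(parse_pem_blocks(chain))} certificate blocks")
    print("template findings:", audit_filebeat_ssl(FILEBEAT_TEMPLATE))
    hardened = harden_filebeat_ssl(FILEBEAT_TEMPLATE, "/opt/ego/certificate.pem")
    print("hardened findings:", audit_filebeat_ssl(hardened))
```

      Run the audit against every management host's filebeat.yml.template before restarting elk-shipper; an empty findings list means the shipper will refuse an indexer whose certificate does not chain to the configured CA.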
  3. If you don't already have a server trust store file, generate the file:
    1. Go to the $EGO_TOP/wlp/usr/shared/resources/security directory:
      cd $EGO_TOP/wlp/usr/shared/resources/security
    2. Generate a server trust store file, for example, serverTrustStore.jks:
      keytool -importcert -noprompt -alias srvalias -file cacert.pem_location -keystore serverTrustStore.jks -storepass storepass
      where cacert.pem_location is the path to the cacert.pem file that you saved previously, and storepass specifies the keystore password; for example, Liberty.
  4. Secure communication to the Elasticsearch services (elk-elasticsearch, elk-elasticsearch-master, and elk-elasticsearch-data). For this step, you require the SSL certificate in .pem format (for example, cacert.pem) that you downloaded in Enabling SSL for the cluster management console using a self-signed certificate:
    1. Enable SSL for the Elastic Stack services by setting the searchguard.ssl.http.enabled parameter to true in the Elasticsearch configuration file. The configuration file is located at $EGO_CONFDIR/../../integration/elk/conf/elasticsearch/elasticsearch.yml. To disable SSL, see Disabling SSL for the Elastic Stack.
    2. Encrypt the password by using the securityUtility command, for example:
      $EGO_TOP/wlp/version/bin/securityUtility encode --encoding=aes Liberty

      For more information, see Setting keystore password and private key password.

    3. Edit the Elasticsearch configuration file according to the SSL keystore and certificate.

      By default, the transport and HTTP communication layers are configured with the same SSL keystore and certificate. Modify the searchguard.nodes_dn parameter so that it matches the Owner (subject) of your certificates. For example, the owner of the default srvalias alias is *.{domain}. With the default 'CN=*,O=IBM,C=CA', the searchguard.nodes_dn setting accepts any host or domain in the IBM organization in CA.

      If you are using an encrypted password for any Search Guard SSL password parameters, you must add double quotation marks around it.
      searchguard.nodes_dn:
        - 'CN=*,O=IBM,C=CA'
      searchguard.ssl.transport.enabled: true
      searchguard.ssl.transport.enforce_hostname_verification: false
      searchguard.ssl.transport.keystore_filepath: $EGO_TOP/wlp/usr/shared/resources/security/externalKeyStore.jks
      searchguard.ssl.transport.truststore_filepath: $EGO_TOP/wlp/usr/shared/resources/security/externalTrustStore.jks
      searchguard.ssl.transport.keystore_password: "{aes}ABE7CTHBolSmXwkUH9+xyxpYVO8H4lyllJKito98fpC5"
      searchguard.ssl.transport.truststore_password: "{aes}ABE7CTHBolSmXwkUH9+xyxpYVO8H4lyllJKito98fpC5"
      searchguard.ssl.transport.keystore.type: jks
      searchguard.ssl.transport.truststore.type: jks
      searchguard.ssl.transport.keystore_alias: srvalias
      searchguard.ssl.transport.truststore_alias: srvalias
      searchguard.ssl.transport.enabled.protocols:
        - "TLSv1.2"
      searchguard.ssl.http.enabled: true
      searchguard.ssl.http.enabled.protocols:
        - "TLSv1.2"
      searchguard.ssl.http.keystore_filepath: $EGO_TOP/wlp/usr/shared/resources/security/externalKeyStore.jks
      searchguard.ssl.http.truststore_filepath: $EGO_TOP/wlp/usr/shared/resources/security/externalTrustStore.jks
      searchguard.ssl.http.keystore_password: "{aes}ABE7CTHBolSmXwkUH9+xyxpYVO8H4lyllJKito98fpC5"
      searchguard.ssl.http.truststore_password: "{aes}ABE7CTHBolSmXwkUH9+xyxpYVO8H4lyllJKito98fpC5"
      searchguard.ssl.http.keystore.type: jks
      searchguard.ssl.http.truststore.type: jks
      searchguard.ssl.http.keystore_alias: srvalias
      searchguard.ssl.http.truststore_alias: srvalias

      The truststore_alias is the alias name of a trusted certificate entry in your server truststore, for example, the alias of the root certificate that signed your server certificate.
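      To make the effect of a wildcard searchguard.nodes_dn entry concrete, the following added example (not Search Guard's own matcher and not part of this documentation) compares a pattern such as 'CN=*,O=IBM,C=CA' with a node certificate's subject DN one RDN at a time. It assumes DNs without escaped commas and uses shell-style globbing for the wildcard; the subject names and the tighter per-domain pattern are constructed samples.

```python
"""Added example, not Search Guard's own matcher: shows how a wildcard entry
such as 'CN=*,O=IBM,C=CA' in searchguard.nodes_dn is compared with a node
certificate's subject DN, RDN by RDN. Assumes DNs without escaped commas."""
from fnmatch import fnmatchcase

def parse_dn(dn):
    """'CN=a,O=IBM,C=CA' -> [('CN','a'),('O','IBM'),('C','CA')]; attribute names are case-insensitive."""
    rdns = []
    for rdn in dn.split(","):
        attr, sep, value = rdn.partition("=")
        if not sep or not attr.strip():
            raise ValueError(f"malformed RDN: {rdn!r}")
        rdns.append((attr.strip().upper(), value.strip()))
    return rdns

def dn_matches(pattern, subject):
    """True when subject has the same RDNs in the same order and every value fits the pattern's glob.
    fnmatchcase treats *, ? and [...] as wildcards; values are compared case-sensitively."""
    p, s = parse_dn(pattern), parse_dn(subject)
    if len(p) != len(s):
        return False  # an extra or missing RDN is not a match
    return all(pa == sa and fnmatchcase(sv, pv) for (pa, pv), (sa, sv) in zip(p, s))

def node_allowed(nodes_dn, subject):
    """Accept the node if any configured pattern matches its certificate subject."""
    return any(dn_matches(pattern, subject) for pattern in nodes_dn)

# Constructed samples: the page's default entry and a tighter per-domain entry.
DEFAULT_NODES_DN = ["CN=*,O=IBM,C=CA"]
DOMAIN_NODES_DN = ["CN=*.example.ibm.com,O=IBM,C=CA"]

if __name__ == "__main__":
    for subj in ("CN=host1.example.ibm.com,O=IBM,C=CA",
                 "CN=host1.other.com,O=IBM,C=CA",
                 "CN=host1.example.ibm.com,O=Acme,C=CA"):
        print(f"{subj}: default={node_allowed(DEFAULT_NODES_DN, subj)} domain={node_allowed(DOMAIN_NODES_DN, subj)}")
```

      The per-domain pattern shows the practical point: a bare CN=* admits any certificate the CA has issued under the same O and C, so narrowing the CN to your cluster's domain limits which certificates can join the transport layer as a node.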

    4. Check the value of the CA_CERT_PATH parameter in $EGO_CONFDIR/../../integration/elk/conf/elk.conf. By default, this parameter's value is ${EGO_TOP}/wlp/usr/shared/resources/security/cacert.pem.
  5. Start the elk-shipper, elk-indexer, elk-manager, elk-elasticsearch, elk-elasticsearch-master, and elk-elasticsearch-data services:
    egosh service start elk-shipper elk-indexer elk-manager elk-elasticsearch elk-elasticsearch-master elk-elasticsearch-data
  6. Update the Explorer access protocol so that you can view Explorer reports in the cluster management console after enabling SSL for the Elastic Stack:
    1. Open the $EGO_CONFDIR/../../explorer/config/config.json file for editing.
    2. Locate the "protocol":"http" line, and change it to "protocol":"https".
      For example:
      
      {
          "pa.net.port": 5000,
          "pa.metadata": {
              "datasource": "ds1",
              "index": "model"
          },
          "pa.dashboard.default": "cluster_overview",
          "pa.query.size.max": 10000,
          "pa.query.timeout" : 300000,
          "pa.logging": {
              "logLevel": "debug",
              "appName": "server",
              "logDir": "logs",
              "datasource": "ds1"
          },
          "pa.datasources": {
              "ds1": {"name": "ES Instance1", "type": "elasticsearch", "hosts": [{"host" : "user.example.ibm.com", "port": 9200, "protocol":"https"}]}
          },
          "pa.allow.cross.domain": "false",
          "pa.allow.limited.access": "true",
          "pa.allow.access.ips": "9.21.52.21",
          "elasticsearch.version" : "5.4.2"
      }
      
    3. Save and close the file.
    4. Restart the Explorer service for the changes to take effect:
      egosh service stop Explorer
      egosh service start Explorer
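      The edit in step 6 can be applied to every datasource host at once and checked before the Explorer restart. The following added example (not part of this documentation or of the Explorer service) loads a constructed copy of the config.json shown above with the pre-change value http, rewrites each host's protocol, and reports how many entries changed; nothing else in the file is touched.

```python
"""Added example, not part of the documentation: switch every Explorer datasource
host in config.json from http to https in one pass and report what changed.
CONFIG_JSON is a constructed copy of the page's sample with the pre-change value."""
import json

CONFIG_JSON = """{
    "pa.net.port": 5000,
    "pa.metadata": {"datasource": "ds1", "index": "model"},
    "pa.dashboard.default": "cluster_overview",
    "pa.query.size.max": 10000,
    "pa.query.timeout": 300000,
    "pa.logging": {"logLevel": "debug", "appName": "server", "logDir": "logs", "datasource": "ds1"},
    "pa.datasources": {
        "ds1": {"name": "ES Instance1", "type": "elasticsearch",
                "hosts": [{"host": "user.example.ibm.com", "port": 9200, "protocol": "http"}]}
    },
    "pa.allow.cross.domain": "false",
    "pa.allow.limited.access": "true",
    "pa.allow.access.ips": "9.21.52.21",
    "elasticsearch.version": "5.4.2"
}
"""

def datasource_protocols(text):
    """{datasource name: [protocol per host]} as currently configured."""
    cfg = json.loads(text)
    return {name: [h.get("protocol") for h in ds.get("hosts", [])]
            for name, ds in cfg.get("pa.datasources", {}).items()}

def set_datasource_protocol(text, protocol="https"):
    """Return (new_json_text, hosts_changed). Only http and https are accepted;
    hosts already on the requested protocol are left alone and not counted."""
    if protocol not in ("http", "https"):
        raise ValueError(f"unsupported protocol: {protocol!r}")
    cfg = json.loads(text)
    changed = 0
    for ds in cfg.get("pa.datasources", {}).values():
        for host in ds.get("hosts", []):
            if host.get("protocol") != protocol:
                host["protocol"] = protocol
                changed += 1
    return json.dumps(cfg, indent=4) + "\n", changed

if __name__ == "__main__":
    print("before:", datasource_protocols(CONFIG_JSON))
    new_text, n = set_datasource_protocol(CONFIG_JSON)
    print(f"after ({n} host entries changed):", datasource_protocols(new_text))
```

      Write the returned text back to $EGO_CONFDIR/../../explorer/config/config.json and then restart the Explorer service as in substep 4; a second run reporting zero changes confirms every datasource host is already on https.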