Enable X-Pack security without TLS - elasticsearch

I have a 3-node Elasticsearch cluster, all of them eligible to be elected as master.
I want to implement RBAC for my cluster.
From the documentation, they suggest the following configuration.
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
I want xpack security to be enabled without enabling TLS. But when I set xpack.security.transport.ssl.enabled to false, I get an error saying it should be enabled if xpack.security.enabled is set to true.
Is it possible to achieve xpack security without enabling TLS?
The reason to disable TLS is to avoid overhead.

From the official documentation:
Clusters that do not have encryption enabled send all data in plain text including passwords. If the Elasticsearch security features are enabled, unless you have a trial license, you must configure SSL/TLS for internode-communication.
So there's no way to enable XPack security while disabling inter-node TLS communication at the same time... unless you have a trial license, which only lasts for 30 days.
The message behind this is that Elastic doesn't allow any production cluster running with security enabled without TLS.

Related

Failed to setup Alerts and Actions for ELK - You must enable Transport Layer Security

I am trying to set up Alerts and Actions for ELK, but I am getting the error message:
You must enable Transport Layer Security.
I have already set the following parameter in kibana.yml, as follows:
xpack.encryptedSavedObjects.encryptionKey: "abcdefghijklmnopqrstuvwxyz1234567890"
Please advise.
Thanks
xpack.encryptedSavedObjects.encryptionKey: "abcdefghijklmnopqrstuvwxyz1234567890"
With only this, you don't enable the transport layer security.
There are two more steps you need to do.
Enable security in Kibana and Elasticsearch. (Relatively easy!)
Encrypt traffic between them. (You might need to get your org-specific certificates if you are not using self-signed ones.)
When you use the basic and trial licenses,
set xpack.security.enabled: true and discovery.type: single-node in the elasticsearch.yml file
https://www.elastic.co/guide/en/elasticsearch/reference/6.8/get-started-enable-security.html
and then set xpack.encryptedSavedObjects.encryptionKey: a string of 32 or more characters in kibana.yml
https://www.elastic.co/guide/en/kibana/7.16/alert-action-settings-kb.html#general-alert-action-settings
After updating the config file, please restart Elasticsearch and Kibana.

Security Setting in Elasticsearch, xpack showing inconsistent behavior

My ES cluster is running in production mode (on Kubernetes). It is accessible only within the organization so, for now, there is no need for securing the connection between ES nodes with certificates. While setting up the cluster I just added xpack.security.enabled: true, which helped me in setting up basic Kibana authentication. Everything was working as expected until I restarted my data node pods, and now it is showing the following error:
ERROR: [1] bootstrap checks failed
[1]: Transport SSL must be enabled if security is enabled on a [basic] license. Please set [xpack.security.transport.ssl.enabled] to [true] or disable security by setting [xpack.security.enabled] to [false]
The error message is pretty explicit: You must have TLS certificates to use security. Which also makes sense from a security point of view, especially on Kubernetes where you don't have much protection out of the box otherwise.
If you don't want to set up certificates and other stuff on Kubernetes, have a look at the Kubernetes Operator, which does that for you: https://www.elastic.co/guide/en/cloud-on-k8s/current/k8s-quickstart.html

Transport SSL must be enabled if security is enabled on a [basic] license

I have installed Elasticsearch 7.1 on Ubuntu. I want to password protect the cluster, so I have set: xpack.security.enabled: true in elasticsearch.yml file. Now when I restart Elasticsearch I get the message:
Transport SSL must be enabled if security is enabled on a [basic]
license. Please set [xpack.security.transport.ssl.enabled] to [true]
or disable security by setting [xpack.security.enabled]
I am using the basic license. I have seen this guide which explains how to use elasticsearch-certutil to install SSL certificates on the nodes.
Questions:
Is it possible to password protect the cluster without setting xpack.security.transport.ssl.enabled to true?
If I follow the guide mentioned above and install SSL certificates on the Elasticsearch cluster, do I need any SSL certificate on my web server? I don't want the communication between the web server and Elasticsearch to use SSL.
According to this answer:
For a cluster that is running in production mode with a production
license, once security is enabled, transport TLS/SSL must also be
enabled. On the other hand, if we are running with a trial license,
then transport TLS/SSL is not obligatory.
It's not possible. In production mode, if you want to use any of the xpack security features by enabling them (setting xpack.security.enabled: true), then you need to use a TLS/SSL certificate.
By default, the web server (and Kibana) can communicate with the cluster without any TLS/SSL certificate (The certificate is used for communication within ES nodes). If you do want to use TLS/SSL between the cluster and your web server, then you need to set xpack.security.http.ssl.enabled which is set to false by default.
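A pre-flight check for the rule the answers above describe (security enabled requires transport TLS unless the license is a trial), written as an added example and not code from Elastic or from the posters. The function names, the `license_type` parameter and the sample configurations are assumptions, and an absent setting is treated as false.

```python
# Added example: a pre-flight lint for elasticsearch.yml, not Elastic's own check.
ERROR_MSG = ("Transport SSL must be enabled if security is enabled "
             "on a [{lic}] license")

def parse_settings(text):
    """Parse the flat 'dotted.key: value' lines used in elasticsearch.yml."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(" #", 1)[0].strip()      # drop trailing comments
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip().strip("\"'")
    return settings

def enabled(settings, key):
    # Assumption: an absent key counts as false.
    return settings.get(key, "false").lower() == "true"

def preflight(text, license_type="basic"):
    """Return (severity, message) findings for one node's configuration."""
    s = parse_settings(text)
    if not enabled(s, "xpack.security.enabled"):
        return [("WARN", "security disabled: no authentication or RBAC")]
    findings = []
    if not enabled(s, "xpack.security.transport.ssl.enabled"):
        if license_type == "trial":
            findings.append(("WARN", "inter-node traffic is sent in plain text"))
        else:
            findings.append(("ERROR", ERROR_MSG.format(lic=license_type)))
    if not enabled(s, "xpack.security.http.ssl.enabled"):
        findings.append(("WARN", "HTTP clients send passwords in plain text"))
    return findings

# Constructed sample configurations (not taken from a real cluster).
NO_TLS = """
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: false
"""
TRANSPORT_TLS = """
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true   # inter-node TLS only
"""

if __name__ == "__main__":
    for name, cfg in (("NO_TLS", NO_TLS), ("TRANSPORT_TLS", TRANSPORT_TLS)):
        for severity, message in preflight(cfg):
            print(f"{name}: {severity}: {message}")
```

Run against each node's file before a rolling restart, an ERROR finding marks the configuration that the bootstrap check quoted above rejects.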

kibana 6.x Configure Kibana to encrypt communications between the browser and the Kibana server?

What are the steps required to configure HTTPS between the browser and the Kibana server? I downloaded a certificate from the internet and it says it is not a secure one. It is for our production environment. My company may provide a valid SSL certificate. In that case, what is required?
https://www.elastic.co/guide/en/kibana/current/configuring-tls.html
According to the documentation, you have to modify your kibana.yml such as:
server.ssl.enabled: true
server.ssl.key: /path/to/your/server.key
server.ssl.certificate: /path/to/your/server.crt

How to disable elasticsearch http module?

The default value of the "http.enabled" option in Elasticsearch's configuration file is true, which means that we can search and administer the cluster with HTTP commands; for example, a DELETE /index_* request can delete all indexes. But this is not safe when deploying the service to the production environment. How can I fix this problem?
You can either implement Shield - this is free if you are paying for one of the Elasticsearch support packages.
Or implement a reverse proxy which checks each request and the user running the request, for example nginx.
