Home Explore Help
Sign In
lqb
/
elasticsearch
mirror of https://gitee.com/mirrors/elasticsearch.git
1
0
Fork 0
Files Issues 0 Wiki
Tree: 1bd0561a91
Branches Tags
elasticsearch
/
x-pack
/
docs
/
en
/
security
/
configuring-stack-security.asciidoc

configuring-stack-security.asciidoc 4.7 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128 
  1. [[configuring-stack-security]]
    2. 

  2. == Start the Elastic Stack with security enabled
    3. 

  3. 

  4. beta::[This functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features.]
    5. 

  5. 

  6. When you start {es} for the first time, the following security configuration
    7. 

  7. occurs automatically:
    8. 

  8. 

  9. * <<stack-security-certificates,Certificates and keys>> for TLS are
    10. 

  10. generated for the transport and HTTP layers.
    11. 

  11. * The TLS configuration settings are written to `elasticsearch.yml`.
    12. 

  12. * A password is generated for the `elastic` user.
    13. 

  13. * An enrollment token is generated for {kib}.
    14. 

  14. 

  15. You can then start {kib} and enter the enrollment token, which is valid for 30
    16. 

  16. minutes. This token automatically applies the security settings from your {es} 
    17. 

  17. cluster, authenticates to {es} with the built-in `kibana` service account, and writes the 
    18. 

  18. security configuration to `kibana.yml`. 
    19. 

  19. 

  20. [discrete]
    21. 

  21. === Prerequisites
    22. 

  22. 

  23. * https://www.elastic.co/downloads/elasticsearch#preview-release[Download] and
    24. 

  24. unpack the `elasticsearch 8.0.0-beta` package distribution for your
    25. 

  25. environment.
    26. 

  26. * https://www.elastic.co/downloads/kibana#preview-release[Download] and unpack
    27. 

  27. the `kibana 8.0.0-beta` package distribution for your environment.
    28. 

  28. 

  29. [discrete]
    30. 

  30. [[stack-start-with-security]]
    31. 

  31. === Start {es} and enroll {kib} with security enabled
    32. 

  32. 

  33. . From the installation directory, start {es}. A password is generated for the 
    34. 

  34. `elastic` user and output to the terminal, plus an enrollment token for
    35. 

  35. enrolling {kib}.
    36. 

  36. +
    37. 

  37. [source,shell]
    38. 

  38. ----
    39. 

  39. bin/elasticsearch
    40. 

  40. ----
    41. 

  41. +
    42. 

  42. TIP: You might need to scroll back a bit in the terminal to view the password
    43. 

  43. and enrollment token.
    44. 

  44. 

  45. . Copy the generated password and enrollment token and save them in a secure
    46. 

  46. location. These values are shown only when you start {es} for the first time.
    47. 

  47. +
    48. 

  48. [NOTE]
    49. 

  49. ====
    50. 

  50. If you need to reset the password for the `elastic` user or other
    51. 

  51. built-in users, run the <<reset-password,`elasticsearch-reset-password`>> tool.
    52. 

  52. To generate new enrollment tokens for {kib} or {es} nodes, run the
    53. 

  53. <<create-enrollment-token,`elasticsearch-create-enrollment-token`>> tool.
    54. 

  54. These tools are available in the {es} `bin` directory.
    55. 

  55. ====
    56. 

  56. 

  57. . (Optional) Open a new terminal and verify that you can connect to your {es} 
    58. 

  58. cluster by making an authenticated call. Enter the password for the `elastic` 
    59. 

  59. user when prompted:
    60. 

  60. +
    61. 

  61. [source,shell]
    62. 

  62. ----
    63. 

  63. curl --cacert config/tls_auto_config_<timestamp>/http_ca.crt \
    64. 

  64. -u elastic https://localhost:9200
    65. 

  65. ----
    66. 

  66. // NOTCONSOLE
    67. 

  67. +
    68. 

  68. `<timestamp>`:: The timestamp of when the auto-configuration process created
    69. 

  69. the security files directory in your Docker container.
    70. 

  70. 

  71. . From the directory where you installed {kib}, start {kib}.
    72. 

  72. +
    73. 

  73. [source,shell]
    74. 

  74. ----
    75. 

  75. bin/kibana
    76. 

  76. ----
    77. 

  77. +
    78. 

  78. This command generates a unique link to enroll your {kib} instance with {es}.
    79. 

  79. 

  80.   .. In your terminal, click the generated link to open {kib} in your browser.
    81. 

  81. 

  82.   .. In your browser, paste the enrollment token that you copied and click the
    83. 

  83. button to connect your {kib} instance with {es}.
    84. 

  84. 

  85.   .. Log in to {kib} as the `elastic` user with the password that was generated
    86. 

  86. when you started {es}.
    87. 

  87. 

  88. [discrete]
    89. 

  89. [[stack-enroll-nodes]]
    90. 

  90. === Enroll additional nodes in your cluster
    91. 

  91. 

  92. :slash:     /
    93. 

  93. 

  94. include::enroll-nodes.asciidoc[]
    95. 

  95. 

  96. [discrete]
    97. 

  97. include::{es-ref-dir}/setup/install/connect-clients.asciidoc[leveloffset=-1]
    98. 

  98. 

  99. [discrete]
    100. 

  100. === What's next?
    101. 

  101. Congratulations! You've successfully started the {stack} with security enabled.
    102. 

  102. {es} and {kib} are secured with TLS on the HTTP layer, and internode
    103. 

  103. communication is encrypted. If you want to enable HTTPS for web traffic, you
    104. 

  104. can <<encrypt-kibana-browser,encrypt traffic between your browser and {kib}>>.
    105. 

  105. 

  106. [discrete]
    107. 

  107. [[stack-security-certificates]]
    108. 

  108. === Security certificates and keys
    109. 

  109. 

  110. When you start {es} for the first time, the following certificates and keys are
    111. 

  111. generated in the `config/tls_auto_config_<timestamp>` directory,
    112. 

  112. which are used to connect a {kib} instance to your secured {es} cluster and
    113. 

  113. to encrypt internode communication. The files are listed here for reference.
    114. 

  114. 

  115. `http_ca.crt`::
    116. 

  116. The CA certificate that is used to sign the certificates for the HTTP layer of
    117. 

  117. this {es} cluster.
    118. 

  118. 

  119. `http_keystore_local_node.p12`::
    120. 

  120. Keystore that contains the key and certificate for the HTTP layer for this node.
    121. 

  121. 

  122. `transport_keystore_all_nodes.p12`::
    123. 

  123. Keystore that contains the key and certificate for the transport layer for all
    124. 

  124. the nodes in your cluster.
    125. 

  125. 

  126. Additionally, when you use the enrollment token to connect {kib} to a secured {es} cluster, a security certificate is retrieved from {es} and stored in the
    127. 

  127. {kib} `/data` directory. This file establishes trust between {kib} and the {es}
    128. 

  128. Certificate Authority (CA) for the HTTP layer.
    129.