lqb
/
elasticsearch
mirror of https://gitee.com/mirrors/elasticsearch.git


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128
							[role="xpack"]
[[tls-http]]
==== Encrypting HTTP client communications

When {security-features} are enabled, you can optionally use TLS to ensure that
communication between HTTP clients and the cluster is encrypted.

Enabling TLS on the HTTP layer is strongly recommended, but is not required.

IMPORTANT: In a <<dev-vs-prod-mode,production environment>>, some {es} features
such as tokens will be disabled unless you enable TLS on the HTTP
layer.

If you enable TLS on the HTTP layer in {es}, you might need to make
configuration changes in other parts of the Elastic Stack and in any {es}
clients that you use. For example, the following changes are typically
necessary:

* Update all clients, tools, and applications that connect to {es} to use the
`https` protocol in their configuration URL. For example, {kib}, {beats}, {ls},
language clients, and custom applications.
* Set trusted certificate authorities. This change is typically required only
if the {es} server certificate is issued by a certificate authority that is not
automatically trusted by the clients, tools, and applications that connect to
{es}.

If you enable advanced TLS features on {es} (such as
`ssl.client_authentication`), additional
configuration could be necessary, but is not typically required in most {es}
deployments.

. If you have not done so already, <<node-certificates,generate node certificates>>.
+
--
In particular, you need the files that are generated by the following command:

[source,shell]
----------------------------------------------------------
bin/elasticsearch-certutil http
----------------------------------------------------------

This command generates a zip file that contains certificates and keys for use in
{es} and {kib}. Each folder contains a readme that explains how to use the files.
--

. Verify that you've copied the output files to the appropriate locations, as
specified in the readme files.
+
--
For example, copy the `http.p12` file from the `elasticsearch` folder into a
directory within the {es} configuration directory on each node. If you chose to
generate one certificate per node, copy the appropriate `http.p12` file to each
node. If you want to use {kib} to access this cluster, copy the
`elasticsearch-ca.pem` file from the `kibana` folder into the {kib}
configuration directory.
--

. Enable TLS and specify the information required to access the node’s
certificate. For example:

.. Update the `elasticsearch.yml` file on each node with the location of the
certificates.
+
--
If the certificates are in PKCS#12 format:

[source, yaml]
--------------------------------------------------
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: "http.p12"
--------------------------------------------------

If you have certificates in PEM format:

[source, yaml]
--------------------------------------------------
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.key:  /home/es/config/node1_http.key <1>
xpack.security.http.ssl.certificate: /home/es/config/node1_http.crt <2>
xpack.security.http.ssl.certificate_authorities: [ "/home/es/config/ca.crt" ] <3>
--------------------------------------------------
<1> The full path to the node key file. This must be a location within the
    {es} configuration directory.
<2> The full path to the node certificate. This must be a location within the
    {es} configuration directory.
<3> An array of paths to the CA certificates that should be trusted. These paths
    must be a location within the {es} configuration directory.
--

.. If you secured the keystore or the private key with a password, add that password to a secure
setting in {es}.
+
--
If the certificates are in PKCS#12 format:

[source,shell]
-----------------------------------------------------------
bin/elasticsearch-keystore add xpack.security.http.ssl.keystore.secure_password
-----------------------------------------------------------

If the certificates are in PEM format:

[source,shell]
-----------------------------------------------------------
bin/elasticsearch-keystore add xpack.security.http.ssl.secure_key_passphrase
-----------------------------------------------------------
--

. Optional: If you want to use {kib}, follow the instructions in the readme
provided by the `elasticsearch-certutil http` command or see
{kibana-ref}/configuring-tls.html[Encrypting communications in {kib}].

. Restart {es}.

[NOTE]
===============================
* All TLS-related node settings are considered to be highly sensitive and
therefore are not exposed via the
<<cluster-nodes-info,nodes info API>> For more
information about any of these settings, see <<security-settings>>.

* {es} monitors all files such as certificates, keys, keystores, or truststores
that are configured as values of TLS-related node settings. If you update any of
these files (for example, when your hostnames change or your certificates are
due to expire), {es} reloads them. The files are polled for changes at
a frequency determined by the global {es} `resource.reload.interval.high`
setting, which defaults to 5 seconds.
===============================