elasticsearch/x-pack/docs/en/security/securing-communications/tutorial-tls-internode.asciidoc

[role="xpack"]
[testenv="trial"]
[[encrypting-internode]]
=== Encrypt internode communications

Now that we've generated a certificate authority and certificates, let's update
the cluster to use these files.

IMPORTANT: When you enable {es} {security-features}, unless you have a trial
license, you must use Transport Layer Security (TLS) to encrypt internode
communication. By following the steps in this tutorial, you learn how
to meet the minimum requirements to pass the
<<bootstrap-checks-tls,TLS bootstrap check>>.

. (Optional) Name the cluster.
+
--
For example, add the <<cluster.name,cluster.name>> setting in the
`ES_PATH_CONF/elasticsearch.yml` file:

[source,yaml]
----
cluster.name: test-cluster
----

TIP: The `ES_PATH_CONF` environment variable contains the path for the {es}
configuration files. If you installed {es} using archive distributions (`zip` or
`tar.gz`), it defaults to `ES_HOME/config`. If you used package distributions
(Debian or RPM), it defaults to `/etc/elasticsearch`. For more information, see
<<settings>>.

The default cluster name is `elasticsearch`. You should choose a unique name,
however, to ensure that your nodes join the right cluster.
--

. (Optional) Name the {es} node.
+
--
For example, add the <<node.name,node.name>> setting in the
`ES_PATH_CONF/elasticsearch.yml` file:

[source,yaml]
----
node.name: node-1
----

In this tutorial, the cluster will consist of three nodes that exist on the same
machine and share the same (loopback) IP address and hostname. Therefore, we
must give each node a unique name.

This step is also necessary if you want to use the `node.name` value to define
the location of certificates in subsequent steps.
--

. Disable single-node discovery.
+
--
To enable {es} to form a multi-node cluster, use the default value for the
`discovery.type` setting. If that setting exists in your
`ES_PATH_CONF/elasticsearch.yml` file, remove it.
--

. (Optional) If you are starting the cluster for the first time, specify the
initial set of master-eligible nodes.
+
--
For example, add the following setting in the `ES_PATH_CONF/elasticsearch.yml`
file:

[source,yaml]
----
cluster.initial_master_nodes: ["node-1"]
----

If you start an {es} node without configuring this setting or any other
discovery settings, it will start up in development mode and auto-bootstrap
itself into a new cluster.

TIP: If you are starting a cluster with multiple master-eligible nodes for the
first time, add all of those node names to the `cluster.initial_master_nodes`
setting.

See <<modules-discovery-bootstrap-cluster>> and
<<discovery-settings>>.
--

. Enable Transport Layer Security (TLS/SSL) for transport (internode)
communications.
+
--
// tag::enable-tls[]
For example, add the following settings in the `ES_PATH_CONF/elasticsearch.yml`
file:

[source,yaml]
----
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.keystore.path: certs/${node.name}.p12 <1>
xpack.security.transport.ssl.truststore.path: certs/${node.name}.p12
----
<1> If the file name for your certificate does not match the `node.name` value,
you must put the appropriate file name in the `elasticsearch.yml` file.
// end::enable-tls[]

NOTE: The PKCS#12 keystore that is output by the `elasticsearch-certutil` can be
used as both a keystore and a truststore. If you use other tools to manage and
generate your certificates, you might have different values for these settings,
but that scenario is not covered in this tutorial.

For more information, see <<get-started-enable-security>> and
<<transport-tls-ssl-settings>>.
--

. Store the password for the PKCS#12 file in the {es} keystore.
+
--
// tag::secure-passwords[]
For example, run the following commands:

["source","sh",subs="attributes,callouts"]
----------------------------------------------------------------------
./bin/elasticsearch-keystore create <1>
./bin/elasticsearch-keystore add xpack.security.transport.ssl.keystore.secure_password
./bin/elasticsearch-keystore add xpack.security.transport.ssl.truststore.secure_password
----------------------------------------------------------------------
<1> If the {es} keystore already exists, this command asks whether you want to
overwrite it. You do not need to overwrite it; you can simply add settings to
your existing {es} keystore.
// end::secure-passwords[]

You are prompted to supply the password that you created for the `node-1.p12`
file. We are using this file for both the transport TLS keystore and truststore,
therefore supply the same password for both of these settings.
--

. <<starting-elasticsearch,Start {es}>>.
+
--
For example, if you installed {es} with a `.tar.gz` package, run the following
command from the {es} directory:

["source","sh",subs="attributes,callouts"]
----------------------------------------------------------------------
./bin/elasticsearch
----------------------------------------------------------------------
--

. Create passwords for the built-in users and configure {kib} to use them.
+
--
NOTE: If you already configured passwords for these users in other tutorials,
you can skip this step.

include::{xes-repo-dir}/security/get-started-builtin-users.asciidoc[tag=create-users]

After you setup the password for the `kibana_system` built-in user,
<<get-started-kibana-user,configure {kib} to use it>>.

For example, run the following commands to create the {kib} keystore and add the
`kibana_system` built-in user and its password in secure settings:

include::{xes-repo-dir}/security/get-started-kibana-users.asciidoc[tag=store-kibana-user]
--

. Start {kib}.
+
--
For example, if you installed {kib} with a `.tar.gz` package, run the following
command from the {kib}  directory:
["source","sh",subs="attributes,callouts"]
----------------------------------------------------------------------
./bin/kibana
----------------------------------------------------------------------

See {kibana-ref}/start-stop.html[Starting and stopping {kib}].
--