elasticsearch/x-pack/docs/en/security/configuring-stack-security.asciidoc

[[configuring-stack-security]]
== Start the Elastic Stack with security enabled

beta::[This functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features.]

When you start {es} for the first time, the following security configuration
occurs automatically:

* <<stack-security-certificates,Certificates and keys>> for TLS are
generated for the transport and HTTP layers.
* The TLS configuration settings are written to `elasticsearch.yml`.
* A password is generated for the `elastic` user.
* An enrollment token is generated for {kib}.

You can then start {kib} and enter the enrollment token, which is valid for 30
minutes. This token automatically applies the security settings from your {es} 
cluster, authenticates to {es} with the built-in `kibana` service account, and writes the 
security configuration to `kibana.yml`. 

[discrete]
=== Prerequisites

* https://www.elastic.co/downloads/elasticsearch#preview-release[Download] and
unpack the `elasticsearch 8.0.0-beta` package distribution for your
environment.
* https://www.elastic.co/downloads/kibana#preview-release[Download] and unpack
the `kibana 8.0.0-beta` package distribution for your environment.

[discrete]
[[stack-start-with-security]]
=== Start {es} and enroll {kib} with security enabled

. From the installation directory, start {es}. A password is generated for the 
`elastic` user and output to the terminal, plus an enrollment token for
enrolling {kib}.
+
[source,shell]
----
bin/elasticsearch
----
+
TIP: You might need to scroll back a bit in the terminal to view the password
and enrollment token.

. Copy the generated password and enrollment token and save them in a secure
location. These values are shown only when you start {es} for the first time.
+
NOTE: If you need to reset the password for the `elastic` user or other
built-in users, run the <<reset-password,`elasticsearch-reset-password`>> tool.
This tool is available in the {es} `/bin` directory.

. (Optional) Open a new terminal and verify that you can connect to your {es} 
cluster by making an authenticated call. Enter the password for the `elastic` 
user when prompted:
+
[source,shell]
----
curl --cacert config/tls_auto_config_<timestamp>/http_ca.crt \
-u elastic https://localhost:9200 <1>
----
// NOTCONSOLE
<1> Ensure that you use `https` in your call, or the request will fail.
+
`--cacert`::
Path to the generated `http_ca.crt` certificate for the HTTP layer.

. From the directory where you installed {kib}, start {kib}.
+
[source,shell]
----
bin/kibana
----
+
This command generates a unique link to enroll your {kib} instance with {es}.

  .. In your terminal, click the generated link to open {kib} in your browser.

  .. In your browser, paste the enrollment token that you copied and click the
button to connect your {kib} instance with {es}.

  .. Log in to {kib} as the `elastic` user with the password that was generated
when you started {es}.

[discrete]
[[stack-enroll-nodes]]
=== Enroll additional nodes in your cluster

:slash:     /

include::enroll-nodes.asciidoc[]

[discrete]
=== What's next?
Congratulations! You've successfully started the {stack} with security enabled.
{es} and {kib} are secured with TLS on the HTTP layer, and internode
communication is encrypted. If you want to enable HTTPS for web traffic, you
can <<encrypt-kibana-browser,encrypt traffic between your browser and {kib}>>.

[discrete]
[[stack-security-certificates]]
=== Security certificates and keys

When you start {es} for the first time, the following certificates and keys are
generated in the `config/tls_auto_config_<timestamp>` directory,
which are used to connect a {kib} instance to your secured {es} cluster and
to encrypt internode communication. The files are listed here for reference.

`http_ca.crt`::
The CA certificate that is used to sign the certificates for the HTTP layer of
this {es} cluster.

`http_keystore_local_node.p12`::
Keystore that contains the key and certificate for the HTTP layer for this node.

`transport_keystore_all_nodes.p12`::
Keystore that contains the key and certificate for the transport layer for all
the nodes in your cluster.

Additionally, when you use the enrollment token to connect {kib} to a secured {es} cluster, a security certificate is retrieved from {es} and stored in the
{kib} `/data` directory. This file establishes trust between {kib} and the {es}
Certificate Authority (CA) for the HTTP layer.