Enabling TLS in Elasticsearch encrypts network traffic, securing sensitive information against interception and tampering.
TLS secures both HTTP and transport layers, providing robust authentication of nodes and clients while ensuring confidentiality and integrity of data in transit.
Adopting TLS aligns with best practices and compliance standards, creating a secure environment for reliable analytics, search, and data management operations.
Steps to configure Elasticsearch for TLS:
- Generate or obtain the required TLS certificates and keys.
Use the built-in Elasticsearch certificate utility or acquire certificates from a trusted CA.
- Place the certificates and keys in a secure location with proper permissions.
- Edit elasticsearch.yml to enable TLS for HTTP and transport communication.
$ sudo nano /etc/elasticsearch/elasticsearch.yml
Set xpack.security.http.ssl.enabled and xpack.security.transport.ssl.enabled to true.
- Specify paths to the certificates and keys in the configuration.
- Restart Elasticsearch to apply changes.
$ sudo systemctl restart elasticsearch
Ensure clients trust the CA or certificates used by the cluster.
- Verify secure connectivity.
$ curl --request GET --insecure --silent https://localhost:9200 | jq
{
  "name": "secure-node",
  ...
}
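An HTTPS response confirms that TLS is active on the HTTP layer. Because --insecure skips certificate verification, this check does not show that clients will trust the certificate.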
- Check certificate validity and expiration regularly.
Use openssl to inspect certificates and ensure they remain valid.
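
As an added example (not part of the original guide), the script below audits an elasticsearch.yml against the configuration steps above: both xpack.security.*.ssl.enabled settings are true, every referenced certificate or key file exists, and private-key material is not accessible to other users. It assumes flat dotted keys and that the file sits in the Elasticsearch config directory; the function names, the sample file names and the permission policy are assumptions made for the example.

```bash
#!/usr/bin/env bash
# Added example, not from the original page: audit elasticsearch.yml against the steps above.
# Assumptions: settings use flat dotted keys ("a.b.c: value"); policy is that key
# material grants no permissions to "other" users. File names below are constructed.

# Print the last value set for a flat dotted key, minus quotes and trailing comments.
es_setting() {  # usage: es_setting <file> <key>
  local key
  key=$(printf '%s' "$2" | sed 's/\./\\./g')   # match dots literally
  sed -n "s/^[[:space:]]*${key}[[:space:]]*:[[:space:]]*//p" "$1" |
    sed -e 's/[[:space:]]*#.*$//' -e 's/[[:space:]]*$//' -e 's/^["'\'']//' -e 's/["'\'']$//' |
    tail -n 1
}

# Return 0 only if both layers enable TLS and every referenced file passes; print findings.
audit_es_tls() {  # usage: audit_es_tls <path to elasticsearch.yml>
  local yml=$1 dir rc=0 layer opt val path
  dir=$(dirname "$yml")   # relative paths are resolved against the config directory
  for layer in http transport; do
    val=$(es_setting "$yml" "xpack.security.$layer.ssl.enabled")
    [ "$val" = "true" ] || { echo "FAIL $layer: ssl.enabled is '${val:-unset}'"; rc=1; }
    for opt in keystore.path key certificate truststore.path; do
      path=$(es_setting "$yml" "xpack.security.$layer.ssl.$opt")
      [ -n "$path" ] || continue
      case $path in /*) ;; *) path="$dir/$path" ;; esac
      if [ ! -f "$path" ]; then
        echo "FAIL $layer: $opt -> $path not found"; rc=1
      elif [ "$opt" = key ] || [ "$opt" = keystore.path ]; then
        # Characters 8-10 of the ls mode string are the permissions for "other".
        [ "$(ls -ldL "$path" | cut -c8-10)" = "---" ] ||
          { echo "FAIL $layer: $path is accessible to other users"; rc=1; }
      fi
    done
  done
  return "$rc"
}

# Constructed sample: TLS enabled on both layers, one keystore left world-readable.
demo=$(mktemp -d) && mkdir "$demo/certs"
cat > "$demo/elasticsearch.yml" <<'EOF'
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: certs/http.p12
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.keystore.path: certs/transport.p12
EOF
: > "$demo/certs/http.p12";      chmod 640 "$demo/certs/http.p12"
: > "$demo/certs/transport.p12"; chmod 644 "$demo/certs/transport.p12"
audit_es_tls "$demo/elasticsearch.yml" || echo "audit found problems"
rm -rf "$demo"
```

On a real node, point audit_es_tls at /etc/elasticsearch/elasticsearch.yml; a non-zero exit status means at least one finding was printed.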

Mohd Shakir Zakaria is a cloud architect with deep roots in software development and open-source advocacy. Certified in AWS, Red Hat, VMware, ITIL, and Linux, he specializes in designing and managing robust cloud and on-premises infrastructures.