Setting up TLS on a cluster
The Elastic Stack security features enable you to encrypt traffic to, from, and within your Elasticsearch cluster. Connections are secured using Transport Layer Security (TLS), which is commonly referred to as “SSL”.
Clusters that do not have encryption enabled send all data in plain text including passwords. If the Elasticsearch security features are enabled, unless you have a trial license, you must configure SSL/TLS for internode-communication.
The following steps describe how to enable encryption across the various components of the Elastic Stack. You must perform each of the steps that are applicable to your cluster.
- Generate a private key and X.509 certificate for each of your Elasticsearch nodes. See Generating Node Certificates.
- Configure each node in the cluster to identify itself using its signed certificate and enable TLS on the transport layer. You can also optionally enable TLS on the HTTP layer. See Encrypting communications between nodes in a cluster and Encrypting HTTP client communications.
- Configure the monitoring features to use encrypted connections. See Monitoring and security.
- Configure Kibana to encrypt communications between the browser and the Kibana server and to connect to Elasticsearch via HTTPS. See Configuring security in Kibana.
- Configure Logstash to use TLS encryption. See Configuring security in Logstash.
- Configure Beats to use encrypted connections. For example, see Configure Filebeat to use security features.
- Configure the Java transport client to use encrypted communications. See Java Client and security.
- Configure Elasticsearch for Apache Hadoop to use secured transport. See Elasticsearch for Apache Hadoop Security.