Encrypt communications in Kibana
Secure Sockets Layer (SSL) and Transport Layer Security (TLS) provide encryption for data-in-transit. While these terms are often used interchangeably, Kibana supports only TLS, which supersedes the old SSL protocols.
Browsers send traffic to Kibana and Kibana sends traffic to Elasticsearch. These communication channels are configured separately to use TLS.
TLS requires X.509 certificates to authenticate the communicating parties and perform encryption of data-in-transit. Each certificate contains a public key and has an associated — but separate — private key; these keys are used for cryptographic operations. Kibana supports certificates and private keys in PEM or PKCS#12 format.
Encrypt traffic between the browser and Kibana
You do not need to enable the Elasticsearch security features for this type of encryption.
Obtain a server certificate and private key for Kibana.
Kibana will need to use this “server certificate” and corresponding private key when receiving connections from web browsers.
When you obtain a server certificate, you must set its subject alternative name (SAN) correctly to ensure that modern web browsers with hostname verification will trust it. You can set one or more SANs to the Kibana server’s fully-qualified domain name (FQDN), hostname, or IP address. When choosing the SAN, you should pick whichever attribute you will be using to connect to Kibana in your browser, which is likely the FQDN.
You may choose to generate a certificate signing request (CSR) and private key using the
elasticsearch-certutil
tool. For example:bin/elasticsearch-certutil csr -name kibana-server -dns some-website.com,www.some-website.com
This will produce a ZIP archive named
kibana-server.zip
. Extract that archive to obtain the PEM-formatted CSR (kibana-server.csr
) and unencrypted private key (kibana-server.key
). In this example, the CSR has a common name (CN) ofkibana-server
, a SAN ofsome-website.com
, and another SAN ofwww.some-website.com
.You will need to use a certificate authority (CA) to sign your CSR to obtain your server certificate. This certificate’s signature will be verified by web browsers that are configured to trust the CA.
Configure Kibana to access the server certificate and private key.
If your server certificate and private key are in PEM format:
Specify your server certificate and private key in
kibana.yml
:server.ssl.certificate: "/path/to/kibana-server.crt"
server.ssl.key: "/path/to/kibana-server.key"
If your private key is encrypted, add the decryption password to your Kibana keystore:
bin/kibana-keystore add server.ssl.keyPassphrase
Otherwise, if your server certificate and private key are contained in a PKCS#12 file:
Specify your PKCS#12 file in
kibana.yml
:server.ssl.keystore.path: "/path/to/kibana-server.p12"
If your PKCS#12 file is encrypted, add the decryption password to your Kibana keystore:
bin/kibana-keystore add server.ssl.keystore.password
If your PKCS#12 file isn’t protected with a password, depending on how it was generated, you may need to set
server.ssl.keystore.password
to an empty string.
For more information about settings for certificates and keys, see [Kibana configuration settings]($ceae3611841f803a.md "Configure Kibana").
Configure Kibana to enable TLS for inbound connections.
Specify that TLS is used in
kibana.yml
:server.ssl.enabled: true
Restart Kibana.
After making these changes, you must always access Kibana via HTTPS. For example, https://
Encrypt traffic between Kibana and Elasticsearch
To perform this step, you must enable the Elasticsearch security features or you must have a proxy that provides an HTTPS endpoint for Elasticsearch.
- Enable TLS on the HTTP layer in Elasticsearch.
Obtain the certificate authority (CA) certificate chain for Elasticsearch.
Kibana needs the appropriate CA certificate chain to properly establish trust when connecting to Elasticsearch.
- If you followed the Elasticsearch documentation for generating node certificates and used the
elasticsearch-certutil http
command, check thekibana
directory in its output. Depending on what options you chose, the output may include the CA certificate chain in PEM format. Otherwise, you likely have a PKCS#12 file for each your Elasticsearch nodes. You can extract the CA certificate chain from one of these files. For example:
openssl pkcs12 -in elastic-certificates.p12 -cacerts -nokeys -out elasticsearch-ca.pem
This will produce a PEM-formatted file named
elasticsearch-ca.pem
that contains all CA certificates from the PKCS#12 file.
- If you followed the Elasticsearch documentation for generating node certificates and used the
Configure Kibana to trust the Elasticsearch CA certificate chain for the HTTP layer.
If your CA certificate chain is in PEM format:
Specify one or more CA certificates in
kibana.yml
:elasticsearch.ssl.certificateAuthorities: ["/path/to/elasticsearch-ca.pem"]
Otherwise, if your CA certificate chain is contained in a PKCS#12 file:
You should not use a PKCS#12 file that contains a private key. This is an unnecessary security risk. If you only have a PKCS#12 file that contains a private key, a safer approach is to extract the CA certificate chain in PEM format.
Specify your PKCS#12 file in
kibana.yml
:elasticsearch.ssl.truststore.path: "/path/to/elasticsearch-ca.p12"
If your PKCS#12 file is encrypted, add the decryption password to your Kibana keystore:
bin/kibana-keystore add elasticsearch.ssl.truststore.password
If your PKCS#12 file isn’t protected with a password, depending on how it was generated, you may need to set
elasticsearch.ssl.truststore.password
to an empty string.
For more information about settings for certificates and keys, see [Kibana configuration settings]($ceae3611841f803a.md "Configure Kibana").
Configure Kibana to enable TLS for outbound connections to Elasticsearch.
Specify the HTTPS URL for Elasticsearch in
kibana.yml
:elasticsearch.hosts: ["https://<your_elasticsearch_host>.com:9200"]
Using the HTTPS protocol results in a default
elasticsearch.ssl.verificationMode
option offull
, which utilizes hostname verification. For more information about this setting, see Kibana configuration settings.
If the Elastic monitoring features are enabled and you have set up a separate Elasticsearch monitoring cluster, you can also configure Kibana to connect to the monitoring cluster via HTTPS. The steps are the same, but each setting is prefixed by monitoring.
. For example, monitoring.ui.elasticsearch.hosts
, monitoring.ui.elasticsearch.ssl.truststore.path
, etc.