Secure the reporting endpoints
In a production environment, you should restrict access to the reporting endpoints to authorized users. This requires that you:
- Enable Elastic Stack security features on your Elasticsearch cluster. For more information, see Getting started with security.
- Configure TLS/SSL encryption for the Kibana server. For more information, see Encrypt communications.
Specify the Kibana server’s CA certificate chain in
elasticsearch.yml
:If you are using your own CA to sign the Kibana server certificate, then you need to specify the CA certificate chain in Elasticsearch to properly establish trust in TLS connections between Watcher and Kibana. If your CA certificate chain is contained in a PKCS #12 trust store, specify it like so:
xpack.http.ssl.truststore.path: "/path/to/your/truststore.p12"
xpack.http.ssl.truststore.type: "PKCS12"
xpack.http.ssl.truststore.password: "optional decryption password"
Otherwise, if your CA certificate chain is in PEM format, specify it like so:
xpack.http.ssl.certificate_authorities: ["/path/to/your/cacert1.pem", "/path/to/your/cacert2.pem"]
For more information, see the Watcher HTTP TLS/SSL Settings.
Add one or more users who have the permissions necessary to use Kibana and reporting features. For more information, see Reporting and security.
Once you’ve enabled SSL for Kibana, all requests to the reporting endpoints must include valid credentials. For example, see the following page which includes a watch that submits requests as the built-in elastic
user: Automating report generation.
For more information about configuring watches, see How Watcher works.