Configuring the Transport Client to work with a Secured Cluster

hey there,
Following this doc page, I was trying to use the Transport Client. The ES cluster is already configured to use SSL and Basic Auth, and it works properly.
I would like an answer to a doubt: following step #4, if I specify only

import org.elasticsearch.client.transport.TransportClient;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.xpack.client.PreBuiltXPackTransportClient;
...

// Settings prefixed xpack.security.transport.ssl. configure TLS for the transport protocol
TransportClient client = new PreBuiltXPackTransportClient(Settings.builder()
        .put("cluster.name", "myClusterName")
        .put("xpack.security.user", "transport_client_user:x-pack-test-password")
        .put("xpack.security.transport.ssl.enabled", true)
        .put("xpack.security.transport.ssl.certificate_authorities", "/path/to/ca.crt")
        .put("xpack.security.transport.ssl.verification_mode", "certificate")
        ...
        .build());

So, what will happen if my client provides only the certificate_authorities key?

Your client has 3 settings with the xpack.security.transport.ssl. prefix. That is sufficient for TLS server authentication only. If you want TLS client authentication, your client is missing 2 more settings. TLS mutual authentication (mTLS) happens when you enable authentication both ways.

Transport mTLS settings:

  • enabled: enable or disable TLS
  • certificate_authorities & verification_mode: client settings for TLS server authentication
  • key & certificate: client settings for TLS client authentication

The certificate setting is the client cert to send to the server, so the server can check if it came from a trusted CA. The key setting is for the client to prove it has the private key which matches the cert public key. For example, the server can send a signature challenge to the client; the client signs with the private key, and the server verifies with the cert public key.

For a complete config example of transport mTLS, it might be helpful to look at the Docker Compose example in the Elasticsearch 8.0 documentation. It shows 3 nodes with these 5 settings, so they can talk over mTLS to each other.

  - xpack.security.transport.ssl.enabled=true
  - xpack.security.transport.ssl.key=certs/es02/es02.key
  - xpack.security.transport.ssl.certificate=certs/es02/es02.crt
  - xpack.security.transport.ssl.certificate_authorities=certs/ca/ca.crt
  - xpack.security.transport.ssl.verification_mode=certificate

If it helps, here is a link to the Docker Compose example in the Elasticsearch 8.0 documentation:
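A pre-flight check for the PEM files behind the three mTLS client settings discussed above, added here as an example rather than code from this thread or from Elastic. It assumes openssl is on the PATH and that the three arguments are the files you intend to put in certificate_authorities, certificate and key; it confirms the two things the server will check, that the client cert chains to the CA and that the key matches the cert's public key.

```shell
#!/bin/sh
# Check the PEM material for the three transport mTLS client settings:
#   xpack.security.transport.ssl.certificate_authorities -> $1 (ca.crt)
#   xpack.security.transport.ssl.certificate             -> $2 (client.crt)
#   xpack.security.transport.ssl.key                     -> $3 (client.key)
# Returns 0 when the cert chains to the CA and the key matches the cert.
check_transport_mtls_material() {
  ca="$1"; cert="$2"; key="$3"

  # The server rejects the client cert unless it chains to a CA it trusts,
  # so verify it against the same CA file the cluster was set up with.
  if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
    echo "FAIL: $cert does not chain to CA $ca" >&2
    return 1
  fi

  # The client proves possession of the private key during the handshake;
  # compare the public key derived from the key file with the one in the cert.
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
  if [ -z "$key_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
    echo "FAIL: $key does not match the public key in $cert" >&2
    return 1
  fi

  echo "OK: $cert chains to $ca and matches $key"
  return 0
}
```

Run it as `check_transport_mtls_material certs/ca/ca.crt certs/es02/es02.crt certs/es02/es02.key` before pointing the client at the cluster; a FAIL here means the TLS handshake would be refused by the node.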
