Connect autoconfigured clusters for cross-cluster-replication

Hi,

I've got a running production cluster "A" autoconfigured with security on install. The cluster already contains some data / indices.

Now I want to add cross-cluster-replication (simple Leader -> Follower setup like Cross-cluster replication | Elasticsearch Guide [8.3] | Elastic). I've set up a second cluster "B" in a different data center. The documentation states that I have to add the certificates from remote clusters as trusted CA on the local cluster and vice versa (Configure remote clusters with security | Elasticsearch Guide [8.3] | Elastic).

Which certificates do I have to copy and how do I import them in the remote cluster? The autoconfiguration on install created three certificates automatically on each of the nodes in each cluster: http_ca.crt, http.p12, transport.p12 (Start the Elastic Stack with security enabled automatically | Elasticsearch Guide [8.3] | Elastic).

Any ideas? Thanks.

Hi, I worked it out:

  1. Copy the certs/transport.p12 file from cluster A to all nodes of cluster B (you may have to copy the file to a directory you can write to, e.g. with scp from a remote server to your home directory. Then copy the file on the cluster B nodes with sudo to /etc/elasticsearch/certs/).
  2. Make sure the elasticsearch Unix user owns the file: chown -R root:elasticsearch transport.p12
  3. Update the keystore on cluster B.
     Find out the passwords on any node of cluster A:

     /usr/share/elasticsearch/bin/elasticsearch-keystore show xpack.security.transport.ssl.keystore.secure_password
     /usr/share/elasticsearch/bin/elasticsearch-keystore show xpack.security.transport.ssl.truststore.secure_password

     On all nodes of cluster B set the passwords from cluster A:

     /usr/share/elasticsearch/bin/elasticsearch-keystore remove xpack.security.transport.ssl.keystore.secure_password
     /usr/share/elasticsearch/bin/elasticsearch-keystore remove xpack.security.transport.ssl.truststore.secure_password
     /usr/share/elasticsearch/bin/elasticsearch-keystore add xpack.security.transport.ssl.keystore.secure_password
     /usr/share/elasticsearch/bin/elasticsearch-keystore add xpack.security.transport.ssl.truststore.secure_password
  4. Restart all nodes of cluster B. The remote cluster connection should be working now.

As I stated above, I used autoconfiguration for both of my clusters. Here's my elasticsearch.yml for the transport layer:

xpack.security.transport.ssl:
  enabled: true
  verification_mode: certificate
  keystore.path: certs/transport.p12
  truststore.path: certs/transport.p12
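Step 3 above has to be repeated interactively on every node of cluster B. The following is an added example, not from the original thread, that scripts that step: it overwrites both secure_password entries in one go and then verifies they are present. It assumes elasticsearch-keystore supports `add -f` (overwrite an existing entry) and `-x` (read the value from stdin), and that it is run as a user allowed to modify the node's keystore.

```shell
#!/bin/sh
# Added example: set the transport keystore/truststore passwords copied from
# cluster A on a cluster B node without interactive prompts.
# Assumed flags: `add -f` overwrites an existing entry (so no separate `remove`
# step is needed) and `-x` reads the value from stdin, so the password never
# shows up in the process list or the shell history of the node.

# $1: path to elasticsearch-keystore, $2: keystore password, $3: truststore password
set_transport_ssl_passwords() {
    ks_bin=$1
    ks_pw=$2
    ts_pw=$3
    [ -x "$ks_bin" ] || { echo "keystore tool not found: $ks_bin" >&2; return 1; }
    printf '%s' "$ks_pw" | "$ks_bin" add -f -x xpack.security.transport.ssl.keystore.secure_password || return 1
    printf '%s' "$ts_pw" | "$ks_bin" add -f -x xpack.security.transport.ssl.truststore.secure_password || return 1
}

# Check that both entries exist in the keystore before restarting the node.
# $1: path to elasticsearch-keystore
transport_ssl_passwords_present() {
    ks_bin=$1
    listing=$("$ks_bin" list) || return 1
    echo "$listing" | grep -qx 'xpack.security.transport.ssl.keystore.secure_password' || return 1
    echo "$listing" | grep -qx 'xpack.security.transport.ssl.truststore.secure_password' || return 1
}

# Typical use on a cluster B node (passwords taken from `elasticsearch-keystore show`
# on cluster A, passed in via environment variables so they are not on the command line):
#   set_transport_ssl_passwords /usr/share/elasticsearch/bin/elasticsearch-keystore "$KS_PW" "$TS_PW" \
#     && transport_ssl_passwords_present /usr/share/elasticsearch/bin/elasticsearch-keystore \
#     && systemctl restart elasticsearch
```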