I've got a running production cluster "A" autoconfigured with security on install. The cluster already contains some data / indices.
Now I want to add cross-cluster-replication (Simple Leader -> Follower setup like Cross-cluster replication | Elasticsearch Guide [8.3] | Elastic). I've set up a second cluster "B" in a different data center. The documentation states that I have to add the certificates from remote clusters as trusted CA on the local cluster and vice versa (Configure remote clusters with security | Elasticsearch Guide [8.3] | Elastic).
Which certificates do I have to copy and how do I import them in the remote cluster? The autoconfiguration on install created three certificates automatically on each of the nodes in each cluster: http_ca.crt, http.p12, transport.p12 (Start the Elastic Stack with security enabled automatically | Elasticsearch Guide [8.3] | Elastic)
Any ideas? Thanks.
Hi, I worked it out:
- Copy the certs/transport.p12 file from cluster A to all nodes of cluster B (you may have to copy the file to a directory you can write to, e.g. with scp from a remote server to your home directory. Then copy the file on the cluster B nodes with sudo to /etc/elasticsearch/certs/)
- Make sure the elasticsearch Unix user owns the file: chown -R root:elasticsearch transport.p12
- Update the keystore on cluster B
Find out passwords on any node of cluster A:
/usr/share/elasticsearch/bin/elasticsearch-keystore show xpack.security.transport.ssl.keystore.secure_password
/usr/share/elasticsearch/bin/elasticsearch-keystore show xpack.security.transport.ssl.truststore.secure_password
On all nodes of cluster B, set the password from cluster A:
/usr/share/elasticsearch/bin/elasticsearch-keystore remove xpack.security.transport.ssl.keystore.secure_password
/usr/share/elasticsearch/bin/elasticsearch-keystore remove xpack.security.transport.ssl.truststore.secure_password
/usr/share/elasticsearch/bin/elasticsearch-keystore add xpack.security.transport.ssl.keystore.secure_password
/usr/share/elasticsearch/bin/elasticsearch-keystore add xpack.security.transport.ssl.truststore.secure_password
- Restart all nodes of cluster B. Remote Cluster connection should be working now.
As I stated above, I used autoconfiguration for both of my clusters. Here's my elasticsearch.yml for the transport layer:
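A check to run on each cluster B node before the restart, as an added example that is not part of the original posts: transport.p12 holds a private key, so it confirms that the copied file matches a digest taken on cluster A, is not accessible to other local users, has the expected group, and that the staging copy left behind by scp is gone. The function name, the digest argument and the staging path are assumptions; it relies on GNU `stat` and `sha256sum`.

```shell
#!/bin/sh
# Added example (not from the thread). verify_copied_keystore is a hypothetical
# helper; paths and the group name in the usage comment follow the post.
#
# Usage on a cluster B node, with the digest recorded on cluster A via
#   sha256sum /etc/elasticsearch/certs/transport.p12
#
#   verify_copied_keystore /etc/elasticsearch/certs/transport.p12 \
#       elasticsearch "<sha256 recorded on cluster A>" "$HOME/transport.p12"

verify_copied_keystore() {
    local file group expected staging mode actual rc
    file=$1; group=$2; expected=$3; staging=$4; rc=0

    [ -f "$file" ] || { echo "FAIL: $file does not exist" >&2; return 1; }

    # The last octal digit is the "other" class; anything but 0 exposes
    # the keystore (and its private key) to every local account.
    mode=$(stat -c '%a' "$file")
    case "$mode" in
        *0) ;;
        *) echo "FAIL: mode $mode grants access to other users" >&2; rc=1 ;;
    esac

    # The Elasticsearch service account reads the file through its group.
    if [ "$(stat -c '%G' "$file")" != "$group" ]; then
        echo "FAIL: group is not $group" >&2; rc=1
    fi

    # Detect a truncated or swapped file after the two-step copy.
    actual=$(sha256sum "$file" | cut -d' ' -f1)
    if [ "$actual" != "$expected" ]; then
        echo "FAIL: digest mismatch, got $actual" >&2; rc=1
    fi

    # The intermediate copy in the home directory is a second, less
    # protected copy of the key and should be deleted after the move.
    if [ -e "$staging" ]; then
        echo "FAIL: staging copy still present at $staging" >&2; rc=1
    fi

    return "$rc"
}
```

The function returns 0 only when all four checks pass and prints one line per failed check to stderr.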