Connect autoconfigured clusters for cross-cluster-replication

neox2811 · August 12, 2022, 10:40am

Hi,

I've got a running production cluster "A" autoconfigured with security on install. The cluster already contains some data / indices.

Now I want to add cross-cluster-replication (Simple Leader -> Follower setup like Cross-cluster replication | Elasticsearch Guide [8.3] | Elastic). I've set up a second cluster "B" in a different data center. The documentation states, that I have to add the certificates from remote clusters as trusted CA on the local cluster and veci versa (Configure remote clusters with security | Elasticsearch Guide [8.3] | Elastic).

Which certificates do I have to copy and how do I import them in the remote cluster? The autoconfigation on install created three certificates automatically on each of the nodes in each cluster: http_ca.crt, http.p12, transport.p12 (Start the Elastic Stack with security enabled automatically | Elasticsearch Guide [8.3] | Elastic)

Any ideas? Thanks.

neox2811 · August 16, 2022, 7:42am

Hi, I worked it out:

Copy certs/transport.p12 file from cluster A to all nodes of cluster B (you may have to copy the file to a directory you can write e.g. with scp from a remote server to your home directory. Then copy the file on the cluster B nodes with sudo to /etc/elasticsearch/certs/)
Make sure the elasticsearch Unix user owns the file: chown -R root:elasticsearch transport.p12
Update the keystore on cluster B
Find out passwords on any node of cluster A:

/usr/share/elasticsearch/bin/elasticsearch-keystore show xpack.security.transport.ssl.keystore.secure_password
/usr/share/elasticsearch/bin/elasticsearch-keystore show xpack.security.transport.ssl.truststore.secure_password

on all nodes of cluster B set the password from cluster A:

/usr/share/elasticsearch/bin/elasticsearch-keystore remove xpack.security.transport.ssl.keystore.secure_password
/usr/share/elasticsearch/bin/elasticsearch-keystore remove xpack.security.transport.ssl.truststore.secure_password

/usr/share/elasticsearch/bin/elasticsearch-keystore add xpack.security.transport.ssl.keystore.secure_password
/usr/share/elasticsearch/bin/elasticsearch-keystore add xpack.security.transport.ssl.truststore.secure_password

Restart alle nodes of cluster B. Remote Cluster connection should be working now.

As I stated above, I used autoconfiguration for both of my clusters. Heres my elasticsearch.yml for the transport layer:

xpack.security.transport.ssl:
  enabled: true
  verification_mode: certificate
  keystore.path: certs/transport.p12
  truststore.path: certs/transport.p12

system · September 13, 2022, 7:42am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Trusting remote clusters' CA Elasticsearch elastic-stack-security	4	440	March 27, 2023
Elasticsearch Cross Cluster Search Implementation Elasticsearch elastic-stack-security , ccs-cross-cluster-search	15	2122	January 28, 2021
Remote clusters authentication Elasticsearch ccr-cross-cluster-replication	23	2148	December 9, 2020
Connect remote cluster between a cluster disabled TLS/SSL and a cluster enabled TLS/SSL Elasticsearch ccr-cross-cluster-replication , ccs-cross-cluster-search	5	123	June 7, 2024
How to connect cluster with configured TLS? Elasticsearch elastic-stack-security , ccr-cross-cluster-replication	7	730	November 24, 2021

Connect autoconfigured clusters for cross-cluster-replication

Related topics