Does X-Pack Security authenticates clients via client certificates

(Bozho Bekriev) #1


I am in the process of evaluating X-Pack security and in my current setup, I've successfully sorted the following SSL/TLS communication:

Kibana ----> AD LDAPS Server (IIS generated self-signed certificate for the purpose of server authentication)
Kibana ----> ElasticSearch (certgen tool)
Kibana ----> Browser (certgen tool)
Filebeat ----> Logstash (certgen tool)
Logstash ----> ElasticSearch (certgen tool)

Kibana, Logstash and ElasticSearch are running on a single Windows server 2012R2
I have two servers that I am collecting logs from, running two different applications. I would like to use ELK for centralized logs monitoring from the two applications but I would like to have complete isolation between the two projects. I have realized this logical separation in the database by using different index name prefix. Each Filebeat shipper sends logs under a specific index depending on the project.

What I am concerned is in general, how do I make sure that data from a particular client server is actually coming from it and ensure that someone who has the server certificate doesn't load dirty data into the database?

If I understand correctly, the idea is to provide filebeat with the ElasticSearch node certificate so that it can authenticate the node, however does the node (ElasticSearch or Logstash) also try to authenticate the server from where logs are coming from? In other words, can I somehow ensure that a given filebeat agent is authenticated by the elastic node server and writing data only to a particular index in the database?

If the two application servers are using the same certificate to authenticate the ElasticSearch node server how do I make sure someone will not try to load dirty content into the indices of the other application or even worse submit DELETE Curl requests and compromise all indices:

curl -XDELETE https://:9200/index/filebeat-app01-* --cacert ca.crt

Does ElasticSearch cater for client certificates or only provides a way to authenticate the servers running the core components?

Thanks a lot in advance!


(Tim Vernum) #2

I think I probably answered most of your questions through your other post, but I'll fill in a few details. Please post a followup if I've missed something.

It's important to be really clear about client certificates vs server certificates (which you might be, but it's not entirely clear from your post)

When enabling TLS on Elasticsearch you must supply a server certificate (that certgen can generate for you), but client certificates are optional.
In your curl example, you're using the server ca.crt to verify the server certificate, but you're not supplying a client certificate.

If you want to rely on TLS to distinguish between different clients (such as different logstash instances) then you need to enable client certificates. The instructions for the PKI realm can guide you through that process.

You can use certgen to generate client certificates, but you would typically separate your client certificates from your server certificates.

(Bozho Bekriev) #3

Thanks a lot. I think all topics are cleared :slight_smile:

(system) #4

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.