Enabling security features in an existing cluster with Elasticsearch 6.8

With the release of Elasticsearch 6.8 / 7.1 we have some questions on the right approach to enabling the base security features on an existing cluster, which we seem unable to find anywhere. Help appreciated, or someone who can point us in the right direction.

Our cluster setup looks like the following:

  • 3 data nodes
  • 3 dedicated master nodes
  • 1 coordinator node / Kibana

We've been running with the security features explicitly disabled until now. I realise the steps look something like:

  • Update the config for Elasticsearch / Kibana
  • Generate certs for the nodes
  • Restart each node
  • Obviously update any integration to use authentication

What we're not 100% sure about is: can we somehow manage doing only a rolling restart, or do we need a full cluster restart for this operation?

I'm thinking it's impossible without the full restart, since the nodes will start communicating using TLS once it's enabled, and thus it needs to be enabled on all nodes in the cluster - but I'm somehow hoping someone can offer a rolling-restart option I've simply overlooked, to avoid downtime :)

Thank you in advance!

  • Henrik

Hi Henrik,

Sadly, when enabling TLS it does require a full restart (so the nodes can talk to each other). Do you plan on using self-signed certs, or do you plan on using internally signed certificates? There are a few ways we can go about doing it now. I personally like certutil with the YAML, and getting it set up that way. It can generate the CSRs or everything. Just remember to be ready for upgrade time.

My questions summarized:

  1. Do you plan on using self-signed, or internal?
  2. Do you have a plan on getting the CSRs?

Hi Todd,

Thank you for your quick reply, answer, and raising questions I had not yet considered.

After some light reading on the subject, I think the current plan will be using certutil with the yaml configuration option, and having it generate both the CA and the node certificates, since we don't have an organization CA, and the nodes aren't public facing in any way.

Once again thank you - without your questions, our upgrade night would likely have resulted in a few unnecessary hours of reading! :)

  • Henrik
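The plan Henrik settles on above (certutil driven by a YAML instances file, generating both the CA and the per-node certificates, then the Elasticsearch settings that force the full restart) as an added example. This is not code from the thread, from Todd's guide, or from Elastic; every host name and address is constructed, and ES_HOME and the certs/ layout under the config directory are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or from Elastic. Generates the
# instances.yml that `elasticsearch-certutil cert --in` consumes, the
# elasticsearch.yml settings each node needs, and (where certutil is
# installed) a CA plus one PEM key/cert pair per node.
set -eu

ES_HOME="${ES_HOME:-/usr/share/elasticsearch}"   # assumption: package install path
OUTDIR="${OUTDIR:-./es-tls}"

# Emit the instances.yml for the given node names. DNS names and 10.0.0.x
# addresses are constructed; having SANs here is what later lets you raise
# verification_mode from "certificate" to "full" without reissuing.
gen_instances() {
  printf 'instances:\n'
  i=10
  for node in "$@"; do
    i=$((i + 1))
    printf '  - name: "%s"\n    dns: ["%s.example.internal"]\n    ip: ["10.0.0.%s"]\n' \
      "$node" "$node" "$i"
  done
}

# Emit the elasticsearch.yml settings for one node, assuming its PEM files are
# copied to $ES_PATH_CONF/certs/. Transport TLS is the setting that makes the
# change non-rolling: a node with it on cannot join nodes with it off. HTTP TLS
# is optional in 6.8 but protects the Kibana/client traffic too.
gen_node_config() {
  node="$1"
  cat <<EOF
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.key: certs/${node}.key
xpack.security.transport.ssl.certificate: certs/${node}.crt
xpack.security.transport.ssl.certificate_authorities: ["certs/ca.crt"]
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.key: certs/${node}.key
xpack.security.http.ssl.certificate: certs/${node}.crt
xpack.security.http.ssl.certificate_authorities: ["certs/ca.crt"]
EOF
}

# Write the inputs, then run certutil if it is present. The CA key must stay
# off the nodes: you need it again when the node certs are renewed.
generate_certs() {
  mkdir -p "$OUTDIR"
  gen_instances "$@" > "$OUTDIR/instances.yml"
  for node in "$@"; do
    gen_node_config "$node" > "$OUTDIR/$node.elasticsearch.yml.snippet"
  done
  if [ ! -x "$ES_HOME/bin/elasticsearch-certutil" ]; then
    echo "elasticsearch-certutil not found under $ES_HOME; wrote inputs to $OUTDIR only" >&2
    return 0
  fi
  "$ES_HOME/bin/elasticsearch-certutil" ca --pem --silent --out "$OUTDIR/ca.zip"
  unzip -o -q "$OUTDIR/ca.zip" -d "$OUTDIR"          # yields $OUTDIR/ca/ca.crt and ca.key
  "$ES_HOME/bin/elasticsearch-certutil" cert --pem --silent \
    --ca-cert "$OUTDIR/ca/ca.crt" --ca-key "$OUTDIR/ca/ca.key" \
    --in "$OUTDIR/instances.yml" --out "$OUTDIR/certs.zip"
  echo "wrote $OUTDIR/certs.zip: copy <node>/<node>.{crt,key} and ca/ca.crt to each node's config/certs/" >&2
}

# The thread's layout: 3 dedicated masters, 3 data nodes, 1 coordinating node.
generate_certs es-master-1 es-master-2 es-master-3 es-data-1 es-data-2 es-data-3 es-coord-1
```

After the files are in place on every node, the remaining steps are the ones from the thread: stop all nodes, start them all with the new settings (a full restart, as Todd says), then run bin/elasticsearch-setup-passwords on one node and put the resulting kibana user credentials into kibana.yml as elasticsearch.username / elasticsearch.password before restarting Kibana.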


No problem, I'm happy to help. I'm going to send a guide I made a while ago (some of the commands may call a different item, but it should work for the certs just fine (elastic-certutil versus just certutil)).


@ToddFerg it sounds cool! I can't wait to read this guide, I really need it to understand how to configure security features properly.

thanks in advance
