Enabling TLS on 5.5.2, how to verify


I wanted to try out enabling TLS on a 3 node ELK 5.5.2 cluster. So I created a CSR with certgen and issued a certificate from our PKI. All good so far,.

I have these settings in my elasticsearch.yml

xpack.security.enabled : false
xpack.monitoring.enabled : true
xpack.graph.enabled : false
xpack.watcher.enabled : false

When security is disabled like that, does that prevent me from enabling like this ?? :;

xpack.ssl.key: c:\elastic\elasticsearch\config\x-pack\elasticsearch-t.key
xpack.ssl.certificate: c:\elastic\elasticsearch\config\x-pack\elasticsearch-t.cer
xpack.ssl.certificate_authorities: [ "c:\elastic\elasticsearch\config\x-pack\myrootca.cer" ]
xpack.security.transport.ssl.enabled: true
xpack.security.http.ssl.enabled: true

When I connect to http://localhost:9200 , I dont see any active certificate.

It doesnt complain about anything when I restarted the cluster , but I am not sure, whether TLS is actually active or not , because security is disabled generally.Is there some way of verying TLS?


TLS is part of xpack security. If you set xpack.security.enabled to false, then you have disabled TLS as well.

You need to turn on xpack security to use TLS.
If you want TLS, but don't want to require authentication (but really, you should), then you can enable anonymous access.

I was afraid of that answer :frowning:

Will it be same situation in the upcoming 6.0 version?


Yes, that will be the same in 6.0

Why are you trying to avoid turning on security?
It seems a little strange to want to protect your communications from eavesdropping, but then leave your server open to anyone who has access to your network.


We have only a basic license for our clusters. It was my understanding, that enabling security required a purchased license. If this is still the case , that you require a purchased license for enabling TLS , then I suggest that you go back in your team and start to reevaluate this decision.

I was inspired to look at this from your blog article about 6.0: https://www.elastic.co/blog/default-security-for-elasticsearch-and-the-elastic-stack . Where it states TLS everywhere. TLS should be default in all setups.

We are not leaving the cluster open to anyone, who has access to our network as write. The cluster is on Windows , running behind a reverse proxy on IIS, which is configured for AD validation.

Enabling TLS between the nodes in the cluster was the first step in enabling TLS on all trafic going in/out of the the clouster. We have trafic to logstash and Kafka trafic, that we also would like to switch to TLS.


TLS is part of X-Pack security, which is part of our commercial subscriptions. There are no current plans to change that.

My comments about leaving the server open were based on the fact that you were attempting to enable TLS on the http interface. That implies that you have HTTP connections coming in over a network that you don't trust (which is entirely reasonable), but if you don't trust the network then you ought to do something to authenticate the connections coming in on that network.

However, it doesn't sound like you really need TLS on the HTTP interface. If you are running IIS on the same machine, then you can terminate the TLS connection at the IIS server, and let IIS do all the work to support TLS connections from Logstash and Kafka.

In any case, if you want to enable TLS between nodes in your cluster, that requires a Gold license (or higher) and is not supported on the basic license.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.