I wanted to try out enabling TLS on a 3-node ELK 5.5.2 cluster. So I created a CSR with certgen and issued a certificate from our PKI. All good so far.
It doesn't complain about anything when I restarted the cluster, but I am not sure whether TLS is actually active or not, because security is disabled generally. Is there some way of verifying TLS?
TLS is part of xpack security. If you set xpack.security.enabled to false, then you have disabled TLS as well.
You need to turn on xpack security to use TLS.
If you want TLS, but don't want to require authentication (but really, you should), then you can enable anonymous access.
Why are you trying to avoid turning on security?
It seems a little strange to want to protect your communications from eavesdropping, but then leave your server open to anyone who has access to your network.
We have only a basic license for our clusters. It was my understanding that enabling security required a purchased license. If this is still the case, that you require a purchased license for enabling TLS, then I suggest that you go back to your team and start to reevaluate this decision.
We are not leaving the cluster open to anyone who has access to our network, as you write. The cluster is on Windows, running behind a reverse proxy on IIS, which is configured for AD validation.
Enabling TLS between the nodes in the cluster was the first step in enabling TLS on all traffic going in/out of the cluster. We have traffic to Logstash and Kafka traffic that we also would like to switch to TLS.
TLS is part of X-Pack security, which is part of our commercial subscriptions. There are no current plans to change that.
My comments about leaving the server open were based on the fact that you were attempting to enable TLS on the http interface. That implies that you have HTTP connections coming in over a network that you don't trust (which is entirely reasonable), but if you don't trust the network then you ought to do something to authenticate the connections coming in on that network.
However, it doesn't sound like you really need TLS on the HTTP interface. If you are running IIS on the same machine, then you can terminate the TLS connection at the IIS server, and let IIS do all the work to support TLS connections from Logstash and Kafka.
In any case, if you want to enable TLS between nodes in your cluster, that requires a Gold license (or higher) and is not supported on the basic license.
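On the original question of how to verify whether TLS is active: the following is an added example, not code from any poster in this thread. It attempts a TLS handshake against a listener and reports whether one completes. The plaintext listener is a constructed stand-in for a node whose TLS settings are not in effect, `node1.example` is a placeholder hostname, and the ports in the closing comment are the Elasticsearch defaults.

```python
import socket
import ssl
import threading


def probe_tls(host, port, timeout=3.0):
    """Report whether the listener at host:port completes a TLS handshake."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # The question here is "is TLS spoken at all?", so certificate
    # validation is switched off for the probe only.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        return {"reachable": False, "tls": False, "detail": str(exc)}
    with raw:
        try:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                detail = f"{tls.version()} {tls.cipher()[0]}"
                return {"reachable": True, "tls": True, "detail": detail}
        except OSError as exc:  # ssl.SSLError is a subclass of OSError
            return {"reachable": True, "tls": False, "detail": str(exc)}


def start_plaintext_listener():
    """Constructed stand-in for a node whose TLS settings are not in effect."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.recv(4096)  # the ClientHello arrives as unparseable bytes
            conn.sendall(b"HTTP/1.1 400 Bad Request\r\n\r\n")

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    port = start_plaintext_listener()
    print("constructed plaintext listener:", probe_tls("127.0.0.1", port))
    # Against a real cluster, probe each node on its HTTP and transport
    # ports (9200 and 9300 by default), e.g. probe_tls("node1.example", 9300)
```

A result of `"tls": False` with `"reachable": True` means the port answered but did not negotiate TLS, which is what a node with `xpack.security.enabled` set to false would be expected to show given the answer above.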