How to configure basic security on elastic stack?

I have an Elastic Stack.
I need to configure basic security.
When I add xpack.security.enabled: true in elasticsearch.yml it fails to start with the message
bootstrap check failure [1] of [1]: Transport SSL must be enabled if security is enabled on a [basic] license. Please set [xpack.security.transport.ssl.enabled] to [true] or disable security by setting [xpack.security.enabled] to [false]

When I add xpack.security.transport.ssl.enabled: true it gives me
Failed to determine the health of the cluster running at http://172.29.39.145:9200 Unexpected response code [503] from calling GET http://172.29.39.145:9200/_cluster/health?pretty Cause: master_not_discovered_exception

Your documentation (Set up minimal security for Elasticsearch | Elasticsearch Guide [7.15] | Elastic) says that I need to add only xpack.security.enabled: true on every node, which I did.

So how do I configure minimal security?

Not only do you have to enable xpack security in your elasticsearch.yml for transport, but you also have to do it for http, and you need to go through the same process for Kibana. Take a look at this guide - How to install Elastic SIEM and Elastic EDR - On The Hunt (newtonpaul.com)

It covers setting up SSL. There are a few minor tweaks to the configs regarding syntax since it was released, but it should get you where you need to be.

Setting up minimal security is different from setting up basic security.

As documented, minimal security is not suitable for production. You should only use it if your cluster is for development purposes, e.g. a single-node cluster running locally, or all nodes running locally and bound to localhost.

If your cluster is not suitable for minimal security, you need at least basic security, which involves setting up TLS on the transport level. This includes configuring xpack.security.transport.ssl.enabled: true as well as generating and configuring the relevant CA and certificates, for which you can follow the instructions for setting up basic security.

Do you mean that I should skip minimal security when I am configuring basic security?

No. The documentation is laid out in a way that a stronger security configuration is built on top of the previous lesser ones. So if you want basic security, you'd follow the relevant instructions for minimal security first, then move on to basic.

I'm experiencing the exact same problem that @Mamol27 is referring to here. Trying to follow the instructions (Set up minimal security for Elasticsearch | Elasticsearch Guide [7.15] | Elastic) for setting up minimal security prior to going forward with setting up basic security, as you say we should do @Yang_Wang .

In a cluster of three servers I do this:

  1. Shut down all instances of Elasticsearch
  2. Add the setting xpack.security.enabled: true
  3. Start Elasticsearch again; this will result in each node shutting down again with the error message Transport SSL must be enabled if security is enabled on a [basic] license. Please set [xpack.security.transport.ssl.enabled] to [true] or disable security by setting [xpack.security.enabled] to [false]
  4. So I add the mentioned setting: xpack.security.transport.ssl.enabled: true
  5. Start Elasticsearch again; this will throw this error message:
     exception caught on transport layer [Netty4TcpChannel{localAddress=0.0.0.0/0.0.0.0:9300, remoteAddress=/10.58.66.139:52938}], closing connection
     io.netty.handler.codec.DecoderException: javax.net.ssl.SSLHandshakeException: No available authentication scheme etc.
  6. If I ignore this error message and go forward with the instructions by calling elasticsearch-setup-passwords interactive, I get an error message saying Failed to determine the health of the cluster running at http://localhost:9203 Unexpected response code [503] from calling GET http://localhost:9203/_cluster/health?pretty Cause: master_not_discovered_exception

Something must be missing in this workflow, or did you manage to move forward with this problem @Manol27?

Maybe I should mention that we're currently running version 7.4.2 of Elasticsearch. We wanted to enable minimal and basic security before moving forward with upgrading to the current version (7.15.1).

Here is also the config on the server where I'm trying to set up passwords:

bootstrap.memory_lock: true
cluster.name: ClusterName
cluster.initial_master_nodes:
  - node01
discovery.seed_hosts:
  - node01.domain.com
  - node02.domain.com
  - node03.domain.com
http.port: 9203
network.host: node01.domain.com, _local_
node.data: true
node.ingest: true
node.master: true
node.max_local_storage_nodes: 1
node.name: node01
path.data: C:\ProgramData\Elastic\Elasticsearch\data
path.logs: C:\ProgramData\Elastic\Elasticsearch\logs
transport.tcp.port: 9300
xpack.license.self_generated.type: basic
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true

@Martin_Emanuelsson Since your cluster has multiple nodes running on different hosts, minimal security alone is not going to work for you. Please note the documentation says:

The minimal security scenario is not sufficient for production mode clusters. If your cluster has multiple nodes, you must enable minimal security and then configure Transport Layer Security (TLS) between nodes.

What you need is to follow both "minimal security" and "basic security" (in that order) and only restart your cluster at the end of configuring "basic security" (because minimal security alone does not work, as you have discovered already).

What your cluster is currently missing is the TLS-related configuration, i.e. TLS certificate, key and CA. You can follow the relevant section in Basic Security. I believe it should work for 7.4.2 as well.
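The TLS settings that this answer says the posted config lacks, written out as an added example (not from the original thread or from Elastic's own files) against the node01 config above. The certs/ subdirectory of the config dir and the two .p12 file names are assumptions (they are the basic-security guide's defaults); the xpack.security.transport.ssl.* block is identical on every node.

```yaml
# One-time steps, on node01 only (run from the Elasticsearch home dir;
# on Windows use bin\elasticsearch-certutil.bat). Both commands work with
# the nodes stopped; they need no running cluster.
#   bin/elasticsearch-certutil ca                          -> elastic-stack-ca.p12
#   bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12
#                                                          -> elastic-certificates.p12
# Copy elastic-certificates.p12 into <config dir>/certs/ on every node, then
# on every node put the PKCS#12 password in the keystore, not in this file:
#   bin/elasticsearch-keystore add xpack.security.transport.ssl.keystore.secure_password
#   bin/elasticsearch-keystore add xpack.security.transport.ssl.truststore.secure_password
# Only after all nodes carry this config do you start them and run
#   bin/elasticsearch-setup-passwords interactive

bootstrap.memory_lock: true
cluster.name: ClusterName
cluster.initial_master_nodes:
  - node01
discovery.seed_hosts:
  - node01.domain.com
  - node02.domain.com
  - node03.domain.com
http.port: 9203
network.host: node01.domain.com, _local_
node.data: true
node.ingest: true
node.master: true
node.max_local_storage_nodes: 1
node.name: node01
path.data: C:\ProgramData\Elastic\Elasticsearch\data
path.logs: C:\ProgramData\Elastic\Elasticsearch\logs
transport.tcp.port: 9300
xpack.license.self_generated.type: basic

# minimal security: authentication on
xpack.security.enabled: true

# basic security: TLS between nodes (the part the posted config lacks)
xpack.security.transport.ssl.enabled: true
# "certificate" verifies the chain to the CA but not the hostname, which is
# what certutil's default certificates (no DNS names in them) support
xpack.security.transport.ssl.verification_mode: certificate
# the same PKCS#12 holds the node cert+key and the CA, so it serves as both
xpack.security.transport.ssl.keystore.path: certs/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: certs/elastic-certificates.p12
```

With only xpack.security.transport.ssl.enabled and no keystore/truststore, a node has no certificate to present, which is what the "No available authentication scheme" handshake failure in the earlier post reflects.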

I solved it by removing the data folder on each node and running again with only minimal security.
You shouldn't run your cluster before minimal security is on.

You can't generate certificates without minimal security.

OK, the part of not starting the nodes in the cluster before finalizing both minimal and basic security has not been very clear to me, thanks for mentioning that, will give that a try.

But, just to be perfectly clear here. I need to take down all nodes in the cluster, set the xpack.security.enabled setting to true, and set up TLS between the nodes. Then start the nodes to be able to create passwords (part of the minimal security settings)?

Can I generate certificates (call elasticsearch-certutil) without having Elasticsearch running?
