How to connect clusters with TLS configured?

I have two similar clusters with TLS configured on each.
What do I need to do to connect them to each other as remote clusters?
Do I need to add the CA to the keystore on each node, or what?
What should I do about the secured HTTPS traffic?

cluster.name: elk1
node.name: ${HOSTNAME}
node.roles: [ master, remote_cluster_client ]
path.data: /opt/elasticsearch/data
path.logs: /opt/elasticsearch/logs
network.host: 0.0.0.0
http.port: 9200
discovery.seed_hosts: ["172.29.39.141", "172.29.39.142", "172.29.39.143", "172.29.39.144"]
cluster.initial_master_nodes: ["172.29.39.141", "172.29.39.142"]
action.auto_create_index: .monitoring*,.watches,.triggered_watches,.watcher-history*,.ml*


xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.client_authentication: required
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12


xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: http.p12
indices.breaker.total.use_real_memory : false

cluster.name: elk2
node.name: ${HOSTNAME}
node.roles: [ master, remote_cluster_client ]
path.data: /opt/elasticsearch/data
path.logs: /opt/elasticsearch/logs
network.host: 0.0.0.0
http.port: 9200
discovery.seed_hosts: ["172.29.39.145", "172.29.39.146", "172.29.39.147", "172.29.39.148"]
cluster.initial_master_nodes: ["172.29.39.145", "172.29.39.146"]
action.auto_create_index: .monitoring*,.watches,.triggered_watches,.watcher-history*,.ml*

xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.client_authentication: required
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12


xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: http.p12
indices.breaker.total.use_real_memory : false

Connect them for what specifically?

For bi-directional replication.
Does it matter?

It does, because you originally posted this in the Elastic Security product section, which doesn't really apply to the question. It also adds context :slight_smile:

I can't connect them because I have configured security. Without security I had no problems with that.

[2021-10-27T11:23:58,614][WARN ][o.e.x.c.s.t.n.SecurityNetty4Transport] [el1] client did not trust this server's certificate, closing connection Netty4TcpChannel{localAddress=/172.29.39.141:9300, remoteAddress=/172.29.39.145:56270, profile=default}
[2021-10-27T11:23:58,619][WARN ][o.e.x.c.s.t.n.SecurityNetty4Transport] [el1] client did not trust this server's certificate, closing connection Netty4TcpChannel{localAddress=/172.29.39.141:9300, remoteAddress=/172.29.39.145:56262, profile=default}

Which certificate do I need to add where? I don't understand.

Does it mean that I need to use one elastic-certificates.p12 for each node on both clusters?

All of the nodes in the local cluster need to trust the nodes in the remote cluster, and vice versa. You need to configure Transport Layer Security (TLS) on every node, which it seems like you have already.

You can add the certificates from the local cluster as a trusted CA in each remote cluster. You must also add the certificates from remote clusters as a trusted CA on the local cluster. Using the same CA to generate certificates for all nodes simplifies this task, which is what we recommend in the documentation: Set up basic security for the Elastic Stack | Elasticsearch Guide [7.15] | Elastic
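Added example (not from this thread or from Elastic's documentation): one way to make the elk1 nodes trust elk2's node certificates while keeping two separate CAs, assuming each cluster's CA certificate has been exported to a PEM file (elk1-ca.pem and elk2-ca.pem, hypothetical names) and copied into the Elasticsearch config directory of every node. The same settings, with the seed addresses swapped, go on every elk2 node for the reverse direction.

```yaml
# elk1 node: elasticsearch.yml additions for cross-cluster TLS trust.
# Assumed files (hypothetical names): elk1-ca.pem and elk2-ca.pem, copied
# into the config directory of every node in elk1.

xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
# Remote nodes connect as TLS clients, so their certificates must also
# chain to one of the CAs listed below.
xpack.security.transport.ssl.client_authentication: required
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
# Replaces truststore.path (a truststore and certificate_authorities cannot
# be configured at the same time): trust both clusters' CAs on the transport layer.
xpack.security.transport.ssl.certificate_authorities:
  - elk1-ca.pem
  - elk2-ca.pem

# Remote cluster definition; seeds use the transport port (9300), not HTTP (9200).
cluster.remote.elk2.seeds:
  - "172.29.39.145:9300"
  - "172.29.39.146:9300"

# HTTP (9200) is a separate listener that cross-cluster traffic does not use,
# so http.p12 stays as it is.
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: http.p12
```

With verification_mode: certificate, hostnames in the certificates are not checked, which is why IP-only seed lists work; the "client did not trust this server's certificate" warnings stop once the connecting node's CA is in the list on the receiving side.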
