How to set up PKI auth for Kibana and Elasticsearch

Hello. I would like to set Kibana to use PKI auth instead of username/password.
I have added realms in the elasticsearch.yml file, but it didn't work.

elasticsearch.yml

```yaml
cluster.name: cluster
node.master: false
node.data: false
node.name: es-coordinating
node.ingest: false
network.host: 0.0.0.0
discovery.zen.minimum_master_nodes: 1
discovery.zen.ping.unicast.hosts: ["es-coordinating","es-master","es-data"]
node.ml: false
xpack.security.enabled: true
xpack:
  security:
    authc:
      realms:
        pki1:
          type: pki
xpack.ml.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.key: /usr/share/elasticsearch/config/tls_server/tls_server/key.pem
xpack.security.transport.ssl.certificate: /usr/share/elasticsearch/config/tls_server/tls_server/crt.pem
xpack.security.transport.ssl.certificate_authorities: [ "/usr/share/elasticsearch/config/certs/CA.crt" ]
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.key: /usr/share/elasticsearch/config/tls_server/tls_server/key.pem
xpack.security.http.ssl.certificate: /usr/share/elasticsearch/config/tls_server/tls_server/crt.pem
xpack.security.http.ssl.certificate_authorities: [ "/usr/share/elasticsearch/config/certs/CA.crt" ]
```

kibana.yaml

```yaml
server:
  name: "kibana"
  host: 0.0.0.0
  port: 5601
elasticsearch.url: "https://es-coordinating:9200"
xpack.security.enabled: true
server.ssl.enabled: true
server.ssl.key: /usr/share/kibana/config/tls_server/tls_server/key.pem
server.ssl.certificate: /usr/share/kibana/config/tls_server/tls_server/crt.pem
elasticsearch.ssl.certificateAuthorities: /usr/share/kibana/config/certs/CA.crt
```

Hey @rmadoori, you can use PKI to authenticate the internal Kibana server user with Elasticsearch, but it's not possible to authenticate the actual logged in end-users with Elasticsearch, yet. We're tracking that effort here: https://github.com/elastic/kibana/issues/7341

To get the Kibana server user authenticating using PKI, you'll need to set the elasticsearch.ssl.certificate and elasticsearch.ssl.key settings in your kibana.yml.

Thanks for the prompt response.

Should I set transport.ssl.certificate or http.ssl.certificate in Kibana?

In your kibana.yml, you set elasticsearch.ssl.certificate: /path/to/cert.crt and elasticsearch.ssl.key: /path/to/key.key

In your elasticsearch.yml, you set xpack.security.http.ssl.client_authentication: optional

Hi,

I have added the setting in kibana.yaml

```yaml
server:
  name: "kibana"
  host: 0.0.0.0
  port: 5601
elasticsearch.url: "https://es-coordinating:9200"
xpack.security.enabled: true
server.ssl.enabled: true
server.ssl.key: /usr/share/kibana/config/tls_server/tls_server/key.pem
server.ssl.certificate: /usr/share/kibana/config/tls_server/tls_server/crt.pem
elasticsearch.ssl.certificateAuthorities: /usr/share/kibana/config/certs/CA.crt
elasticsearch.ssl.certificate: /usr/share/kibana/config/certs/cert.crt
elasticsearch.ssl.key: /usr/share/kibana/config/certs/key.key
```

but still I am getting this error:

`{"type":"log","@timestamp":"2018-10-30T22:27:06Z","tags":["license","warning","xpack"],"pid":1,"message":"License information from the X-Pack plugin could not be obtained from Elasticsearch for the [data] cluster. [security_exception] missing authentication token for REST request [/_xpack], with { header={ WWW-Authenticate=\"Basic realm=\\\"security\\\" charset=\\\"UTF-8\\\"\" } } :: {\"path\":\"/_xpack\",\"statusCode\":401,\"response\":\"{\\\"error\\\":{\\\"root_cause\\\":[{\\\"type\\\":\\\"security_exception\\\",\\\"reason\\\":\\\"missing authentication token for REST request [/_xpack]\\\",\\\"header\\\":{\\\"WWW-Authenticate\\\":\\\"Basic realm=\\\\\\\"security\\\\\\\" charset=\\\\\\\"UTF-8\\\\\\\"\\\"}}],\\\"type\\\":\\\"security_exception\\\",\\\"reason\\\":\\\"missing authentication token for REST request [/_xpack]\\\",\\\"header\\\":{\\\"WWW-Authenticate\\\":\\\"Basic realm=\\\\\\\"security\\\\\\\" charset=\\\\\\\"UTF-8\\\\\\\"\\\"}},\\\"status\\\":401}\",\"wwwAuthenticateDirective\":\"Basic realm=\\\"security\\\" charset=\\\"UTF-8\\\"\"}"}`

Hi,

I have updated this in my config

```yaml
xpack:
  security:
    authc:
      realms:
        pki1:
          type: pki
          certificate_authorities: "/usr/share/elasticsearch/config/certs/CA.crt"
          enabled: true
```

but still Kibana is not able to connect.

@rmadoori, what error are you seeing? Have you tried using curl and the --cert and --key arguments to ensure you're able to authenticate against Elasticsearch using the certificate and key that you've specified?
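
A static check of the two config files against the settings named in the replies above, as an added example that is not part of the original thread or Elastic's own code. `flatten` and `pki_findings` are hypothetical helper names, and the check assumes the realm layout posted in the thread and that a missing `client_authentication` means Elasticsearch does not request a client certificate on the HTTP layer.

```python
import re

def flatten(text):
    """Flatten simple YAML (nested mappings, scalar values) into dotted keys."""
    flat, stack = {}, []  # stack: (indent, key) of the mappings currently open
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while stack and stack[-1][0] >= indent:
            stack.pop()  # close mappings this line is not nested under
        path = ".".join([k for _, k in stack] + [key.strip()])
        if value.strip():
            flat[path] = value.strip().strip("\"'")
        else:
            stack.append((indent, key.strip()))
    return flat

def pki_findings(es_yml, kibana_yml):
    """List what is still missing for Kibana-to-Elasticsearch PKI auth."""
    es, kb = flatten(es_yml), flatten(kibana_yml)
    findings = []
    realm = re.compile(r"xpack\.security\.authc\.realms\.[^.]+\.type")  # layout used in the thread
    if not any(realm.fullmatch(k) and v == "pki" for k, v in es.items()):
        findings.append("elasticsearch.yml: no realm of type pki")
    if es.get("xpack.security.http.ssl.enabled") != "true":
        findings.append("elasticsearch.yml: xpack.security.http.ssl.enabled is not true")
    # Assumption: unset client_authentication means no client certificate is requested.
    if es.get("xpack.security.http.ssl.client_authentication") not in ("optional", "required"):
        findings.append("elasticsearch.yml: http.ssl.client_authentication is not optional or required")
    needed = ("elasticsearch.ssl.certificate", "elasticsearch.ssl.key")
    return findings + [f"kibana.yml: {k} is not set" for k in needed if k not in kb]

# Constructed sample, abbreviated from the configs posted in the thread.
ES_YML = """\
xpack:
  security:
    authc:
      realms:
        pki1:
          type: pki
xpack.security.http.ssl.enabled: true
"""
KIBANA_YML = """\
elasticsearch.ssl.certificate: /usr/share/kibana/config/certs/cert.crt
elasticsearch.ssl.key: /usr/share/kibana/config/certs/key.key
"""
if __name__ == "__main__":
    print("\n".join(pki_findings(ES_YML, KIBANA_YML)))
```

With the sample above, the only finding is the missing `client_authentication` setting, which matches the 401 "missing authentication token" response in the posted log: Kibana presents a certificate, but Elasticsearch never asks for one.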
