mTLS under basic license

Hi

I am trying to set up mTLS and am using a basic license. However, I am not able to understand how I should grant access to the kibana CN.

My goal is to create a cert for kibana and use mTLS between elasticsearch and kibana. But for this, I think I need to grant some roles to the kibana CN?

The link below states that mTLS is part of basic but I am wondering how mTLS is supposed to work in absence of PKI realm.

PKI security realm lisence - Elastic Stack / Elasticsearch - Discuss the Elastic Stack

Please refer to the doc Mutual TLS authentication between Kibana and Elasticsearch | Kibana Guide [8.4] | Elastic

Thanks @Yang_Wang, my question is: are steps 3 & 6 in the docs achievable on a Basic license?
As per the other link I shared, it says mTLS is covered under Basic, but if achieving it requires the PKI realm and role mapping, which are part of Gold / Platinum, then mTLS is not part of Basic. I would need a confirmation on this puzzle: can one set up mTLS on a basic license?

Ah ok. Sorry, I missed the steps for the PKI realm. No, the PKI realm is not available for the basic license. But you don't need PKI for mTLS. In your case, I think you can just skip steps 3 and 6 and change step 4 to be xpack.security.http.ssl.client_authentication: "required".

My question is: if I skip 3 & 6, then how does CN=kibana get access to Elasticsearch without updating the user roles and with no PKI realm?
Kibana will remain authenticated with no access to anything, no?

I think you are correct, mTLS from Kibana to Elasticsearch requires PKI realm, because you need a role mapping rule to map TLS client cert to kibana_system role. Basic license does not allow PKI realm, but you can use service account token (preferred) or username/password.

Service Account token example:

POST /_security/service/elastic/kibana/credential/token/mytoken?pretty=true

Username/password example:

printf "Y\nkibana_system\nkibana_system\n"| bin/elasticsearch-reset-password -i -u kibana_system

The corresponding settings for kibana.yml or kibana-keystore would be:

elasticsearch.serviceAccountToken

elasticsearch.username
elasticsearch.password

No. Using mTLS as a network level control does not require PKI realm and can totally work with the Basic license. A simplified configuration like the following works:

# elasticsearch.yml

xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.verification_mode: certificate
xpack.security.http.ssl.key: http.key
xpack.security.http.ssl.certificate: http.cert
xpack.security.http.ssl.certificate_authorities: [ "http-ca.cert" ]
xpack.security.http.ssl.client_authentication: required

# kibana.yml

elasticsearch.hosts: ["https://localhost:9200"]
elasticsearch.serviceAccountToken: "CREATE_YOUR_OWN_SERVICE_TOKEN"
elasticsearch.ssl.certificate: http.cert
elasticsearch.ssl.key: http.key
elasticsearch.ssl.alwaysPresentCertificate: true
elasticsearch.ssl.certificateAuthorities: [ "http-ca.cert" ]
elasticsearch.ssl.verificationMode: certificate

For simplicity, the above configuration uses the same pair of cert/key for both Elasticsearch and Kibana. But you can configure them to be different. The configuration uses mTLS as network layer control and Kibana service token as application level authentication and authorization.
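The configuration above pairs two independent controls: the Elasticsearch HTTP layer rejects any TLS client that cannot present a certificate signed by the configured CA, and Kibana still identifies itself to the application with a service token, because without a PKI realm the certificate's CN maps to no role. The following is an added example, not code from this thread or from Elastic, of a small lint that checks an elasticsearch.yml / kibana.yml pair for exactly that pairing; the sample configs are constructed from the snippets above with a made-up token value, and the parser only handles the flat `key: value` lines used here, not general YAML.

```python
"""Lint an elasticsearch.yml / kibana.yml pair for the pattern
"mTLS as network control + service token (or user) as application identity".

Hypothetical helper (not part of Elasticsearch or Kibana). Only the flat
`key: value` form from the thread is parsed; nested YAML is out of scope.
"""

from typing import Any

# Constructed sample configs; the token value is a placeholder, not a real token.
ES_SAMPLE = """
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.verification_mode: certificate
xpack.security.http.ssl.key: http.key
xpack.security.http.ssl.certificate: http.cert
xpack.security.http.ssl.certificate_authorities: [ "http-ca.cert" ]
xpack.security.http.ssl.client_authentication: required
"""

KIBANA_SAMPLE = """
elasticsearch.hosts: ["https://localhost:9200"]
elasticsearch.serviceAccountToken: "EXAMPLE-TOKEN-VALUE"
elasticsearch.ssl.certificate: http.cert
elasticsearch.ssl.key: http.key
elasticsearch.ssl.alwaysPresentCertificate: true
elasticsearch.ssl.certificateAuthorities: [ "http-ca.cert" ]
elasticsearch.ssl.verificationMode: certificate
"""


def _coerce(value: str) -> Any:
    """Turn a scalar/list literal into a Python value (lists, quoted strings, booleans)."""
    if value.startswith("[") and value.endswith("]"):
        inner = value[1:-1].strip()
        return [_coerce(v.strip()) for v in inner.split(",")] if inner else []
    if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
        return value[1:-1]
    if value.lower() in ("true", "false"):
        return value.lower() == "true"
    return value


def parse_flat_yaml(text: str) -> dict[str, Any]:
    """Parse flat `key: value` lines; `#` starts a comment (quoted '#' is not supported)."""
    cfg: dict[str, Any] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")  # first ':' splits key from value
        cfg[key.strip()] = _coerce(value.strip())
    return cfg


def license_for(kibana: dict[str, Any]) -> str:
    """'basic' if Kibana carries an application-level credential, otherwise the
    client cert alone must identify Kibana, which needs the PKI realm ('platinum')."""
    has_token = bool(kibana.get("elasticsearch.serviceAccountToken"))
    has_user = bool(kibana.get("elasticsearch.username")) and bool(kibana.get("elasticsearch.password"))
    return "basic" if (has_token or has_user) else "platinum"


def lint_mtls(es: dict[str, Any], kibana: dict[str, Any]) -> list[str]:
    """Return a list of findings; an empty list means the pair is consistent."""
    problems: list[str] = []
    # Elasticsearch side: TLS on, client certs mandatory, and a CA to verify them against.
    if es.get("xpack.security.http.ssl.enabled") is not True:
        problems.append("elasticsearch: xpack.security.http.ssl.enabled must be true")
    client_auth = es.get("xpack.security.http.ssl.client_authentication", "none")
    if client_auth != "required":
        problems.append(f"elasticsearch: client_authentication is '{client_auth}', mTLS needs 'required'")
    if not es.get("xpack.security.http.ssl.certificate_authorities"):
        problems.append("elasticsearch: no certificate_authorities, client certs cannot be verified")
    # Kibana side: must talk HTTPS, present its cert on every connection, and verify the server.
    hosts = kibana.get("elasticsearch.hosts") or []
    if not hosts or not all(str(h).startswith("https://") for h in hosts):
        problems.append("kibana: elasticsearch.hosts must all be https:// URLs")
    for key in ("elasticsearch.ssl.certificate", "elasticsearch.ssl.key"):
        if not kibana.get(key):
            problems.append(f"kibana: {key} is missing, so no client cert can be presented")
    if kibana.get("elasticsearch.ssl.alwaysPresentCertificate") is not True:
        problems.append("kibana: elasticsearch.ssl.alwaysPresentCertificate should be true")
    if kibana.get("elasticsearch.ssl.verificationMode") not in ("certificate", "full"):
        problems.append("kibana: elasticsearch.ssl.verificationMode should be certificate or full")
    if not kibana.get("elasticsearch.ssl.certificateAuthorities"):
        problems.append("kibana: no certificateAuthorities to verify the Elasticsearch cert")
    # Application identity: without a PKI realm the cert grants no role, so a token or user is required.
    if license_for(kibana) != "basic":
        problems.append("kibana: no serviceAccountToken or username/password; "
                        "the client cert alone grants no access without a PKI realm")
    return problems


if __name__ == "__main__":
    es_cfg, kb_cfg = parse_flat_yaml(ES_SAMPLE), parse_flat_yaml(KIBANA_SAMPLE)
    print("license tier:", license_for(kb_cfg))
    print("findings:", lint_mtls(es_cfg, kb_cfg) or "none")
```

Running it on the two constructed samples reports no findings and the basic tier; dropping the service token from kibana.yml produces the "no access without a PKI realm" finding, which is the situation the question in this thread was about.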

Thank you for the clarification @Yang_Wang. If I were to summarize, does this look correct?

Assumption: Elasticsearch is configured to use HTTPS:

  1. Kibana uses elastic/kibana service token => Basic license
  2. Kibana uses kibana_system reserved user => Basic license
  3. Kibana uses TLS client cert + elastic/kibana service token => Basic license
  4. Kibana uses TLS client cert + kibana_system reserved user => Basic license
  5. Kibana uses TLS client cert => Gold license (PKI realm for role mapping)

Note: Gold is deprecated so next license level is Platinum.


That is correct.

Thanks @Justin_Cranford @Yang_Wang

Does bullet 5 mean I must have a paid subscription to set up mTLS?
I'm not sure I understand: if both the serviceToken and the cert will be used by Elasticsearch to identify Kibana, and I am using a serviceToken, then what's the use of Kibana's TLS client cert?

Is there an example of how to create / automate the serviceToken for kibana_system if I am deploying ELK using helm charts?

No, you don't. Both points 3 and 4 are mTLS. Point 5 is mTLS plus using the client cert for Kibana's identity at the application level, which is not an inherent part of mTLS.

You don't really need a client cert for Kibana if you use a service token. mTLS does not provide extra security compared to server TLS + service token. You started the question with mTLS, so I assumed you need it. But if you just wanted a client cert for Kibana's identity at the application level, it is not necessary. A service token or the plain old kibana_system username+password works just fine. There are certain environments where mTLS and PKI are mandated. But apparently your environment is not like that, so you don't have to configure it like that.
