Hi
I am trying to setup mTLS and using basic license. However not able to understand how should I grant access to kibana CN?
My goal is to create cert for kibana and use mTLS between elasticsearch and kibana. But for this, I think I need to grant some roles to kibana CN?
The link below states that mTLS is part of basic but I am wondering how mTLS is supposed to work in absence of PKI realm.
PKI security realm lisence - Elastic Stack / Elasticsearch - Discuss the Elastic Stack
Please refer to the doc Mutual TLS authentication between Kibana and Elasticsearch | Kibana Guide [8.4] | Elastic
Thanks @Yang_Wang my question is are the steps 3 & 6 on the docs achievable on Basic license?
As per other link which I shared it says mTLS is covered under Basic but to achieve if one need to have the PKI realm and role mapping which are part of Gold / Platinum then mTLS is not part of the Basic. I would need a confirmation on this puzzle, can one setup mTLS on basic license?
Ah ok. Sorry I missed the steps for PKI realm. No PKI realm is not available for basic license. But you don't need PKI for mTLS. In your case, I think you can just skip step 3 and 6 and change step 4 to be xpack.security.http.ssl.client_authentication: "required".
my question is if I skip 3 & 6 then how does CN=kibana gets access to Elasticsearch without updating the userroles and no PKI realm.
Kibana will remain authenticated with no access to anything? no?
I think you are correct, mTLS from Kibana to Elasticsearch requires PKI realm, because you need a role mapping rule to map TLS client cert to kibana_system role. Basic license does not allow PKI realm, but you can use service account token (preferred) or username/password.
Service Account token example:
POST /_security/service/elastic/kibana/credential/token/mytoken?pretty=true
Username/password example:
printf "Y\nkibana_system\nkibana_system\n"| bin/elasticsearch-reset-password -i -u kibana_system
The corresponding settings for kibana.yml or kibana-keystore would be:
elasticsearch.serviceAccountToken
elasticsearch.username
elasticsearch.password
No. Using mTLS as a network level control does not require PKI realm and can totally work with the Basic license. A simplified configuration like the following works:
# elasticsearch.yml
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.verification_mode: certificate
xpack.security.http.ssl.key: http.key
xpack.security.http.ssl.certificate: http.cert
xpack.security.http.ssl.certificate_authorities: [ "http-ca.cert" ]
xpack.security.http.ssl.client_authentication: required
# kibana.yml
elasticsearch.hosts: ["https://localhost:9200"]
elasticsearch.serviceAccountToken: "CREATE_YOUR_OWN_SERVICE_TOKEN"
elasticsearch.ssl.certificate: http.cert
elasticsearch.ssl.key: http.key
elasticsearch.ssl.alwaysPresentCertificate: true
elasticsearch.ssl.certificateAuthorities: [ "http-ca.cert" ]
elasticsearch.ssl.verificationMode: certificate
For simplicity, the above configuration uses the same pair of cert/key for both Elasticsearch and Kibana. But you can configure them to be different. The configuration uses mTLS as network layer control and Kibana service token as application level authentication and authorization.
Thank you for the clarification @Yang_Wang. If I were to summarize, does this look correct?
Assumption: Elasticsearch is configured to use HTTPS:
Note: Gold is deprecated so next license level is Platinum.
That is correct.
Thanks @Justin_Cranford @Yang_Wang
Does bullet 5 mean I must have a paid subscription to setup mTLS?
Not sure If I understand if both serviceToken and cert will be used to identify kibana's identity by elasticsearch, if I am using serviceToken then whats the use of Kibana's tls client cert?
Is there a example on how to create the / automate the serviceToken for kibana_system if I am deploying ELK using helm charts?
No you don't. Both point 3 and 4 are mTLS. Piont 5 is mTls plus it uses client cert for kibana identity at application level which is not an inherent part of mTLS.
You don't really need client cert for kibana if you use service token. mTLS does not provide extra security compared to server TLS + service token. You started the question with mTLS. I assumed you need it. But if you just wanted client cert for Kibana identity at application level, it is not necessary. Service token or plain old kibana_system username+password works just fine. There are certain environments where mTLS and PKI is mandated. But apparently your enviroment is not like that. So you don't have configure it like that.
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.