Mutual TLS authentication between Kibana and Elasticsearch keeping client_authentication "required"

alex_kuz · January 5, 2023, 10:19am

I'm trying to enable mutual TLS between all the components. I managed to set up TLS between Kibana and Elasticsearch. But it doesn't work as I would expect.

I want to keep "xpack.security.http.ssl.client_authentication" setting "required". However, in the documentation in order to allow end users to authenticate using credentials, this setting has to be set to "optional".
When I keep "xpack.security.http.ssl.client_authentication" setting "required", I cannot log in to Kibana. When it's "optional", I can access Elastic using only CA and credentials.

Is there any way to require all the ELK components to request a certificate from client connections but log in to Kibana using only credentials?

Ayush_Mathur · January 6, 2023, 7:57am

Have you updated Kibana configmap to make sure it is using SSL, verifying certificates and presenting its own certificate for handshake?
I have setup my cluster similar to yours and configured following in my kibana.yml:

elasticsearch.ssl.verificationMode: true
elasticsearch.ssl.alwaysPresentCertificate: true

alex_kuz · January 6, 2023, 1:34pm

Thank you!

system · February 3, 2023, 1:35pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.