Mutual TLS authentication between Kibana and Elasticsearch keeping client_authentication "required"

I'm trying to enable mutual TLS between all the components. I managed to set up TLS between Kibana and Elasticsearch. But it doesn't work as I would expect.

I want to keep the "xpack.security.http.ssl.client_authentication" setting at "required". However, according to the documentation, in order to allow end users to authenticate using credentials, this setting has to be set to "optional".
When I keep the "xpack.security.http.ssl.client_authentication" setting at "required", I cannot log in to Kibana. When it's "optional", I can access Elastic using only the CA and credentials.

Is there any way to require all the ELK components to request a certificate from client connections but log in to Kibana using only credentials?

Have you updated the Kibana configmap to make sure it is using SSL, verifying certificates and presenting its own certificate for the handshake?
I have set up my cluster similarly to yours and configured the following in my kibana.yml:

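elasticsearch.ssl.verificationMode: full  # valid values are full, certificate and none
elasticsearch.ssl.alwaysPresentCertificate: true  # present Kibana's client certificate to Elasticsearch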

Thank you!
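
The two sides of the setup discussed in this thread, written out as an added example; it is not taken from either poster's cluster. All file paths, the hostname and the token value are placeholders, and the certificates are assumed to be issued by one shared CA.

```yaml
# --- elasticsearch.yml (HTTP layer) -----------------------------------
# Every HTTP client, Kibana included, must complete the TLS handshake
# with a certificate signed by a CA listed below.
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.client_authentication: required
xpack.security.http.ssl.certificate_authorities: ["certs/ca.crt"]   # placeholder path
xpack.security.http.ssl.certificate: certs/es-http.crt              # placeholder path
xpack.security.http.ssl.key: certs/es-http.key                      # placeholder path

# --- kibana.yml (outbound connection to Elasticsearch) ----------------
elasticsearch.hosts: ["https://es.example.internal:9200"]           # placeholder host
# Trust anchor used to verify the Elasticsearch server certificate.
elasticsearch.ssl.certificateAuthorities: ["/etc/kibana/certs/ca.crt"]
# full = verify the certificate chain and the hostname.
elasticsearch.ssl.verificationMode: full
# Client certificate and key that Kibana presents in the handshake.
# alwaysPresentCertificate has nothing to present unless these are set.
elasticsearch.ssl.certificate: /etc/kibana/certs/kibana-client.crt  # placeholder path
elasticsearch.ssl.key: /etc/kibana/certs/kibana-client.key          # placeholder path
# Present the client certificate on all outbound connections,
# including requests that Kibana proxies on behalf of logged-in users.
elasticsearch.ssl.alwaysPresentCertificate: true
# Kibana's own identity towards Elasticsearch (placeholder value).
elasticsearch.serviceAccountToken: "<kibana-service-account-token>"
```

A handshake failure on the Kibana side usually shows up in the Elasticsearch log as a TLS alert about a missing or untrusted client certificate, which separates a certificate problem from a credentials problem.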
