Problem in elasticsearch-create-enrollment-token for Kibana

Hello all,

I have a new installation of Elasticsearch 8.2 and KIbana 8.2 on my Windows Server.
I have installed it on a Windows Server. Elasticsearch is up and running and configured to be an Windows Service.
I can access Elasticsearch with no problems.
Kibana however I just can run locally by starting the file bin/kibana.bat
Then I am also able to access Kibana via localhost:5601 in my Browser.
However, I can not install Kibana as a Windows Service. When I run the command bin/kibana-setup.bat I get asked to provide an enrollment-token. But I do not have such a token. Hiow do I get one?

I have tried to create such a token by running bin\elasticsearch-create-enrollment-token.bat create -s kibana. But it did not work. The respons was ERROR: Unable to create an enrollment token. Elasticsearch node HTTP layer SSL configurationis not configured with a keystore. Even when I specify the URL with --url "localhost:9200" it was returning the same error.

I have made some configuration inside my elasticsearch.yml config file. There I have set xpack.security.enabled: false and xpack.security.enrollment.enabled: true. The first one because there is already a authenticaton needed to access the server. And the server is only available in the LAN. So no need for extra security. The second option was requested to bet set so I can create an enrollment token.
I have made some other setting, but I believe they are not affecting this issue.

After the bat file failed, I tried an API commands. But both did not work as well
The command was GET /_security/enroll/kibana, response: "error": "no handler found for uri [/_security/enroll/kibana?pretty=true] and method [GET]"

The final goal is that Kibana also gets installed as a Windows Service, So both are running in the background.

I hope someone can help me,
All the best

If you manually set up Elasticsearch, then Security On By Default goes not generate your configuration (including certs), so I don't think you can generate enrollment tokens for other Elasticsearch or KIbana nodes.

elasticsearch-create-enrollment-token can only be used with Elasticsearch clusters that have been auto-configured for security.

Try manually creating an Elasticsearch credential with the kibana_system role. This is used for backend communication from Kibana to Elasticsearch. One option for Kibana authentication to Elasticsearch is a service token.

curl -X POST --cacert "your-elasticsearch-https-ca.crt" -H "Authorization: Basic `echo -n elastic:PASSWORD|base64 -`" -H 'Content-Type: application/json' https://HOSTNAME:9200/_security/service/elastic/kibana/credential/token/service_account_token-kibana1?pretty=true

So, because I do not want to have username/password authentication and have set xpack.security.enabled: false for that reason, I will not be able to connect Kibana with Elasticsearch?

In the cURL command, I have changed HOSTNAME to localhost. However, I get the message

curl: (6) Could not resolve host: application
{
"error" : "no handler found for uri [/_security/service/elastic/kibana/credential/token/service_account_token-kibana1?pretty=true] and method [POST]"
}

Although, I have also removed https:\\ because of that

Is there another way to install Kibana as a Windows Service without an enrollment-token?

All the best

Sorry, I thought security was enabled in both Kibana and Elasticsearch, because you are using 8.2. In 8.0+, security is enabled by default, and enrollment tokens depends on security being enabled. This is part of the Security on by Default feature introduced in 8.0.

If you are disabling security in Elasticsearch, I think Kibana might be defaulting to security enabled. I think you will need to configure Kibana to also disable security, at least for the backend communication with Elasticsearch.

Alternatively, have you considered using Security on by Default? If you unzip Elasticsearch and Kibana into new directories, you can run bin/elasticsearch in a console without any manual configuration. Elasticsearch will print auto-generated enrollment tokens and passwords to console. You can use the auto-generated Kibana enrollment token to start bin/kibana. For this to work, run Elasticsearch and Kibana once each in a console. After that, you can start them via Windows Services, and they will reuse their auto-generated certs and credentials.

Hi Justin,

I think I will try to disable security in Kibana as well.
As mentioned above, the security feature is disabled, because you already need an authentication just to be able to access the server. And the server is only available in the intranet. So there is no need for an extra Username/Password authentication.

I will report here, if I was successfull and how I managed it. And how I got it to work.

Would it be a possible solution to let Elasticsearch and Kibana run in a new folder with enabled security, use the passwords and especially the token to install both as Windows Services and connect Kibana with Elasticsearch. After that I disable the security with the parameter in the Elasticsearch configuration file?

All the best

I think it would be possible, but if you want security disabled it may be easier to continue your current approach.

Hi Justin,

do you know by any chance how to disable security features in Kibana? The parameter for the config-file?
In the internet I have not found instructions on how to disable that Kibana requests an enrollment-token before it gets installed as a Windows service.

All the best