I have a couple of questions pertaining to encryption when using Shield.
If you have ES and Kibana running on two separate containers (docker), utilizing two realms, esusers and Active Directory, how many levels of encryption will you need?
I assume the authentication path is as follows:
1. Client visits Kibana URL and is presented with the login UI provided by Shield
2. Client enters AD credentials and attempts to log in
3. Kibana first tries to authenticate to Elasticsearch using the elasticsearch.username and elasticsearch.password contained within kibana.yml
4. If authentication is successful, Elasticsearch then attempts to authenticate to Active Directory (I am unsure of this part).
5. If authentication is successful, user successfully arrives into Kibana UI displaying logs.
I am assuming there are two parts to authentication here, esusers and AD.
Will this require two different certificates? One for the esusers authentication and one for the AD authentication?
Currently, our domain is small and does not have Active Directory Certificate Services installed, so I am assuming I will most definitely need this if I want encryption for ELK, which I know is highly recommended.
Will both of these certificates need to be issued by AD CS, (either one or more certificates)?
My understanding of your question is that when you are talking about encryption, you are talking about TLS/SSL.
The elasticsearch.username and elasticsearch.password in the kibana.yml is used by the kibana server to communicate with elasticsearch and issue health checks; it is not used as part of a user authentication.
The authentication flow on the first login is:
1. Client visits Kibana URL and is presented with the login UI provided by Shield
2. Client enters AD credentials. Kibana passes these to elasticsearch
3. Elasticsearch (Shield) then attempts to authenticate to Active Directory
4. If authentication is successful, user successfully arrives into Kibana UI displaying logs.
On subsequent authentications, step 3 may hit a cache inside of Shield rather than hitting AD all the time. The cache is time bound (20 minutes by default). If you want, this behavior can be configured in the AD realm settings.
Having multiple realms does not imply a need for different certificates.
That said, you can absolutely use AD certificate services as your CA. I think it can make managing certificates and client trust easier since you can push a trusted certificate out using group policies. Side note: when you generate your certificates for elasticsearch they need to have the extended key usage for clientAuth and serverAuth, so you'll need to look at the profile you use in AD CS to make sure it allows for both.
Each node should have its own certificate and private key. The certificate should have Subject Alternative Names for IP/DNS entries (depending on how you access it). Kibana should also have its own certificate and private key. So in the case of a single elasticsearch instance and a single Kibana instance, you would need two certificates.
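As an added illustration of the two certificate requirements in the answer above (this is example code, not from the thread or from Elastic), the script below builds a self-signed node certificate carrying both extendedKeyUsage values and DNS/IP Subject Alternative Names, then checks a certificate for exactly those properties. The hostname and IP are constructed placeholders; in a real deployment you would have your CA (for example AD CS) sign a CSR produced from the same config.

```shell
# Added example, not from the thread: build a self-signed node certificate
# with the extensions the answer asks for (EKU serverAuth + clientAuth, SANs)
# and check a certificate for them. Names and IPs are constructed placeholders.
set -eu

WORK="${TMPDIR:-/tmp}/es-cert-demo.$$"
mkdir -p "$WORK"

# $1 = output basename, $2 = extendedKeyUsage value(s) to request
write_cnf() {
  cat > "$WORK/$1.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = node_ext
prompt = no
[dn]
CN = es-node-1.example.internal
[node_ext]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = $2
subjectAltName = DNS:es-node-1.example.internal, IP:10.0.0.11
EOF
}

# Generate a key pair and a self-signed certificate from that config.
make_node_cert() {
  write_cnf "$1" "$2"
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" \
    -config "$WORK/$1.cnf" >/dev/null 2>&1
}

# Return 0 only if the cert has both EKUs and at least one DNS or IP SAN.
check_node_cert() {
  text=$(openssl x509 -in "$1" -noout -text)
  eku=$(printf '%s\n' "$text" | grep -A1 'Extended Key Usage' | tail -n 1)
  san=$(printf '%s\n' "$text" | grep -A1 'Subject Alternative Name' | tail -n 1)
  case "$eku" in *"TLS Web Server Authentication"*) ;; *) return 1 ;; esac
  case "$eku" in *"TLS Web Client Authentication"*) ;; *) return 1 ;; esac
  case "$san" in *DNS:*|*"IP Address:"*) ;; *) return 1 ;; esac
}
```

Run check_node_cert against the certificate AD CS issued for each node and for Kibana before installing it; a template that only grants serverAuth will fail the second case check.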