Questions around encryption

I have a couple of questions pertaining to encryption when using Shield.

If you have ES and Kibana running on two separate containers (docker), utilizing two realms, esusers and Active Directory, how many levels of encryption will you need?

I assume the authentication path is as follows:

  1. Client visits Kibana URL and is presented with the login UI provided by Shield
  2. Client enters AD credentials and attempts to log in
  3. Kibana first tries to authenticate to Elasticsearch using the elasticsearch.username and elasticsearch.password contained within kibana.yml
  4. If authentication is successful, Elasticsearch then attempts to authenticate to Active Directory (I am unsure of this part).
  5. If authentication is successful, user successfully arrives into Kibana UI displaying logs.

I am assuming there are two parts to authentication here, esusers and AD.

Will this require two different certificates? One for the esusers authentication and one for the AD authentication?

Currently, our domain is small and does not have Active Directory Certificate Services installed, so I am assuming I will most definitely need this if I want encryption for ELK, which I know is highly recommended.

Will both of these certificates need to be issued by AD CS (either one or more certificates)?

Thank you!

Bump!

Hi Michael,

My understanding of your question is that when you are talking about encryption, you are talking about TLS/SSL.

The elasticsearch.username and elasticsearch.password in the kibana.yml are used by the Kibana server to communicate with Elasticsearch and issue health checks; they are not used as part of user authentication.

The authentication flow on the first login is:

  1. Client visits Kibana URL and is presented with the login UI provided by Shield
  2. Client enters AD credentials. Kibana passes these to elasticsearch
  3. Elasticsearch (Shield) then attempts to authenticate to Active Directory
  4. If authentication is successful, user successfully arrives into Kibana UI displaying logs.

On subsequent authentications, step 3 may hit a cache inside of Shield rather than hitting AD all the time. The cache is time bound (20 minutes by default). If you want, this behavior can be configured in the AD realm settings.

Having multiple realms does not imply a need for different certificates.

AD Certificate Services is not a hard requirement. We have documentation on setting up your own CA if you wish to manage it yourself.

That said, you can absolutely use AD Certificate Services as your CA. I think it can make managing certificates and client trust easier since you can push a trusted certificate out using group policies. Side note: when you generate your certificates for Elasticsearch they need to have the extended key usage for clientAuth and serverAuth, so you'll need to look at the profile you use in AD CS to make sure it allows for both.

Each node should have its own certificate and private key. The certificate should have Subject Alternative Names for IP/DNS entries (depending on how you access it). Kibana should also have its own certificate and private key. So in the case of a single elasticsearch instance and a single Kibana instance, you would need two certificates.
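Jay's last three points (no AD CS required, both clientAuth and serverAuth in the extended key usage, a separate certificate per node with DNS/IP Subject Alternative Names) can be checked with nothing but a TLS library. The following is an added example, not code from this thread or from Elastic: it builds a throwaway CA with Go's standard crypto/x509, issues one node certificate with DNS and IP SANs and both EKUs and a second one with serverAuth only, then verifies each the way a TLS peer (another Elasticsearch node, or Kibana connecting to Elasticsearch) would. The CA name, hostnames and IP address are made up for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// sign makes a fresh P-256 key pair for tmpl and has parent sign it (nil parent = self-signed root).
func sign(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// caTemplate is the issuing CA (AD CS or your own CA in real use); the name is made up.
func caTemplate() *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example ELK CA"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().AddDate(10, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
}

// leafTemplate describes one end-entity certificate (each node and Kibana get their own):
// dnsNames and ips become the SANs, ekus the EKU list an AD CS template controls. Toy serials.
func leafTemplate(serial int64, cn string, dnsNames []string, ips []net.IP, ekus []x509.ExtKeyUsage) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().AddDate(2, 0, 0),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  ekus,
		DNSNames:     dnsNames,
		IPAddresses:  ips,
	}
}

// verifyFor runs the check a TLS peer runs: cert must chain to ca, be valid for usage,
// and (when name is non-empty) carry name as a DNS or IP SAN.
func verifyFor(ca, cert *x509.Certificate, name string, usage x509.ExtKeyUsage) error {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	_, err := cert.Verify(x509.VerifyOptions{
		Roots: pool, DNSName: name, KeyUsages: []x509.ExtKeyUsage{usage},
	})
	return err
}

// Demo issues a node certificate with both EKUs and one with serverAuth only (what a
// plain web-server template yields) and reports which peer-side checks each passes.
func Demo() (map[string]bool, error) {
	ca, caKey, err := sign(caTemplate(), nil, nil)
	if err != nil {
		return nil, err
	}
	dns, ips := []string{"es-node-1.example.internal"}, []net.IP{net.ParseIP("10.0.0.11")} // made up
	both := []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}
	node, _, err := sign(leafTemplate(2, "es-node-1", dns, ips, both), ca, caKey)
	if err != nil {
		return nil, err
	}
	srvOnly, _, err := sign(leafTemplate(3, "es-node-1", dns, ips, both[:1]), ca, caKey)
	if err != nil {
		return nil, err
	}
	return map[string]bool{
		"node as server, by DNS SAN":     verifyFor(ca, node, dns[0], x509.ExtKeyUsageServerAuth) == nil,
		"node as server, by IP SAN":      verifyFor(ca, node, ips[0].String(), x509.ExtKeyUsageServerAuth) == nil,
		"node as client (transport)":     verifyFor(ca, node, "", x509.ExtKeyUsageClientAuth) == nil,
		"serverAuth-only cert as client": verifyFor(ca, srvOnly, "", x509.ExtKeyUsageClientAuth) == nil,
		"node under a name not in SANs":  verifyFor(ca, node, "kibana.example.internal", x509.ExtKeyUsageServerAuth) == nil,
	}, nil
}

func main() {
	fmt.Println(Demo()) // the last two entries must be false, the rest true
}
```

The serverAuth-only certificate is the failure mode to watch for with a stock web-server template in AD CS: it passes when the node is the server, but is rejected when the same node presents it as a client, which is the case Jay's clientAuth note covers. Whichever CA issues the certificates, inspect the result rather than trusting the template name; `openssl x509 -noout -text -in node.crt` shows the SANs and the X509v3 Extended Key Usage of the certificate you actually got.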

Great information, thanks again Jay!