Hi,
I couldn't find any post or doc that would answer this question. Without using shield, are there any working methods to secure the node-to-node transport of data between ES nodes. Is there a way to enable ssl node-to-node transport?
thanks,
Michael
If you are using a recent version of ES (2.2.x or newer), you could look at search-guard-ssl.
TIn
thanks will take look at that. Will have to see if we can make use of the external plugin. May have to get this thru management for approval.
Was looking at stunnel to tunnel node-node transport.
Does anyone have a working stunnel configuration for ES node transport that can be shared.
It's very easy to get SG-SSL working. We have it running across 4 data centers and close to 300 nodes. Eventually we will roll it out to all of our of clusters.
It's open source, so if you are concerned about it, you can compile it yourself.
Tin
you have it working for the latest 2.3.1 es? I didn't see it on their matrix as too how supported it was. Its not about open source, every piece of software that is used in production here has to be vetted by security/administrative group if its not in rhel/epel. Every version change of a piece of software needs to be revetted. I'll have to submit the plugin for review and continue without it in the mean time.
I just tested upgrading one of my cluster to ES v2.3.1 and SG-SSL 2.3.1.8 and yes, it works fine. I will do more testing and schedule upgrade of the rest of my current clusters that is running ES + SG-SSL once I am satisfied that there is no regression.
Yes, I understand the need for security review. We've already gotten approval by our security to use SG-SSL. I am sure you'll need to go through yours.
Tin
My ES boxes has no internet access so everything will need to be transfer to them via scp. Being new to adding plugins to ES, do i simply compile the source with maven and then point the plugin application at the target dir it makes? I assume I will have cmpile this on a box with internet access to get things compiled and transfer everything as a tarball to the ES host. Trying to get a handle on what to do while waiting for approval. Thanks for the help.
Michael
If you want to build the jar file yourself, then yes, you will need to do it on a box that has internet access.
Just clone the git repo from github, then run
mvn package
That should pull everything you need and build the packages.
Tin
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.