Securing ES node to node transport

mnhan · April 7, 2016, 1:10pm

Hi,

I couldn't find any post or doc that would answer this question. Without using shield, are there any working methods to secure the node-to-node transport of data between ES nodes. Is there a way to enable ssl node-to-node transport?

thanks,
Michael

tinle · April 7, 2016, 4:53pm

If you are using a recent version of ES (2.2.x or newer), you could look at search-guard-ssl.

TIn

mnhan · April 8, 2016, 3:18pm

thanks will take look at that. Will have to see if we can make use of the external plugin. May have to get this thru management for approval.

Was looking at stunnel to tunnel node-node transport.

Does anyone have a working stunnel configuration for ES node transport that can be shared.

tinle · April 8, 2016, 3:53pm

It's very easy to get SG-SSL working. We have it running across 4 data centers and close to 300 nodes. Eventually we will roll it out to all of our of clusters.

It's open source, so if you are concerned about it, you can compile it yourself.

Tin

mnhan · April 8, 2016, 4:04pm

you have it working for the latest 2.3.1 es? I didn't see it on their matrix as too how supported it was. Its not about open source, every piece of software that is used in production here has to be vetted by security/administrative group if its not in rhel/epel. Every version change of a piece of software needs to be revetted. I'll have to submit the plugin for review and continue without it in the mean time.

tinle · April 8, 2016, 5:12pm

I just tested upgrading one of my cluster to ES v2.3.1 and SG-SSL 2.3.1.8 and yes, it works fine. I will do more testing and schedule upgrade of the rest of my current clusters that is running ES + SG-SSL once I am satisfied that there is no regression.

Yes, I understand the need for security review. We've already gotten approval by our security to use SG-SSL. I am sure you'll need to go through yours.

Tin

mnhan · April 11, 2016, 4:01pm

My ES boxes has no internet access so everything will need to be transfer to them via scp. Being new to adding plugins to ES, do i simply compile the source with maven and then point the plugin application at the target dir it makes? I assume I will have cmpile this on a box with internet access to get things compiled and transfer everything as a tarball to the ES host. Trying to get a handle on what to do while waiting for approval. Thanks for the help.

Michael

tinle · April 11, 2016, 11:07pm

If you want to build the jar file yourself, then yes, you will need to do it on a box that has internet access.

Just clone the git repo from github, then run

mvn package

That should pull everything you need and build the packages.

Tin