XPACK Security in ELK stack 7.1.1

Hi Guys,

I am working with ELK stack 7.1.1 version on Kubernetes using image: docker.elastic.co/elasticsearch/elasticsearch:7.1.1
I am facing an issue: when xpack security is enabled on the elasticsearch cluster, elasticsearch components fail to start with the below error. It says either disable the security or change xpack.security.transport.ssl.enabled to true, as I am on basic license.


{"type": "server", "timestamp": "2019-06-03T15:00:26,674+0000", "level": "INFO", "component": "o.e.b.BootstrapChecks", "cluster.name": "opselasticsearch", "node.name": "elasticsearch-master-2", "message": "bound or publishing to a non-loopback address, enforcing bootstrap checks" }
ERROR: [1] bootstrap checks failed
[1]: Transport SSL must be enabled if security is enabled on a [basic] license. Please set [xpack.security.transport.ssl.enabled] to [true] or disable security by setting [xpack.security.enabled] to [false]


Why do I need to enable SSL if I am on basic license and xpack security enabled is true?

Please help me to understand this.

This is a requirement for ALL licenses that allow SSL (apart from the trial license), not just basic. You need to enable SSL for the transport layer because, since you have enabled security, nodes will now start sending data between them that will contain sensitive data such as passwords. If you don't enable SSL, this data is sent between nodes in plaintext.

2 Likes

So, this means I have to generate certificates also for this SSL to work, because setting this SSL property alone to true doesn't help, as it looks for certificates and gives handshake failure.

Yes, that is exactly what this means.

You must configure SSL between nodes in order to enable security.
https://www.elastic.co/guide/en/elastic-stack-overview/7.1/encrypting-internode-communications.html

Can you please give a guide which tells the steps for a containerised ELK stack? The link above is just for a single node and doesn't include all steps.

https://www.elastic.co/guide/en/elasticsearch/reference/7.1/configuring-tls-docker.html

For a cluster that is running in production mode with a production license, once security is enabled, transport TLS/SSL must also be enabled. On the other hand, if we are running with a trial license, then transport TLS/SSL is not obligatory.

If we are running with a production license and we attempt to start the cluster with security enabled before we have enabled transport TLS/SSL, we will see the following error message:

Transport SSL must be enabled for setups with production licenses. Please set [xpack.security.transport.ssl.enabled] to [true] or disable security by setting [xpack.security.enabled] to [false]

1 Like

Hi @ylasri, this is expected behavior. Is there a question? If so, can you please open a new issue, so that it's clearer for people reading the forums?

Hi @ikakavas, I just provided this comment as an answer to @sunnynazar's issue.
In my dev env I change discovery.type to single-node to get things working quickly.

Gotcha, thank you for the clarification and the feedback!

Issue was fixed. Thanks @all.
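The three states discussed in this thread (security on without transport SSL, transport SSL on without certificates, and a complete configuration) can be checked before a node is started. The following is an added example, not part of the original posts and not Elastic code: it assumes flat dotted keys as written in elasticsearch.yml and a node bound to a non-loopback address, and the function names, finding texts and certificate path are constructed for illustration.

```python
# Added example. Assumes flat dotted "key: value" lines, as in elasticsearch.yml.
SSL = "xpack.security.transport.ssl."

def parse_flat(text):
    """Parse flat settings; comments and blank lines are skipped."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" in line:
            key, value = line.split(":", 1)
            settings[key.strip()] = value.strip().strip("\"'")
    return settings

def is_true(settings, key):
    return settings.get(key, "false").lower() == "true"

def preflight(settings):
    """Return findings for the given settings; an empty list means none."""
    if not is_true(settings, "xpack.security.enabled"):
        return ["security disabled: the transport SSL check does not apply"]
    findings = []
    if not is_true(settings, SSL + "enabled"):
        if settings.get("discovery.type") == "single-node":
            findings.append("single-node discovery: starts without transport SSL, dev only")
        else:
            findings.append("transport SSL off: bootstrap check fails on a non-trial license")
        return findings
    has_keystore = SSL + "keystore.path" in settings
    has_pem = SSL + "key" in settings and SSL + "certificate" in settings
    if not (has_keystore or has_pem):
        findings.append("transport SSL on without key material: expect handshake failures")
    if settings.get(SSL + "verification_mode") == "none":
        findings.append("verification_mode none: peer certificates are not checked")
    return findings

# Constructed sample configurations (not taken from the thread).
FAILING = "xpack.security.enabled: true\nnetwork.host: 0.0.0.0\n"
SSL_ONLY = FAILING + SSL + "enabled: true\n"
FIXED = SSL_ONLY + (
    SSL + "verification_mode: certificate\n"
    + SSL + "keystore.path: certs/elastic-certificates.p12\n"
    + SSL + "truststore.path: certs/elastic-certificates.p12\n"
)

if __name__ == "__main__":
    for name, text in [("failing", FAILING), ("ssl-only", SSL_ONLY), ("fixed", FIXED)]:
        print(name, preflight(parse_flat(text)) or "ok")
```
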
