Xpack without SSL/Certificates

Hi gang,

While upgrading our environments to 7.11, I tackled an old issue of mine: trying to get our dev cluster running with the xpack features active but without the need for those pesky certificates all the time.
The requirement for the setting xpack.security.enabled to ALWAYS have xpack.security.transport.ssl.enabled set to true as well is kind of annoying. I am very well aware that this would result in my "secure" cluster sending data over the network in plaintext, freely accessible to any attacker. Please let me deal with this risk myself.

Not every Elasticsearch cluster is a prod cluster. We have developer environments; all of our developers work with the SIEM application, and a lot of them use their own device as a log source, as well as any OS/application they might have an interest in.

With the current way Elasticsearch is handling this, it is extremely difficult for us to work with the SIEM application and just add a new log source to the mix.
Every single time a developer wants to onboard a new log source, he will have to create certificates for it.

I have not found a way to run xpack.security.enabled: true without the need for certificates. If there is some sort of development setting I am not aware of, please let me know.

Kind Regards,
madduck

There's no way to do this; enabling Security means TLS at a minimum.

I don't follow.

xpack.security.transport.ssl.enabled is the setting that enables SSL on the "transport" protocol, which is how ES nodes communicate with one another.
Turning on SSL between your Elasticsearch nodes should have zero impact on configuring new log sources.

Turning on SSL between your Elasticsearch nodes should have zero impact on configuring new log sources.

When I said "configuring log sources" I might have used the wrong term. This is about setting up a new client and getting data through Beats into the environment.

It is my understanding that with that setting enabled, all Elasticsearch components need certificates in order to communicate with each other.
So when developer A decides to do some work on a Linux machine and sets it up, he now has to create certificates for his new machine, etc.

I just wanted to know if there is a way to work with the SIEM application and not be forced into the whole certificate ordeal, because we keep getting complaints that it's not "easy" enough.

Thank you, this is what I thought, but it's good to have an official statement :)

I think there is quite some confusion here. It's certainly required to enable security on the transport protocol, that's what xpack.security.transport.ssl.enabled does and what Mark meant, but that has no bearing on SIEM's interaction with Elasticsearch because SIEM is a collection of HTTP clients, it doesn't use the transport protocol. The transport protocol is only used between nodes.

The security configuration for HTTP clients is quite separate from the transport protocol config and comprises mostly the settings matching xpack.security.http.ssl.* . It probably helps to read these docs which describe the distinction, and these docs cover the security configuration for HTTP clients.

If xpack.security.http.ssl.client_authentication is none (the default) then clients (i.e. log sources) don't need their own certificate.
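To make the split between the two layers concrete, here is an added example configuration (not taken from the thread or from the Elastic documentation) of a dev node with xpack.security.enabled set, TLS on the transport layer as required, and TLS on the HTTP layer with the default client_authentication: none, followed by the matching Beats output section. Cluster and node names, hostnames, file paths and the filebeat_writer user are assumptions for illustration. Only the transport setting is mandatory; in 7.x the HTTP TLS settings are optional, so a dev cluster can even leave xpack.security.http.ssl.enabled at its default of false and accept plain HTTP on 9200.

```yaml
# elasticsearch.yml (added example, not the thread's own config)
# Names and paths below are assumptions chosen for illustration.
cluster.name: dev-siem
node.name: dev-node-1

xpack.security.enabled: true

# Node-to-node (transport, port 9300) layer: TLS is mandatory once security is on.
# Only Elasticsearch nodes need this keystore; Beats, Kibana and the SIEM app
# never speak the transport protocol, so log sources never touch it.
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: certs/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: certs/elastic-certificates.p12

# HTTP (port 9200) layer: what Beats, Kibana and the SIEM app talk to.
# The node presents a server certificate; with client_authentication: none
# (the default) clients authenticate with a username/password or an API key,
# not with a certificate of their own.
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: certs/http.p12
xpack.security.http.ssl.client_authentication: none

---
# filebeat.yml on a developer's machine (added example).
# The only TLS material the client needs is the CA that signed the node's
# HTTP certificate, so onboarding a new host requires no per-host certificate.
output.elasticsearch:
  hosts: ["https://dev-node-1.example.internal:9200"]
  username: "filebeat_writer"
  password: "${FILEBEAT_PASSWORD}"
  ssl.certificate_authorities: ["/etc/filebeat/certs/ca.crt"]
  ssl.verification_mode: full
```

The PKCS#12 passwords are not placed in elasticsearch.yml; they go into the Elasticsearch keystore with bin/elasticsearch-keystore add xpack.security.transport.ssl.keystore.secure_password (and the http.ssl equivalents). To confirm that the HTTP listener really does not ask clients for a certificate, run openssl s_client -connect dev-node-1.example.internal:9200 against the node: with client_authentication: none the handshake summary reports "No client certificate CA names sent", whereas a listener configured for optional or required client authentication prints "Acceptable client certificate CA names" followed by the trusted issuers.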