Configure TLS certificates

TLS is configured in elasticsearch.yml. There are two main configuration sections: the transport layer and the REST layer. TLS is optional for the REST layer and mandatory for the transport layer.

You can find an example configuration template with all options on GitHub.


Table of contents

  1. X.509 PEM certificates and PKCS #8 keys
    1. Transport layer TLS
    2. REST layer TLS
  2. Keystore and truststore files
    1. Transport layer TLS
    2. REST layer TLS
  3. Configure node certificates
  4. Configure admin certificates
  5. OpenSSL
  6. (Advanced) Hostname verification and DNS lookup
  7. (Advanced) Client authentication
  8. (Advanced) Enabled ciphers and protocols
    1. Example settings
  9. (Advanced) Disable client initiated renegotiation for Java 8

X.509 PEM certificates and PKCS #8 keys

The following tables contain the settings you can use to configure the location of your PEM certificates and private keys.

Transport layer TLS

Name Description
opendistro_security.ssl.transport.pemkey_filepath Path to the certificate’s key file (PKCS #8), which must be under the config directory, specified using a relative path. Required.
opendistro_security.ssl.transport.pemkey_password Key password. Omit this setting if the key has no password. Optional.
opendistro_security.ssl.transport.pemcert_filepath Path to the X.509 node certificate chain (PEM format), which must be under the config directory, specified using a relative path. Required.
opendistro_security.ssl.transport.pemtrustedcas_filepath Path to the root CAs (PEM format), which must be under the config directory, specified using a relative path. Required.

REST layer TLS

Name Description
opendistro_security.ssl.http.pemkey_filepath Path to the certificate’s key file (PKCS #8), which must be under the config directory, specified using a relative path. Required.
opendistro_security.ssl.http.pemkey_password Key password. Omit this setting if the key has no password. Optional.
opendistro_security.ssl.http.pemcert_filepath Path to the X.509 node certificate chain (PEM format), which must be under the config directory, specified using a relative path. Required.
opendistro_security.ssl.http.pemtrustedcas_filepath Path to the root CAs (PEM format), which must be under the config directory, specified using a relative path. Required.

Keystore and truststore files

As an alternative to certificates and private keys in PEM format, you can instead use keystore and truststore files in JKS or PKCS12/PFX format. The following settings configure the location and password of your keystore and truststore files. If you want, you can use different keystore and truststore files for the REST and the transport layer.

Transport layer TLS

Name Description
opendistro_security.ssl.transport.keystore_type The type of the keystore file, JKS or PKCS12/PFX. Optional. Default is JKS.
opendistro_security.ssl.transport.keystore_filepath Path to the keystore file, which must be under the config directory, specified using a relative path. Required.
opendistro_security.ssl.transport.keystore_alias: my_alias Alias name. Optional. Default is the first alias.
opendistro_security.ssl.transport.keystore_password Keystore password. Default is changeit.
opendistro_security.ssl.transport.truststore_type The type of the truststore file, JKS or PKCS12/PFX. Default is JKS.
opendistro_security.ssl.transport.truststore_filepath Path to the truststore file, which must be under the config directory, specified using a relative path. Required.
opendistro_security.ssl.transport.truststore_alias Alias name. Optional. Default is all certificates.
opendistro_security.ssl.transport.truststore_password Truststore password. Default is changeit.

REST layer TLS

Name Description
opendistro_security.ssl.http.enabled Whether to enable TLS on the REST layer. If enabled, only HTTPS is allowed. Optional. Default is false.
opendistro_security.ssl.http.keystore_type The type of the keystore file, JKS or PKCS12/PFX. Optional. Default is JKS.
opendistro_security.ssl.http.keystore_filepath Path to the keystore file, which must be under the config directory, specified using a relative path. Required.
opendistro_security.ssl.http.keystore_alias Alias name. Optional. Default is the first alias.
opendistro_security.ssl.http.keystore_password Keystore password. Default is changeit.
opendistro_security.ssl.http.truststore_type The type of the truststore file, JKS or PKCS12/PFX. Default is JKS.
opendistro_security.ssl.http.truststore_filepath Path to the truststore file, which must be under the config directory, specified using a relative path. Required.
opendistro_security.ssl.http.truststore_alias Alias name. Optional. Default is all certificates.
opendistro_security.ssl.http.truststore_password Truststore password. Default is changeit.

Configure node certificates

The Security plugin needs to identify inter-cluster requests (i.e. requests between the nodes). The simplest way of configuring node certificates is to list the Distinguished Names (DNs) of these certificates in elasticsearch.yml. All DNs must be included in elasticsearch.yml on all nodes. The Security plugin supports wildcards and regular expressions:

opendistro_security.nodes_dn:
  - 'CN=node.other.com,OU=SSL,O=Test,L=Test,C=DE'
  - 'CN=*.example.com,OU=SSL,O=Test,L=Test,C=DE'
  - 'CN=elk-devcluster*'
  - '/CN=.*regex/'

If your node certificates have an OID identifier in the SAN section, you can omit this configuration.

Configure admin certificates

Admin certificates are regular client certificates that have elevated rights to perform administrative tasks. You need an admin certificate to change the the Security plugin configuration using plugins/opendistro_security/tools/securityadmin.sh or the REST API. Admin certificates are configured in elasticsearch.yml by stating their DN(s):

opendistro_security.authcz.admin_dn:
  - CN=admin,OU=SSL,O=Test,L=Test,C=DE

For security reasons, you can’t use wildcards or regular expressions here.

OpenSSL

The Security plugin supports OpenSSL. If you use Java 8, we recommend OpenSSL in production for enhanced performance and a wider range of modern cipher suites. If you use Java 11, performance should be similar.

To use OpenSSL, you must install OpenSSL, the Apache Portable Runtime, and a Netty version with OpenSSL support matching your platform on all nodes.

If OpenSSL is enabled, but for one reason or another the installation does not work, the Security plugin falls back to the Java JCE as the security engine.

Name Description
opendistro_security.ssl.transport.enable_openssl_if_available Enable OpenSSL on the transport layer if available. Optional. Default is true.
opendistro_security.ssl.http.enable_openssl_if_available Enable OpenSSL on the REST layer if available. Optional. Default is true.
  1. Download the statically-linked JAR that includes OpenSSL, Apache Portable Runtime, and netty-tcnative for RPM-based distributions or other distributions and place it in plugins/opendistro_security/ on every node.

(Advanced) Hostname verification and DNS lookup

In addition to verifying the TLS certificates against the root CA and/or intermediate CA(s), the Security plugin can apply additional checks on the transport layer.

With enforce_hostname_verification enabled, the Security plugin verifies that the hostname of the communication partner matches the hostname in the certificate. The hostname is taken from the subject or SAN entries of your certificate. For example, if the hostname of your node is node-0.example.com, then the hostname in the TLS certificate has to be set to node-0.example.com, as well. Otherwise, errors are thrown:

[ERROR][c.a.o.s.s.t.OpenDistroSecuritySSLNettyTransport] [WX6omJY] SSL Problem No name matching <hostname> found
[ERROR][c.a.o.s.s.t.OpenDistroSecuritySSLNettyTransport] [WX6omJY] SSL Problem Received fatal alert: certificate_unknown

In addition, when resolve_hostnames is enabled, the Security plugin resolves the (verified) hostname against your DNS. If the hostname does not resolve, errors are thrown:

Name Description
opendistro_security.ssl.transport.enforce_hostname_verification Whether to verify hostnames on the transport layer. Optional. Default is true.
opendistro_security.ssl.transport.resolve_hostname Whether to resolve hostnames against DNS on the transport layer. Optional. Default is true. Only works if hostname verification is also enabled.

(Advanced) Client authentication

With TLS client authentication enabled, REST clients can send a TLS certificate with the HTTP request to provide identity information to the Security plugin. There are three main usage scenarios for TLS client authentication:

  • Providing an admin certificate when using the REST management API.
  • Configuring roles and permissions based on a client certificate.
  • Providing identity information for tools like Kibana, Logstash, or Beats.

TLS client authentication has three modes:

  • NONE: The Security plugin does not accept TLS client certificates. If one is sent, it is discarded.
  • OPTIONAL: The Security plugin accepts TLS client certificates if they are sent, but does not require them.
  • REQUIRE: The Security plugin only accepts REST requests when a valid client TLS certificate is sent.

For the REST management API, the client authentication modes has to be OPTIONAL at a minimum.

You can configure the client authentication mode by using the following setting:

Name Description
opendistro_security.ssl.http.clientauth_mode The TLS client authentication mode to use. Can be one of NONE, OPTIONAL (default) or REQUIRE. Optional.

(Advanced) Enabled ciphers and protocols

You can limit the allowed ciphers and TLS protocols for the REST layer. For example, you can only allow strong ciphers and limit the TLS versions to the most recent ones.

If this setting is not enabled, the ciphers and TLS versions are negotiated between the browser and the Security plugin automatically, which in some cases can lead to a weaker cipher suite being used. You can configure the ciphers and protocols using the following settings.

Name Description
opendistro_security.ssl.http.enabled_ciphers Array, enabled TLS cipher suites for the REST layer. Only Java format is supported.
opendistro_security.ssl.http.enabled_protocols Array, enabled TLS protocols for the REST layer. Only Java format is supported.
opendistro_security.ssl.transport.enabled_ciphers Array, enabled TLS cipher suites for the transport layer. Only Java format is supported.
opendistro_security.ssl.transport.enabled_protocols Array, enabled TLS protocols for the transport layer. Only Java format is supported.

Example settings

opendistro_security.ssl.http.enabled_ciphers:
  - "TLS_DHE_RSA_WITH_AES_256_CBC_SHA"
  - "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256"
opendistro_security.ssl.http.enabled_protocols:
  - "TLSv1.1"
  - "TLSv1.2"

Because it is insecure, the Security plugin disables TLSv1 by default. If you need to use TLSv1 and accept the risks, you can still enable it:

opendistro_security.ssl.http.enabled_protocols:
  - "TLSv1"
  - "TLSv1.1"
  - "TLSv1.2"

(Advanced) Disable client initiated renegotiation for Java 8

Set -Djdk.tls.rejectClientInitiatedRenegotiation=true to disable secure client initiated renegotiation, which is enabled by default. This can be set via ES_JAVA_OPTS in config/jvm.options.