
Configuring Elasticsearch security features in Data Center Edition

Setting up Elasticsearch authentication

Elasticsearch authentication involves verifying the identity of users and systems before granting access to Elasticsearch. You can use TLS for Elasticsearch authentication. To do so, you need to configure both the search nodes (Elasticsearch nodes) and the application nodes (clients) to use TLS/SSL for communication and ensure they have valid certificates. This involves setting up a Certificate Authority (CA), generating a certificate, and configuring Elasticsearch to use this certificate for authentication.

Step 1: Generate the CA and certificate

You must generate a Certificate Authority together with a certificate and private key. Generate only one certificate for all nodes.

You can use the elasticsearch-certutil tool to generate both the Certificate Authority and the certificate (see the Elastic documentation):

  • Make sure you include all the search nodes' hostnames. They will then be added as DNS names in the Subject Alternative Name (SAN). See the example below.
  • Choose the password that will be assigned to searchNodes.searchAuthentication.userPassword. This is optional in a Kubernetes installation.
  • As a result of the certificate creation process, you should get a file called http.p12. Rename it to elastic-stack-ca.p12.

DNS names list example

As an example, let's assume that your cluster has three search nodes with the release's name set to "sq", the chart's name set to "sonarqube-dce", and the namespace set to "sonar". You will need to add the following DNS names in the SAN.

sq-sonarqube-dce-search-0.sq-sonarqube-dce-search.sonar.svc.cluster.local

sq-sonarqube-dce-search-1.sq-sonarqube-dce-search.sonar.svc.cluster.local

sq-sonarqube-dce-search-2.sq-sonarqube-dce-search.sonar.svc.cluster.local

sq-sonarqube-dce-search

Remember to add the service name to the list (in this case, sq-sonarqube-dce-search).

Note that you can retrieve a search node's FQDN by running hostname -f within one of the nodes.
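
One way to build the SAN list for any number of search nodes and to check a generated certificate against it, as an added example that is not part of the original page. The naming pattern is inferred from the DNS names example above (a chart name override would change it), and the function names and the KEYSTORE_PASS variable are assumptions.

```shell
#!/bin/sh
# Added example, not from the SonarQube documentation.
# Assumption: names follow the pattern of the page's example,
#   <release>-<chart>-search-<n>.<release>-<chart>-search.<namespace>.svc.<cluster domain>

# expected_sans RELEASE CHART NAMESPACE REPLICAS [CLUSTER_DOMAIN]
# Prints every DNS name the certificate's SAN must contain, one per line.
expected_sans() (
  svc="$1-$2-search"
  domain="${5:-cluster.local}"
  i=0
  while [ "$i" -lt "$4" ]; do
    printf '%s-%s.%s.%s.svc.%s\n' "$svc" "$i" "$svc" "$3" "$domain"
    i=$((i + 1))
  done
  printf '%s\n' "$svc"   # the service name itself must be listed too
)

# cert_sans: reads the text printed by `openssl x509 -noout -ext subjectAltName`
# on stdin and prints only the DNS entries, one per line.
cert_sans() {
  tr ',' '\n' | sed -n 's/^[[:space:]]*DNS:\([^[:space:]]*\).*$/\1/p'
}

# missing_sans EXPECTED CERT: prints expected names absent from the certificate.
# grep -x matches whole lines, so the service name is not satisfied by a pod
# FQDN that merely starts with it.
missing_sans() (
  printf '%s\n' "$1" | while IFS= read -r name; do
    [ -n "$name" ] || continue
    printf '%s\n' "$2" | grep -qxF -- "$name" || printf '%s\n' "$name"
  done
)

# keystore_sans P12_FILE: DNS SANs of the node certificate in the keystore.
# The password is read from KEYSTORE_PASS (hypothetical variable name).
# Requires OpenSSL 1.1.1 or later for the -ext option.
keystore_sans() {
  openssl pkcs12 -in "$1" -nokeys -clcerts -passin env:KEYSTORE_PASS |
    openssl x509 -noout -ext subjectAltName | cert_sans
}

# The page's example cluster: three search nodes, release "sq", namespace "sonar".
expected_sans sq sonarqube-dce sonar 3
```

Running `missing_sans "$(expected_sans sq sonarqube-dce sonar 3)" "$(keystore_sans elastic-stack-ca.p12)"` before creating the secret prints any name the certificate lacks; empty output means every search node and the service name are covered.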

Step 2: Configure the authentication in SonarQube

You must restart the cluster to apply the changes.

  1. On each application node and on each search node, enable the authentication to the Elasticsearch cluster by setting the Elasticsearch password in the system property sonar.cluster.search.password or the corresponding environment variable SONAR_CLUSTER_SEARCH_PASSWORD. It must have the exact same value on all nodes.
  2. On each search node, set the path to elastic-stack-ca.p12 in the following system properties: 
    • sonar.cluster.es.ssl.keystore / SONAR_CLUSTER_ES_SSL_KEYSTORE
    • sonar.cluster.es.ssl.truststore / SONAR_CLUSTER_ES_SSL_TRUSTSTORE
  3. On each search node, set the keystore / truststore password in the following system properties:
    • sonar.cluster.es.ssl.keystorePassword / SONAR_CLUSTER_ES_SSL_KEYSTOREPASSWORD
    • sonar.cluster.es.ssl.truststorePassword / SONAR_CLUSTER_ES_SSL_TRUSTSTOREPASSWORD

For information about the system properties, see Elasticsearch authentication in System properties specific to the Data Center Edition.

In the Helm chart:

  1. Set searchNodes.searchAuthentication.enabled to true.
  2. Create the secret that will contain the certificate and assign its name to the searchNodes.searchAuthentication.keyStoreSecret parameter. 
  3. If you chose a password in the certificate generation process, set the keyStorePassword or keyStorePasswordSecret values with that password value.

Setting up TLS encryption

TLS encryption is used to secure the HTTP traffic between clients (application nodes) and Elasticsearch (search nodes). If Elasticsearch authentication is enabled, you can set up TLS encryption.

You must restart the cluster to apply the changes.

On each application node and each search node, set the path to elastic-stack-ca.p12 in the following system properties:

  • sonar.cluster.es.http.ssl.keystore / SONAR_CLUSTER_ES_HTTP_SSL_KEYSTORE
  • sonar.cluster.es.http.ssl.keystorePassword / SONAR_CLUSTER_ES_HTTP_SSL_KEYSTOREPASSWORD

For information about the properties, see TLS encryption in System properties specific to the Data Center Edition.

In the Helm chart:

  • Set nodeEncryption.enabled to true.


© 2008-2025 SonarSource SA. All rights reserved.

Creative Commons License