Elasticsearch security features
How to set up Elasticsearch security features.
Setting up Elasticsearch authentication
Elasticsearch authentication involves verifying the identity of users and systems before granting access to Elasticsearch. You can use TLS for Elasticsearch authentication. To do so, you need to configure both the search nodes (Elasticsearch nodes) and the application nodes (clients) to use TLS/SSL for communication and ensure they have valid certificates. This involves setting up a Certificate Authority (CA), generating a certificate and configuring Elasticsearch to use this certificate for authentication.
Step 1: Generate the CA and certificate
You must generate a Certificate Authority together with a certificate and private key. Generate only one certificate for all nodes.
You can use the elasticsearch-certutil tool to generate both the Certificate Authority and the certificate (see the Elastic documentation):
Make sure you include all the search nodes’ hostnames. They will then be added as DNS names in the Subject Alternative Name. See the example below.
Choose the password that will be assigned to searchNodes.searchAuthentication.userPassword. This is optional in a Kubernetes installation unless you are not using searchAuthentication. If you are using searchAuthentication and do not define a password in your Helm chart, the system will fail.
As a result of the certificate creation process, you should get a file called http.p12. Rename it to elastic-stack-ca.p12.
When creating the PKCS#12 container, make sure it is created with an algorithm that is readable by Java 17.
Step 2: Configure the authentication in SonarQube
You must restart the cluster to apply the changes.
On each application node and on each search node, enable the authentication to the Elasticsearch cluster by setting the Elasticsearch password in the system property sonar.cluster.search.password or the corresponding environment variable SONAR_CLUSTER_SEARCH_PASSWORD. It must have the exact same value on all nodes.
On each search node, set the path to elastic-stack-ca.p12 in the following system properties:
sonar.cluster.es.ssl.keystore / SONAR_CLUSTER_ES_SSL_KEYSTORE
sonar.cluster.es.ssl.truststore / SONAR_CLUSTER_ES_SSL_TRUSTSTORE
On each search node, set the keystore / truststore password in the following system properties:
sonar.cluster.es.ssl.keystorePassword / SONAR_CLUSTER_ES_SSL_KEYSTOREPASSWORD
sonar.cluster.es.ssl.truststorePassword / SONAR_CLUSTER_ES_SSL_TRUSTSTOREPASSWORD
For information about the system properties, see Elasticsearch authentication.
Setting up TLS encryption
TLS encryption is used to secure the HTTP traffic between clients (application nodes) and Elasticsearch (search nodes). If Elasticsearch authentication is enabled, you can set up TLS encryption.
You must restart the cluster to apply the changes.
On each application node and each search node, set the path to elastic-stack-ca.p12 in the following system properties:
sonar.cluster.es.http.ssl.keystore / SONAR_CLUSTER_ES_HTTP_SSL_KEYSTORE
sonar.cluster.es.http.ssl.keystorePassword / SONAR_CLUSTER_ES_HTTP_SSL_KEYSTOREPASSWORD
For information about the properties, see TLS encryption.
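A consistency check to run before restarting the cluster, covering the settings from Step 2 and from the TLS encryption section. This is an added example, not SonarQube code. It assumes each node's system properties and environment variables have been collected into dictionaries; the node names, role labels, file path and values are constructed.

```python
# Added example, not SonarQube code. Node names, roles and values are constructed.
PASSWORD = "sonar.cluster.search.password"
SEARCH_TLS = [  # Step 2: required on every search node
    "sonar.cluster.es.ssl.keystore", "sonar.cluster.es.ssl.truststore",
    "sonar.cluster.es.ssl.keystorePassword",
    "sonar.cluster.es.ssl.truststorePassword"]
HTTP_TLS = [  # TLS encryption: required on application and search nodes
    "sonar.cluster.es.http.ssl.keystore",
    "sonar.cluster.es.http.ssl.keystorePassword"]

def setting(node, key):
    """Value of the system property or of its environment variable form
    (upper case, dots replaced by underscores), as paired on this page."""
    env_name = key.upper().replace(".", "_")
    return node.get("props", {}).get(key) or node.get("env", {}).get(env_name)

def check_cluster(nodes):
    """nodes: {name: {"role": "search" | "application", "props": {}, "env": {}}}.
    Returns a list of findings; an empty list means the settings are consistent."""
    findings = []
    passwords = {name: setting(node, PASSWORD) for name, node in nodes.items()}
    auth = any(passwords.values())
    http_tls = any(setting(n, k) for n in nodes.values() for k in HTTP_TLS)
    if http_tls and not auth:  # the page makes authentication a prerequisite
        findings.append("HTTP TLS is configured but authentication is not enabled")
    if len({p for p in passwords.values() if p}) > 1:
        findings.append(f"{PASSWORD} is not identical on all nodes")
    for name, node in sorted(nodes.items()):
        required = [PASSWORD] if auth else []
        if auth and node["role"] == "search":
            required += SEARCH_TLS
        if http_tls:
            required += HTTP_TLS
        findings += [f"{name}: {key} is not set"
                     for key in required if not setting(node, key)]
    return findings

# Constructed sample: app1 has a mistyped password, search1 lacks a truststore password.
P12 = "/opt/sonarqube/conf/elastic-stack-ca.p12"  # hypothetical path
SAMPLE = {
    "search1": {"role": "search", "props": {
        PASSWORD: "s3cret", "sonar.cluster.es.ssl.keystore": P12,
        "sonar.cluster.es.ssl.truststore": P12,
        "sonar.cluster.es.ssl.keystorePassword": "changeit"}},
    "app1": {"role": "application",
             "env": {"SONAR_CLUSTER_SEARCH_PASSWORD": "s3cret-typo"}},
}
if __name__ == "__main__":
    print("\n".join(check_cluster(SAMPLE)))
```

When a setting is present both as a system property and as an environment variable, the check only confirms that one of them is non-empty; it does not model which one SonarQube prefers.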