Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Transport SSL must be enabled if security is enabled on a [basic] license

I have installed Elasticsearch 7.1 on Ubuntu. I want to password protect the cluster, so I have set: xpack.security.enabled: true in elasticsearch.yml file. Now when I restart Elasticsearch I get the message:

Transport SSL must be enabled if security is enabled on a [basic] license. Please set [xpack.security.transport.ssl.enabled] to [true] or disable security by setting [xpack.security.enabled]

I am using the basic license. I have seen this guide which explains how to use elasticsearch-certutil to install SSL certificates on the nodes.

Questions:

  1. Is it possible to password protect the cluster without setting xpack.security.transport.ssl.enabled to true?

  2. If I have the guide mentioned above and install SSL certifiactes on elasticsearch cluster, do I need any ssl certificate on my webserver? I don't want the communication between the web server and elasticsearch to use SSL.

like image 945
Hooman Bahreini Avatar asked May 26 '19 23:05

Hooman Bahreini


People also ask

What does Xpack security enabled do?

You configure xpack. security settings to enable anonymous access and perform message authentication, set up document and field level security, configure realms, encrypt communications with SSL,and audit security events. All of these settings can be added to the elasticsearch.

What is SSL enabled server?

SSL (Secure Sockets Layer) is a transaction security standard that provides encrypted protection between browsers and App Servers. When SSL is enabled for an App Server, browsers communicate with the App Server by means of an HTTPS connection, which is HTTP over an encrypted Secure Sockets Layer.

What is Xpack security?

X-Pack is an Elastic Stack extension that provides security, alerting, monitoring, reporting, machine learning, and many other capabilities. By default, when you install Elasticsearch, X-Pack is installed.


1 Answers

According to this answer:

For a cluster that is running in production mode with a production license, once security is enabled, transport TLS/SSL must also be enabled. On the other hand, if we are running with a trial license, then transport TLS/SSL is not obligatory.


It's not possible. In production mode, if you want to use any of the xpack security features by enabling (setting xpack.security.enabled = true), then you need to use TLS/SSL certificate.

By default, the web server (and Kibana) can communicate with the cluster without any TLS/SSL certificate (The certificate is used for communication within ES nodes). If you do want to use TLS/SSL between the cluster and your web server, then you need to set xpack.security.http.ssl.enabled which is set to false by default.

like image 157
Hooman Bahreini Avatar answered Sep 20 '22 22:09

Hooman Bahreini