Securing Elasticsearch 6.1 with X-Pack

Elasticsearch 6.1 is EOL as of June 13, 2019. If possible, install Elastic stack 6.5 products.

X-Pack is an Elastic extension for securing and monitoring Elasticsearch clusters. If you use Elasticsearch, you should secure it with X-Pack. The security features of X-Pack include authenticating access to the Elasticsearch cluster’s data and encrypting Elasticsearch’s internal and external communications. These are necessary security features for most production systems. A Liferay Enterprise Search subscription gets you access to both monitoring and security. Contact Liferay’s Sales department for more information.

Here’s an overview of using X-Pack to secure the data indexed in Elasticsearch:

  1. Get an Enterprise Search subscription.

  2. Install X-Pack into Elasticsearch and configure it to require authentication and encryption.

  3. Download and install the Liferay Enterprise Search Security app.

  4. Configure the Liferay Enterprise Search Security app with the proper credentials and encryption information.

  5. Restart Elasticsearch. These steps require a full cluster restart.

Following these instructions gives you a basic working installation of Elasticsearch communicating freely with Liferay DXP, but read Elastic’s documentation to learn about additional configuration options, features, and the architecture of X-Pack.

Installing X-Pack

  1. To install X-Pack and automatically grant it the required permissions (recommended), run

    bin/elasticsearch-plugin install x-pack --batch
    

    on each cluster node. The --batch option bypasses installation prompts for granting permissions to X-Pack.

    You’ll see log output detailing the permissions granted, finishing with Installed x-pack:

    -> Downloading x-pack from elastic
    [=================================================] 100%   
    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    @     WARNING: plugin requires additional permissions     @
    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    * java.io.FilePermission \\.\pipe\* read,write
    * java.lang.RuntimePermission accessClassInPackage.com.sun.activation.registries
    * java.lang.RuntimePermission getClassLoader
    * java.lang.RuntimePermission setContextClassLoader
    * java.lang.RuntimePermission setFactory
    * java.net.SocketPermission * connect,accept,resolve
    * java.security.SecurityPermission createPolicy.JavaPolicy
    * java.security.SecurityPermission getPolicy
    * java.security.SecurityPermission putProviderProperty.BC
    * java.security.SecurityPermission setPolicy
    * java.util.PropertyPermission * read,write
    See http://docs.oracle.com/javase/8/docs/technotes/guides/security/permissions.html
    for descriptions of what these permissions allow and the associated risks.
    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    @        WARNING: plugin forks a native controller        @
    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    This plugin launches a native controller that is not subject to the Java
    security manager nor to system call filters.
    Elasticsearch keystore is required by plugin [x-pack], creating...
    -> Installed x-pack
    

    See more about the permissions X-Pack needs here.

  2. Make sure Elasticsearch does not allow the automatic creation of indexes. If you’re unsure, check elasticsearch.yml for this property:

    action.auto_create_index: false
    

    This property is true by default, so if you don’t see it in elasticsearch.yml, there’s nothing to worry about. See Elastic’s documentation for more information on automatic index creation.

  3. Restart Elasticsearch.

Once X-Pack is installed, configure its built-in user passwords.

Setting Up X-Pack Users

In a system using X-Pack Security and X-Pack Monitoring, two of the built-in X-Pack users are important: kibana and elastic.

Set the passwords for all of X-Pack’s built-in users. The setup-passwords command is the simplest way to set the built-in users’ passwords for the first time. To update a password subsequently, use Kibana’s UI or the Change Password API.

The interactive argument lets you set the passwords for all built-in users. The configuration shown in these articles assumes you set all of the passwords to liferay. Of course, that’s not recommended for production systems.

./bin/x-pack/setup-passwords interactive

See Elastic’s documentation on the setup-passwords command for additional options.

Since you’re securing Elasticsearch, make sure you keep track of the password set for the elastic user.

We recommend enabling transport layer security on each node.

Enabling Transport Layer Security

The following instructions for enabling TLS use liferay as the password whenever one is needed. Customize these as appropriate for your installation.

Generate Node Certificates

Generate a node certificate for each node. You can, of course, use a Certificate Authority to obtain node certificates.

  1. Create a certificate authority, using X-Pack’s certutil command:

    ./bin/x-pack/certutil ca --pem --ca-dn CN=localhost
    

    This generates a ZIP file. Unzip the contents somewhere safe.

  2. Generate X.509 certificates and private keys using the CA from Step 1. For example:

    ./bin/x-pack/certutil cert --pem --ca-cert /path/to/ca.crt --ca-key /path/to/ca.key --dns localhost --ip 127.0.0.1 --name localhost
    

    This generates another ZIP file. Extract the contents somewhere in the Elasticsearch Home/config folder.

Enable TLS

Enable TLS on each node via its elasticsearch.yml.

  1. Add the certificate, key and certificate authority paths to each node’s elasticsearch.yml:

    xpack.ssl.certificate: /path/to/[Elasticsearch Home]/config/localhost.crt
    xpack.ssl.key: /path/to/[Elasticsearch Home]/config/localhost.key
    xpack.ssl.certificate_authorities: ["/path/to/ca.crt"]
    

    The example paths above assume you added the certificate to Elasticsearch Home/config/.

  2. Enable transport layer TLS with these settings in elasticsearch.yml:

    xpack.security.transport.ssl.enabled: true
    xpack.security.transport.ssl.verification_mode: certificate
    
  3. Enable TLS on the HTTP layer to encrypt client communication:

    xpack.security.http.ssl.enabled: true
    

After X-Pack is installed and TLS is enabled, configure the LES Security app in Liferay DXP.

Install and Configure the Liferay Enterprise Search Security app

If you have a Liferay Enterprise Search subscription, download the Liferay Enterprise Search Security app. Install the LPKG file by copying it into the Liferay Home/deploy folder. That’s all there is to it.

To configure security, navigate to Control Panel → Configuration → System Settings. Find the Foundation category and click on the X-Pack Security entry. You can enter the property values here, but it’s more common to use a configuration file deployed to Liferay Home/osgi/configs. Create a file called

com.liferay.portal.search.elasticsearch6.xpack.security.internal.configuration.XPackSecurityConfiguration.config

The exact contents of the file depend on your X-Pack setup. To configure the adapter according to the Elasticsearch setup documented here, populate the file with these contents:

sslKeyPath="/path/to/localhost.key"
sslCertificatePath="/path/to/localhost.crt"
certificateFormat="PEM"
requiresAuthentication="true"
username="elastic"
password="GqhoaEUyTM@tp1*wQd~F"
sslCertificateAuthoritiesPaths="/path/to/ca.crt"
transportSSLVerificationMode="certificate"
transportSSLEnabled="true"

The certificate and key files referenced here are the same ones used on the Elasticsearch server. Copy them to the Liferay DXP server and update their paths in the configuration accordingly.

Enable authentication by setting authentication to required and providing the credentials for the Elasticsearch user. For SSL, enable transport SSL, set the certificate verification mode and certificate format, and provide the path to the certificate, key, and certificate authority. Of course, the exact values will differ if you configured X-Pack differently.
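
As an added example (not part of the original article, and not Liferay’s or Elastic’s code), this Python check compares the elasticsearch.yml settings from the Enable TLS steps with the Liferay .config file above and reports missing settings, mismatches between the two sides, and a password left at the tutorial value liferay. It assumes flat key: value and key="value" lines as shown on this page; audit, parse_flat and the sample paths are names constructed for the example.

```python
REQUIRED_ES = {  # elasticsearch.yml setting -> value this page uses (None = any)
    "xpack.ssl.certificate": None,
    "xpack.ssl.key": None,
    "xpack.ssl.certificate_authorities": None,
    "xpack.security.transport.ssl.enabled": "true",
    "xpack.security.transport.ssl.verification_mode": "certificate",
    "xpack.security.http.ssl.enabled": "true",
}
MUST_MATCH = {  # Liferay option -> elasticsearch.yml setting it must agree with
    "transportSSLEnabled": "xpack.security.transport.ssl.enabled",
    "transportSSLVerificationMode": "xpack.security.transport.ssl.verification_mode",
}

def parse_flat(text, sep):
    """Return {key: value} from flat lines, skipping blanks and # comments."""
    pairs = {}
    for line in map(str.strip, text.splitlines()):
        if line and not line.startswith("#") and sep in line:
            key, value = line.split(sep, 1)
            pairs[key.strip()] = value.strip().strip('"')
    return pairs

def audit(es_yml, liferay_config):
    """Return a list of findings; an empty list means both sides agree."""
    es, lr = parse_flat(es_yml, ":"), parse_flat(liferay_config, "=")
    findings = []
    for key, want in REQUIRED_ES.items():
        got = es.get(key, "")
        if not got:
            findings.append(f"elasticsearch.yml: {key} is not set")
        elif want and got.lower() != want:
            findings.append(f"elasticsearch.yml: {key} is {got}, expected {want}")
    for option, key in MUST_MATCH.items():
        if lr.get(option, "").lower() != es.get(key, "").lower():
            findings.append(f"Liferay: {option} does not match {key}")
    if lr.get("requiresAuthentication", "").lower() != "true":
        findings.append("Liferay: requiresAuthentication is not true")
    if lr.get("password", "") in ("", "liferay"):
        findings.append("Liferay: password is empty or the tutorial value")
    return findings

# Constructed sample input: HTTP-layer TLS left out, tutorial password kept.
SAMPLE_ES = """xpack.ssl.certificate: /constructed/config/localhost.crt
xpack.ssl.key: /constructed/config/localhost.key
xpack.ssl.certificate_authorities: ["/constructed/config/ca.crt"]
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate"""
SAMPLE_LIFERAY = ('requiresAuthentication="true"\npassword="liferay"\n'
                  'transportSSLEnabled="true"\ntransportSSLVerificationMode="certificate"')
print("\n".join(audit(SAMPLE_ES, SAMPLE_LIFERAY)))
```

Run it against each node’s elasticsearch.yml and the deployed .config file before the full cluster restart; an empty result means the node and the Liferay side agree on the settings this page configures.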

Here’s the complete list of configuration options for the LES Security app:

  • sslKeyPath
  • sslCertificatePath
  • sslCertificateAuthoritiesPaths
  • certificateFormat
  • requiresAuthentication
  • username
  • password
  • transportSSLVerificationMode
  • transportSSLEnabled
  • sslKeystorePath
  • sslKeystorePassword
  • sslTruststorePath
  • sslTruststorePassword

When you’re finished configuring X-Pack Security, restart Elasticsearch. These steps require a full cluster restart.
