Update installing-stack-demo-secure.asciidoc (#2707) (#2711)
* Update installing-stack-demo-secure.asciidoc

Added all the steps to configure https between Kibana and the browser, as well as creating and using an encryption key for Kibana sessions.

* A few super small updates

---------

Co-authored-by: David Kilfoyle <[email protected]>
(cherry picked from commit b5d9f80)

Co-authored-by: eric-cobb <[email protected]>
mergify[bot] and eric-cobb authored May 6, 2024
1 parent 6ccca30 commit bf9608f
Showing 1 changed file with 74 additions and 3 deletions.
77 changes: 74 additions & 3 deletions docs/en/install-upgrade/installing-stack-demo-secure.asciidoc
Expand Up @@ -552,9 +552,9 @@ sudo systemctl status elasticsearch.service

[discrete]
[[install-stack-demo-secure-kib-es]]
== Step 5: Generate a certificate for {kib} to access {es}
== Step 5: Generate server-side and client-side certificates for {kib}

Now that the transport and HTTP layers are configured with encryption using the new certificates, we'll set up certificates for encryption between {kib} and {es}. For additional details about any of these steps, refer to {kibana-ref}/elasticsearch-mutual-tls.html[Mutual TLS authentication between {kib} and {es}].
Now that the transport and HTTP layers are configured with encryption using the new certificates, there are two more tasks that must be accomplished for end-to-end connectivity to {es}: Set up certificates for encryption between {kib} and {es}, and between the client browser and {kib}. For additional details about any of these steps, refer to {kibana-ref}/elasticsearch-mutual-tls.html[Mutual TLS authentication between {kib} and {es}] and {ref}/security-basic-setup-https.html#encrypt-kibana-browser[Encrypt traffic between your browser and {kib}].

. In Step 3, when you generated a new certificate for the HTTP layer, the process created an archive `elasticsearch-ssl-http.zip`.
+
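Review bot: In the new intro sentence, "Set up certificates for encryption between {kib} and {es}" follows a colon inside the same sentence and should start lowercase ("set up certificates ... and between the client browser and {kib}"). Also, the new heading promises "server-side and client-side certificates for {kib}" but the body never says which certificate is which; a short clause such as "a client certificate for {kib} to connect to {es}, and a server certificate for browser connections to {kib}" would tie the heading to the two tasks the paragraph lists.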
Expand All @@ -581,6 +581,75 @@ sudo systemctl stop kibana.service
elasticsearch.ssl.certificateAuthorities: [/etc/kibana/elasticsearch-ca.pem]
----

. Log in to the first Elasticsearch node and use the certificate utility to generate a certificate bundle for the Kibana server. This certificate will be used to encrypt the traffic between Kibana and the client's browser. In the command, replace <DNS name> and <IP address> with the name and IP address of your Kibana server host:
+
["source","shell"]
----
sudo /usr/share/elasticsearch/bin/elasticsearch-certutil cert --name kibana-server --ca-cert /etc/elasticsearch/certs/ca/ca.crt --ca-key /etc/elasticsearch/certs/ca/ca.key --dns <DNS name> --ip <IP address> --pem
----
+
When prompted, specify a unique name for the output file, such as `kibana-cert-bundle.zip`.

. Copy the generated archive over to your Kibana host and unpack it:
+
["source","shell"]
----
sudo unzip kibana-cert-bundle.zip
----
+
The unpacked archive will create a directory, `kibana-server`, containing the new {kib} key and certificate:
+
["source","shell"]
----
ls -l kibana-server/
total 8
-rw-r--r--. 1 root root 1208 May 3 16:08 kibana-server.crt
-rw-r--r--. 1 root root 1675 May 3 16:08 kibana-server.key
----

. Copy the certificate and key into `/etc/kibana`:
+
["source","shell"]
----
sudo cp kibana-server.crt /etc/kibana/
sudo cp kibana-server.key /etc/kibana/
----

. Update the permissions on the certificate files to ensure that they’re readable. From inside the `/etc/kibana` directory, run:
+
["source","shell"]
----
sudo chmod 640 *.crt
sudo chmod 640 *.key
----

. Open `/etc/kibana/kibana.yml` and make the following changes:
+
["source","sh",subs="attributes"]
----
server.ssl.certificate: /etc/kibana/kibana-server.crt
server.ssl.key: /etc/kibana/kibana-server.key
server.ssl.enabled: true
----
+
Keep the file open for the next step.

. To ensure that {kib} sessions are not invalidated, set up an encryption key by assigning any string of 32 characters or longer to the `xpack.security.encryptionKey` setting (this string will be configured in `kibana.yml` and does not need to be remembered). To generate a random string, you can use the following bash commands:
+
["source","shell"]
----
cat /dev/urandom | tr -dc 'a-z0-9' | fold -w 32 | head -n 1
----
+
Using your own string or the output of the above command sequence, add the encryption key setting to `/etc/kibana/kibana.yml`:
+
["source","sh",subs="attributes"]
----
xpack.security.encryptionKey: previously_create_string
----
+
Save and close the file.

. Restart the {kib} service:
+
["source","shell"]
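Review bot: The permissions step (`sudo chmod 640 *.crt` / `sudo chmod 640 *.key`) does not do what the text claims ("ensure that they're readable"): the files were placed with `sudo cp`, and the `ls -l` output earlier in the hunk shows them owned by `root root`, so mode 640 leaves them readable only by root, and the Kibana service, which runs as the unprivileged `kibana` user, will fail to open the key once `server.ssl.enabled: true` is set. Add an ownership step next to the chmod, for example `sudo chown root:kibana /etc/kibana/kibana-server.crt /etc/kibana/kibana-server.key`, so that the group bit in 640 is what grants the read. Two smaller points: the placeholder `xpack.security.encryptionKey: previously_create_string` has a typo and reads like a literal value, so `<your 32+ character string>` would match the `<DNS name>` / `<IP address>` convention used earlier in the hunk; and the two `kibana.yml` fragments are tagged `["source","sh",subs="attributes"]` although they are YAML, so `"yaml"` would highlight them correctly.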
Expand All @@ -606,7 +675,9 @@ tail -f /var/log/kibana/kibana.log
+
In the log file you should find a `Kibana is now available` message.

. Open a web browser to the external IP address of the Kibana host machine: `https://<kibana-host-address>:5601``. Note that the URL should use `https` and not `http`.
. You should now have an end-to-end ecnrypted deployment with {es} and {kib} that provides encryption between both the cluster nodes and {kib}, and HTTPS access to {kib}.
+
Open a web browser to the external IP address of the Kibana host machine: `https://<kibana-host-address>:5601`. Note that the URL should use the `https` and not the `http` protocol.

. Log in using the `elastic` user and password that you configured in Step 1 of <<installing-stack-demo-self>>.

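Review bot: Typo in the new summary line: "ecnrypted" should be "encrypted". Otherwise the hunk reads well, and moving the browser URL into the `+` continuation paragraph also drops the stray trailing backtick that the old line had after `5601`.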