92 lines
3.3 KiB
Plaintext
92 lines
3.3 KiB
Plaintext
[[manually-configure-security]]
|
|
== Manually configure security
|
|
++++
|
|
<titleabbrev>Configure security</titleabbrev>
|
|
++++
|
|
|
|
Security needs vary depending on whether you're developing locally on your
|
|
laptop or securing all communications in a production environment. Because
|
|
security needs vary, the following scenarios provide options for configuring
|
|
the Elastic Stack.
|
|
|
|
Each subsequent scenario builds on the previous one so that you can add
|
|
additional security by building on the existing layer.
|
|
|
|
These scenarios don't cover every situation, but provide a framework for
|
|
securing {es} and the Elastic Stack based on typical use cases.
|
|
|
|
NOTE: If you want to enable security by default when you start {es} for the
|
|
first time without manually configuring security, refer to
|
|
<<configuring-stack-security,Starting the Elastic Stack with security enabled>>.
|
|
|
|
image::images/elastic-security-overview.png[Elastic Security layers]
|
|
|
|
|
|
[discrete]
|
|
[[security-minimal-overview]]
|
|
=== Minimal security ({es} Development)
|
|
|
|
If you want to set up {es} on your laptop and start developing, this scenario
|
|
is for you. This configuration prevents unauthorized access to your local
|
|
cluster by setting up passwords for the built-in users. You also configure
|
|
password authentication for {kib}.
|
|
|
|
// tag::minimal-security-note[]
|
|
IMPORTANT: The minimal security scenario is not sufficient for
|
|
<<dev-vs-prod-mode,production mode>> clusters. If your cluster has multiple
|
|
nodes, you must enable minimal security and then
|
|
<<security-basic-setup,configure Transport Layer Security (TLS)>> between
|
|
nodes.
|
|
|
|
// end::minimal-security-note[]
|
|
|
|
<<security-minimal-setup,Set up minimal security>>
|
|
|
|
[discrete]
|
|
[[security-basic-overview]]
|
|
=== Basic security ({es} Production)
|
|
|
|
This scenario builds on the minimal security requirements by adding transport
|
|
Layer Security (TLS) for communication between nodes. This additional layer
|
|
requires that nodes verify security certificates, which prevents unauthorized
|
|
nodes from joining your {es} cluster.
|
|
|
|
Your external HTTP traffic between {es} and {kib} won't be encrypted, but
|
|
internode communication will be secured.
|
|
|
|
<<security-basic-setup,Set up basic security>>
|
|
|
|
[discrete]
|
|
[[security-basic-https-overview]]
|
|
=== Basic security plus secured HTTPS traffic (Elastic Stack)
|
|
|
|
This scenario builds on the one for basic security and secures all HTTP
|
|
traffic with TLS. In addition to configuring TLS on the transport interface of
|
|
your {es} cluster, you configure TLS on the HTTP interface for both
|
|
{es} and {kib}.
|
|
|
|
NOTE: If you need mutual (bidirectional) TLS on the HTTP layer, then you'll
|
|
need to configure mutual authenticated encryption.
|
|
|
|
You then configure {kib} and Beats to communicate with
|
|
{es} using TLS so that all communications are encrypted. This level
|
|
of security is strong, and ensures that any communications in and out of your
|
|
cluster are secure.
|
|
|
|
<<security-basic-setup-https,Set up basic security plus HTTPS traffic>>
|
|
|
|
include::securing-communications/security-minimal-setup.asciidoc[]
|
|
|
|
include::securing-communications/security-basic-setup.asciidoc[]
|
|
|
|
include::securing-communications/security-basic-setup-https.asciidoc[]
|
|
|
|
include::securing-communications/configuring-tls-docker.asciidoc[]
|
|
|
|
include::securing-communications/enabling-cipher-suites.asciidoc[]
|
|
|
|
include::securing-communications/tls-versions-jdk.asciidoc[]
|
|
|
|
include::reference/files.asciidoc[]
|
|
|
|
include::fips-140-compliance.asciidoc[] |