5.1.10.3. Elastic Stack Certificates Configuration
Since communication between Elastic stack nodes is usually carried out over the network, it is possible to implement the TLS protocol through certificates to secure said connection.
In order to keep the information that is sent between the nodes of the system secure, it is advisable to send said information through encrypted channels.
There are two main communication channels between the Filebeat service and the Logstash service that we need to encrypt to keep the information secure: the communications between ON Core, ON Analytics, ON Sensor and VPN Gateway.
The ON Analytics node can have two roles, ON Analytics or ON Aggregator. Since the ON Aggregator role is the one that manages the Logstash service, it is the one that will receive the pertinent modifications.
In this section we will explain how to configure it to ensure that the information sent is encrypted:
5.1.10.3.1. Communications between ON Core, ON Sensor and ON Analytics
5.1.10.3.1.1. ON Analytics
If it does not exist, create the “certs” directory in /etc/logstash/ to store the certificates:
mkdir /etc/logstash/certs
If not installed, install unzip:
dnf install unzip
Create a CA to sign the server certificates:
/usr/share/elasticsearch/bin/elasticsearch-certutil ca --out /etc/logstash/certs/ca.zip --pass <ca.pass> --days <days> --pem
ca.pass: Definition of the password value that the generated CA will have.
days: Number of days of validity of the certificates and the CA. Example: 1095
Note
In some versions of Elasticsearch (such as 7.2.x), warnings like “WARNING: An illegal reflective access operation has occurred” may appear. This notice does not affect the configuration process.
If the client already has certificates signed by a commercial or private CA, that CA could be used to issue the subsequent certificates. In this case, however, we generate a new one with the Elasticsearch tool.
Extract the .zip folder in /etc/logstash/certs/:
unzip /etc/logstash/certs/ca.zip -d /etc/logstash/certs/
Create the ON Aggregator certificate using the CA created above:
/usr/share/elasticsearch/bin/elasticsearch-certutil cert --ca-cert /etc/logstash/certs/ca/ca.crt --ca-key /etc/logstash/certs/ca/ca.key --ca-pass <ca.pass> --name server_onaggregator --dns onaggregator --out /etc/logstash/certs/server_onaggregator.zip --pass <onaggregator.cert.pass> --pem
ca.pass: Password value of the previously generated CA.
onaggregator.cert.pass: Definition of the value of the password that the generated certificate will have.
Extract the files from server_onaggregator.zip in /etc/logstash/certs/:
unzip /etc/logstash/certs/server_onaggregator.zip -d /etc/logstash/certs/
Decrypt the .key file:
openssl rsa -in /etc/logstash/certs/server_onaggregator/server_onaggregator.key -out /etc/logstash/certs/server_onaggregator/server_onaggregator.key -passin pass:<onaggregator.cert.pass>
Convert the rsa file to pkcs8:
openssl pkcs8 -topk8 -inform PEM -outform PEM -nocrypt -in /etc/logstash/certs/server_onaggregator/server_onaggregator.key -out /etc/logstash/certs/server_onaggregator/server_onaggregator_pkcs8.key
Create the ON Sensor certificate using the CA created above:
/usr/share/elasticsearch/bin/elasticsearch-certutil cert --ca-cert /etc/logstash/certs/ca/ca.crt --ca-key /etc/logstash/certs/ca/ca.key --ca-pass <ca.pass> --name client_onsensor --dns onsensor --out /etc/logstash/certs/client_onsensor.zip --pass <onsensor.cert.pass> --pem
ca.pass: Password value of the previously generated CA.
onsensor.cert.pass: Definition of the value of the password that the generated certificate will have.
Extract the files from client_onsensor.zip in /etc/logstash/certs/:
unzip /etc/logstash/certs/client_onsensor.zip -d /etc/logstash/certs/
Decrypt the .key file:
openssl rsa -in /etc/logstash/certs/client_onsensor/client_onsensor.key -out /etc/logstash/certs/client_onsensor/client_onsensor.key -passin pass:<onsensor.cert.pass>
Convert the rsa file to pkcs8:
openssl pkcs8 -topk8 -inform PEM -outform PEM -nocrypt -in /etc/logstash/certs/client_onsensor/client_onsensor.key -out /etc/logstash/certs/client_onsensor/client_onsensor_pkcs8.key
Create the certs folder in ON Sensor remotely:
ssh onsensor 'mkdir /etc/filebeat/certs/'
Send the certificates to the /certs/ folder of ON Sensor:
scp /etc/logstash/certs/ca/ca.crt /etc/logstash/certs/client_onsensor/client_onsensor_pkcs8.key /etc/logstash/certs/client_onsensor/client_onsensor.crt onsensor:/etc/filebeat/certs/
Create the ON Core certificate using the CA created above:
/usr/share/elasticsearch/bin/elasticsearch-certutil cert --ca-cert /etc/logstash/certs/ca/ca.crt --ca-key /etc/logstash/certs/ca/ca.key --ca-pass <ca.pass> --name client_oncore --dns oncore --out /etc/logstash/certs/client_oncore.zip --pass <oncore.cert.pass> --pem
ca.pass: Password value of the previously generated CA.
oncore.cert.pass: Definition of the value of the password that the generated certificate will have.
Extract the files from client_oncore.zip in /etc/logstash/certs/:
unzip /etc/logstash/certs/client_oncore.zip -d /etc/logstash/certs/
Decrypt the .key file:
openssl rsa -in /etc/logstash/certs/client_oncore/client_oncore.key -out /etc/logstash/certs/client_oncore/client_oncore.key -passin pass:<oncore.cert.pass>
Convert the rsa file to pkcs8:
openssl pkcs8 -topk8 -inform PEM -outform PEM -nocrypt -in /etc/logstash/certs/client_oncore/client_oncore.key -out /etc/logstash/certs/client_oncore/client_oncore_pkcs8.key
Create the certs folder in ON Core remotely:
ssh oncore 'mkdir /etc/filebeat/certs/'
Send the certificates to the /certs/ folder of ON Core:
scp /etc/logstash/certs/ca/ca.crt /etc/logstash/certs/client_oncore/client_oncore_pkcs8.key /etc/logstash/certs/client_oncore/client_oncore.crt oncore:/etc/filebeat/certs/
Configure the Logstash of the ON Aggregator by adding the following lines to the file /etc/logstash/conf.d/000_input.conf.
It is important to modify the port number used for the communication between ON Core and ON Analytics. By default it is configured on port 5000, and it has to be changed so that port 5003 is used.
input {
  beats {
    port => 5003
    type => syslog
    client_inactivity_timeout => "600"
    ssl => true
    ssl_certificate_authorities => ["/etc/logstash/certs/ca/ca.crt"]
    ssl_certificate => "/etc/logstash/certs/server_onaggregator/server_onaggregator.crt"
    ssl_key => "/etc/logstash/certs/server_onaggregator/server_onaggregator_pkcs8.key"
    ssl_verify_mode => "force_peer"
  }
  beats {
    port => 5001
    type => beats
    client_inactivity_timeout => "600"
    ssl => true
    ssl_certificate_authorities => ["/etc/logstash/certs/ca/ca.crt"]
    ssl_certificate => "/etc/logstash/certs/server_onaggregator/server_onaggregator.crt"
    ssl_key => "/etc/logstash/certs/server_onaggregator/server_onaggregator_pkcs8.key"
    ssl_verify_mode => "force_peer"
  }
  tcp {
    port => 5002
    type => syslog
  }
}
Restart the Logstash service:
systemctl restart logstash
5.1.10.3.1.2. ON Core
To configure the ON Core Filebeat service, add the following lines to the /etc/filebeat/filebeat.yml file and verify that the Logstash server is defined by its hostname and not by its IP.
As in the ON Analytics Logstash configuration, the port used for the communication must be modified here as well; it must match the one defined in the Logstash service, 5003.
output.logstash:
  hosts: ["onaggregator:5003"]
  ssl.certificate_authorities: ["/etc/filebeat/certs/ca.crt"]
  ssl.certificate: "/etc/filebeat/certs/client_oncore.crt"
  ssl.key: "/etc/filebeat/certs/client_oncore_pkcs8.key"
Restart the Filebeat service:
systemctl restart filebeat
5.1.10.3.1.3. ON Sensor
To configure the ON Sensor Filebeat service, add the following lines to the /etc/filebeat/filebeat.yml file and verify that the Logstash server is defined by its hostname and not by its IP.
output.logstash:
  hosts: ["onaggregator:5001"]
  ssl.certificate_authorities: ["/etc/filebeat/certs/ca.crt"]
  ssl.certificate: "/etc/filebeat/certs/client_onsensor.crt"
  ssl.key: "/etc/filebeat/certs/client_onsensor_pkcs8.key"
Restart the Filebeat service:
systemctl restart filebeat
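A consistency check for the client/server pairing configured in this section, added here as an example and not part of the original documentation: it parses a Logstash beats input and a Filebeat output.logstash fragment and flags the mistakes the section warns about, namely the default port 5000 left in place, the server named by IP instead of hostname, a client without its certificate against a force_peer input, and a Logstash key that was not converted to PKCS#8. The sample configurations are constructed from this page; the 192.0.2.10 address is a placeholder.

```python
import ipaddress
import re
# Constructed sample, cut down from this page: the TLS beats inputs of the ON Aggregator Logstash.
LOGSTASH_INPUT = """
input {
  beats { port => 5003  ssl => true  ssl_verify_mode => "force_peer"
          ssl_key => "/etc/logstash/certs/server_onaggregator/server_onaggregator_pkcs8.key" }
  beats { port => 5001  ssl => true  ssl_verify_mode => "force_peer"
          ssl_key => "/etc/logstash/certs/server_onaggregator/server_onaggregator_pkcs8.key" }
}
"""
# Constructed Filebeat fragments: the ON Core one from this page, and a broken one (default port 5000, server named by IP).
FILEBEAT_ONCORE = """
output.logstash:
  hosts: ["onaggregator:5003"]
  ssl.certificate_authorities: ["/etc/filebeat/certs/ca.crt"]
  ssl.certificate: "/etc/filebeat/certs/client_oncore.crt"
  ssl.key: "/etc/filebeat/certs/client_oncore_pkcs8.key"
"""
FILEBEAT_BAD = 'output.logstash:\n  hosts: ["192.0.2.10:5000"]\n  ssl.certificate_authorities: ["/etc/filebeat/certs/ca.crt"]\n'

def parse_logstash_beats(text):
    """Map each beats {} block to its flat settings, keyed by port (quotes and brackets stripped)."""
    blocks = {}
    for body in re.findall(r"beats\s*\{(.*?)\}", text, re.S):
        settings = {k: v.strip('"[]') for k, v in re.findall(r'(\w+)\s*=>\s*("[^"]*"|\[[^\]]*\]|\S+)', body)}
        blocks[int(settings["port"])] = settings
    return blocks

def check_pair(logstash_text, filebeat_text):
    """Return findings for one Filebeat client against the Logstash inputs; [] means they agree."""
    findings = []
    inputs = parse_logstash_beats(logstash_text)
    fb = {k: v.strip('"[]') for k, v in re.findall(r"^\s*([\w.]+):[ \t]*(.+)$", filebeat_text, re.M)}
    host, _, port = fb.get("hosts", "").partition(":")
    try:  # the server cert was issued for a DNS name (--dns onaggregator), so an IP fails verification
        ipaddress.ip_address(host)
        findings.append(f"hosts uses IP {host}; the server certificate is issued for a hostname")
    except ValueError:
        pass
    inp = inputs.get(int(port)) if port.isdigit() else None
    if inp is None:
        return findings + [f"port {port or '?'} has no beats input on the Logstash side"]
    if inp.get("ssl") != "true" or not inp.get("ssl_key", "").endswith("_pkcs8.key"):
        findings.append(f"beats input on port {port} must set ssl => true with the PKCS#8 converted key")
    if inp.get("ssl_verify_mode") == "force_peer" and not (fb.get("ssl.certificate") and fb.get("ssl.key")):
        findings.append("input demands a client certificate (force_peer) but Filebeat presents none")
    if "ssl.certificate_authorities" not in fb:
        findings.append("Filebeat has no CA to verify the Logstash server certificate")
    return findings
```

Run it with the real files read from /etc/logstash/conf.d/000_input.conf and /etc/filebeat/filebeat.yml on each node before restarting the services.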