Skip to content

Commit

Permalink
Document mutual TLS authentication (PKI) between Kibana and Elasticse…
Browse files Browse the repository at this point in the history 
…arch (#54940)
  • Loading branch information
@jportner
jportner authored Jan 16, 2020
1 parent c8c03e4 commit 0d19b38
Show file tree
Hide file tree
Showing 3 changed files with 123 additions and 0 deletions.
Binary file added docs/user/security/images/mutual-tls-role-mapping.png
View file
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
120 changes: 120 additions & 0 deletions docs/user/security/securing-communications/elasticsearch-mutual-tls.asciidoc
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,120 @@
[role="xpack"]
[[elasticsearch-mutual-tls]]
=== Mutual TLS authentication between {kib} and {es}
++++
<titleabbrev>Mutual TLS with {es}</titleabbrev>
++++

In a standard Transport Layer Security (TLS/SSL) configuration, the server presents a signed certificate to authenticate itself to the
client. In a mutual TLS configuration, the client also presents a signed certificate to authenticate itself to the server.

When {security} is enabled on your cluster, each request that {kib} makes to {es} must be authenticated. Most requests made through {kib} to
{es} are authenticated by using the credentials of the logged-in user. There are, however, a few internal requests that the {kib} server
needs to make to the {es} cluster. For this reason, you must configure credentials for the {kib} server to use for those requests.

If {kib} has `elasticsearch.username` and `elasticsearch.password` configured, it will attempt to use these to authenticate to {es} via the
{ref}/native-realm.html[Native realm]. However, {kib} also supports mutual TLS authentication with {es} via a {ref}/pki-realm.html[Public
Key Infrastructure (PKI) realm]. To do so, {es} needs to verify the signature on the {kib} client certificate, and it also needs to map the
certificate's distinguished name (DN) to the appropriate `kibana_system` role.

NOTE: Using a PKI realm is a gold feature. For a comparison of the Elastic license levels, see https://www.elastic.co/subscriptions[the
subscription page].

To configure {kib} and {es} to use mutual TLS authentication:

. <<using-kibana-with-security,Set up {kib} to work with {security}>> with a username and password.

. <<configuring-tls-kib-es,Set up TLS encryption between {kib} and {es}>>. At a minimum, this requires a server certificate for {es}.

. Create a client certificate and private key for {kib} to use when connecting to {es}.
+
--
NOTE: This is not the same as the <<configuring-tls-browser-kib,server certificate>> that {kib} will present to web browsers.

You may choose to generate a certificate and private key using {ref}/certutil.html[the {es} certutil tool]. At this point, you will have
already set up a certificate authority (CA) to sign the {es} server certificate. You may choose to use the same CA to sign the {kib} client
certificate. You would do this like so:

[source,sh]
--------------------------------------------------------------------------------
bin/elasticsearch-certutil cert -ca elastic-stack-ca.p12 -name kibana-client
--------------------------------------------------------------------------------

This will generate a certificate and private key in a PKCS #12 keystore named `kibana-client.p12`. The certificate has a Common Name (CN) of
"kibana-client".

You will also need to use the CA certificate when setting up the PKI realm in {es}. While you could use the CA keystore in the above example
for this purpose, it is bad practice to expose the CA's private key in such a manner. Instead, you can extract the CA certificate (without
its private key) like so:

[source,sh]
--------------------------------------------------------------------------------
openssl pkcs12 -in kibana-client.p12 -cacerts -nokeys -out ca.crt
--------------------------------------------------------------------------------
--

. Configure a PKI realm and a Native realm in your {es} cluster:
+
--
By default, {es} provides a Native realm. However, to support both a PKI realm (for {kib}) and a Native realm (for end users), you must
configure each realm in `elasticsearch.yml`:

[source,yaml]
--------------------------------------------------------------------------------
xpack.security.authc.realms.pki.realm1.order: 1
xpack.security.authc.realms.pki.realm1.certificate_authorities: "/path/to/ca.crt"
xpack.security.authc.realms.native.realm2.order: 2
--------------------------------------------------------------------------------

--

. Configure your {es} cluster to request client certificates:
+
--
By default, {es} will not request a client certificate when establishing a TLS connection. To change this, you must set up optional client
certificate authentication in `elasticsearch.yml`:

[source,yaml]
--------------------------------------------------------------------------------
xpack.security.http.ssl.client_authentication: "optional"
--------------------------------------------------------------------------------
--

. Restart your {es} cluster.

. Use {kib} to create a <<role-mappings,role mapping>> for your new client certificate:
+
--
This role mapping will assign the `kibana_system` role to any user that matches the included mapping rule, which is set to equal the client
certificate's DN attribute:

[role="screenshot"]
image:user/security/images/mutual-tls-role-mapping.png["Role mapping for the {kib} client certificate"]
--

. Configure {kib} to use the client certificate:
+
--
Assuming you used the {es} certutil tool to generate a certificate and private key in a PKCS #12 keystore, add the following values to
`kibana.yml`:

[source,yaml]
--------------------------------------------------------------------------------
elasticsearch.ssl.keystore.path: "/path/to/kibana-client.p12"
elasticsearch.ssl.keystore.password: "decryption password"
--------------------------------------------------------------------------------

The decryption password should match what you entered when prompted by the {es} certutil tool.

You must also remove the `elasticsearch.username` and `elasticsearch.password` values from the configuration file. Otherwise, {kib} will
attempt to use those to authenticate via the Native realm.

TIP: Alternatively, {kib} also supports using a client certificate and private key in PEM format with the `elasticsearch.ssl.certificate`
and `elasticsearch.ssl.key` settings. For more information, see <<settings,{kib} configuration settings>>.
--

. Restart {kib}.

NOTE: The steps above enable {kib} to authenticate to {es} using a certificate. However, end users will only be able to authenticate to
{kib} with a username and password. To allow end users to authenticate to {kib} using certificates, see <<pki-authentication,{kib} PKI
authentication>>.
3 changes: 3 additions & 0 deletions docs/user/security/securing-kibana.asciidoc
View file
Original file line number Diff line number Diff line change
Expand Up @@ -88,6 +88,8 @@ xpack.security.session.lifespan: "8h"

. Optional: <<configuring-tls,Configure {kib} to encrypt communications>>.

. Optional: <<elasticsearch-mutual-tls,Configure {kib} to authenticate to {es} with a client certificate>>.

. Restart {kib}.

. [[kibana-roles]]Choose an authentication mechanism and grant users the privileges they need to
Expand Down Expand Up @@ -141,4 +143,5 @@ NOTE: This must be a user who has been assigned <<kibana-privileges, Kibana priv

include::authentication/index.asciidoc[]
include::securing-communications/index.asciidoc[]
include::securing-communications/elasticsearch-mutual-tls.asciidoc[]
include::audit-logging.asciidoc[]

0 comments on commit 0d19b38

Please sign in to comment.