
Configuring a secure connection between Elasticsearch and Cassandra

Prerequisites

  • Elasticsearch must be installed.
  • Cassandra must be installed.

Process overview

  1. Make Elasticsearch accessible from another host by setting network.host: <host name> in the config/elasticsearch.yml file.
  2. Install the SearchGuard plugin for Elasticsearch.
  3. Install certificates.
  4. Configure Elasticsearch.
  5. Provide the Cassandra index with the Elasticsearch credentials.
  6. Configure UCS to use the secured port.
  7. Restart everything.

Install the SearchGuard plugin for Elasticsearch

  1. Download the SearchGuard plugin using the information on this page.
  2. Install the plugin using this command:
bin/elasticsearch-plugin install -b com.floragunn:search-guard-6:6.2.4-23.0

The version of the plugin must match the version of Elasticsearch. Refer to the compatibility matrix.


Install certificates

Install real certificates into the <elasticsearch installation dir>/config folder.

Configure Elasticsearch

Add the following minimal SearchGuard configuration to the elasticsearch.yml file:

searchguard.ssl.transport.pemcert_filepath: esnode.pem
searchguard.ssl.transport.pemkey_filepath: esnode-key.pem
searchguard.ssl.transport.pemtrustedcas_filepath: root-ca.pem
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.http.enabled: true
searchguard.ssl.http.pemcert_filepath: esnode.pem
searchguard.ssl.http.pemkey_filepath: esnode-key.pem
searchguard.ssl.http.pemtrustedcas_filepath: root-ca.pem
searchguard.allow_unsafe_democertificates: true
searchguard.allow_default_init_sgindex: true
searchguard.authcz.admin_dn:
 - CN=kirk,OU=client,O=client,L=test,C=de
searchguard.enable_snapshot_restore_privilege: true
searchguard.check_snapshot_restore_write_privileges: true
searchguard.restapi.roles_enabled: ["sg_all_access"]
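
A check for the configuration above, as an added example that is not part of the original page or of SearchGuard: it reads elasticsearch.yml and reports the settings that conflict with installing real certificates (demo certificates allowed, transport hostname verification off, the sample admin DN left in place). The function names yaml_value and audit_searchguard are assumptions made for this example.

```shell
#!/bin/sh
# Added example: audit elasticsearch.yml for the settings shown on this page.
# Function names are illustrative; this is not SearchGuard tooling.

# yaml_value FILE KEY: print the lower-cased scalar of a flat "key: value" line.
yaml_value() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }                        # skip comment lines
        {
            pos = index($0, ":"); if (pos == 0) next
            k = substr($0, 1, pos - 1); gsub(/[ \t]/, "", k)
            if (k != key) next
            v = substr($0, pos + 1)
            sub(/[ \t]+#.*$/, "", v)               # drop a trailing comment
            gsub(/^[ \t\r"]+|[ \t\r"]+$/, "", v)   # trim blanks and quotes
            val = tolower(v)
        }
        END { print val }
    ' "$1"
}

# audit_searchguard FILE: print one finding per line; return 1 if any were found.
audit_searchguard() {
    f=$1; rc=0
    if [ "$(yaml_value "$f" searchguard.ssl.http.enabled)" != "true" ]; then
        echo "FAIL searchguard.ssl.http.enabled is not true: REST port is not served over TLS"; rc=1
    fi
    if [ "$(yaml_value "$f" searchguard.allow_unsafe_democertificates)" = "true" ]; then
        echo "WARN demo certificates are allowed although real certificates are required"; rc=1
    fi
    if [ "$(yaml_value "$f" searchguard.ssl.transport.enforce_hostname_verification)" = "false" ]; then
        echo "WARN transport hostname verification is disabled"; rc=1
    fi
    # The DN below is the sample value shown on this page.
    if grep -Eq '^[[:space:]]*-[[:space:]]*CN=kirk,OU=client,O=client,L=test,C=de' "$f"; then
        echo "WARN admin_dn lists the sample DN: use the subject of your own admin certificate"; rc=1
    fi
    return "$rc"
}

# Usage: sh audit.sh <elasticsearch installation dir>/config/elasticsearch.yml
if [ "$#" -gt 0 ]; then audit_searchguard "$1"; fi
```

Run against the configuration exactly as listed above, it reports three warnings; a non-zero exit status makes it usable as a pre-deployment gate.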


Provide the Cassandra index with the Elasticsearch credentials

To provide the Cassandra index for Elasticsearch with credentials, each node must have the environment variable ESCREDENTIALS correctly set before starting. This must be set on all Cassandra hosts, but is not needed on UCS hosts.

The example below provides the user 'elastic' and the password 'examplepassword', separated by a colon (:) character. The variable can be set either directly in the system as an environment variable or in the shortcut that launches Cassandra.

ESCREDENTIALS=elastic:examplepassword

Once the index is successfully initialized, it writes "Elasticsearch credentials provided" to the Cassandra logs at the INFO level. Once this message is output, it is possible to clear the environment variable. If Cassandra is restarted, the environment variable must be set again before restarting. The credentials are kept in memory only and are not saved anywhere else. If the user and/or password is changed, all Cassandra nodes must be restarted with the updated environment variable value.

Configure UCS to use the secured port

In the options of UCS, set the following:

elasticsearch/unicast-hosts = https://<host name>:9200

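It is currently not possible to migrate an existing index from HTTP to HTTPS. Usage of one or the other must be decided before UCS creates the Cassandra schema. In order to ease HTTPS deployment, the index will automatically trust all HTTPS certificates. Because the certificate is not validated, the connection is encrypted but the index does not verify the identity of the Elasticsearch server it connects to.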

Restart everything

The new value of the unicast-hosts option is taken into account when creating the index, which means that you need to clean up your database and your index before restarting Cassandra, Elasticsearch and UCS.

This page was last modified on December 28, 2018, at 16:13.
