Configuring a secure connection between Elasticsearch and Cassandra
- Elasticsearch must be installed.
- Cassandra must be installed.
- Make Elasticsearch accessible from another host by setting network.host: <host name> in the config/elasticsearch.yml file.
- Install the SearchGuard plugin for Elasticsearch.
- Install certificates.
- Configure Elasticsearch.
- Provide the Cassandra index with the Elasticsearch credentials.
- Configure UCS to use the secured port.
- Restart everything.
Install the SearchGuard plugin for Elasticsearch
- Download the SearchGuard plugin using the information on this page.
- Install the plugin using this command:
bin/elasticsearch-plugin install -b com.floragunn:search-guard-6:6.2.4-23.0
The version of the plugin must match the version of Elasticsearch—please refer to the compatibility matrix.
Install real certificates into the <elasticsearch installation dir>/config folder.
Add the following minimal SearchGuard configuration to the elasticsearch.yml file:
searchguard.ssl.transport.pemcert_filepath: esnode.pem
searchguard.ssl.transport.pemkey_filepath: esnode-key.pem
searchguard.ssl.transport.pemtrustedcas_filepath: root-ca.pem
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.http.enabled: true
searchguard.ssl.http.pemcert_filepath: esnode.pem
searchguard.ssl.http.pemkey_filepath: esnode-key.pem
searchguard.ssl.http.pemtrustedcas_filepath: root-ca.pem
searchguard.allow_unsafe_democertificates: true
searchguard.allow_default_init_sgindex: true
searchguard.authcz.admin_dn:
  - CN=kirk,OU=client,O=client,L=test,C=de
searchguard.enable_snapshot_restore_privilege: true
searchguard.check_snapshot_restore_write_privileges: true
searchguard.restapi.roles_enabled: ["sg_all_access"]
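An added example, not part of the original page or of SearchGuard: a small Python check that reads the flat searchguard.* keys from elasticsearch.yml and flags the values in the minimal configuration above that should be revisited once real certificates are installed. The function names, the embedded sample and the assumed defaults for absent keys are constructed for illustration.

```python
import sys

# Constructed sample: an abridged copy of the minimal configuration on this page.
SAMPLE = """\
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.http.enabled: true
searchguard.allow_unsafe_democertificates: true
searchguard.authcz.admin_dn:
  - CN=kirk,OU=client,O=client,L=test,C=de
"""
# Admin DN taken from the page's sample; a real deployment lists its own admin DN.
SAMPLE_ADMIN_DN = "CN=kirk,OU=client,O=client,L=test,C=de"

def parse_flat_yaml(text):
    """Parse the flat 'dotted.key: value' subset used above (scalars, '- item' lists)."""
    settings, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("- ") and current is not None:
            settings[current].append(line[2:].strip().strip("\"'"))
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        current = key if value == "" else None
        settings[key] = [] if value == "" else value.strip("\"'")
    return settings

def audit(settings):
    """Return (key, reason) pairs for settings that weaken TLS in this setup."""
    def is_true(key, default):  # defaults for absent keys are assumptions
        return str(settings.get(key, default)).lower() == "true"
    findings = []
    if is_true("searchguard.allow_unsafe_democertificates", "false"):
        findings.append(("searchguard.allow_unsafe_democertificates", "demo certificates are accepted"))
    if not is_true("searchguard.ssl.transport.enforce_hostname_verification", "true"):
        findings.append(("searchguard.ssl.transport.enforce_hostname_verification", "transport layer does not verify host names"))
    if not is_true("searchguard.ssl.http.enabled", "false"):
        findings.append(("searchguard.ssl.http.enabled", "REST port is not served over TLS"))
    if SAMPLE_ADMIN_DN in settings.get("searchguard.authcz.admin_dn", []):
        findings.append(("searchguard.authcz.admin_dn", "admin DN is still the sample value"))
    return findings

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    results = audit(parse_flat_yaml(text))
    for key, reason in results:
        print(f"WARN {key}: {reason}")
    sys.exit(1 if results else 0)
```

Run it with the path to elasticsearch.yml as the only argument; it exits non-zero when any finding is reported, so it can gate a deployment step.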
Provide the Cassandra index with the Elasticsearch credentials
To provide the Cassandra index for Elasticsearch with credentials, each node must have the environment variable ESCREDENTIALS correctly set before starting. This must be set on all Cassandra hosts, but is not needed on UCS hosts.
The example below provides the user 'elastic' and the password 'examplepassword', separated by a colon (:) character. It can be set either directly in the system as an environment variable or in the shortcut that launches Cassandra.
ESCREDENTIALS = elastic:examplepassword
Once the index is successfully initialized, it writes "Elasticsearch credentials provided" to the Cassandra logs at the INFO level. Once this message is output, the environment variable can be cleared. If Cassandra is restarted, the environment variable must be set again before restarting. The credentials are kept in memory only and are not saved anywhere else. If the user and/or password is changed, all Cassandra nodes must be restarted with the updated environment variable value.
Configure UCS to use the secured port
In the options of UCS, set the following:
elasticsearch/unicast-hosts = https://<host name>:9200
It is currently not possible to migrate an existing index from HTTP to HTTPS. Usage of one or the other must be decided before UCS creates the Cassandra schema. In order to ease HTTPS deployment, the index will automatically trust all HTTPS certificates.
The new value of the unicast-hosts option is taken into account when creating the index, which means that you need to clean up your database and your index before restarting Cassandra, Elasticsearch and UCS.