Kibana Setup including SSL
In this article we are going to explore on configuring Kibana to use Elasticseach cluster with encrypted communication and add SSL for encrypting communications in Kibana.
Kibana is one of component of ELK stack which is used for visualization of metrics that were collected in Elasticsearch.
Prerequisite for this article are Elasticsearch Production Cluster Setup and Secure Ealsticsearch
Note: We should same version of Kibana build as of Elasticseach or else it will not compatible.
I am using Kibana Version 7.4 as i am have Elasticsearch 7.4 cluster.
Download Kibana 7.4
Generate Certificates:
1. Let generate client certificate based on the CA certificate generated in earlier post Encrypting communications in Elasticsearch.
There should be "elastic-stack-ca.p12" certificate under "config" folder in Elasticsearch.
bin/elasticsearch-certutil cert --ca config/elastic-stack-ca.p12 -name "CN=something,OU=Consulting Team,DC=mydomain,DC=com"
ENTER
client.p12 ENTER
ENTER
The above command will generate "client.p12" certificate which we will be used to generate certificate used by Kibana to authenticate.
2. Create a Client certificate that could be used by Kibana to communicate with Elasticsearch. I am using same Client certificate that was created Elasticsearch to Encrypting Kibana communications as well. Valid CA certicates can be used instead of self signed certificates.
I am using "openssl" utlility to converting the certificate. In windows you can convert it using Git bash.
openssl pkcs12 -in client.p12 -cacerts -nokeys -chain > es-client-ca.cer
ENTER
openssl pkcs12 -in client.p12 -clcerts -nokeys > es-client.cer
ENTER
openssl pkcs12 -in client.p12 -nocerts -nodes > es-client.key
ENTER
openssl pkcs12 -in client.p12 -clcerts -nokeys > es-client.cer
ENTER
openssl pkcs12 -in client.p12 -nocerts -nodes > es-client.key
ENTER
With 1st and 2nd step we have completed generating certificate that is needed to communicate with Elasticsearch cluster and Encrypting communications in Kibana.
Note: If the domain details did not match with server hosting Kibana you would be noticing SSL exceptions in Kibana logs.
3. Place all the certificates generated under config folder.
Once you have completed all the three steps we can go ahead and add the configuration to "Kibana.yml" present under "config" folder.
Configure Kibana: We need to modify "kibana.yml" under "config" folder, Below are the attributes that needs to be added.
server.port: 5601 #Port on which Kibana needs to be accessible
server.host: "192.168.0.14" #Physical server IP address
server.name: "myservername" #Physical server Name
elasticsearch.hosts: ["https://192.168.0.14:9205"] #Client nodes addresses followed by coma for load balancing
elasticsearch.username: "kibana"
elasticsearch.password: "xxxxxxxxxxxxxx" #Kibana password setup while securing Elasticsearch
xpack.security.enabled: true
elasticsearch.ssl.certificateAuthorities: ../config/es-client-ca.cer
elasticsearch.ssl.verificationMode: certificate
server.ssl.enabled: true
server.ssl.certificate: ../config/es-client.cer
server.ssl.key: ../config/es-client.key
server.ssl.key: ../config/es-client.key
Once you are done with above configuration, start Kibana and then we should be good to go, Kibana URL would be available in the prompt as per configred IP address and port. https://IPADDRESS:PORT/
Provide the "elastic" username and Password that was setup while securing Elasticsearch. "elastic" user account is Super user account.
Kibana Config file is available in GitHub