Setting up a Secured Elasticsearch Node in SymmetricDS

When setting up Elasticsearch, or any database for that matter, it is always important to make sure your data is secured. Every database has a multitude of security settings and permissions that can be customized to your liking; however, some are much more confusing than others. In this article, we are going to be talking about securing a standalone Elasticsearch database, and how to make sure that you can connect it to SymmetricDS without any frustrations or struggles.

Generating the Elasticsearch Certificates

Before we set up all of the Elasticsearch-specific security settings, we first have to generate some certificates using Elasticsearch. These certificates will be used in the security settings as well as in SymmetricDS. There are a couple of steps involved in generating the proper certificates through Elasticsearch. To start off, we will need to open a command prompt and navigate to the Elasticsearch directory. Once there, you can enter the following, and follow the instructions that come up:

./bin/elasticsearch-certutil ca

This command generates a new certificate authority (CA). By default, it will produce a single PKCS#12 output file, which holds the CA certificate and the private key for that certificate.

Once that is completed, you can continue on to the next step below and follow the instructions that come up. The command below generates an X.509 certificate and private key. The --ca option tells the program to sign the certificate with the CA we just created in the above command. It is important to note that if you selected a different name than the default, you will have to change the last part of the command below to match your name.

./bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12

The final step in this process is to move the certificate file generated by certutil to the config folder. If this file is not in the config folder, Elasticsearch will fail to find it when starting up. Elasticsearch uses the Java Security Manager on startup, which is configured to only allow the opening of files in the config directory but not in other directories. Once these two steps are completed, you are ready to move on to setting up the Elasticsearch-specific security settings.

Setting up Elasticsearch Security

All of the changes and additional parameters that we will be working with today will be added to the elasticsearch.yml file that can be found in the config directory of your Elasticsearch installation. At the most basic level, we have to enable xpack security. This is the foundation for all other security settings in Elasticsearch. When first starting Elasticsearch, this parameter will not appear in elasticsearch.yml. I would recommend creating a little section in the elasticsearch.yml file for security settings so everything is organized and easy to find if needed. Adding the xpack security will look like this:

xpack.security.enabled: true

xpack.security.ssl.diagnose.trust: true

The second setting here, xpack.security.ssl.diagnose.trust, controls whether or not Elasticsearch should output diagnostic messages for SSL/TLS trust failures. This affects the logging of Elasticsearch, not SymmetricDS, and is purely optional.

The next step in setting up a secured Elasticsearch node is enabling the Transport SSL. What this does is enable TLS/SSL on the transport networking layer. This is the layer that the nodes in the Elasticsearch Cluster use to communicate with each other. 

xpack.security.transport.ssl.enabled: true

xpack.security.transport.ssl.supported_protocols: TLSv1.2

xpack.security.transport.ssl.client_authentication: optional

xpack.security.transport.ssl.verification_mode: certificate

xpack.security.transport.ssl.cipher_suites: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA

xpack.security.transport.ssl.keystore.path: config/elasticsearch-demo-certificates.p12

xpack.security.transport.ssl.truststore.path: config/elasticsearch-demo-certificates.p12

As seen in the above code block, there are a handful of other options that go along with enabling the Transport SSL. Most of these have a default value assigned to them; however, the settings shown above are the ideal settings when using SymmetricDS, with the exception of keystore.path and truststore.path. Those values will be specific to your own installation of Elasticsearch and where the certificates reside. As for the cipher_suites setting, these are specific to your version of Java, and you should refer to the Java Cryptography Architecture documentation for the specific details.

Once the Transport SSL settings are enabled and taken care of, we move into enabling and setting up HTTP SSL. This is the layer that Elasticsearch uses to communicate with other clients like SymmetricDS.

xpack.security.http.ssl.enabled: true

xpack.security.http.ssl.supported_protocols: TLSv1.2

xpack.security.http.ssl.client_authentication: optional

xpack.security.http.ssl.verification_mode: certificate

xpack.security.http.ssl.cipher_suites: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA

xpack.security.http.ssl.keystore.path: config/elasticsearch-demo-certificates.p12

xpack.security.http.ssl.truststore.path: elasticsearch-demo-certificates.p12

All of the additional options that we will be using surrounding the HTTP SSL settings will be the same as what we did for the Transport SSL settings.
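
A pre-start check for the settings above, as an added example that is not part of the original article or of Elasticsearch or SymmetricDS. It reads the flat key: value lines of elasticsearch.yml and reports values carrying typographic quotes or dashes picked up by copy-paste, a TLS layer that is not enabled, keystore and truststore paths that name the same file in different directories, and cipher suites with static RSA key exchange. The function names and the sample input are constructed for illustration.

```python
import os
import re

# Constructed sample (not a real deployment): HTTP-layer settings as they look
# when pasted from a rendered web page, with curly quotes and mismatched paths.
SAMPLE = """\
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.client_authentication: \u201coptional\u201d
xpack.security.http.ssl.cipher_suites: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_CBC_SHA
xpack.security.http.ssl.keystore.path: config/elasticsearch-demo-certificates.p12
xpack.security.http.ssl.truststore.path: elasticsearch-demo-certificates.p12
"""

# Curly single/double quotes and en/em dashes that YAML treats as literal text.
TYPOGRAPHIC = re.compile("[\u2018\u2019\u201c\u201d\u2013\u2014]")

def parse_flat_yaml(text):
    """Parse 'dotted.key: value' lines, skipping blanks and # comments."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and ":" in line:
            key, value = line.split(":", 1)
            settings[key.strip()] = value.strip()
    return settings

def lint(settings):
    """Return (key, finding) tuples for settings that need a second look."""
    findings = []
    if settings.get("xpack.security.enabled") != "true":
        findings.append(("xpack.security.enabled", "security is not enabled"))
    for key, value in settings.items():
        if TYPOGRAPHIC.search(value):
            findings.append((key, "typographic quote or dash in value"))
    for layer in ("transport", "http"):
        prefix = f"xpack.security.{layer}.ssl."
        if settings.get(prefix + "enabled") != "true":
            findings.append((prefix + "enabled", "TLS is not enabled"))
            continue
        ks = settings.get(prefix + "keystore.path", "")
        ts = settings.get(prefix + "truststore.path", "")
        if ks != ts and os.path.basename(ks) == os.path.basename(ts):
            findings.append((prefix + "truststore.path", "same file name as keystore, different directory"))
        for suite in settings.get(prefix + "cipher_suites", "").split(","):
            if suite.strip().startswith("TLS_RSA_"):
                findings.append((prefix + "cipher_suites", suite.strip() + ": static RSA key exchange, no forward secrecy"))
    return findings

if __name__ == "__main__":
    for key, finding in lint(parse_flat_yaml(SAMPLE)):
        print(f"{key}: {finding}")
```
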

Once all of this is done, we are ready to move to SymmetricDS and set up our newly secured Elasticsearch node.

Connecting Elasticsearch to SymmetricDS

After setting up the Elasticsearch certificates and security settings, we are ready to connect to SymmetricDS. In order for SymmetricDS to connect to the Elasticsearch database, we must first import the certificate we just created on Elasticsearch. There are multiple ways to do this; however, the easiest way we have found is to download the chain from your preferred internet browser. In your browser, navigate to your Elasticsearch database. The default URL is localhost:9200; however, you may have a different configuration. Make sure to use https and not http, as we have enabled that in the settings. Once there, click on the lock icon displayed to the left of the URL.

Once that is selected, continue until you get to a section where you can view the Certificate. In the case of Firefox, that is the Page Info section that is brought up after clicking on the lock icon and following the prompts.

Once you are viewing the certificate, there is an option to download the PEM chain.

With the PEM chain downloaded, we are ready to log in to SymmetricDS. From the main screen, we will head to the Manage tab at the top, and the Security Screen on the left-hand side.

After navigating to that screen, make sure to click Authorities at the top of the page. Then, click Import and navigate to the PEM chain that was just downloaded. After following the prompts on the screen, there will be a “Restart” button at the top of the screen. SymmetricDS needs to restart in order for the system to recognize the certificate.

After restarting, everything should be in place, and all that’s left is to add an Elasticsearch node from the Nodes screen that can be found on the left-hand side of the Manage tab. More information on that can be found in the article: Elasticsearch and SymmetricDS.

Adding this extra security to your Elasticsearch setup gives you peace of mind that your data is safe and secure from prying eyes. SymmetricDS is able to seamlessly connect and will replicate securely with ease.