Set up Elasticsearch X-Pack security

Without minimal security enabled many components will not work, for example:

  1. User roles management through Kibana
  2. Machin Learning
  3. Endpoint Protection
  4. and more.

In the first part of our lab, we set up Elasticsearch cluster with three servers, to run minimum security requirements between all servers, it is required to stop all the servers and Kibana.

Stopping elasticsearch:

sudo service elasticsearch stop

Kibana stop:

sudo service kibana stop

Enabling minimal security

For each Elasticsearch server, add the following line in the elasticsearch.yml configuration file and start Elasticsearch service true

Change password for system users

authentication requirement with Elasticsearch and Kibana, is the first step when enabling minimal security.

On Node01 server create a list of users and passwords by running the following commands:

/ cd usr / share / elasticsearch / bin

./elasticsearch-setup-passwords auto

* Save all username and passwords in secure location like keepass

Add Kibana authentication

On the Kibana server we will configure the default kibana_system user with a new password , edit a kibana.yml configuration file

elasticsearch.username: “kibana_system”

Add your own password with at least 32 characters, it is required for enabling alerts and rules.

encryptionKey: “b8707c3f9ffd788a02b2ec5f79aaea94b25638d8553afceb42cc3823344a9bec”

store password in keystore for Kibana

To keep your passwords secure, create a Keystore by run the these commands:

cd / usr / share / kibana / bin

./kibana-keystore create

save password for username “kibana_system” in the keystore

./kibana-keystore add elasticsearch.password

Elasticsearch Certificate Request

The next step is to enable certificate authentication between all Elasticsearch servers, enable this by requesting a CA certificate from Elasticsearch PKI.

From Node01 server, create request certificate include a private key and a public key, all Elasticsearch servers must trust the certificate, the certificate will be generated by the following commands:

cd / usr / share / elasticsearch / bin

./elasticsearch-certutil ca

confirm the creation of a default certificate [elastic-stack-ca.p12] and choose to protect the private key with a complex password.

create Elasticsearch trusted certificate
create trusted certificate for Elasticsearch server

copy the certificate name elastic-stack-ca.p12, to the Elasticsearch directory /etc/elasticsearch/ for each Elasticsearch server.

Set up TLS encryption between servers in a cluster

To set up TLS for all elasticsearch servers member cluster, add the below lines to the elasticsearch.yml configuration file for each server. true certificate required elastic-stack-ca .p12 elastic-stack-ca.p12

Save the private key password in the KeyStore for each member server

cd / usr / share / elasticsearch / bin

./elasticsearch-keystore add

./elasticsearch-keystore add

its importent to grant read permissions to elastic-stack-ca.p12 certificate file

chmod -v 640 elastic-stack-ca.p12

check our new security setting by starting Elasticsearch service on all servers and verifying that it is working properly

service elasticsearch start

Elasticsearch cluster health Check

By adding a username and password to get request, we will check the status of Elasticsearch cluster, “green” status mean all good :), for any other status please check for errors in the log file at var/log/elasticsearch/elasticsearch.log.

Checking the status of Elasticsearch cluster

curl -X GET “localhost: 9200 / _cluster / health? pretty & pretty” -u elastic: fOFZzcnavlAtk8pW5l

Kibana authentication test

It’s recommended to verify authentication from a Kibana server to elasticsearch servers using kibana user

curl -u kibana_system ‘’

start Kibana and access the portal at:

As you can see in the image below, since minimal security enabled, authentication is now required at the Kibana portal, use elastic user to access Kibana.

Users and roles Kibana

Once security was enabled, a new option was opened,

users and roles can be created by access the following addresses:

Kibana Roles List

enable Elasticsearch API

The second step in setting up minimal security is to set up secure access to Elasticsearch servers using https only, this step is necessary to protect the information that goes to Elasticsearch and required for manage the Elasticsearch system using API.

As you can see in the image below API is not enabled by default, allow API access by enable https only

API keys not enabled in elasticsearch

Elasticsearch Encrypt traffic

to set up secure access only with https, stop elasticsearch service on all servers

sudo service elasticsearch stop

TLS certificate can be requested by

  1. elasticsearch-certutil
  2. self sign certificate using tools like openssl
  3. active directory certificate authority

use elasticsearch-certutil

request certificate using elasticsearch-certutil, to request certificate from one server for all servers run the below commands,


./elasticsearch-certutil http

Generate a CSR? [y / N] n

Use an existing CA? [y / N] y

CA Path: /etc/elasticsearch/elastic-stack-ca.p12

Password for elastic-stack-ca.p12:

For how long should your certificate be valid? [5y]

Generate a certificate per node? [y / N] y

node # 1 name: node01

Enter all the hostnames that you need, one per line.
When you are done, press once more to move on to the next step.


Enter all the IP addresses that you need, one per line.
When you are done, press once more to move on to the next step.

Generate additional certificates? [Y / n] y

The questions should be repeated for all Elasticsearch servers.

After requesting certificates for all servers answer no for

generate additional certificates selected? n

The new certificates can be found in the following directory usr/share/elasticsearch/

extract and copy the certificate to /etc/elasticsearch/ directory for each server

extract and copy example for node01 server:

unzip /usr/share/elasticsearch/ -d /tmp/

cp /tmp/elasticsearch/node01/http.p12 /etc/elasticsearch/

Once you copy the http.p12 certificate to all the servers, we will configure the elasticsearch servers to receive https requests by edit the elasticsearch.xml configuration file true http.p12

Keeping a private key certificate in the keystore

Before starting the elasticsearch servers, it is required to add the certificate password to the keystore.


./elasticsearch-keystore add

Once you save the certificate password in the keystore all Elasticsearch servers can be started

test Elasticsearch API

More security features are now available to used from Kibana portal, you can create you own token and start to manage Elasticsearch using API reset options.

API management address:

Elasticsearch API enabled


Once we have set x-pack security, advanced options such as API, manage users and roles, machine learning, are now available for use.

In this guide we enabled certificate authentication between all Elasticsearch servers and enabled secure connection using https, we only allowed access using user authentication to Elasticsearch and Kibana.

Next steps

sending logs from IDS servers and Wazuh EDR to Elasticsearch SIEM, use Kibana to detect threats such as Malware traffic, analyze network anomaly using Elasticsearch Machine learning.

Like this article?

You may also enjoy these articles

SearchSploit: Guide to Exploit Database Search

Searchsploit is a command-line tool that allows users to search the Exploit Database, which is a repository of publicly disclosed vulnerabilities and exploitation techniques. It

fuzzing with ffuf tool

Guide to FFUF tool – Web Application Fuzzing

FFUF is a powerful and flexible open-source tool for performing web application fuzzing. Whether you’re a security professional looking to identify vulnerabilities or a developer

Guide to sqlmap tool – sql injection

SQLmap is an powerful open source tool used by hackers to detect and exploit SQL
injection flaws. SQLmap automates the process of detecting and


Hydra tool make password cracking to easy task, hydra can brute Force multiple protocols and services like ftp irc ldap2[s] ldap3 mongodb mssql mysql

Scroll to Top