Configuration details
Detailed configuration
This is a detailed description of how to configure two Elasticsearch clusters:

1. One in Elastic Cloud (managed Elasticsearch from Elastic) containing the bulk of the data
2. One self-hosted with ReadonlyREST (for enterprise-level access control and authentication)

The objective is to get the two connected using the transport protocol over SSL, so that we can attach a Kibana (with ROR Enterprise installed) to cluster #2, and from there query the data in cluster #1 using the feature.
The local, self-managed ROR cluster connects with the remote Elastic Cloud cluster using the Elasticsearch transport interface. The transport uses two-way SSL to authorize nodes of clusters.
To do that, we need to:

- Generate CA certificates of nodes of the local cluster (using the CA certificates of the Elastic Cloud cluster)
- Use them to add a trusted environment in the Elastic Cloud console
- Configure the internode SSL and remote cluster settings in elasticsearch.yml
The CA certificates of the Elastic Cloud cluster nodes can be downloaded from the security settings of the Elastic Cloud deployment (see ).
To generate CA certificates in the self-hosted cluster, we will use the elasticsearch-certutil tool, which can be found in the bin folder in your Elasticsearch location (e.g. /usr/share/elasticsearch/bin/).
Our working directory structure will look like this:
Let's move the downloaded Elastic Cloud CA certificates file to /tmp/certs/input as elastic-cloud-ca.cer:
Great, we have all the ingredients to generate the CA certificates of the nodes in our local ROR cluster:
Let's use our CA and generate certificates for the ROR cluster nodes:
The last thing we need to do is import the Elastic Cloud CA into the ROR node's keystore:
This is it. The structure of the certs folder should look like this:
- upload the ROR cluster CA (/tmp/certs/output/ca/ca.crt)
- select trusted cluster by:
  - ticking Trust clusters whose Common Name follows the Elastic pattern
  - entering Scope ID (in our example, it was ror-test)
  - marking that we trust "All deployments" (or specific if you wish)
- give a name of the environment (pick anything you want)
- click Create trust

And that's it! Now the ROR cluster should trust the Elastic Cloud cluster and vice versa.
elasticsearch.yml should look like this:
and the readonlyrest.yml like this:
Kibana configuration doesn't contain anything special.
Now, let's create the instances.yml file in the /tmp/certs/input directory where we will define all nodes and their properties (see ), e.g.
You will find details about the usage of the elasticsearch-certutil tool in . We have the CA certificate in p12 format. We need to convert it to X509. It can be done using openssl:
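The conversion step described above, as an added example that is not from the original page: it extracts only the CA certificate from a PKCS#12 file with openssl, then checks that the result holds no private key, is a CA certificate, and is identical to the certificate that went in. The throwaway CA, the file names and the password "sample" are constructed for the demonstration and are assumptions, not values from the cluster setup.

```bash
#!/usr/bin/env bash
# Added example: PKCS#12 CA -> X.509 PEM, with checks before the file is uploaded.
set -eu

# p12_to_x509 <ca.p12> <out.crt> [password]
# -nokeys keeps the CA private key out of the output; the second openssl call
# drops the "Bag Attributes" text so the output file is plain PEM.
p12_to_x509() {
  openssl pkcs12 -in "$1" -nokeys -passin "pass:${3:-}" | openssl x509 -out "$2"
}

# check_ca_pem <ca.crt>: fail if the file holds a private key or is not a CA cert.
check_ca_pem() {
  if grep -q 'PRIVATE KEY' "$1"; then
    echo "private key material found in $1" >&2; return 1
  fi
  if ! openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; then
    echo "$1 is not a CA certificate" >&2; return 1
  fi
}

# sha256_fp <cert.pem>: SHA-256 fingerprint, for comparing two copies of a cert.
sha256_fp() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# demo: builds a constructed throwaway CA (not a real cluster CA), packs it as
# PKCS#12, converts it and runs the checks. Prints "match" when the extracted
# certificate has the same fingerprint as the original.
demo() {
  d=$(mktemp -d)
  printf '[req]\ndistinguished_name=dn\nx509_extensions=v3\n[dn]\nCN=Sample\n[v3]\nbasicConstraints=critical,CA:TRUE\n' > "$d/ca.cnf"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=Sample ROR CA' \
    -config "$d/ca.cnf" -keyout "$d/ca.key" -out "$d/orig.crt" 2>/dev/null
  openssl pkcs12 -export -inkey "$d/ca.key" -in "$d/orig.crt" \
    -out "$d/ca.p12" -passout pass:sample   # "sample" is a constructed password
  p12_to_x509 "$d/ca.p12" "$d/ca.crt" sample
  check_ca_pem "$d/ca.crt"
  if [ "$(sha256_fp "$d/orig.crt")" = "$(sha256_fp "$d/ca.crt")" ]; then
    echo match
  fi
  rm -rf "$d"
}

demo
```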
In Elastic Cloud deployment security settings, there is a Remote Connections section, where you can add a new trusted environment (see ). The new trusted environment will be the self-managed cluster. To complete the process we need to: