Enable SSL, but only on some nodes

ronald.vanboven · March 30, 2020, 5:40am

Hi,

When we started building our Elasticsearch cluster we did not enable SSL.
Now the cluster has grown, security demands change a bit and we would like to enable SSL.
But we have a backwards compatibility issue.
It is impossible for us to change all Filebeats, Logstashes and data reading applications all at once to SSL.

So we would like to do this gradually, we are introducing new search and ingest nodes that will be purely SSL (ideally )

From documentation I can see:

http.type: ssl_netty4

Needs to be configured in elasticsearch.yml and

readonlyrest:
    ssl:
      keystore_file: "keystore.jks"
      keystore_pass: readonlyrest
      key_pass: readonlyrest

Needs to be configured in readonlyrest.yml.
But we have readonlyrest configured in the readonlyrest index.
We have readonlyrest enabled on all nodes.
But on the currently existing nodes we don’t want to enable SSL.

Should we put the readonlyrest ssl config in the index and just not put the ssl config in elasticsearch.yml on the existing nodes?
Would this cause any issues, is this supported?

sscarduzio · March 30, 2020, 12:53pm

I don’t know, you could try. But what I would do is:

in elasticsearch.yml

readonlyrest.force_load_from_file: true

ronald.vanboven · March 31, 2020, 12:15pm

Oke, we will run some experiments and find out what works best.
If we reach a conclusion I will report back here.
Might take some months/weeks though as we are currently in the design phase of the expansion.