How to configure the SSL/TLS Settings for Elasticsearch

In ADManager Plus, Elasticsearch helps in fetching large amounts of data from the database while generating NTFS reports. This page provides information on how to enable the SSL/TLS settings for Elasticsearch

If required, admins can limit the permitted ciphers and TLS protocols used by Elasticsearch. All these changes have to be done in the elasticsearch.yml configuration file.

Steps to locate and update the configuration file

1. Locate the <ADManager Plus installation directory>\ES\config\elasticsearch.yml file in your machine, which would have been downloaded by default when you installed the product.
2. Take a backup of the elasticsearch.yml file and store it in a separate location.

TLS ciphers and protocols settings

The following section provides a list of all supported ciphers and protocols and how they can be added in a YML file.

• searchguard.ssl.transport.enabled_protocols
  The enabled TLS protocols and supported protocols with current JVM are:
  TLSv1.1, TLSv1.2
• searchguard.ssl.transport.enabled_ciphers
  The enabled TLS cipher suites and supported ciphers are:

1. TLS_AES_128_GCM_SHA256,
2. TLS_AES_256_GCM_SHA384,
3. TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
4. TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
5. TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
6. TLS_RSA_WITH_AES_256_GCM_SHA384,
7. TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,
8. TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,
9. TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,
10. TLS_DHE_DSS_WITH_AES_256_GCM_SHA384,
11. TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
12. TLS_RSA_WITH_AES_128_GCM_SHA256,
13. TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,
14. TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,
15. TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
16. TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,
17. TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
18. TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
19. TLS_RSA_WITH_AES_256_CBC_SHA256,
20. TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,
21. TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,
22. TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,
23. TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,
24. TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
25. TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
26. TLS_RSA_WITH_AES_256_CBC_SHA,
27. TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
28. TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,
29. TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
30. TLS_DHE_DSS_WITH_AES_256_CBC_SHA,
31. TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
32. TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
33. TLS_RSA_WITH_AES_128_CBC_SHA256,
34. TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,
35. TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,
36. TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
37. TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,
38. TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
39. TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
40. TLS_RSA_WITH_AES_128_CBC_SHA,
41. TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,
42. TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,
43. TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
44. TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
45. TLS_EMPTY_RENEGOTIATION_INFO_SCSV

For example if we want to enable only TLSv1.2 protocol along with the TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 and TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 ciphers, we can open the elasticsearch.yml file and paste the following entry at the bottom of the text editor, as shown in the image below:

searchguard.ssl.transport.enabled_protocols: ["TLSv1.2"]
searchguard.ssl.transport.enabled_ciphers: ["TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"]
searchguard.ssl.http.enabled_protocols: ["TLSv1.2"]