
SSL/TLS Settings for Elasticsearch

If required, we can limit the ciphers and TLS protocols that Elasticsearch is permitted to use.

All these changes have to be made in the elasticsearch.yml configuration file.

Locating and updating the configuration file

  • For a standalone build of EventLog Analyzer (i.e., running without Log360), make the change in <EventlogAnalyzer>\ES\config\elasticsearch.yml. After making the change, restart EventLog Analyzer.
  • If EventLog Analyzer was installed or integrated with Log360, make the change in both \config\elasticsearch.yml and <EventlogAnalyzer>\ES\config\elasticsearch.yml. After making the change, run stopES.bat from <ManageEngine>\elasticsearch\ES\bin using an admin command prompt. After this, restart Log360 and EventLog Analyzer.

TLS Ciphers & Protocols settings

  • searchguard.ssl.transport.enabled_protocols
    • List of enabled TLS protocols. The protocols supported with the current JVM are
      TLSv1.1, TLSv1.2
  • searchguard.ssl.transport.enabled_ciphers
    • List of enabled TLS cipher suites. The ciphers supported with the current JVM (1.8.0_282) are
      TLS_AES_128_GCM_SHA256,
      TLS_AES_256_GCM_SHA384,
      TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
      TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
      TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
      TLS_RSA_WITH_AES_256_GCM_SHA384,
      TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,
      TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,
      TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,
      TLS_DHE_DSS_WITH_AES_256_GCM_SHA384,
      TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
      TLS_RSA_WITH_AES_128_GCM_SHA256,
      TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,
      TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,
      TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
      TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,
      TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
      TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
      TLS_RSA_WITH_AES_256_CBC_SHA256,
      TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,
      TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,
      TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,
      TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,
      TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
      TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
      TLS_RSA_WITH_AES_256_CBC_SHA,
      TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
      TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,
      TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
      TLS_DHE_DSS_WITH_AES_256_CBC_SHA,
      TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
      TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
      TLS_RSA_WITH_AES_128_CBC_SHA256,
      TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,
      TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,
      TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
      TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,
      TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
      TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
      TLS_RSA_WITH_AES_128_CBC_SHA,
      TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,
      TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,
      TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
      TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
      TLS_EMPTY_RENEGOTIATION_INFO_SCSV

For example, to enable only the TLSv1.2 protocol and the TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 and TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 ciphers, add one of the following entries at the bottom of the elasticsearch.yml file:

searchguard.ssl.transport.enabled_protocols: ["TLSv1.2"]
searchguard.ssl.transport.enabled_ciphers: ["TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"]

or

searchguard.ssl.transport.enabled_protocols:
- TLSv1.2
searchguard.ssl.transport.enabled_ciphers:
- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
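
To check an edited elasticsearch.yml before restarting, the following added example (not part of the vendor documentation) reads the two settings in either form shown above and reports entries outside a policy. The policy (TLSv1.2 only, GCM ciphers, ephemeral key exchange), the function names and the WEAK sample are assumptions of this example.

```python
import re

PREFIX = "searchguard.ssl.transport."

def read_list(yml_text, key):
    """Read a list setting in flow style (key: ["a"]) or block style ("- a" lines)."""
    lines = [ln.split("#", 1)[0].strip() for ln in yml_text.splitlines()]
    for i, line in enumerate(lines):
        if not line.startswith(key + ":"):
            continue
        rest = line[len(key) + 1:].strip()
        if rest:  # flow style, values on the same line
            return [v.strip(" \"'") for v in rest.strip("[]").split(",") if v.strip()]
        items = []
        for nxt in lines[i + 1:]:
            if nxt.startswith("-"):
                items.append(nxt[1:].strip(" \"'"))
            elif nxt:
                break  # the next key ends the block list
        return items
    return None  # setting absent, so defaults are in effect

def audit(yml_text):
    """Findings against the assumed policy: TLSv1.2, AEAD, (EC)DHE key exchange."""
    findings = []
    protocols = read_list(yml_text, PREFIX + "enabled_protocols")
    ciphers = read_list(yml_text, PREFIX + "enabled_ciphers")
    if protocols is None:
        findings.append("enabled_protocols is not set")
    if ciphers is None:
        findings.append("enabled_ciphers is not set")
    for p in protocols or []:
        if p != "TLSv1.2":
            findings.append(f"{p}: protocol outside policy")
    for c in ciphers or []:
        if c == "TLS_EMPTY_RENEGOTIATION_INFO_SCSV":
            continue  # signalling value, not an encryption suite
        if "_CBC_" in c:
            findings.append(f"{c}: CBC mode, not AEAD")
        if not re.match(r"TLS_(ECDHE|DHE|AES)_", c):
            findings.append(f"{c}: no forward secrecy (static key exchange)")
    return findings

# Constructed sample: a permissive configuration mixing both list styles.
WEAK = ('searchguard.ssl.transport.enabled_protocols: ["TLSv1.1", "TLSv1.2"]\n'
        'searchguard.ssl.transport.enabled_ciphers:\n'
        '- TLS_RSA_WITH_AES_128_CBC_SHA\n- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384\n')

if __name__ == "__main__":
    print("\n".join(audit(WEAK)))
```

A clean result only means the lists meet the policy; ECDHE_ECDSA suites such as the two in the example above still require the node certificate to carry an ECDSA key.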

Copyright © 2020, ZOHO Corp. All Rights Reserved.
