Production Hardening

Hello,

I followed the guides on the documentation, I replaced all the .yml files to do with internal users and their roles, and I now use SSL for all nodes. However on startup I still get this warning:

elasticsearch_1  | OpenDistro for Elasticsearch Security Demo Installer
elasticsearch_1  |  ** Warning: Do not use on production or public reachable systems **
elasticsearch_1  | Basedir: /usr/share/elasticsearch
elasticsearch_1  | Elasticsearch install type: rpm/deb on CentOS Linux release 7.6.1810 (Core)
elasticsearch_1  | Elasticsearch config dir: /usr/share/elasticsearch/config
elasticsearch_1  | Elasticsearch config file: /usr/share/elasticsearch/config/elasticsearch.yml
elasticsearch_1  | Elasticsearch bin dir: /usr/share/elasticsearch/bin
elasticsearch_1  | Elasticsearch plugins dir: /usr/share/elasticsearch/plugins
elasticsearch_1  | Elasticsearch lib dir: /usr/share/elasticsearch/lib
elasticsearch_1  | Detected Elasticsearch Version: x-content-7.1.1
elasticsearch_1  | Detected Open Distro Security Version: 1.1.0.0
elasticsearch_1  | /usr/share/elasticsearch/config/elasticsearch.yml seems to be already configured for Security. Quit.

Is this okay? I want my system to be secure and there’s a large warning that using this script is insecure. However I did follow the guide and I believe I did everything correctly including changing all the demo user account passwords.

Hey @chaos, that message indicates that you didn’t swap out the demo certificates for your own. Check out 1-2 here: https://opendistro.github.io/for-elasticsearch-docs/docs/security-configuration/#get-started

Hey @aetter

The thing is I did, I replaced the certificates with admin and node certs and used the elasticsearch.yml provided in step 1 of what you linked. I’m able to verify the node certificates with the node.pem so I do know that they are using them.

The warning still appears, but as indicated at the end of the log: “elasticsearch.yml seems to be already configured for Security. Quit.”

Eek, my apologies, thanks for clarifying. I was scanning a little too quickly this morning and misread. You should be good to go. The demo installer runs on startup to make it easy for people to get started out of the box, but if it detects any non-default settings in elasticsearch.yml, it assumes you’ve configured the security plugin yourself and exits before creating the demo certificates or adding lines to your configuration. security/install_demo_configuration.sh at cf53d0b74cb801a6888b074fa433e7a3bc6f384c · opendistro-for-elasticsearch/security · GitHub

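A practical way to confirm what the reply above describes, as an added example that is not part of this thread and not the project's installer script: the function below reproduces the skip condition (an elasticsearch.yml that already contains opendistro_security settings makes the demo installer quit without touching anything) and then goes one step further than the installer does, checking whether the configured settings still point at demo certificate material. The demo file names (esnode.pem, esnode-key.pem, kirk.pem, kirk-key.pem) and the demo subject DNs used for matching are assumed to be what install_demo_configuration.sh generates; confirm them against your installer version. All three sample configs are constructed inline for the demonstration, and the grep for the key prefix is an assumption about how the installer detects existing settings, not a quote from it.

```shell
#!/bin/sh
# Added example for this thread; not the project's own code and not the
# installer script linked in the reply. Reproduces the installer's skip
# condition as the reply describes it, then audits the config for leftover
# demo certificate references, which the installer itself never checks.
#
# Assumed (not from the thread): demo file names esnode.pem, esnode-key.pem,
# kirk.pem, kirk-key.pem and the demo DNs matched below are what
# install_demo_configuration.sh writes. Sample configs are constructed here.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
DEMO_CFG="$WORK/demo-elasticsearch.yml"
OWN_CFG="$WORK/own-elasticsearch.yml"
EMPTY_CFG="$WORK/fresh-elasticsearch.yml"

# Constructed: what elasticsearch.yml looks like after the demo installer ran.
cat >"$DEMO_CFG" <<'EOF'
cluster.name: docker-cluster
opendistro_security.ssl.transport.pemcert_filepath: esnode.pem
opendistro_security.ssl.transport.pemkey_filepath: esnode-key.pem
opendistro_security.ssl.transport.pemtrustedcas_filepath: root-ca.pem
opendistro_security.authcz.admin_dn:
  - CN=kirk,OU=client,O=client,L=test, C=de
opendistro_security.nodes_dn:
  - CN=node-0.example.com,OU=node,O=node,L=test,DC=de
EOF

# Constructed: the same keys after following step 1 of the docs with
# operator-issued certificates (file names and DNs are placeholders).
cat >"$OWN_CFG" <<'EOF'
cluster.name: prod-logs
opendistro_security.ssl.transport.pemcert_filepath: node.pem
opendistro_security.ssl.transport.pemkey_filepath: node-key.pem
opendistro_security.ssl.transport.pemtrustedcas_filepath: root-ca.pem
opendistro_security.authcz.admin_dn:
  - CN=admin,OU=ops,O=example-corp,L=Toronto,ST=Ontario,C=CA
opendistro_security.nodes_dn:
  - CN=es-node-*.logs.example.internal,OU=ops,O=example-corp,C=CA
EOF

# Constructed: a config with no security settings at all.
printf 'cluster.name: fresh\n' >"$EMPTY_CFG"

# Mirrors the installer gate described in the reply (assumed to be a search
# for the opendistro_security key prefix): returns 0 if the installer would
# print "seems to be already configured for Security. Quit." and stop.
installer_would_quit() {
    grep -qi 'opendistro_security' "$1"
}

# Prints every line that still references assumed demo file names or demo
# DNs; returns 0 if at least one was found. root-ca.pem is deliberately not
# matched, since the docs' own hardened config uses that name too.
demo_material_lines() {
    grep -nE 'esnode(-key)?\.pem|kirk(-key)?\.pem|CN=kirk,OU=client|CN=node-0\.example\.com' "$1"
}

# Returns 0 when the config references no demo material at all.
no_demo_material() {
    ! demo_material_lines "$1" >/dev/null
}

# Human-readable verdict; exit status 0 only for "configured, no demo material".
audit_config() {
    cfg=$1
    if ! installer_would_quit "$cfg"; then
        echo "$cfg: no opendistro_security keys; the demo installer WOULD run here"
        return 1
    fi
    if no_demo_material "$cfg"; then
        echo "$cfg: configured for security, no demo certificates or demo DNs referenced"
        return 0
    fi
    echo "$cfg: configured for security but still references demo material:"
    demo_material_lines "$cfg" | sed 's/^/    /'
    return 1
}

# Optional: prove which certificate a node actually loads by fingerprinting the
# configured PEM file and comparing to the SHA-256 fingerprint recorded when
# the cert was issued. Returns 0 on match, 1 on mismatch, 2 if openssl is absent.
cert_fingerprint_matches() {
    command -v openssl >/dev/null 2>&1 || return 2
    actual=$(openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2)
    [ "$actual" = "$2" ]
}

audit_config "$DEMO_CFG"
audit_config "$OWN_CFG"
audit_config "$EMPTY_CFG"
```

Run it against the real config dir by pointing `audit_config` at /usr/share/elasticsearch/config/elasticsearch.yml; a clean result only tells you the file no longer names demo material, so pair it with `cert_fingerprint_matches` on the configured node.pem to confirm the node is loading the certificate you issued rather than one with a familiar file name.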

You rock! Thanks for the clarification.