Production Hardening

chaos · September 2, 2019, 2:02am

Hello,

I followed the guides on the documentation, I replaced all the .yml files to do with internal users and their roles, and I now use SSL for all nodes. However on startup I still get this warning:

elasticsearch_1  | OpenDistro for Elasticsearch Security Demo Installer
elasticsearch_1  |  ** Warning: Do not use on production or public reachable systems **
elasticsearch_1  | Basedir: /usr/share/elasticsearch
elasticsearch_1  | Elasticsearch install type: rpm/deb on CentOS Linux release 7.6.1810 (Core)
elasticsearch_1  | Elasticsearch config dir: /usr/share/elasticsearch/config
elasticsearch_1  | Elasticsearch config file: /usr/share/elasticsearch/config/elasticsearch.yml
elasticsearch_1  | Elasticsearch bin dir: /usr/share/elasticsearch/bin
elasticsearch_1  | Elasticsearch plugins dir: /usr/share/elasticsearch/plugins
elasticsearch_1  | Elasticsearch lib dir: /usr/share/elasticsearch/lib
elasticsearch_1  | Detected Elasticsearch Version: x-content-7.1.1
elasticsearch_1  | Detected Open Distro Security Version: 1.1.0.0
elasticsearch_1  | /usr/share/elasticsearch/config/elasticsearch.yml seems to be already configured for Security. Quit.

Is this okay? I want my system to be secure and there’s a large warning that using this script is insecure. However I did follow the guide and I believe I did everything correctly including changing all the demo user account passwords.

aetter · September 5, 2019, 7:10pm

Hey @chaos, that message indicates that you didn’t swap out the demo certificates for your own. Check out 1-2 here: https://opendistro.github.io/for-elasticsearch-docs/docs/security-configuration/#get-started

chaos · September 5, 2019, 7:22pm

Hey @aetter

The thing is I did, I replaced the certificates with admin and node certs and used the elasticsearch.yml provided in step 1 of what you linked. I’m able to verify the node certificates with the node.pem so I do know that they are using them.

The warning still appears, but as indicated at the end of the log “elasticsearch.yml seems to be already configured for Security. Quit."

aetter · September 5, 2019, 9:03pm

Eek, my apologies, thanks for clarifying. I was scanning a little too quickly this morning and misread. You should be good to go. The demo installer runs on startup to make it easy for people to get started out of the box, but if it detects any non-default settings in elasticsearch.yml, it assumes you’ve configured the security plugin yourself and exits before creating the demo certificates or adding lines to your configuration. security/install_demo_configuration.sh at cf53d0b74cb801a6888b074fa433e7a3bc6f384c · opendistro-for-elasticsearch/security · GitHub

chaos · September 5, 2019, 9:25pm

You rock! Thanks for the clarification.

Topic		Replies	Views
Seems to be already configured for Security. Quit Security	3	1413	September 24, 2021
How to remove the waring of "OpenDistro for Elasticsearch Security Demo Installer" Security	2	3211	August 10, 2019
My thoughts on installation; Security Plugin General Feedback	7	2023	September 7, 2021
How to configure SSL/TLS? Security	1	3336	April 8, 2019
Add Your Own SSL Certificates to Open Distro for Elasticsearch \| Open Distro General Feedback	1	769	February 7, 2023

Production Hardening

Related topics