Hypertext Transfer Protocol Secure (HTTPS) is a security-enhanced version of HTTP. HTTPS works with Secure Socket Layer (SSL) to ensure the security of data transmission. HTTPS uses HTTP for communications. SSL is used to encrypt the data. To ensure data security, we recommend that you enable HTTPS. This topic describes how to enable HTTPS for an Elasticsearch cluster.

Prerequisites

  • An Alibaba Cloud Elasticsearch cluster is created.

    For more information, see Create an Alibaba Cloud Elasticsearch cluster.

  • A client node is purchased for the Elasticsearch cluster.
    You can purchase a client node when you create an Elasticsearch cluster or upgrade the configuration of an Elasticsearch cluster. For more information, see Parameters on the buy page and Upgrade the configuration of a cluster.
    Note For security purposes, after you enable HTTPS for an Elasticsearch cluster, Alibaba Cloud Elasticsearch maintains and updates the certificates on which the Elasticsearch cluster depends on a regular basis. To reduce the impacts of node restart caused by certificate update on online business, Alibaba Cloud Elasticsearch deploys the certificates on client nodes that are used to forward requests. If you have not purchased client nodes for your Elasticsearch cluster and you want to enable HTTPS for the cluster, the system prompts you to purchase client nodes when you enable HTTPS for the cluster. You must follow the instructions to purchase client nodes.
  • Modify the code of your client that you want to use to access the Elasticsearch cluster. If you do not modify the code, you cannot use the client to access the cluster.
    In the following code, the REST client of open source Elasticsearch is used. After you enable HTTPS, you must include the https parameter in HttpHost, such as new HttpHost("es-cn-xxxxx.elasticsearch.aliyuncs.com", 9200, "https"));. Sample code:
    • Code before HTTPS is enabled 
      final CredentialsProvider credentialsProvider = new BasicCredentialsProvider();
        credentialsProvider.setCredentials(AuthScope.ANY,
            new UsernamePasswordCredentials("elastic", "Your password"));
RestClientBuilder restClientBuilder = RestClient.builder(
            new HttpHost("es-cn-xxxxx.elasticsearch.aliyuncs.com", 9200));
        RestClient restClient = restClientBuilder.setHttpClientConfigCallback(
            new RestClientBuilder.HttpClientConfigCallback() {
                @Override
                public HttpAsyncClientBuilder customizeHttpClient(HttpAsyncClientBuilder httpClientBuilder) {
                    return httpClientBuilder.setDefaultCredentialsProvider(credentialsProvider);
                }
            }).build();
    • Code after HTTPS is enabled 
      final CredentialsProvider credentialsProvider = new BasicCredentialsProvider();
        credentialsProvider.setCredentials(AuthScope.ANY,
            new UsernamePasswordCredentials("elastic", "Your password"));
RestClientBuilder restClientBuilder = RestClient.builder(
            new HttpHost("es-cn-xxxxx.elasticsearch.aliyuncs.com", 9200, "https"));
        RestClient restClient = restClientBuilder.setHttpClientConfigCallback(
            new RestClientBuilder.HttpClientConfigCallback() {
                @Override
                public HttpAsyncClientBuilder customizeHttpClient(HttpAsyncClientBuilder httpClientBuilder) {
                    return httpClientBuilder.setDefaultCredentialsProvider(credentialsProvider);
                }
            }).build();

Procedure

  1. Log on to the Elasticsearch console.
  2. In the left-side navigation pane, click Elasticsearch Clusters.
  3. Navigate to the desired cluster.
    1. In the top navigation bar, select the resource group to which the cluster belongs and the region where the cluster resides.
    2. In the left-side navigation pane, click Elasticsearch Clusters. On the Elasticsearch Clusters page, find the cluster and click its ID.
  4. In the left-side navigation pane of the page that appears, click Security.
  5. In the Network Settings section of the page that appears, turn on the HTTPS switch.
    Warning During the process of enabling or disabling HTTPS, the services that run on the cluster are interrupted, and the Elasticsearch cluster is restarted. Make sure that the enabling or disabling operation does not affect your services.
  6. In the Note dialog box, select the I have created an HTTPS client check box and click OK.
    Note
    Note If you have not purchased client nodes, the system prompts you to purchase client nodes when you turn on the HTTPS switch. You must follow the instructions to purchase client nodes.
    After you confirm the operation, the Elasticsearch cluster is restarted. You can view the restart progress in the Tasks dialog box. After the restart is complete, you can access the Elasticsearch cluster over HTTPS.

FAQ

Q: How do I obtain the required certificates after I enable HTTPS for my Elasticsearch cluster?

A: To ensure the security and stability of Alibaba Cloud Elasticsearch clusters, Alibaba Cloud Elasticsearch does not provide certificates for the public.