Connect Elastic Cloud Hosted deployments to self-managed clusters

Follow these steps to configure the API key security model for remote clusters. If you run into any issues, refer to Troubleshooting.

• The local and remote deployments must be on Elastic Stack 8.14 or later.
• Unlike the certificate-based security model, the API key model does not require mutual trust between clusters; only the local cluster is required to trust the remote cluster's certificate.

1. On the remote cluster, use the Elasticsearch API or Kibana to create a cross-cluster API key. Configure it to include access to the indices you want to use for cross-cluster search or cross-cluster replication.
2. Copy the encoded key (encoded in the response) to a safe location. It is required for the local cluster configuration.

The API key created previously is needed by the local deployment to authenticate with the corresponding set of permissions to the remote cluster. To enable this, add the API key to the local deployment's keystore.

The steps to follow depend on whether the Certificate Authority (CA) of the remote environment’s Elasticsearch remote cluster server, proxy, or load balancing infrastructure is public or private.

To use TLS certificates for remote clusters, you must establish mutual TLS trust. The local Elastic Cloud Hosted deployment must trust the Certificate Authority (CA) used by the remote self-managed cluster, and the remote self-managed cluster must trust the CA used by the local Elastic Cloud Hosted deployment.

The steps below guide you through both sides of this configuration.

1. Download the transport CA certificate associated with your deployment. This CA is required by the self-managed cluster to establish trust with the deployment.

   1. Open your deployment management page in the Elastic Cloud UI and go to Security.
   2. Under CA certificates, select the download icon to save the CA into a local file.

2. Obtain the CA certificate of the self-managed cluster (the CA used to sign all transport certificates of your cluster). The CA needs to be in PEM format and should not contain the private key. If you only have the CA with the key in p12 format, then you can create the necessary file with the following command:

   openssl pkcs12 -in elastic-stack-ca.p12 -out newfile.crt.pem -clcerts -nokeys
   		

   Tip

   The transport CA used by your self-managed cluster is part of its existing transport TLS/SSL configuration.

A deployment can be configured to trust all or specific deployments in any environment:

1. From the Security page, select Remote Connections > Add trusted environment and choose Self-managed. Then click Next.

2. Select Certificates as authentication mechanism and click Next.

3. Upload the transport CA certificate of the self-managed environment you obtained earlier. The CA must be in PEM format and should not contain the private key.

4. Select the clusters to trust. There are two options depending on the subject name of the certificates presented by the nodes in your self-managed cluster:

   • Following the Elastic Cloud pattern. In Elastic Cloud, the certificates of all Elasticsearch nodes follow this convention: CN = {{node_id}}.node.{{cluster_id}}.cluster.{{scope_id}}. If you follow the same convention in your self-managed environment, then choose this option and select the clusters to trust.

   • If your clusters don’t follow the previous convention for the certificates subject name of your nodes, you can still specify the node name of each of the nodes that should be trusted by this deployment.

     Tip

     If possible, reissue your self-managed node certificates to follow the Elastic Cloud subject name pattern. This greatly simplifies trust management, because otherwise you must keep the list of trusted node names up to date as your self-managed cluster topology changes.

     Important

     Trust management based on certificate restrictions requires the certificates to include a specific X.509 Subject Alternative Name (SAN) entry of type otherName. This attribute is not present by default in certificates generated by an out-of-the-box Elasticsearch installation.

     If your self-managed cluster certificates do not include otherName, you must reissue them. To generate compatible certificates, refer to Optional: reissue self-managed node certificates.

5. Provide a name for the trusted environment. That name will appear in the trust summary of your deployment’s Security page.

6. Select Create trust to complete the configuration.

{
  "trust":{
    "accounts":[
      {
         "account_id":"ec38dd0aa45f4a69909ca5c81c27138a",
         "trust_all":true
      }
    ],
    "direct": [
      {
        "type" : "generic",
        "name" : "My Self-managed environment",
        "additional_node_names" : ["node1.<CLUSTER_FQDN>", "node2.<CLUSTER_FQDN>", "node3.<CLUSTER_FQDN>",],
        "certificates" : [
            {
                "pem" : "-----BEGIN CERTIFICATE-----\nMIIDTzCCA...H0=\n-----END CERTIFICATE-----"
            }
         ],
         "trust_all":false
       }
    ]
  }
}
		

Reissuing the transport certificates for your self-managed nodes is recommended in the following cases:

• Your current certificates do not include the required X.509 SAN entry of type otherName, which is needed for Elastic Cloud trust restrictions to work correctly.
• You want your node certificates to follow the same subject name pattern used in Elastic Cloud, which simplifies trust management by allowing you to select clusters instead of listing individual node names.

You can use the Elasticsearch certutil tool to generate new certificates that meet both requirements:

1. Create a file called instances.yaml describing all the nodes in your self-managed cluster. The dns and ip fields are optional, but the cn field is required. When provided through this file, certutil automatically adds the corresponding otherName SAN entry used by Elasticsearch for trust restrictions:

   instances:
     - name: "node1"
       dns: ["<NODE1_FQDN>"]
       ip: ["192.0.2.1"]
       cn: ["node1.node.1234567abcd.cluster.myscope.account"]
     - name: "node2"
       dns: ["<NODE2_FQDN>"]
       ip: ["192.0.2.2"]
       cn: ["node2.node.1234567abcd.cluster.myscope.account"]
   		

   The value specified under cn should follow the Elastic Cloud naming pattern:

   <node_id>.node.<cluster_id>.cluster.<scope_id>.account
   		

2. Generate the new nodes certificates, using your existing self-managed transport CA:

   ./bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 -in instances.yaml
   		

   This command generates a certificate and private key for each node listed in instances.yaml.

3. Distribute the certificates to each node:

   Copy the generated certificate and key files to their corresponding nodes and update your Elasticsearch TLS configuration to use them. Then restart each node to apply the changes.

After the new certificates are in place with the desired naming pattern, you can configure trust on your Elastic Cloud deployment to align with the updated names.

Follow these steps to configure trust in your self-managed cluster:

1. Trust the deployment CA you downloaded previously by either configuring the setting xpack.security.transport.ssl.certificate_authorities in elasticsearch.yml, or by adding it to the trust store.

2. Configure trust restrictions in the self-managed cluster:

   All the clusters in an Elastic Cloud Hosted region or an Elastic Cloud Enterprise environment are signed by the same certificate authority. As a result, if you only add this CA to your self-managed cluster, it would trust every cluster in that region or environment, including clusters that belong to other organizations.

   To avoid this, use the setting xpack.security.transport.ssl.trust_restrictions.path, which points to a file that limits the certificates that are trusted based on their otherName attribute.

   The following is an example of a trust restrictions file, with an explanation of what each entry allows:

   trust.subject_name:
   - *.node.aaaabbbbaaaabbbb.cluster.1053523734.account
   - *.node.xxxxyyyyxxxxyyyy.cluster.1053523734.account
   - *.node.*.cluster.83988631.account
   - node*.<CLUSTER_FQDN>
   		

   1. Two specific clusters with cluster ids aaaabbbbaaaabbbb and xxxxyyyyxxxxyyyy from an ECE environment or ECH organization with ID 1053523734
   2. Any cluster from an ECE environment or ECH organization with ID 83988631
   3. The nodes from its own cluster (whose certificates follow a different convention: CN = node1.<CLUSTER_FQDN>, CN = node2.<CLUSTER_FQDN> and CN = node3.<CLUSTER_FQDN>)