Logstash Input Pipeline mTLS Use Case

J. Isⲁⲁc 🥷
Chronicles of Security
3 min read · Jul 27, 2021

This is a post on setting up an input listener that uses mTLS for Elastic's Logstash application. Mutual TLS (mTLS) is best described as both client and server verifying and validating each other's identity before communication between the two nodes is allowed to happen. This type of authentication is typically used for communication with IoT devices and other cloud technologies. It's also found in scenarios where source devices without a static address need to access a resource. mTLS allows (or restricts) access to the resource using certificates at the application layer instead of at the network layer (a firewall).

If you'd like to know more about mTLS, there are a number of good articles added below that will shed more light on the topic.

As for our scenario, we will be using a CentOS Logstash node server to create our root CA.

Create Certificate Authority:

openssl genrsa -aes256 -out ca/ca.key 4096   # creates the CA key, protected with a passphrase

openssl req -new -x509 -sha256 -days 960 -key ca/ca.key -out ca/ca.crt   # creates the CA certificate from the CA key (prompts for the passphrase)

ONE LINER:

sudo openssl req -new -x509 -sha256 -days 960 -key logstash-02-ca.key -out logstash-02-ca.crt -subj "/C=US/ST=NC/L=Charlotte/O=EXO/OU=EXOU/CN=localhost"

Create Node Private Key and Certificate Signing Request (CSR) for the CA:

openssl genrsa -out logstash-02.key 2048

openssl req -new -key logstash-02.key -sha256 -out logstash-02.csr

Use the CA and CA key to sign the CSR, which gives you a certificate to use for each listener:

openssl x509 -req -days 960 -sha256 -in logstash-02.csr -CA ../ca/ca.crt -CAkey ../ca/ca.key -set_serial 1 -out logstash-02.crt

Be sure to convert the key to the format Logstash expects, an unencrypted PKCS#8 key in PEM format:

openssl pkcs8 -in logstash-02.key -topk8 -out logstash-pkcs8-key.pem -nocrypt

Add the following options to your Logstash input config:

ssl_certificate => "logstash-02.crt"

ssl_key => "logstash-pkcs8-key.pem"   # the .key converted to PKCS#8 .pem above

ssl_certificate_authorities => "logstash-02-ca.crt"

ssl_verify_mode => "force_peer"

Generate certificates for the connecting clients by creating a key and a CSR for the CA to sign:

openssl genrsa -out client.key 2048

openssl req -new -key client.key -sha256 -out client.csr

Use the CA and CA key to sign the CSR, which gives you a certificate to use for the connecting clients:

openssl x509 -req -days 960 -sha256 -in client.csr -CA ../ca/ca.crt -CAkey ../ca/ca.key -set_serial 1 -out client.crt

To create multiple keys and CSRs from a list in one line, you can use the following command on a Unix machine, where list.txt holds the names of the keys you want to create, one per line:

for i in $(cat ../list.txt); do openssl genrsa -out "$i.key" 2048 && openssl req -new -key "$i.key" -sha256 -out "$i.csr" -subj "/C=US/ST=NC/L=Charlotte/O=EXO/OU=EXOU/CN=$i.example.com"; done

To sign multiple CSRs from that list in one line, you can use the following commands on a Unix machine, where list.txt holds the same names (history is switched off first so the CA passphrase passed on the command line is not recorded in your shell history):

set +o history

for i in $(cat ../list.txt); do openssl x509 -req -days 960 -sha256 -in $i.csr -CA ../mtls_practice_2/ca/ca.crt -CAkey ../mtls_practice_2/ca/ca.key -set_serial 1 -out $i.crt -passin pass:test123; done

set -o history

How to Test:

curl https://X.X.X.X:XXXX -H "Content-Type: application/json" -d '{"test":"A Log to"}' --cacert ../ca/ca.crt --cert ./logstash.crt --key ./logstash-key.key

curl https://X.X.X.X:XXXX -H "Content-Type: application/json" -d '{"test":"A Log to"}' --cacert ../ca/ca.crt --cert ./logstash.crt --key ./logstash-key.key --insecure --verbose

openssl s_client -cert logstash.crt -key logstash-key.key -CAfile ../ca/ca.crt -connect X.X.X.X:XXXX

And to test each client key from the list against Logstash:

for i in $(cat ../list.txt); do curl https://X.X.X.X:XXXX -H "Content-Type: application/json" -d '{"id":"'"$i"'"}' --cacert ./logstash-02-ca.crt --cert "./$i.crt" --key "./$i.key" --insecure --verbose; done

Convert .crt to .pem for upload to the source appliances:

openssl x509 -in cert.crt -out cert.pem

Upload both the certificate and key to source appliances to allow for mutual TLS.
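As an added, self-contained example (not code from the original post), this POSIX shell script builds throwaway CA, listener and client material in a directory and then runs the checks worth doing before the files go into the Logstash config or onto a source appliance: each cert chains to the CA, each key is the one belonging to its cert, and issued serials are unique. It departs from the post in using -CAcreateserial instead of -set_serial 1 (several certs from one CA with the same serial violates RFC 5280 and some clients reject or mis-cache them) and an unencrypted CA key so it runs without a passphrase prompt; directory, file and subject names are constructed.

```shell
#!/bin/sh
# Added example (not code from the original post); needs the openssl CLI.
# All directory, file and subject names below are constructed for the demo.
set -eu

# make_mtls_material DIR: create a CA, a listener cert and one client cert.
# Unlike the post it uses -CAcreateserial, so every issued cert gets a unique
# serial, and an unencrypted CA key so the run needs no passphrase prompt.
make_mtls_material() {
  d="$1"; mkdir -p "$d/ca"
  openssl genrsa -out "$d/ca/ca.key" 2048 2>/dev/null
  openssl req -new -x509 -sha256 -days 960 -key "$d/ca/ca.key" \
    -out "$d/ca/ca.crt" -subj "/C=US/ST=NC/O=EXO/CN=demo-ca" 2>/dev/null
  for name in logstash-02 client; do
    openssl genrsa -out "$d/$name.key" 2048 2>/dev/null
    openssl req -new -key "$d/$name.key" -sha256 -out "$d/$name.csr" \
      -subj "/C=US/ST=NC/O=EXO/CN=$name.example.com" 2>/dev/null
    openssl x509 -req -days 960 -sha256 -in "$d/$name.csr" \
      -CA "$d/ca/ca.crt" -CAkey "$d/ca/ca.key" -CAcreateserial \
      -out "$d/$name.crt" 2>/dev/null
  done
  # Logstash wants the listener's private key as unencrypted PKCS#8 PEM.
  openssl pkcs8 -in "$d/logstash-02.key" -topk8 -nocrypt \
    -out "$d/logstash-02-pkcs8.pem"
}

# check_cert CA_CRT CRT KEY: succeed only if CRT chains to CA_CRT and KEY is
# the private key belonging to CRT (public keys derived from both must match).
check_cert() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 || return 1
  c=$(openssl x509 -in "$2" -pubkey -noout)
  k=$(openssl pkey -in "$3" -pubout)
  [ "$c" = "$k" ]
}

# serials_unique DIR: succeed only if no two issued certs in DIR share a serial.
serials_unique() {
  set -- "$1"/*.crt
  u=$(for f in "$@"; do openssl x509 -in "$f" -serial -noout; done \
      | sort -u | wc -l | tr -d ' ')
  [ "$#" -eq "$u" ]
}

# Stand-alone use: sh mtls_check.sh /tmp/mtls-demo
if [ "$#" -gt 0 ]; then
  make_mtls_material "$1"
  if check_cert "$1/ca/ca.crt" "$1/client.crt" "$1/client.key" && serials_unique "$1"; then
    echo "client.crt chains to the CA and serials are unique"
  else echo "material check FAILED" >&2; exit 1; fi
fi
```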

Additional notes:

You can also use your own CA to sign certificates, and I have also recently discovered Amazon's AWS ACM (Amazon Certificate Manager), which can be leveraged to create your own CA and issue certificates with.

Certificates are a great way to allow/disallow access to public resources! More to come.
