| navigation_title | applies_to | sub | mapped_pages | ||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
Automatic security setup |
|
|
% Scope: Automatic setup % Original title: Start the {{stack}} with security enabled automatically
:::{include} /deploy-manage/deploy/self-managed/_snippets/auto-security-config.md :::
:::{note}
In {{es}} RPM and Debian package installations, the elastic user password is not output at startup and must be manually reset.
:::
To learn how to start {{es}} and {{kib}} with security enabled, follow one of our installation guides. Select the product that you want to install, and then select the guide your preferred installation method:
:::{include} /deploy-manage/deploy/self-managed/_snippets/security-files.md :::
When you start {{es}} for the first time, the node startup process tries to automatically configure security for you. The process runs some checks to determine:
- If this is the first time that the node is starting
- Whether security is already configured
- If the startup process can modify the node configuration
If any of those checks fail, there’s a good indication that you manually configured security, or don’t want security to be configured automatically. In these cases, the node starts normally using the existing configuration.
::::{important} If you redirect {{es}} output to a file, security autoconfiguration is skipped. Autoconfigured credentials can only be viewed on the terminal the first time you start {{es}}. If you need to redirect output to a file, start {{es}} without redirection the first time and use redirection on all subsequent starts. ::::
If certain directories already exist, there’s a strong indication that the node was started previously. Similarly, if certain files don’t exist, or we can’t read or write to specific files or directories, then we’re likely not running as the user who installed {{es}} or an administrator imposed restrictions. If any of the following environment checks are true, security isn’t configured automatically.
The {{es}} /data directory exists and isn’t empty
: The existence of this directory is a strong indicator that the node was started previously, and might already be part of a cluster.
The elasticsearch.yml file doesn’t exist (or isn’t readable), or the elasticsearch.keystore isn’t readable
: If either of these files aren’t readable, we can’t determine whether {{es}} security features are already enabled. This state can also indicate that the node startup process isn’t running as a user with sufficient privileges to modify the node configuration.
The {{es}} configuration directory isn’t writable : This state likely indicates that an administrator made this directory read-only, or that the user who is starting {{es}} is not the user that installed {{es}}.
The following settings are incompatible with security auto configuration. If any of these settings exist, the node startup process skips configuring security automatically and the node starts normally.
-
node.rolesis set to a value where the node can’t be elected asmaster, or if the node can’t hold data -
xpack.security.autoconfiguration.enabledis set tofalse -
xpack.security.enabledhas a value set -
Any of the
xpack.security.transport.ssl.*orxpack.security.http.ssl.*settings have a value set in theelasticsearch.ymlconfiguration file or in theelasticsearch.keystore -
Any of the
discovery.type,discovery.seed_hosts, orcluster.initial_master_nodesdiscovery and cluster formation settings have a value set::::{note} Exceptions are when
discovery.typeis set tosingle-node, or whencluster.initial_master_nodesexists but contains only the name of the current node.::::