How to Transition from Elasticsearch Enterprise to SearchGuard Community Edition Without Losing Key Features
How to Transition from Elasticsearch Enterprise to the SearchGuard Community Edition Without Losing Key Features
Migrating from Elasticsearch Enterprise to the SearchGuard Community Edition is a smart choice for many organizations, especially for those looking to reduce costs without compromising on security features. While Elasticsearch Enterprise can be costly, the SearchGuard Community Edition offers enterprise-grade security for free. This guide outlines the key steps involved in making the switch while preserving the security configurations and certificates from your existing Elasticsearch setup.
Why Make the Switch?
1. Cost Savings
One of the most immediate benefits of transitioning to SearchGuard Community Edition is the significant reduction in licensing costs. Unlike Elasticsearch Enterprise, which requires expensive licenses based on deployment size, SearchGuard Community Edition provides robust security capabilities at no cost.
2. Retaining Key Security Features
SearchGuard Community Edition is not a watered-down version. It supports the core security features that are essential for protecting your Elasticsearch cluster:
1.Encryption (for both REST and transport layers)
2.Role-based access control (RBAC)
3.Authentication (including PKI and proxy authentication)
4.Alerting and Monitoring
By switching to SearchGuard Community Edition, you can retain these crucial features without incurring any additional costs.
Step-by-Step Guide to Transition from Elasticsearch Enterprise to SearchGuard Community Edition
Step 1: Disable Shard Allocation
Disable shard allocation to prevent Elasticsearch from attempting to redistribute shards. This can be done using either
sgctl
orcurl
.Using sgctl
copy
./sgctl.sh rest put _cluster/settings --json '{"persistent":{"cluster.routing.allocation.enable": "none"}}'
Using curl
copy
curl -Ss -XPUT 'https://localhost:9200/_cluster/settings?pretty' \ -H 'Content-Type: application/json' -d' { "persistent": { "cluster.routing.allocation.enable": "none" } }'
Step 2: Stop Elasticsearch
Once shard allocation has been disabled, you can safely shut down the Elasticsearch cluster. Depending on how Elasticsearch was started, use one of the following methods:
If you are running Elasticsearch with systemd:
copy
sudo systemctl stop elasticsearch.service
If you are running Elasticsearch with SysV init:
copy
sudo -i service elasticsearch stop
If you are running Elasticsearch as a daemon:
copy
kill $(cat pid)
Step 3: Install SearchGuard Plugin
More information about the installation can be found here.
Before configuring SearchGuard, you'll need to install the plugin on your Elasticsearch nodes. This can be done by running the following command:
copy
sudo bin/elasticsearch-plugin install com.searchguard:search-guard-<version>
Make sure to replace
<version>
with the version that matches your Elasticsearch installation.Step 4: Prepare Certificates
SearchGuard requires certificates to secure your Elasticsearch cluster. You’ll need certificates for both the transport and REST layers. These certificates can either be generated using OpenSSL or through your existing PKI infrastructure.
Transport Layer: Ensures encrypted communication between Elasticsearch nodes.
REST Layer (Optional): Enables HTTPS for the REST API layer if required.
Step 5: Add TLS Configuration
Once you have your certificates ready, you need to configure TLS (Transport Layer Security) for both the transport and REST layers. Here's how you can do it in your
elasticsearch.yml
file:5.1 Transport Layer Encryption & Admin Certificate Configuration
This ensures secure communication between nodes by enabling TLS on the transport layer and specifying the admin certificate.
Add the following configuration to
elasticsearch.yml
:copy
searchguard.ssl.transport.pemcert_filepath: <path_to_node_certificate> searchguard.ssl.transport.pemkey_filepath: <path_to_node_certificate_key> searchguard.ssl.transport.pemtrustedcas_filepath: <path_to_root_ca> searchguard.ssl.transport.enforce_hostname_verification: true searchguard.ssl.transport.pemkey_password: <password> # Optional, if your private key is password-protected searchguard.authcz.admin_dn: - CN=kirk,OU=client,O=client,L=test,C=de
searchguard.ssl.transport.pemcert_filepath
: Path to the node certificate.searchguard.ssl.transport.pemkey_filepath
: Path to the node certificate's private key.searchguard.ssl.transport.pemtrustedcas_filepath
: Path to the root certificate authority (CA) certificate.searchguard.ssl.transport.enforce_hostname_verification
: Enforces hostname verification for added security.searchguard.ssl.transport.pemkey_password
: Password for the private key, if it’s protected (optional).searchguard.authcz.admin_dn
: Distinguished name (DN) for the admin certificate, used to configure and manage SearchGuard.5.2 REST Layer Encryption (Optional)
If you want to enable HTTPS for the REST API, you’ll need to configure the TLS settings for the HTTP layer. Add this to
elasticsearch.yml
:copy
searchguard.ssl.http.enabled: true searchguard.ssl.http.pemcert_filepath: <path_to_http_certificate> searchguard.ssl.http.pemkey_filepath: <path_to_http_certificate_key> searchguard.ssl.http.pemtrustedcas_filepath: <path_to_http_root_ca>
Step 6: Restart Elasticsearch Nodes
After configuring the certificates and the TLS settings, restart all Elasticsearch nodes to apply the changes. Ensure that every node has the correct certificate configuration.
Step 7: Re-enable Shard Allocation
Once the cluster has restarted, re-enable shard allocation to allow Elasticsearch to distribute the data across nodes. Use the following command to re-enable shard allocation:
copy
./sgctl.sh rest put _cluster/settings --json '{"persistent":{"cluster.routing.allocation.enable": "all"}}'
Transferring Elasticsearch Configurations to SearchGuard Community Edition
In addition to setting up TLS and certificates, you’ll also need to transfer your existing configurations from Elasticsearch to SearchGuard. This includes:
1.Roles and Permissions: If you were using role-based access control (RBAC) in Elasticsearch Enterprise, you will need to migrate these settings to SearchGuard. You can use SearchGuard’s
sgctl
tool to upload your role definitions, user permissions, and other configurations.2.Users and Authentication Methods: You can configure SearchGuard to use the same authentication methods you had in Elasticsearch Enterprise, such as PKI-based authentication or proxy authentication. These settings should be replicated in the SearchGuard configuration.
3.SearchGuard Index Initialization: The first time you use SearchGuard, you’ll need to initialize the SearchGuard index by using the
sgctl
tool. This step is crucial for setting up the user authentication and authorization system:copy
./sgctl.sh rest put _cluster/settings --json '{"persistent":{"cluster.routing.allocation.enable": "none"}}'
Once the SearchGuard index is initialized, you can manage your roles, permissions, and authentication methods using the SearchGuard configuration GUI or through
sgctl
.Final Thoughts
Migrating from Elasticsearch Enterprise to SearchGuard Community Edition provides several benefits, including significant cost savings and continued access to essential security features. By carefully transferring your certificates, configurations, and user settings to SearchGuard, you can ensure a smooth transition without compromising on security.
SearchGuard’s Community Edition provides enterprise-grade protection, robust authentication mechanisms, and a flexible configuration system—all at no cost. With proper planning and execution, your migration will be straightforward and allow you to continue managing your Elasticsearch cluster securely.
For more information on configuring SearchGuard or transitioning from Elasticsearch, refer to the official SearchGuard documentation or reach out for additional support.
Published: 2025-04-09
Questions? Drop us a line!
Other posts you may like
Common Elasticsearch Errors and How to Solve Them - Part 1
Jochen Kressin || 2024-04-24
In this blog post series, we’ll cover the most common Elasticsearch errors in detail and provide a step-by-step guide to troubleshooting them.
read more
Changing Elasticsearch TLS certificates at runtime
Jochen Kressin || 2020-07-27
How to change and reload any TLS certificate on a running Elasticsearch cluster without any downtime or rolling restart.
read more
Common Elasticsearch TLS error messages
Jochen Kressin || 2020-09-22
How to debug common error messages when using TLS with Elasticsearch, Logstash, Beats and Search Guard.
read more
