Hooman Bahreini

Reputation: 15579

Transport SSL must be enabled if security is enabled on a [basic] license

I have installed Elasticsearch 7.1 on Ubuntu. I want to password protect the cluster, so I have set: xpack.security.enabled: true in the elasticsearch.yml file. Now when I restart Elasticsearch I get the message:

Transport SSL must be enabled if security is enabled on a [basic] license. Please set [xpack.security.transport.ssl.enabled] to [true] or disable security by setting [xpack.security.enabled]

I am using the basic license. I have seen this guide which explains how to use elasticsearch-certutil to install SSL certificates on the nodes.

Questions:

  1. Is it possible to password protect the cluster without setting xpack.security.transport.ssl.enabled to true?

  2. If I have the guide mentioned above and install SSL certificates on the elasticsearch cluster, do I need any SSL certificate on my webserver? I don't want the communication between the web server and elasticsearch to use SSL.

Upvotes: 18

Views: 25214

Answers (1)

Hooman Bahreini

Reputation: 15579

According to this answer:

For a cluster that is running in production mode with a production license, once security is enabled, transport TLS/SSL must also be enabled. On the other hand, if we are running with a trial license, then transport TLS/SSL is not obligatory.


It's not possible. In production mode, if you want to use any of the xpack security features by enabling (setting xpack.security.enabled: true), then you need to use a TLS/SSL certificate.

By default, the web server (and Kibana) can communicate with the cluster without any TLS/SSL certificate (The certificate is used for communication within ES nodes). If you do want to use TLS/SSL between the cluster and your web server, then you need to set xpack.security.http.ssl.enabled which is set to false by default.

Upvotes: 17
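The configuration the question and answer above arrive at, as an added example that is not part of the original posts: security enabled, TLS on the transport layer only, and the HTTP layer left without TLS. The keystore file name `elastic-certificates.p12` is an assumption (the default output name of `elasticsearch-certutil cert`); adjust it to wherever the certificate bundle was copied under the node's config directory.

```yaml
# elasticsearch.yml (apply on every node in the cluster)
#
# Failing configuration from the question: security on, transport TLS unset.
#   xpack.security.enabled: true
# The node then refuses to start with:
#   "Transport SSL must be enabled if security is enabled on a [basic] license"

# Working configuration: password protection plus node-to-node TLS.
xpack.security.enabled: true

# Transport layer (node-to-node traffic). TLS is required here once
# security is enabled on a basic license.
xpack.security.transport.ssl.enabled: true
# "certificate" checks that the peer certificate is signed by the trusted CA
# without checking the hostname in it.
xpack.security.transport.ssl.verification_mode: certificate
# Assumed file name: PKCS#12 bundle generated with elasticsearch-certutil,
# path relative to the Elasticsearch config directory.
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12

# HTTP layer (REST clients such as the web server and Kibana).
# false is the default and is written out only to make the choice visible.
# Clients need no certificate, but must send a username and password,
# and those credentials cross the network unencrypted.
xpack.security.http.ssl.enabled: false
```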
