2017-12-07 11:42:02 -05:00
|
|
|
[role="xpack"]
|
|
|
|
[[bootstrap-checks-xpack]]
|
|
|
|
== Bootstrap Checks for {xpack}
|
|
|
|
++++
|
|
|
|
<titleabbrev>Bootstrap Checks</titleabbrev>
|
|
|
|
++++
|
|
|
|
|
|
|
|
|
|
|
|
In addition to the <<bootstrap-checks,{es} bootstrap checks>>, there are
|
|
|
|
checks that are specific to {xpack} features.
|
|
|
|
|
|
|
|
[float]
|
|
|
|
=== Encrypt sensitive data check
|
|
|
|
//See EncryptSensitiveDAtaBootstrapCheck.java
|
|
|
|
|
|
|
|
If you use {watcher} and have chosen to encrypt sensitive data (by setting
|
|
|
|
`xpack.watcher.encrypt_sensitive_data` to `true`), you must also place a key in
|
|
|
|
the secure settings store.
|
|
|
|
|
|
|
|
To pass this bootstrap check, you must set the `xpack.watcher.encryption_key`
|
|
|
|
on each node in the cluster. For more information, see
|
|
|
|
{xpack-ref}/encrypting-data.html[Encrypting Sensitive Data in {watcher}].
|
|
|
|
|
|
|
|
[float]
|
|
|
|
=== PKI realm check
|
|
|
|
//See PkiRealmBootstrapCheckTests.java
|
|
|
|
|
|
|
|
If you use {security} and a Public Key Infrastructure (PKI) realm, you must
|
|
|
|
configure Transport Layer Security (TLS) on your cluster and enable client
|
|
|
|
authentication on the network layers (either transport or http). For more
|
|
|
|
information, see {xpack-ref}/pki-realm.html[PKI User Authentication] and
|
|
|
|
{xpack-ref}/ssl-tls.html[Setting Up TLS on a Cluster].
|
|
|
|
|
|
|
|
To pass this bootstrap check, if a PKI realm is enabled, you must configure TLS
|
|
|
|
and enable client authentication on at least one network communication layer.
|
|
|
|
|
|
|
|
[float]
|
|
|
|
=== Role mappings check
|
|
|
|
|
|
|
|
If you authenticate users with realms other than `native` or `file` realms, you
|
|
|
|
must create role mappings. These role mappings define which roles are assigned
|
|
|
|
to each user.
|
|
|
|
|
|
|
|
If you use files to manage the role mappings, you must configure a YAML file
|
|
|
|
and copy it to each node in the cluster. By default, role mappings are stored in
|
|
|
|
`ES_PATH_CONF/x-pack/role_mapping.yml`. Alternatively, you can specify a
|
|
|
|
different role mapping file for each type of realm and specify its location in
|
|
|
|
the `elasticsearch.yml` file. For more information, see
|
|
|
|
{xpack-ref}/mapping-roles.html#mapping-roles-file[Using Role Mapping Files].
|
|
|
|
|
|
|
|
To pass this bootstrap check, the role mapping files must exist and must be
|
|
|
|
valid. The Distinguished Names (DNs) that are listed in the role mappings files
|
|
|
|
must also be valid.
|
|
|
|
|
|
|
|
[float]
|
|
|
|
=== SSL/TLS check
|
|
|
|
//See TLSLicenseBootstrapCheck.java
|
|
|
|
|
|
|
|
In 6.0 and later releases, if you have a gold, platinum, or enterprise license
|
|
|
|
and {security} is enabled, you must configure SSL/TLS for
|
|
|
|
internode-communication.
|
|
|
|
|
|
|
|
NOTE: Single-node clusters that use a loopback interface do not have this
|
|
|
|
requirement. For more information, see
|
|
|
|
{xpack-ref}/encrypting-communications.html[Encrypting Communications].
|
|
|
|
|
|
|
|
To pass this bootstrap check, you must
|
|
|
|
{xpack-ref}/ssl-tls.html[set up SSL/TLS in your cluster].
|
|
|
|
|
|
|
|
|
|
|
|
[float]
|
|
|
|
=== Token SSL check
|
|
|
|
//See TokenSSLBootstrapCheckTests.java
|
|
|
|
|
|
|
|
If you use {security} and the built-in token service is enabled, you must
|
|
|
|
configure your cluster to use SSL/TLS for the HTTP interface. HTTPS is required
|
|
|
|
in order to use the token service.
|
|
|
|
|
2018-05-02 14:42:05 -04:00
|
|
|
In particular, if `xpack.security.authc.token.enabled` is
|
2017-12-07 11:42:02 -05:00
|
|
|
set to `true` in the `elasticsearch.yml` file, you must also set
|
|
|
|
`xpack.security.http.ssl.enabled` to `true`. For more information about these
|
|
|
|
settings, see <<security-settings>> and <<modules-http>>.
|
|
|
|
|
|
|
|
To pass this bootstrap check, you must enable HTTPS or disable the built-in
|
|
|
|
token service by using the {security} settings.
|