==== {component} TLS/SSL Settings
You can configure the following TLS/SSL settings. If the settings are not configured,
the {ref}/security-settings.html#ssl-tls-settings[Default TLS/SSL Settings]
are used.

ifdef::server[]
+{ssl-prefix}.ssl.enabled+::
Used to enable or disable TLS/SSL. The default is `false`.
endif::server[]

+{ssl-prefix}.ssl.supported_protocols+::
Supported protocols with versions. Valid protocols: `SSLv2Hello`,
`SSLv3`, `TLSv1`, `TLSv1.1`, `TLSv1.2`, `TLSv1.3`. Defaults to `TLSv1.3,TLSv1.2,TLSv1.1` if
the JVM supports TLSv1.3, otherwise `TLSv1.2,TLSv1.1`.

ifdef::server[]
+{ssl-prefix}.ssl.client_authentication+::
Controls the server's behavior in regard to requesting a certificate
from client connections. Valid values are `required`, `optional`, and `none`.
`required` forces a client to present a certificate, while `optional`
requests a client certificate but the client is not required to present one.
ifndef::client-auth-default[]
Defaults to `none`.
endif::client-auth-default[]
ifdef::client-auth-default[]
Defaults to +{client-auth-default}+.
endif::client-auth-default[]
endif::server[]

ifdef::verifies[]
+{ssl-prefix}.ssl.verification_mode+::
Controls the verification of certificates. Valid values are `none`,
`certificate`, and `full`. Defaults to `full`.
endif::verifies[]

+{ssl-prefix}.ssl.cipher_suites+::
Supported cipher suites can be found in Oracle's http://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html[Java Cryptography Architecture documentation]. Defaults to ``.

===== {component} TLS/SSL Key and Trusted Certificate Settings

The following settings are used to specify a private key, certificate, and the
trusted certificates that should be used when communicating over an SSL/TLS connection.
ifdef::server[]
A private key and certificate must be configured.
endif::server[]
ifndef::server[]
A private key and certificate are optional and would be used if the server requires client authentication for PKI
authentication.
endif::server[]
If none of the settings below are specified, the {ref}/security-settings.html#ssl-tls-settings[Default TLS/SSL Settings] are used.

===== PEM Encoded Files

When using PEM encoded files, use the following settings:

+{ssl-prefix}.ssl.key+::
Path to a PEM encoded file containing the private key.

+{ssl-prefix}.ssl.key_passphrase+::
The passphrase that is used to decrypt the private key. This value is optional
as the key might not be encrypted.

+{ssl-prefix}.ssl.secure_key_passphrase+ (<<secure-settings,Secure>>)::
The passphrase that is used to decrypt the private key. This value is optional
as the key might not be encrypted.

+{ssl-prefix}.ssl.certificate+::
Path to a PEM encoded file containing the certificate (or certificate chain)
that will be presented when requested.

+{ssl-prefix}.ssl.certificate_authorities+::
List of paths to the PEM encoded certificate files that should be trusted.

===== Java Keystore Files

When using Java keystore files (JKS), which contain the private key, certificate
and certificates that should be trusted, use the following settings:

+{ssl-prefix}.ssl.keystore.path+::
Path to the keystore that holds the private key and certificate.

+{ssl-prefix}.ssl.keystore.password+::
Password to the keystore.

+{ssl-prefix}.ssl.keystore.secure_password+ (<<secure-settings,Secure>>)::
Password to the keystore.

+{ssl-prefix}.ssl.keystore.key_password+::
Password for the private key in the keystore. Defaults to the
same value as +{ssl-prefix}.ssl.keystore.password+.

+{ssl-prefix}.ssl.keystore.secure_key_password+ (<<secure-settings,Secure>>)::
Password for the private key in the keystore.

+{ssl-prefix}.ssl.truststore.path+::
Path to the truststore file.

+{ssl-prefix}.ssl.truststore.password+::
Password to the truststore.

+{ssl-prefix}.ssl.truststore.secure_password+ (<<secure-settings,Secure>>)::
Password to the truststore.

===== PKCS#12 Files

{es} can be configured to use PKCS#12 container files (`.p12` or `.pfx` files)
that contain the private key, certificate and certificates that should be trusted.

PKCS#12 files are configured in the same way as Java Keystore Files:

+{ssl-prefix}.ssl.keystore.path+::
Path to the PKCS#12 file that holds the private key and certificate.

+{ssl-prefix}.ssl.keystore.type+::
Set this to `PKCS12` to indicate that the keystore is a PKCS#12 file.

+{ssl-prefix}.ssl.keystore.password+::
Password to the PKCS#12 file.

+{ssl-prefix}.ssl.keystore.secure_password+ (<<secure-settings,Secure>>)::
Password to the PKCS#12 file.

+{ssl-prefix}.ssl.keystore.key_password+::
Password for the private key stored in the PKCS#12 file.
Defaults to the same value as +{ssl-prefix}.ssl.keystore.password+.

+{ssl-prefix}.ssl.keystore.secure_key_password+ (<<secure-settings,Secure>>)::
Password for the private key stored in the PKCS#12 file.

+{ssl-prefix}.ssl.truststore.path+::
Path to the PKCS#12 file that holds the certificates to be trusted.

+{ssl-prefix}.ssl.truststore.type+::
Set this to `PKCS12` to indicate that the truststore is a PKCS#12 file.

+{ssl-prefix}.ssl.truststore.password+::
Password to the PKCS#12 file.

+{ssl-prefix}.ssl.truststore.secure_password+ (<<secure-settings,Secure>>)::
Password to the PKCS#12 file.

===== PKCS#11 Tokens

{es} can be configured to use a PKCS#11 token that contains the private key,
certificate and certificates that should be trusted.

PKCS#11 tokens require additional configuration on the JVM level and can be enabled
via the following settings:

+{ssl-prefix}.keystore.type+::
Set this to `PKCS11` to indicate that the PKCS#11 token should be used as a keystore.

+{ssl-prefix}.truststore.type+::
Set this to `PKCS11` to indicate that the PKCS#11 token should be used as a truststore.

[NOTE]
When configuring the PKCS#11 token that your JVM is configured to use as
a keystore or a truststore for Elasticsearch, the PIN for the token can be
configured by setting the appropriate value to `ssl.truststore.password`
or `ssl.truststore.secure_password` in the context that you are configuring.
Since there can only be one PKCS#11 token configured, only one keystore and
truststore will be usable for configuration in {es}. This in turn means
that only one certificate can be used for TLS both in the transport and the
http layer.
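
The following is an added example, not part of the {es} documentation or code base: a small audit of one SSL context that uses the setting names and defaults documented on this page. The prefix `xpack.security.transport` is an assumed value of +{ssl-prefix}+, and the sample settings are constructed.

```python
# Added example: audit one SSL context of flat Elasticsearch-style settings.
LEGACY = {"SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1"}
# Default documented on this page for a JVM that supports TLSv1.3.
DOCUMENTED_DEFAULT = ["TLSv1.3", "TLSv1.2", "TLSv1.1"]
# Plain-text secret setting -> its secure-settings counterpart from this page.
SECURE_VARIANT = {
    "ssl.key_passphrase": "ssl.secure_key_passphrase",
    "ssl.keystore.password": "ssl.keystore.secure_password",
    "ssl.keystore.key_password": "ssl.keystore.secure_key_password",
    "ssl.truststore.password": "ssl.truststore.secure_password",
}

def audit_ssl_settings(settings, prefix, server=True):
    """Return (setting, finding) pairs for the context named by `prefix`."""
    get = lambda name: settings.get(f"{prefix}.{name}")
    findings = []
    if server and str(get("ssl.enabled")).lower() != "true":
        findings.append(("ssl.enabled", "TLS is not enabled (default is false)"))
    configured = get("ssl.supported_protocols")
    protocols = DOCUMENTED_DEFAULT if configured is None else configured
    if isinstance(protocols, str):  # accept "a,b" as well as a list
        protocols = [p.strip() for p in protocols.split(",")]
    legacy = [p for p in protocols if p in LEGACY]
    if legacy:
        origin = "default" if configured is None else "configured"
        findings.append(("ssl.supported_protocols", f"{origin} list allows {', '.join(legacy)}"))
    mode = get("ssl.verification_mode")
    if mode == "none":
        findings.append(("ssl.verification_mode", "peer certificates are not verified"))
    elif mode == "certificate":  # this mode skips the hostname check
        findings.append(("ssl.verification_mode", "hostname is not verified"))
    for plain, secure in SECURE_VARIANT.items():
        if get(plain) is not None:
            findings.append((plain, f"secret stored in plain text; use {secure}"))
    return findings

# Constructed sample input; the prefix is an assumed value of {ssl-prefix}.
PREFIX = "xpack.security.transport"
WEAK = {
    f"{PREFIX}.ssl.enabled": True,
    f"{PREFIX}.ssl.supported_protocols": "TLSv1.2, TLSv1, SSLv3",
    f"{PREFIX}.ssl.verification_mode": "none",
    f"{PREFIX}.ssl.keystore.password": "constructed-password",
}

if __name__ == "__main__":
    for setting, finding in audit_ssl_settings(WEAK, PREFIX):
        print(f"{PREFIX}.{setting}: {finding}")
```

An empty settings map is also reported, because the documented default protocol list still includes `TLSv1.1`.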