OpenSearch/docs/reference/setup/bootstrap-checks-xes.asciidoc

[role="xpack"]
[[bootstrap-checks-xpack]]
== Bootstrap Checks for {xpack}

In addition to the <<bootstrap-checks,{es} bootstrap checks>>, there are
checks that are specific to {xpack} features.

[float]
=== Encrypt sensitive data check
//See EncryptSensitiveDAtaBootstrapCheck.java

If you use {watcher} and have chosen to encrypt sensitive data (by setting
`xpack.watcher.encrypt_sensitive_data` to `true`), you must also place a key in
the secure settings store.

To pass this bootstrap check, you must set the `xpack.watcher.encryption_key`
on each node in the cluster. For more information, see
{xpack-ref}/encrypting-data.html[Encrypting Sensitive Data in {watcher}].

[float]
=== PKI realm check
//See PkiRealmBootstrapCheckTests.java

If you use {security} and a Public Key Infrastructure (PKI) realm, you must
configure Transport Layer Security (TLS) on your cluster and enable client
authentication on the network layers (either transport or http). For more
information, see {xpack-ref}/pki-realm.html[PKI User Authentication] and
{xpack-ref}/ssl-tls.html[Setting Up TLS on a Cluster].

To pass this bootstrap check, if a PKI realm is enabled, you must configure TLS
and enable client authentication on at least one network communication layer.

[float]
=== Role mappings check

If you authenticate users with realms other than `native` or `file` realms, you
must create role mappings. These role mappings define which roles are assigned
to each user.

If you use files to manage the role mappings, you must configure a YAML file
and copy it to each node in the cluster. By default, role mappings are stored in
`ES_PATH_CONF/role_mapping.yml`. Alternatively, you can specify a
different role mapping file for each type of realm and specify its location in
the `elasticsearch.yml` file. For more information, see
{xpack-ref}/mapping-roles.html#mapping-roles-file[Using Role Mapping Files].

To pass this bootstrap check, the role mapping files must exist and must be
valid. The Distinguished Names (DNs) that are listed in the role mappings files
must also be valid.

[float]
[[bootstrap-checks-tls]]
=== SSL/TLS check
//See TLSLicenseBootstrapCheck.java

In 6.0 and later releases, if you have a gold, platinum, or enterprise license
and {security} is enabled, you must configure SSL/TLS for
internode-communication.

NOTE: Single-node clusters that use a loopback interface do not have this
requirement.  For more information, see
{xpack-ref}/encrypting-communications.html[Encrypting Communications].

To pass this bootstrap check, you must
{xpack-ref}/ssl-tls.html[set up SSL/TLS in your cluster].


[float]
=== Token SSL check
//See TokenSSLBootstrapCheckTests.java

If you use {security} and the built-in token service is enabled, you must
configure your cluster to use SSL/TLS for the HTTP interface. HTTPS is required
in order to use the token service.

In particular, if `xpack.security.authc.token.enabled` is
set to `true` in the `elasticsearch.yml` file, you must also set
`xpack.security.http.ssl.enabled` to `true`. For more information about these
settings, see <<security-settings>> and <<modules-http>>.

To pass this bootstrap check, you must enable HTTPS or disable the built-in
token service by using the {security} settings.
[DOCS] Added X-Pack bootstrap checks (elastic/x-pack-elasticsearch#2747) * [DOCS] Added X-Pack bootstrap checks * [DOCS] Added more bootstrap checks * [DOCS] Added link to TLS configuration * [DOCS] Added Encrypt Sensitive Data bootstrap check * [DOCS] Added link to watcher encryption task * [DOCS] Added role mapping bootstrap check * [DOCS] Added PKI realm boostrap check * [DOCS] Added token SSL bootstrap check * [DOCS] Added role mapping bootstrap check * [DOCS] Added bootstrap check file names Original commit: elastic/x-pack-elasticsearch@4f3eb72d9459503a954696d8104a43efe2fecef9 2017-12-07 11:42:02 -05:00			`[role="xpack"]`
			`[[bootstrap-checks-xpack]]`
			`== Bootstrap Checks for {xpack}`

			`In addition to the <<bootstrap-checks,{es} bootstrap checks>>, there are`
			`checks that are specific to {xpack} features.`

			`[float]`
			`=== Encrypt sensitive data check`
			`//See EncryptSensitiveDAtaBootstrapCheck.java`

			`If you use {watcher} and have chosen to encrypt sensitive data (by setting`
			`xpack.watcher.encrypt_sensitive_data` to `true`), you must also place a key in
			`the secure settings store.`

			To pass this bootstrap check, you must set the `xpack.watcher.encryption_key`
			`on each node in the cluster. For more information, see`
			`{xpack-ref}/encrypting-data.html[Encrypting Sensitive Data in {watcher}].`

			`[float]`
			`=== PKI realm check`
			`//See PkiRealmBootstrapCheckTests.java`

			`If you use {security} and a Public Key Infrastructure (PKI) realm, you must`
			`configure Transport Layer Security (TLS) on your cluster and enable client`
			`authentication on the network layers (either transport or http). For more`
			`information, see {xpack-ref}/pki-realm.html[PKI User Authentication] and`
			`{xpack-ref}/ssl-tls.html[Setting Up TLS on a Cluster].`

			`To pass this bootstrap check, if a PKI realm is enabled, you must configure TLS`
			`and enable client authentication on at least one network communication layer.`

			`[float]`
			`=== Role mappings check`

			If you authenticate users with realms other than `native` or `file` realms, you
			`must create role mappings. These role mappings define which roles are assigned`
			`to each user.`

			`If you use files to manage the role mappings, you must configure a YAML file`
			`and copy it to each node in the cluster. By default, role mappings are stored in`
[DOCS] Fix path info for various security files (#30502) 2018-05-14 16:07:27 -04:00			`ES_PATH_CONF/role_mapping.yml`. Alternatively, you can specify a
[DOCS] Added X-Pack bootstrap checks (elastic/x-pack-elasticsearch#2747) * [DOCS] Added X-Pack bootstrap checks * [DOCS] Added more bootstrap checks * [DOCS] Added link to TLS configuration * [DOCS] Added Encrypt Sensitive Data bootstrap check * [DOCS] Added link to watcher encryption task * [DOCS] Added role mapping bootstrap check * [DOCS] Added PKI realm boostrap check * [DOCS] Added token SSL bootstrap check * [DOCS] Added role mapping bootstrap check * [DOCS] Added bootstrap check file names Original commit: elastic/x-pack-elasticsearch@4f3eb72d9459503a954696d8104a43efe2fecef9 2017-12-07 11:42:02 -05:00			`different role mapping file for each type of realm and specify its location in`
			the `elasticsearch.yml` file. For more information, see
			`{xpack-ref}/mapping-roles.html#mapping-roles-file[Using Role Mapping Files].`

			`To pass this bootstrap check, the role mapping files must exist and must be`
			`valid. The Distinguished Names (DNs) that are listed in the role mappings files`
			`must also be valid.`

			`[float]`
[DOCS] Adds TLS warning to rolling upgrades (#35841) 2018-11-28 12:38:58 -05:00			`[[bootstrap-checks-tls]]`
[DOCS] Added X-Pack bootstrap checks (elastic/x-pack-elasticsearch#2747) * [DOCS] Added X-Pack bootstrap checks * [DOCS] Added more bootstrap checks * [DOCS] Added link to TLS configuration * [DOCS] Added Encrypt Sensitive Data bootstrap check * [DOCS] Added link to watcher encryption task * [DOCS] Added role mapping bootstrap check * [DOCS] Added PKI realm boostrap check * [DOCS] Added token SSL bootstrap check * [DOCS] Added role mapping bootstrap check * [DOCS] Added bootstrap check file names Original commit: elastic/x-pack-elasticsearch@4f3eb72d9459503a954696d8104a43efe2fecef9 2017-12-07 11:42:02 -05:00			`=== SSL/TLS check`
			`//See TLSLicenseBootstrapCheck.java`

			`In 6.0 and later releases, if you have a gold, platinum, or enterprise license`
			`and {security} is enabled, you must configure SSL/TLS for`
			`internode-communication.`

			`NOTE: Single-node clusters that use a loopback interface do not have this`
			`requirement. For more information, see`
			`{xpack-ref}/encrypting-communications.html[Encrypting Communications].`

			`To pass this bootstrap check, you must`
			`{xpack-ref}/ssl-tls.html[set up SSL/TLS in your cluster].`


			`[float]`
			`=== Token SSL check`
			`//See TokenSSLBootstrapCheckTests.java`

			`If you use {security} and the built-in token service is enabled, you must`
			`configure your cluster to use SSL/TLS for the HTTP interface. HTTPS is required`
			`in order to use the token service.`

Network: Remove http.enabled setting (#29601) This commit removes the http.enabled setting. While all real nodes (started with bin/elasticsearch) will always have an http binding, there are many tests that rely on the quickness of not actually needing to bind to 2 ports. For this case, the MockHttpTransport.TestPlugin provides a dummy http transport implementation which is used by default in ESIntegTestCase. closes #12792 2018-05-02 14:42:05 -04:00			In particular, if `xpack.security.authc.token.enabled` is
[DOCS] Added X-Pack bootstrap checks (elastic/x-pack-elasticsearch#2747) * [DOCS] Added X-Pack bootstrap checks * [DOCS] Added more bootstrap checks * [DOCS] Added link to TLS configuration * [DOCS] Added Encrypt Sensitive Data bootstrap check * [DOCS] Added link to watcher encryption task * [DOCS] Added role mapping bootstrap check * [DOCS] Added PKI realm boostrap check * [DOCS] Added token SSL bootstrap check * [DOCS] Added role mapping bootstrap check * [DOCS] Added bootstrap check file names Original commit: elastic/x-pack-elasticsearch@4f3eb72d9459503a954696d8104a43efe2fecef9 2017-12-07 11:42:02 -05:00			set to `true` in the `elasticsearch.yml` file, you must also set
			`xpack.security.http.ssl.enabled` to `true`. For more information about these
			`settings, see <<security-settings>> and <<modules-http>>.`

			`To pass this bootstrap check, you must enable HTTPS or disable the built-in`
			`token service by using the {security} settings.`