OpenSearch/docs/reference/security/securing-communications/tls-ad.asciidoc

58 lines
2.4 KiB
Plaintext
Raw Normal View History

[role="xpack"]
[[tls-active-directory]]
==== Encrypting communications between {es} and Active Directory
To protect the user credentials that are sent for authentication, it's highly
recommended to encrypt communications between {es} and your Active Directory
server. Connecting via SSL/TLS ensures that the identity of the Active Directory
server is authenticated before {security} transmits the user credentials and the
usernames and passwords are encrypted in transit.
Clients and nodes that connect via SSL/TLS to the Active Directory server need
to have the Active Directory server's certificate or the server's root CA
certificate installed in their keystore or truststore.
. Create the realm configuration for the `xpack.security.authc.realms` namespace
in the `elasticsearch.yml` file. See <<configuring-ad-realm>>.
. Set the `url` attribute in the realm configuration to specify the LDAPS protocol
and the secure port number. For example, `url: ldaps://ad.example.com:636`.
. Configure each node to trust certificates signed by the certificate authority
(CA) that signed your Active Directory server certificates.
+
--
The following example demonstrates how to trust a CA certificate (`cacert.pem`),
which is located within the configuration directory:
[source,shell]
--------------------------------------------------
xpack:
security:
authc:
realms:
active_directory:
type: active_directory
order: 0
domain_name: ad.example.com
url: ldaps://ad.example.com:636
ssl:
certificate_authorities: [ "ES_PATH_CONF/cacert.pem" ]
--------------------------------------------------
The CA cert must be a PEM encoded certificate.
For more information about these settings, see <<ref-ad-settings>>.
--
. Restart {es}.
NOTE: By default, when you configure {security} to connect to Active Directory
using SSL/TLS, {security} attempts to verify the hostname or IP address
specified with the `url` attribute in the realm configuration with the
values in the certificate. If the values in the certificate and realm
configuration do not match, {security} does not allow a connection to the
Active Directory server. This is done to protect against man-in-the-middle
attacks. If necessary, you can disable this behavior by setting the
`ssl.verification_mode` property to `certificate`.