2018-05-01 12:15:13 -04:00
|
|
|
[role="xpack"]
|
|
|
|
[[tls-active-directory]]
|
|
|
|
==== Encrypting communications between {es} and Active Directory
|
|
|
|
|
|
|
|
To protect the user credentials that are sent for authentication, it's highly
|
|
|
|
recommended to encrypt communications between {es} and your Active Directory
|
|
|
|
server. Connecting via SSL/TLS ensures that the identity of the Active Directory
|
|
|
|
server is authenticated before {security} transmits the user credentials and the
|
|
|
|
usernames and passwords are encrypted in transit.
|
|
|
|
|
|
|
|
Clients and nodes that connect via SSL/TLS to the Active Directory server need
|
|
|
|
to have the Active Directory server's certificate or the server's root CA
|
|
|
|
certificate installed in their keystore or truststore.
|
|
|
|
|
|
|
|
. Create the realm configuration for the `xpack.security.authc.realms` namespace
|
|
|
|
in the `elasticsearch.yml` file. See <<configuring-ad-realm>>.
|
|
|
|
|
|
|
|
. Set the `url` attribute in the realm configuration to specify the LDAPS protocol
|
|
|
|
and the secure port number. For example, `url: ldaps://ad.example.com:636`.
|
|
|
|
|
|
|
|
. Configure each node to trust certificates signed by the certificate authority
|
|
|
|
(CA) that signed your Active Directory server certificates.
|
|
|
|
+
|
|
|
|
--
|
|
|
|
The following example demonstrates how to trust a CA certificate (`cacert.pem`),
|
|
|
|
which is located within the configuration directory:
|
|
|
|
|
|
|
|
[source,shell]
|
|
|
|
--------------------------------------------------
|
|
|
|
xpack:
|
|
|
|
security:
|
|
|
|
authc:
|
|
|
|
realms:
|
|
|
|
active_directory:
|
|
|
|
type: active_directory
|
|
|
|
order: 0
|
|
|
|
domain_name: ad.example.com
|
|
|
|
url: ldaps://ad.example.com:636
|
|
|
|
ssl:
|
2018-06-28 11:27:04 -04:00
|
|
|
certificate_authorities: [ "ES_PATH_CONF/cacert.pem" ]
|
2018-05-01 12:15:13 -04:00
|
|
|
--------------------------------------------------
|
|
|
|
|
|
|
|
The CA cert must be a PEM encoded certificate.
|
|
|
|
|
|
|
|
For more information about these settings, see <<ref-ad-settings>>.
|
|
|
|
--
|
|
|
|
|
|
|
|
. Restart {es}.
|
|
|
|
|
|
|
|
NOTE: By default, when you configure {security} to connect to Active Directory
|
|
|
|
using SSL/TLS, {security} attempts to verify the hostname or IP address
|
|
|
|
specified with the `url` attribute in the realm configuration with the
|
|
|
|
values in the certificate. If the values in the certificate and realm
|
|
|
|
configuration do not match, {security} does not allow a connection to the
|
|
|
|
Active Directory server. This is done to protect against man-in-the-middle
|
|
|
|
attacks. If necessary, you can disable this behavior by setting the
|
|
|
|
`ssl.verification_mode` property to `certificate`.
|