2017-12-07 11:42:02 -05:00
|
|
|
[role="xpack"]
|
|
|
|
[[bootstrap-checks-xpack]]
|
|
|
|
== Bootstrap Checks for {xpack}
|
|
|
|
|
|
|
|
In addition to the <<bootstrap-checks,{es} bootstrap checks>>, there are
|
|
|
|
checks that are specific to {xpack} features.
|
|
|
|
|
|
|
|
[float]
|
|
|
|
=== Encrypt sensitive data check
|
|
|
|
//See EncryptSensitiveDAtaBootstrapCheck.java
|
|
|
|
|
|
|
|
If you use {watcher} and have chosen to encrypt sensitive data (by setting
|
|
|
|
`xpack.watcher.encrypt_sensitive_data` to `true`), you must also place a key in
|
|
|
|
the secure settings store.
|
|
|
|
|
|
|
|
To pass this bootstrap check, you must set the `xpack.watcher.encryption_key`
|
2019-09-30 13:18:50 -04:00
|
|
|
on each node in the cluster. For more information, see <<encrypting-data>>.
|
2017-12-07 11:42:02 -05:00
|
|
|
|
|
|
|
[float]
|
|
|
|
=== PKI realm check
|
|
|
|
//See PkiRealmBootstrapCheckTests.java
|
|
|
|
|
2018-12-19 17:53:37 -05:00
|
|
|
If you use {es} {security-features} and a Public Key Infrastructure (PKI) realm,
|
|
|
|
you must configure Transport Layer Security (TLS) on your cluster and enable
|
|
|
|
client authentication on the network layers (either transport or http). For more
|
|
|
|
information, see {stack-ov}/pki-realm.html[PKI user authentication] and
|
|
|
|
{stack-ov}/ssl-tls.html[Setting up TLS on a cluster].
|
2017-12-07 11:42:02 -05:00
|
|
|
|
|
|
|
To pass this bootstrap check, if a PKI realm is enabled, you must configure TLS
|
|
|
|
and enable client authentication on at least one network communication layer.
|
|
|
|
|
|
|
|
[float]
|
|
|
|
=== Role mappings check
|
|
|
|
|
|
|
|
If you authenticate users with realms other than `native` or `file` realms, you
|
|
|
|
must create role mappings. These role mappings define which roles are assigned
|
|
|
|
to each user.
|
|
|
|
|
|
|
|
If you use files to manage the role mappings, you must configure a YAML file
|
|
|
|
and copy it to each node in the cluster. By default, role mappings are stored in
|
2018-05-14 16:07:27 -04:00
|
|
|
`ES_PATH_CONF/role_mapping.yml`. Alternatively, you can specify a
|
2017-12-07 11:42:02 -05:00
|
|
|
different role mapping file for each type of realm and specify its location in
|
|
|
|
the `elasticsearch.yml` file. For more information, see
|
2018-12-19 17:53:37 -05:00
|
|
|
{stack-ov}/mapping-roles.html#mapping-roles-file[Using role mapping files].
|
2017-12-07 11:42:02 -05:00
|
|
|
|
|
|
|
To pass this bootstrap check, the role mapping files must exist and must be
|
|
|
|
valid. The Distinguished Names (DNs) that are listed in the role mappings files
|
|
|
|
must also be valid.
|
|
|
|
|
|
|
|
[float]
|
2018-11-28 12:38:58 -05:00
|
|
|
[[bootstrap-checks-tls]]
|
2017-12-07 11:42:02 -05:00
|
|
|
=== SSL/TLS check
|
|
|
|
//See TLSLicenseBootstrapCheck.java
|
|
|
|
|
2019-05-20 09:06:42 -04:00
|
|
|
If you enable {es} {security-features}, unless you have a trial license, you
|
|
|
|
must configure SSL/TLS for internode-communication.
|
2017-12-07 11:42:02 -05:00
|
|
|
|
|
|
|
NOTE: Single-node clusters that use a loopback interface do not have this
|
|
|
|
requirement. For more information, see
|
2018-12-19 17:53:37 -05:00
|
|
|
{stack-ov}/encrypting-communications.html[Encrypting communications].
|
2017-12-07 11:42:02 -05:00
|
|
|
|
|
|
|
To pass this bootstrap check, you must
|
2018-12-19 17:53:37 -05:00
|
|
|
{stack-ov}/ssl-tls.html[set up SSL/TLS in your cluster].
|
2017-12-07 11:42:02 -05:00
|
|
|
|
|
|
|
|
|
|
|
[float]
|
|
|
|
=== Token SSL check
|
|
|
|
//See TokenSSLBootstrapCheckTests.java
|
|
|
|
|
2018-12-19 17:53:37 -05:00
|
|
|
If you use {es} {security-features} and the built-in token service is enabled,
|
|
|
|
you must configure your cluster to use SSL/TLS for the HTTP interface. HTTPS is
|
|
|
|
required in order to use the token service.
|
2017-12-07 11:42:02 -05:00
|
|
|
|
2018-05-02 14:42:05 -04:00
|
|
|
In particular, if `xpack.security.authc.token.enabled` is
|
2017-12-07 11:42:02 -05:00
|
|
|
set to `true` in the `elasticsearch.yml` file, you must also set
|
|
|
|
`xpack.security.http.ssl.enabled` to `true`. For more information about these
|
|
|
|
settings, see <<security-settings>> and <<modules-http>>.
|
|
|
|
|
|
|
|
To pass this bootstrap check, you must enable HTTPS or disable the built-in
|
2018-12-19 17:53:37 -05:00
|
|
|
token service.
|