diff --git a/docs/en/security/getting-started.asciidoc b/docs/en/security/getting-started.asciidoc index 0a10e910f86..1375008b682 100644 --- a/docs/en/security/getting-started.asciidoc +++ b/docs/en/security/getting-started.asciidoc @@ -98,7 +98,8 @@ IMPORTANT: Once you get these basic security measures in place, we strongly recommend that you secure communications to and from nodes by configuring your cluster to use {xpack-ref}/ssl-tls.html[SSL/TLS encryption]. Nodes that do not have encryption enabled send passwords in plain - text! + text and will not be able to install a non-trial license that enables the use + of {security}. Depending on your security requirements, you might also want to: diff --git a/docs/en/security/securing-communications.asciidoc b/docs/en/security/securing-communications.asciidoc index f28221939d2..18c0f67eb08 100644 --- a/docs/en/security/securing-communications.asciidoc +++ b/docs/en/security/securing-communications.asciidoc @@ -4,8 +4,8 @@ Elasticsearch nodes store data that may be confidential. Attacks on the data may come from the network. These attacks could include sniffing of the data, manipulation of the data, and attempts to gain access to the server and thus the -files storing the data. Securing your nodes with the procedures below helps to -reduce risk from network-based attacks. +files storing the data. Securing your nodes is required in order to use a production +license that enables {security} and helps reduce the risk from network-based attacks. This section shows how to: diff --git a/docs/en/security/securing-communications/separating-node-client-traffic.asciidoc b/docs/en/security/securing-communications/separating-node-client-traffic.asciidoc index 8afb089ce9c..b5e126c1761 100644 --- a/docs/en/security/securing-communications/separating-node-client-traffic.asciidoc +++ b/docs/en/security/securing-communications/separating-node-client-traffic.asciidoc 
@@ -38,19 +38,6 @@ transport.profiles.client.bind_host: 1.1.1.1 <2> If separate networks are not available, then <> can be enabled to limit access to the profiles. -The TCP transport profiles also allow for enabling SSL on a per profile basis. -This is useful if you have a secured network for the node-to-node communication, -but the client is on an unsecured network. To enable SSL on a client profile when -SSL is disabled for node-to-node communication, add the following to -`elasticsearch.yml`: - -[source, yaml] --------------------------------------------------- -transport.profiles.client.xpack.security.ssl.enabled: true <1> --------------------------------------------------- -<1> This enables SSL on the client profile. The default value for this setting - is the value of `xpack.security.transport.ssl.enabled`. - When using SSL for transport, a different set of certificates can also be used for the client traffic by adding the following to `elasticsearch.yml`: diff --git a/docs/en/security/securing-communications/setting-up-ssl.asciidoc b/docs/en/security/securing-communications/setting-up-ssl.asciidoc index adde309bbaf..4c55ada41ca 100644 --- a/docs/en/security/securing-communications/setting-up-ssl.asciidoc +++ b/docs/en/security/securing-communications/setting-up-ssl.asciidoc @@ -6,7 +6,7 @@ cluster. Connections are secured using Transport Layer Security (TLS), which is commonly referred to as "SSL". WARNING: Clusters that do not have encryption enabled send all data in plain text -including passwords. +including passwords and will not be able to install a license that enables {security}. To enable encryption, you need to perform the following steps on each node in the cluster: diff --git a/docs/en/settings/security-settings.asciidoc b/docs/en/settings/security-settings.asciidoc index 8c0102d852d..52f6063bdaa 100644 --- a/docs/en/settings/security-settings.asciidoc +++ b/docs/en/settings/security-settings.asciidoc 
@@ -715,11 +715,11 @@ are also available for each transport profile. By default, the settings for a transport profile will be the same as the default transport unless they are specified. -As an example, lets look at the enabled setting. For the default transport -this is `xpack.security.transport.ssl.enabled`. In order to use this setting in a +As an example, lets look at the key setting. For the default transport +this is `xpack.security.transport.ssl.key`. In order to use this setting in a transport profile, use the prefix `transport.profiles.$PROFILE.xpack.security.` and -append the portion of the setting after `xpack.security.transport.`. For the enabled -setting, this would be `transport.profiles.$PROFILE.xpack.security.ssl.enabled`. +append the portion of the setting after `xpack.security.transport.`. For the key +setting, this would be `transport.profiles.$PROFILE.xpack.security.ssl.key`. [float] [[ip-filtering-settings]]
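Review bot: In docs/en/security/getting-started.asciidoc (hunk `@@ -98,7 +98,8 @@`), the rewritten sentence makes "Nodes" the subject of "will not be able to install a non-trial license", while the setting-up-ssl.asciidoc hunk in this same patch says "Clusters that do not have encryption enabled". Pick one subject and use it in both places. Appending the license restriction to the plain-text password warning also weakens the security point of the IMPORTANT block. Consider keeping "send passwords in plain text" as its own sentence and stating the license requirement in a second one.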
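Review bot: In docs/en/security/securing-communications.asciidoc (hunk `@@ -4,8 +4,8 @@`), the added text "Securing your nodes is required in order to use a production license that enables {security}" does not say which measure is required. The section goes on to list several procedures ("This section shows how to:"), whereas the other hunks in this patch tie the license restriction specifically to encryption being enabled. Name the requirement as SSL/TLS encryption and link to the SSL/TLS setup page, so readers do not conclude that every procedure in the section is mandatory. "production license" here and "non-trial license" in getting-started.asciidoc should also become one term.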
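Review bot: In docs/en/security/securing-communications/separating-node-client-traffic.asciidoc (hunk `@@ -38,19 +38,6 @@`), the removed block documented `transport.profiles.client.xpack.security.ssl.enabled`, and nothing replaces it to tell readers who already have that line in `elasticsearch.yml` what to do with it. Add a sentence stating whether the setting is still accepted and what to configure instead for the case the removed paragraph described (secured node-to-node network, client on an unsecured network). The trailing context line "When using SSL for transport, a different set of certificates can also be used" now follows the IP filtering paragraph directly, so "also" no longer refers to anything and should be dropped.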
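Review bot: In docs/en/security/securing-communications/setting-up-ssl.asciidoc (hunk `@@ -6,7 +6,7 @@`), the added line "will not be able to install a license that enables {security}" has no qualifier, while getting-started.asciidoc in this patch limits the same restriction to "a non-trial license". As written, this WARNING reads as if a trial license is blocked too. Use the same qualifier here so the two pages do not contradict each other.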
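Review bot: In docs/en/settings/security-settings.asciidoc (hunk `@@ -715,11 +715,11 @@`), the example is switched from `enabled` to `key`, but the surrounding text still says the settings "are also available for each transport profile" without naming any exception. If `ssl.enabled` can no longer be set per profile, which the removal in separating-node-client-traffic.asciidoc suggests, state that here explicitly. Otherwise readers will apply the prefix rule in this paragraph and construct `transport.profiles.$PROFILE.xpack.security.ssl.enabled` themselves. Since the line is being rewritten anyway, "lets look" on the first added line should be "let's look".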