[DOCS] Document static/dynamic security settings (#62181) (#62460)

James Rodewig 2020-09-16 09:50:58 -04:00 committed by GitHub
parent 484e74ccaa
commit 61ea9af25b
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 378 additions and 59 deletions


@ -6,8 +6,8 @@ Certain realms store user credentials in memory. To limit exposure
to credential theft and mitigate credential compromise, the cache only stores to credential theft and mitigate credential compromise, the cache only stores
a hashed version of the user credentials in memory. By default, the user cache a hashed version of the user credentials in memory. By default, the user cache
is hashed with a salted `sha-256` hash algorithm. You can use a different is hashed with a salted `sha-256` hash algorithm. You can use a different
hashing algorithm by setting the `cache.hash_algo` realm settings to any of the hashing algorithm by setting the <<static-cluster-setting,static>>
following values: `cache.hash_algo` realm settings to any of the following values:
[[cache-hash-algo]] [[cache-hash-algo]]
.Cache hash algorithms .Cache hash algorithms
@ -43,10 +43,11 @@ following values:
memory dumps and using `ptrace`). memory dumps and using `ptrace`).
|======================= |=======================
Likewise, realms that store passwords hash them using cryptographically strong Likewise, realms that store passwords hash them using cryptographically strong
and password-specific salt values. You can configure the algorithm for password and password-specific salt values. You can configure the algorithm for password
hashing by setting the `xpack.security.authc.password_hashing.algorithm` setting hashing by setting the <<static-cluster-setting,static>>
to one of the following: `xpack.security.authc.password_hashing.algorithm` setting to one of the
following:
[[password-hashing-algorithms]] [[password-hashing-algorithms]]
.Password hashing algorithms .Password hashing algorithms

File diff suppressed because it is too large


@ -3,14 +3,17 @@ You can configure the following TLS/SSL settings.
ifdef::server[] ifdef::server[]
+{ssl-prefix}.ssl.enabled+:: +{ssl-prefix}.ssl.enabled+::
(<<static-cluster-setting,Static>>)
Used to enable or disable TLS/SSL. The default is `false`. Used to enable or disable TLS/SSL. The default is `false`.
endif::server[] endif::server[]
+{ssl-prefix}.ssl.supported_protocols+:: +{ssl-prefix}.ssl.supported_protocols+::
(<<static-cluster-setting,Static>>)
include::{es-repo-dir}/settings/common-defs.asciidoc[tag=ssl-supported-protocols] include::{es-repo-dir}/settings/common-defs.asciidoc[tag=ssl-supported-protocols]
ifdef::server[] ifdef::server[]
+{ssl-prefix}.ssl.client_authentication+:: +{ssl-prefix}.ssl.client_authentication+::
(<<static-cluster-setting,Static>>)
Controls the server's behavior in regard to requesting a certificate Controls the server's behavior in regard to requesting a certificate
from client connections. Valid values are `required`, `optional`, and `none`. from client connections. Valid values are `required`, `optional`, and `none`.
`required` forces a client to present a certificate, while `optional` `required` forces a client to present a certificate, while `optional`
@ -25,11 +28,13 @@ endif::server[]
ifdef::verifies[] ifdef::verifies[]
+{ssl-prefix}.ssl.verification_mode+:: +{ssl-prefix}.ssl.verification_mode+::
(<<static-cluster-setting,Static>>)
Controls the verification of certificates. Controls the verification of certificates.
include::{es-repo-dir}/settings/common-defs.asciidoc[tag=ssl-verification-mode-values] include::{es-repo-dir}/settings/common-defs.asciidoc[tag=ssl-verification-mode-values]
endif::verifies[] endif::verifies[]
+{ssl-prefix}.ssl.cipher_suites+:: +{ssl-prefix}.ssl.cipher_suites+::
(<<static-cluster-setting,Static>>)
include::{es-repo-dir}/settings/common-defs.asciidoc[tag=ssl-cipher-suites-values] include::{es-repo-dir}/settings/common-defs.asciidoc[tag=ssl-cipher-suites-values]
[#{ssl-context}-tls-ssl-key-trusted-certificate-settings] [#{ssl-context}-tls-ssl-key-trusted-certificate-settings]
@ -50,18 +55,23 @@ endif::server[]
When using PEM encoded files, use the following settings: When using PEM encoded files, use the following settings:
+{ssl-prefix}.ssl.key+:: +{ssl-prefix}.ssl.key+::
(<<static-cluster-setting,Static>>)
include::{es-repo-dir}/settings/common-defs.asciidoc[tag=ssl-key-pem] include::{es-repo-dir}/settings/common-defs.asciidoc[tag=ssl-key-pem]
+{ssl-prefix}.ssl.key_passphrase+:: +{ssl-prefix}.ssl.key_passphrase+::
(<<static-cluster-setting,Static>>)
include::{es-repo-dir}/settings/common-defs.asciidoc[tag=ssl-key-passphrase] include::{es-repo-dir}/settings/common-defs.asciidoc[tag=ssl-key-passphrase]
+{ssl-prefix}.ssl.secure_key_passphrase+ (<<secure-settings,Secure>>):: +{ssl-prefix}.ssl.secure_key_passphrase+ (<<secure-settings,Secure>>)::
(<<static-cluster-setting,Static>>)
include::{es-repo-dir}/settings/common-defs.asciidoc[tag=ssl-secure-key-passphrase] include::{es-repo-dir}/settings/common-defs.asciidoc[tag=ssl-secure-key-passphrase]
+{ssl-prefix}.ssl.certificate+:: +{ssl-prefix}.ssl.certificate+::
(<<static-cluster-setting,Static>>)
include::{es-repo-dir}/settings/common-defs.asciidoc[tag=ssl-certificate] include::{es-repo-dir}/settings/common-defs.asciidoc[tag=ssl-certificate]
+{ssl-prefix}.ssl.certificate_authorities+:: +{ssl-prefix}.ssl.certificate_authorities+::
(<<static-cluster-setting,Static>>)
include::{es-repo-dir}/settings/common-defs.asciidoc[tag=ssl-certificate-authorities] include::{es-repo-dir}/settings/common-defs.asciidoc[tag=ssl-certificate-authorities]
===== Java keystore files ===== Java keystore files
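Review bot: The `+{ssl-prefix}.ssl.secure_key_passphrase+` entry ends up labelled twice and inconsistently: the term line keeps `(<<secure-settings,Secure>>)` and a new `(<<static-cluster-setting,Static>>)` line is added beneath it, whereas every other `secure_*` entry in this commit drops the label from the term line and gets only `(<<secure-settings,Secure>>)` on the line below. A secure setting lives in the keystore rather than `elasticsearch.yml`, so the added Static label is misleading; suggest changing the term to `+{ssl-prefix}.ssl.secure_key_passphrase+::` and replacing the added line with `(<<secure-settings,Secure>>)`, matching the keystore and truststore entries.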
@ -70,27 +80,35 @@ When using Java keystore files (JKS), which contain the private key, certificate
and certificates that should be trusted, use the following settings: and certificates that should be trusted, use the following settings:
+{ssl-prefix}.ssl.keystore.path+:: +{ssl-prefix}.ssl.keystore.path+::
(<<static-cluster-setting,Static>>)
include::{es-repo-dir}/settings/common-defs.asciidoc[tag=ssl-keystore-path] include::{es-repo-dir}/settings/common-defs.asciidoc[tag=ssl-keystore-path]
+{ssl-prefix}.ssl.keystore.password+:: +{ssl-prefix}.ssl.keystore.password+::
(<<static-cluster-setting,Static>>)
include::{es-repo-dir}/settings/common-defs.asciidoc[tag=ssl-keystore-password] include::{es-repo-dir}/settings/common-defs.asciidoc[tag=ssl-keystore-password]
+{ssl-prefix}.ssl.keystore.secure_password+ (<<secure-settings,Secure>>):: +{ssl-prefix}.ssl.keystore.secure_password+::
(<<secure-settings,Secure>>)
include::{es-repo-dir}/settings/common-defs.asciidoc[tag=ssl-keystore-secure-password] include::{es-repo-dir}/settings/common-defs.asciidoc[tag=ssl-keystore-secure-password]
+{ssl-prefix}.ssl.keystore.key_password+:: +{ssl-prefix}.ssl.keystore.key_password+::
(<<static-cluster-setting,Static>>)
include::{es-repo-dir}/settings/common-defs.asciidoc[tag=ssl-keystore-key-password] include::{es-repo-dir}/settings/common-defs.asciidoc[tag=ssl-keystore-key-password]
+{ssl-prefix}.ssl.keystore.secure_key_password+ (<<secure-settings,Secure>>):: +{ssl-prefix}.ssl.keystore.secure_key_password+::
(<<secure-settings,Secure>>)
include::{es-repo-dir}/settings/common-defs.asciidoc[tag=ssl-keystore-secure-key-password] include::{es-repo-dir}/settings/common-defs.asciidoc[tag=ssl-keystore-secure-key-password]
+{ssl-prefix}.ssl.truststore.path+:: +{ssl-prefix}.ssl.truststore.path+::
(<<static-cluster-setting,Static>>)
include::{es-repo-dir}/settings/common-defs.asciidoc[tag=ssl-truststore-path] include::{es-repo-dir}/settings/common-defs.asciidoc[tag=ssl-truststore-path]
+{ssl-prefix}.ssl.truststore.password+:: +{ssl-prefix}.ssl.truststore.password+::
(<<static-cluster-setting,Static>>)
include::{es-repo-dir}/settings/common-defs.asciidoc[tag=ssl-truststore-password] include::{es-repo-dir}/settings/common-defs.asciidoc[tag=ssl-truststore-password]
+{ssl-prefix}.ssl.truststore.secure_password+ (<<secure-settings,Secure>>):: +{ssl-prefix}.ssl.truststore.secure_password+::
(<<secure-settings,Secure>>)
include::{es-repo-dir}/settings/common-defs.asciidoc[tag=ssl-truststore-secure-password] include::{es-repo-dir}/settings/common-defs.asciidoc[tag=ssl-truststore-secure-password]
[#{ssl-context}-pkcs12-files] [#{ssl-context}-pkcs12-files]
@ -102,34 +120,44 @@ that contain the private key, certificate and certificates that should be truste
PKCS#12 files are configured in the same way as Java keystore files: PKCS#12 files are configured in the same way as Java keystore files:
+{ssl-prefix}.ssl.keystore.path+:: +{ssl-prefix}.ssl.keystore.path+::
(<<static-cluster-setting,Static>>)
include::{es-repo-dir}/settings/common-defs.asciidoc[tag=ssl-keystore-path] include::{es-repo-dir}/settings/common-defs.asciidoc[tag=ssl-keystore-path]
+{ssl-prefix}.ssl.keystore.type+:: +{ssl-prefix}.ssl.keystore.type+::
(<<static-cluster-setting,Static>>)
include::{es-repo-dir}/settings/common-defs.asciidoc[tag=ssl-keystore-type-pkcs12] include::{es-repo-dir}/settings/common-defs.asciidoc[tag=ssl-keystore-type-pkcs12]
+{ssl-prefix}.ssl.keystore.password+:: +{ssl-prefix}.ssl.keystore.password+::
(<<static-cluster-setting,Static>>)
include::{es-repo-dir}/settings/common-defs.asciidoc[tag=ssl-keystore-password] include::{es-repo-dir}/settings/common-defs.asciidoc[tag=ssl-keystore-password]
+{ssl-prefix}.ssl.keystore.secure_password+ (<<secure-settings,Secure>>):: +{ssl-prefix}.ssl.keystore.secure_password+::
(<<secure-settings,Secure>>)
include::{es-repo-dir}/settings/common-defs.asciidoc[tag=ssl-keystore-secure-password] include::{es-repo-dir}/settings/common-defs.asciidoc[tag=ssl-keystore-secure-password]
+{ssl-prefix}.ssl.keystore.key_password+:: +{ssl-prefix}.ssl.keystore.key_password+::
(<<static-cluster-setting,Static>>)
include::{es-repo-dir}/settings/common-defs.asciidoc[tag=ssl-keystore-key-password] include::{es-repo-dir}/settings/common-defs.asciidoc[tag=ssl-keystore-key-password]
+{ssl-prefix}.ssl.keystore.secure_key_password+ (<<secure-settings,Secure>>):: +{ssl-prefix}.ssl.keystore.secure_key_password+::
(<<secure-settings,Secure>>)
include::{es-repo-dir}/settings/common-defs.asciidoc[tag=ssl-keystore-secure-key-password] include::{es-repo-dir}/settings/common-defs.asciidoc[tag=ssl-keystore-secure-key-password]
+{ssl-prefix}.ssl.truststore.path+:: +{ssl-prefix}.ssl.truststore.path+::
(<<static-cluster-setting,Static>>)
include::{es-repo-dir}/settings/common-defs.asciidoc[tag=ssl-truststore-path] include::{es-repo-dir}/settings/common-defs.asciidoc[tag=ssl-truststore-path]
+{ssl-prefix}.ssl.truststore.type+:: +{ssl-prefix}.ssl.truststore.type+::
(<<static-cluster-setting,Static>>)
Set this to `PKCS12` to indicate that the truststore is a PKCS#12 file. Set this to `PKCS12` to indicate that the truststore is a PKCS#12 file.
//TBD:Should this use the ssl-truststore-type-pkcs11 or ssl-truststore-type definition and default values? //TBD:Should this use the ssl-truststore-type-pkcs11 or ssl-truststore-type definition and default values?
+{ssl-prefix}.ssl.truststore.password+:: +{ssl-prefix}.ssl.truststore.password+::
(<<static-cluster-setting,Static>>)
include::{es-repo-dir}/settings/common-defs.asciidoc[tag=ssl-truststore-password] include::{es-repo-dir}/settings/common-defs.asciidoc[tag=ssl-truststore-password]
+{ssl-prefix}.ssl.truststore.secure_password+ (<<secure-settings,Secure>>):: +{ssl-prefix}.ssl.truststore.secure_password+::
(<<secure-settings,Secure>>)
include::{es-repo-dir}/settings/common-defs.asciidoc[tag=ssl-truststore-secure-password] include::{es-repo-dir}/settings/common-defs.asciidoc[tag=ssl-truststore-secure-password]
[#{ssl-context}-pkcs11-tokens] [#{ssl-context}-pkcs11-tokens]
@ -142,10 +170,12 @@ PKCS#11 token require additional configuration on the JVM level and can be enabl
via the following settings: via the following settings:
+{ssl-prefix}.keystore.type+:: +{ssl-prefix}.keystore.type+::
(<<static-cluster-setting,Static>>)
Set this to `PKCS11` to indicate that the PKCS#11 token should be used as a keystore. Set this to `PKCS11` to indicate that the PKCS#11 token should be used as a keystore.
//TBD: Is the default value `jks`? //TBD: Is the default value `jks`?
+{ssl-prefix}.truststore.type+:: +{ssl-prefix}.truststore.type+::
(<<static-cluster-setting,Static>>)
include::{es-repo-dir}/settings/common-defs.asciidoc[tag=ssl-truststore-type-pkcs11] include::{es-repo-dir}/settings/common-defs.asciidoc[tag=ssl-truststore-type-pkcs11]
[NOTE] [NOTE]
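Review bot: The two terms in this hunk, `+{ssl-prefix}.keystore.type+` and `+{ssl-prefix}.truststore.type+`, are missing the `.ssl.` segment that every other setting in this file uses (compare `+{ssl-prefix}.ssl.keystore.type+` in the PKCS#12 section). That is pre-existing, but since the hunk adds a label line under each term, fixing the names in the same change avoids documenting settings under a name that differs from the rest of the page. The `//TBD: Is the default value `jks`?` comment is also still unresolved here.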