[DOCS] Add secure versions of SSL passphrases (elastic/x-pack-elasticsearch#2478)
* [DOCS] Add secure versions of SSL passphrases
* [DOCS] Add secure xpack settings
* [DOCS] Clarify type of keystore
* [DOCS] Added secure settings to security page
* [DOCS] Clarify X-Pack secure settings
* [DOCS] Reformat secure X-Pack settings

Original commit: elastic/x-pack-elasticsearch@efe043fb67
parent 3a6870f0dc
commit 73e819b0bd
@ -12,6 +12,11 @@ and perform message authentication,
|
||||||
level security>>, <<realm-settings, configure realms>>,
|
level security>>, <<realm-settings, configure realms>>,
|
||||||
and <<ssl-tls-settings, encrypt communications with SSL>>.
|
and <<ssl-tls-settings, encrypt communications with SSL>>.
|
||||||
|
|
||||||
|
All of these settings can be added to the `elasticsearch.yml` configuration file,
|
||||||
|
with the exception of the secure settings, which you add to the {es} keystore.
|
||||||
|
For more information about creating and updating the {es} keystore, see
|
||||||
|
<<secure-settings>>.
|
||||||
|
|
||||||
[float]
|
[float]
|
||||||
[[general-security-settings]]
|
[[general-security-settings]]
|
||||||
==== General Security Settings
|
==== General Security Settings
|
||||||
|
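Review bot: "keystore" is overloaded in the added sentence "with the exception of the secure settings, which you add to the {es} keystore": the same page uses `ssl.keystore.path` for "the Java Keystore file that contains a private key and certificate", which is a different artifact. Suggest making the distinction explicit here, e.g. "which you add to the {es} keystore (the node's secure-settings store, not the Java keystore or PKCS#12 file referenced by `ssl.keystore.path`)", so a reader does not try to add `ssl.keystore.secure_password` to the JKS file.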
@ -24,6 +29,7 @@ need to disable {security} in those `kibana.yml` files. For more information
|
||||||
about disabling {security} in specific {kib} instances, see
|
about disabling {security} in specific {kib} instances, see
|
||||||
{kibana-ref}/security-settings-kb.html[{kib} Security Settings].
|
{kibana-ref}/security-settings-kb.html[{kib} Security Settings].
|
||||||
|
|
||||||
|
|
||||||
[float]
|
[float]
|
||||||
[[password-security-settings]]
|
[[password-security-settings]]
|
||||||
==== Default Password Security Settings
|
==== Default Password Security Settings
|
||||||
|
@ -289,9 +295,12 @@ Defaults to `5s` (5 seconds ).
|
||||||
Path to a PEM encoded file containing the private key.
|
Path to a PEM encoded file containing the private key.
|
||||||
|
|
||||||
`ssl.key_passphrase`::
|
`ssl.key_passphrase`::
|
||||||
The passphrase that will be used to decrypt the private key. This value is
|
The passphrase that is used to decrypt the private key. This value is
|
||||||
optional as the key may not be encrypted.
|
optional as the key may not be encrypted.
|
||||||
|
|
||||||
|
`ssl.secure_key_passphrase` (<<secure-settings,Secure>>)::
|
||||||
|
The passphrase that is used to decrypt the private key.
|
||||||
|
|
||||||
`ssl.certificate`::
|
`ssl.certificate`::
|
||||||
Path to a PEM encoded file containing the certificate (or certificate chain)
|
Path to a PEM encoded file containing the certificate (or certificate chain)
|
||||||
that will be presented to clients when they connect.
|
that will be presented to clients when they connect.
|
||||||
|
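Review bot: the new `ssl.secure_key_passphrase` entry in this hunk drops the sentence "This value is optional as the key may not be encrypted." that the plain `ssl.key_passphrase` entry directly above keeps, while the same secure setting added later in this patch (the `@ -492,6 +503,29 @@` hunk) retains it. Either state that the secure variant is also optional, or keep the two entries word-for-word identical apart from the name and the Secure marker.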
@ -310,20 +319,29 @@ Keystore format, or `PKCS12` to use PKCS#12 files. The default is `jks`.
|
||||||
`ssl.keystore.password`::
|
`ssl.keystore.password`::
|
||||||
The password to the keystore.
|
The password to the keystore.
|
||||||
|
|
||||||
|
`ssl.keystore.secure_password` (<<secure-settings,Secure>>)::
|
||||||
|
The password to the keystore.
|
||||||
|
|
||||||
`ssl.keystore.key_password`::
|
`ssl.keystore.key_password`::
|
||||||
The password for the key in the keystore. Defaults to the keystore password.
|
The password for the key in the keystore. Defaults to the keystore password.
|
||||||
|
|
||||||
|
`ssl.keystore.secure_key_password`::
|
||||||
|
The password for the key in the keystore. Defaults to the keystore password.
|
||||||
|
|
||||||
`ssl.truststore.path`::
|
`ssl.truststore.path`::
|
||||||
The path to the Java Keystore file that contains the certificates to trust.
|
The path to the Java Keystore file that contains the certificates to trust.
|
||||||
`ssl.certificate_authorities` and `ssl.truststore.path` may not be used at the same time.
|
`ssl.certificate_authorities` and `ssl.truststore.path` may not be used at the same time.
|
||||||
|
|
||||||
|
`ssl.truststore.password`::
|
||||||
|
The password to the truststore.
|
||||||
|
|
||||||
|
`ssl.truststore.secure_password` (<<secure-settings,Secure>>)::
|
||||||
|
The password to the truststore.
|
||||||
|
|
||||||
`ssl.truststore.type`::
|
`ssl.truststore.type`::
|
||||||
The format of the keystore file. Should be either `jks` to use the Java
|
The format of the keystore file. Should be either `jks` to use the Java
|
||||||
Keystore format, or `PKCS12` to use PKCS#12 files. The default is `jks`.
|
Keystore format, or `PKCS12` to use PKCS#12 files. The default is `jks`.
|
||||||
|
|
||||||
`ssl.truststore.password`::
|
|
||||||
The password to the truststore.
|
|
||||||
|
|
||||||
`ssl.verification_mode`::
|
`ssl.verification_mode`::
|
||||||
Indicates the type of verification when using `ldaps` to protect against man
|
Indicates the type of verification when using `ldaps` to protect against man
|
||||||
in the middle attacks and certificate forgery. Values are `none`, `certificate`,
|
in the middle attacks and certificate forgery. Values are `none`, `certificate`,
|
||||||
|
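Review bot: `ssl.keystore.secure_key_password`:: is missing the `(<<secure-settings,Secure>>)` marker that every other secure setting in this patch carries, so it will read as an ordinary `elasticsearch.yml` setting. Its description "Defaults to the keystore password." is also now ambiguous, because this hunk introduces two keystore passwords (`ssl.keystore.password` and `ssl.keystore.secure_password`); say which of the two it falls back to.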
@ -478,13 +496,6 @@ The LDAP Server enforced timeout period for an LDAP search.
|
||||||
An `s` at the end indicates seconds, or `ms` indicates milliseconds.
|
An `s` at the end indicates seconds, or `ms` indicates milliseconds.
|
||||||
Defaults to `5s` (5 seconds ).
|
Defaults to `5s` (5 seconds ).
|
||||||
|
|
||||||
`ssl.key`::
|
|
||||||
Path to the PEM encoded file containing the private key.
|
|
||||||
|
|
||||||
`ssl.key_passphrase`::
|
|
||||||
The passphrase that will be used to decrypt the private key. This value is
|
|
||||||
optional as the key may not be encrypted.
|
|
||||||
|
|
||||||
`ssl.certificate`::
|
`ssl.certificate`::
|
||||||
Path to a PEM encoded file containing the certificate (or certificate chain)
|
Path to a PEM encoded file containing the certificate (or certificate chain)
|
||||||
that will be presented to clients when they connect.
|
that will be presented to clients when they connect.
|
||||||
|
@ -492,6 +503,29 @@ that will be presented to clients when they connect.
|
||||||
`ssl.certificate_authorities`::
|
`ssl.certificate_authorities`::
|
||||||
List of paths to PEM encoded certificate files that should be trusted.
|
List of paths to PEM encoded certificate files that should be trusted.
|
||||||
|
|
||||||
|
`ssl.key`::
|
||||||
|
Path to the PEM encoded file containing the private key.
|
||||||
|
|
||||||
|
`ssl.key_passphrase`::
|
||||||
|
The passphrase that is used to decrypt the private key. This value is
|
||||||
|
optional as the key might not be encrypted.
|
||||||
|
|
||||||
|
`ssl.secure_key_passphrase` (<<secure-settings,Secure>>)::
|
||||||
|
The passphrase that is used to decrypt the private key. This value is
|
||||||
|
optional as the key might not be encrypted.
|
||||||
|
|
||||||
|
`ssl.keystore.key_password`::
|
||||||
|
The password for the key in the keystore. Defaults to the keystore password.
|
||||||
|
|
||||||
|
`ssl.keystore.secure_key_password` (<<secure-settings,Secure>>)::
|
||||||
|
The password for the key in the keystore. Defaults to the keystore password.
|
||||||
|
|
||||||
|
`ssl.keystore.password`::
|
||||||
|
The password to the keystore.
|
||||||
|
|
||||||
|
`ssl.secure_keystore.password` (<<secure-settings,Secure>>)::
|
||||||
|
The password to the keystore.
|
||||||
|
|
||||||
`ssl.keystore.path`::
|
`ssl.keystore.path`::
|
||||||
The path to the Java Keystore file that contains a private key and certificate.
|
The path to the Java Keystore file that contains a private key and certificate.
|
||||||
|
|
||||||
|
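Review bot: `ssl.secure_keystore.password` (<<secure-settings,Secure>>):: does not match the name used everywhere else in this patch (`ssl.keystore.secure_password` in the earlier realm section and `xpack.ssl.keystore.secure_password` in the global settings). A reader who copies this key into the {es} keystore will get an unrecognised setting; rename it to `ssl.keystore.secure_password` to match.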
@ -499,11 +533,11 @@ The path to the Java Keystore file that contains a private key and certificate.
|
||||||
The format of the keystore file. Should be either `jks` to use the Java
|
The format of the keystore file. Should be either `jks` to use the Java
|
||||||
Keystore format, or `PKCS12` to use PKCS#12 files. The default is `jks`.
|
Keystore format, or `PKCS12` to use PKCS#12 files. The default is `jks`.
|
||||||
|
|
||||||
`ssl.keystore.password`::
|
`ssl.truststore.password`::
|
||||||
The password to the keystore.
|
The password to the truststore.
|
||||||
|
|
||||||
`ssl.keystore.key_password`::
|
`ssl.truststore.secure_password` (<<secure-settings,Secure>>)::
|
||||||
The password for the key in the keystore. Defaults to the keystore password.
|
The password to the truststore.
|
||||||
|
|
||||||
`ssl.truststore.path`::
|
`ssl.truststore.path`::
|
||||||
The path to the Java Keystore file that contains the certificates to trust.
|
The path to the Java Keystore file that contains the certificates to trust.
|
||||||
|
@ -512,9 +546,6 @@ The path to the Java Keystore file that contains the certificates to trust.
|
||||||
The format of the truststore file. Should be either `jks` to use the Java
|
The format of the truststore file. Should be either `jks` to use the Java
|
||||||
Keystore format, or `PKCS12` to use PKCS#12 files. The default is `jks`.
|
Keystore format, or `PKCS12` to use PKCS#12 files. The default is `jks`.
|
||||||
|
|
||||||
`ssl.truststore.password`::
|
|
||||||
The password to the truststore.
|
|
||||||
|
|
||||||
`ssl.verification_mode`::
|
`ssl.verification_mode`::
|
||||||
Indicates the type of verification when using `ldaps` to protect against man
|
Indicates the type of verification when using `ldaps` to protect against man
|
||||||
in the middle attacks and certificate forgery. Values are `none`, `certificate`,
|
in the middle attacks and certificate forgery. Values are `none`, `certificate`,
|
||||||
|
@ -524,7 +555,7 @@ and `full`. Defaults to the value of `xpack.ssl.verification_mode`.
|
||||||
Supported protocols with versions. Defaults to the value of
|
Supported protocols with versions. Defaults to the value of
|
||||||
`xpack.ssl.supported_protocols`.
|
`xpack.ssl.supported_protocols`.
|
||||||
|
|
||||||
`ssl.cipher_suites`
|
`ssl.cipher_suites`::
|
||||||
Supported cipher suites can be found in Oracle's http://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html[
|
Supported cipher suites can be found in Oracle's http://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html[
|
||||||
Java Cryptography Architecture documentation]. Defaults to the value of
|
Java Cryptography Architecture documentation]. Defaults to the value of
|
||||||
`xpack.ssl.cipher_suites`.
|
`xpack.ssl.cipher_suites`.
|
||||||
|
@ -558,16 +589,19 @@ user's certificate as trusted. Defaults to the trusted certificates configured f
|
||||||
See the {xpack-ref}/pki-realm.html#pki-ssl-config[SSL settings] section of the PKI realm documentation for more information.
|
See the {xpack-ref}/pki-realm.html#pki-ssl-config[SSL settings] section of the PKI realm documentation for more information.
|
||||||
This setting may not be used with `truststore.path`.
|
This setting may not be used with `truststore.path`.
|
||||||
|
|
||||||
`truststore.path`::
|
`truststore.algorithm`::
|
||||||
The path of a truststore to use. Defaults to the trusted certificates configured for SSL.
|
Algorithm for the truststore. Defaults to `SunX509`.
|
||||||
See the {xpack-ref}/pki-realm.html#pki-ssl-config[SSL settings] section of the PKI realm documentation for more information.
|
|
||||||
This setting may not be used with `certificate_authorities`.
|
|
||||||
|
|
||||||
`truststore.password`::
|
`truststore.password`::
|
||||||
The password for the truststore. Must be provided if `truststore.path` is set.
|
The password for the truststore. Must be provided if `truststore.path` is set.
|
||||||
|
|
||||||
`truststore.algorithm`::
|
`truststore.secure_password` (<<secure-settings,Secure>>)::
|
||||||
Algorithm for the truststore. Defaults to `SunX509`.
|
The password for the truststore.
|
||||||
|
|
||||||
|
`truststore.path`::
|
||||||
|
The path of a truststore to use. Defaults to the trusted certificates configured for SSL.
|
||||||
|
See the {xpack-ref}/pki-realm.html#pki-ssl-config[SSL settings] section of the PKI realm documentation for more information.
|
||||||
|
This setting may not be used with `certificate_authorities`.
|
||||||
|
|
||||||
`files.role_mapping`::
|
`files.role_mapping`::
|
||||||
Specifies the {xpack-ref}/security-files.html[location] of the
|
Specifies the {xpack-ref}/security-files.html[location] of the
|
||||||
|
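Review bot: `truststore.password`:: still says "Must be provided if `truststore.path` is set.", but the `truststore.secure_password` entry added in this hunk is an alternative way to supply that password, so the condition is no longer accurate as written. Suggest "One of `truststore.password` or `truststore.secure_password` must be provided if `truststore.path` is set." and mirroring the same condition on the secure entry, which currently gives no hint that it is required at all.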
@ -599,7 +633,7 @@ Defaults to `required`.
|
||||||
Controls the verification of certificates. Valid values are `none`,
|
Controls the verification of certificates. Valid values are `none`,
|
||||||
`certificate`, and `full`. Defaults to `full`.
|
`certificate`, and `full`. Defaults to `full`.
|
||||||
|
|
||||||
`xpack.ssl.cipher_suites`
|
`xpack.ssl.cipher_suites`::
|
||||||
Supported cipher suites can be found in Oracle's http://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html[
|
Supported cipher suites can be found in Oracle's http://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html[
|
||||||
Java Cryptography Architecture documentation]. Defaults to `TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256`,
|
Java Cryptography Architecture documentation]. Defaults to `TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256`,
|
||||||
`TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256`, `TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA`, `TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA`,
|
`TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256`, `TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA`, `TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA`,
|
||||||
|
@ -628,8 +662,12 @@ When using PEM encoded files, use the following settings:
|
||||||
Path to the PEM encoded file containing the private key.
|
Path to the PEM encoded file containing the private key.
|
||||||
|
|
||||||
`xpack.ssl.key_passphrase`::
|
`xpack.ssl.key_passphrase`::
|
||||||
The passphrase that will be used to decrypt the private key. This value is
|
The passphrase that is used to decrypt the private key. This value is
|
||||||
optional as the key may not be encrypted.
|
optional as the key might not be encrypted.
|
||||||
|
|
||||||
|
`xpack.ssl.secure_key_passphrase` ({<<secure-settings,Secure>>)::
|
||||||
|
The passphrase that is used to decrypt the private key. This value is
|
||||||
|
optional as the key might not be encrypted.
|
||||||
|
|
||||||
`xpack.ssl.certificate`::
|
`xpack.ssl.certificate`::
|
||||||
Path to a PEM encoded file containing the certificate (or certificate chain)
|
Path to a PEM encoded file containing the certificate (or certificate chain)
|
||||||
|
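Review bot: stray `{` in `xpack.ssl.secure_key_passphrase` ({<<secure-settings,Secure>>):: will render literally or break the cross-reference in AsciiDoc; every other entry in this patch uses `(<<secure-settings,Secure>>)::`. Drop the brace.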
@ -650,16 +688,25 @@ Path to the keystore that holds the private key and certificate.
|
||||||
`xpack.ssl.keystore.password`::
|
`xpack.ssl.keystore.password`::
|
||||||
Password to the keystore.
|
Password to the keystore.
|
||||||
|
|
||||||
|
`xpack.ssl.keystore.secure_password` (<<secure-settings,Secure>>)::
|
||||||
|
Password to the keystore.
|
||||||
|
|
||||||
`xpack.ssl.keystore.key_password`::
|
`xpack.ssl.keystore.key_password`::
|
||||||
Password for the private key in the keystore. Defaults to the
|
Password for the private key in the keystore. Defaults to the
|
||||||
same value as `xpack.ssl.keystore.password`.
|
same value as `xpack.ssl.keystore.password`.
|
||||||
|
|
||||||
|
`xpack.ssl.keystore.secure_key_password` (<<secure-settings,Secure>>)::
|
||||||
|
Password for the private key in the keystore.
|
||||||
|
|
||||||
`xpack.ssl.truststore.path`::
|
`xpack.ssl.truststore.path`::
|
||||||
Path to the truststore file.
|
Path to the truststore file.
|
||||||
|
|
||||||
`xpack.ssl.truststore.password`::
|
`xpack.ssl.truststore.password`::
|
||||||
Password to the truststore.
|
Password to the truststore.
|
||||||
|
|
||||||
|
`xpack.ssl.truststore.secure_password` (<<secure-settings,Secure>>)::
|
||||||
|
Password to the truststore.
|
||||||
|
|
||||||
[float]
|
[float]
|
||||||
===== PKCS#12 Files
|
===== PKCS#12 Files
|
||||||
|
|
||||||
|
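Review bot: `xpack.ssl.keystore.secure_key_password` documents no default, while `xpack.ssl.keystore.key_password` two entries above says it "Defaults to the same value as `xpack.ssl.keystore.password`." State whether the secure form falls back to `xpack.ssl.keystore.secure_password` or must be set explicitly; an operator who adds only the secure keystore password to the {es} keystore needs to know whether the private key can still be opened.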
@ -676,10 +723,16 @@ Set this to `PKCS12`.
|
||||||
`xpack.ssl.keystore.password`::
|
`xpack.ssl.keystore.password`::
|
||||||
Password to the PKCS#12 file.
|
Password to the PKCS#12 file.
|
||||||
|
|
||||||
|
`xpack.ssl.keystore.secure_password` (<<secure-settings,Secure>>)::
|
||||||
|
Password to the PKCS#12 file.
|
||||||
|
|
||||||
`xpack.ssl.keystore.key_password`::
|
`xpack.ssl.keystore.key_password`::
|
||||||
Password for the private key in the PKCS12 file.
|
Password for the private key in the PKCS12 file.
|
||||||
Defaults to the same value as `xpack.ssl.keystore.password`.
|
Defaults to the same value as `xpack.ssl.keystore.password`.
|
||||||
|
|
||||||
|
`xpack.ssl.keystore.secure_key_password` (<<secure-settings,Secure>>)::
|
||||||
|
Password for the private key in the PKCS12 file.
|
||||||
|
|
||||||
`xpack.ssl.truststore.path`::
|
`xpack.ssl.truststore.path`::
|
||||||
Path to the truststore file.
|
Path to the truststore file.
|
||||||
|
|
||||||
|
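Review bot: inconsistent spelling within this hunk: the `keystore.password` and `keystore.secure_password` entries say "PKCS#12 file" while both `key_password` entries say "PKCS12 file". Pick one; the section heading uses "PKCS#12".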
@ -689,6 +742,9 @@ Set this to `PKCS12`.
|
||||||
`xpack.ssl.truststore.password`::
|
`xpack.ssl.truststore.password`::
|
||||||
Password to the truststore.
|
Password to the truststore.
|
||||||
|
|
||||||
|
`xpack.ssl.truststore.secure_password` (<<secure-settings,Secure>>)::
|
||||||
|
Password to the truststore.
|
||||||
|
|
||||||
[[http-tls-ssl-settings]]
|
[[http-tls-ssl-settings]]
|
||||||
:ssl-prefix: xpack.security.http
|
:ssl-prefix: xpack.security.http
|
||||||
:component: HTTP
|
:component: HTTP
|
||||||
|
|
|
@ -63,8 +63,12 @@ When using PEM encoded files, use the following settings:
|
||||||
Path to a PEM encoded file containing the private key.
|
Path to a PEM encoded file containing the private key.
|
||||||
|
|
||||||
+{ssl-prefix}.ssl.key_passphrase+::
|
+{ssl-prefix}.ssl.key_passphrase+::
|
||||||
The passphrase that will be used to decrypt the private key. This value is
|
The passphrase that is used to decrypt the private key. This value is optional
|
||||||
optional as the key may not be encrypted.
|
as the key might not be encrypted.
|
||||||
|
|
||||||
|
+{ssl-prefix}.ssl.secure_key_passphrase+ (<<secure-settings,Secure>>)::
|
||||||
|
The passphrase that is used to decrypt the private key. This value is optional
|
||||||
|
as the key might not be encrypted.
|
||||||
|
|
||||||
+{ssl-prefix}.ssl.certificate+::
|
+{ssl-prefix}.ssl.certificate+::
|
||||||
Path to a PEM encoded file containing the certificate (or certificate chain)
|
Path to a PEM encoded file containing the certificate (or certificate chain)
|
||||||
|
@ -84,16 +88,25 @@ Path to the keystore that holds the private key and certificate.
|
||||||
+{ssl-prefix}.ssl.keystore.password+::
|
+{ssl-prefix}.ssl.keystore.password+::
|
||||||
Password to the keystore.
|
Password to the keystore.
|
||||||
|
|
||||||
|
+{ssl-prefix}.ssl.keystore.secure_password` (<<secure-settings,Secure>>)::
|
||||||
|
Password to the keystore.
|
||||||
|
|
||||||
+{ssl-prefix}.ssl.keystore.key_password+::
|
+{ssl-prefix}.ssl.keystore.key_password+::
|
||||||
Password for the private key in the keystore. Defaults to the
|
Password for the private key in the keystore. Defaults to the
|
||||||
same value as +{ssl-prefix}.ssl.keystore.password+.
|
same value as +{ssl-prefix}.ssl.keystore.password+.
|
||||||
|
|
||||||
|
+{ssl-prefix}.ssl.keystore.secure_key_password+ (<<secure-settings,Secure>>)::
|
||||||
|
Password for the private key in the keystore.
|
||||||
|
|
||||||
+{ssl-prefix}.ssl.truststore.path+::
|
+{ssl-prefix}.ssl.truststore.path+::
|
||||||
Path to the truststore file.
|
Path to the truststore file.
|
||||||
|
|
||||||
+{ssl-prefix}.ssl.truststore.password+::
|
+{ssl-prefix}.ssl.truststore.password+::
|
||||||
Password to the truststore.
|
Password to the truststore.
|
||||||
|
|
||||||
|
+{ssl-prefix}.ssl.truststore.secure_password+ (<<secure-settings,Secure>>)::
|
||||||
|
Password to the truststore.
|
||||||
|
|
||||||
===== PKCS#12 Files
|
===== PKCS#12 Files
|
||||||
|
|
||||||
{security} can be configured to use PKCS#12 container files (`.p12` or `.pfx` files)
|
{security} can be configured to use PKCS#12 container files (`.p12` or `.pfx` files)
|
||||||
|
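Review bot: mismatched delimiters in +{ssl-prefix}.ssl.keystore.secure_password` (<<secure-settings,Secure>>):: ; the name opens with `+` and closes with a backtick, so the `{ssl-prefix}` attribute will not be substituted and the setting name will render with a literal `+{ssl-prefix}`. It should be `+{ssl-prefix}.ssl.keystore.secure_password+` like the `secure_key_password` and `truststore.secure_password` entries below.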
@ -110,10 +123,16 @@ Set this to `PKCS12` to indicate that the keystore is a PKCS#12 file.
|
||||||
+{ssl-prefix}.ssl.keystore.password+::
|
+{ssl-prefix}.ssl.keystore.password+::
|
||||||
Password to the PKCS#12 file.
|
Password to the PKCS#12 file.
|
||||||
|
|
||||||
|
+{ssl-prefix}.ssl.keystore.secure_password+ (<<secure-settings,Secure>>)::
|
||||||
|
Password to the PKCS#12 file.
|
||||||
|
|
||||||
+{ssl-prefix}.ssl.keystore.key_password+::
|
+{ssl-prefix}.ssl.keystore.key_password+::
|
||||||
Password for the private key stored in the PKCS#12 file.
|
Password for the private key stored in the PKCS#12 file.
|
||||||
Defaults to the same value as +{ssl-prefix}.ssl.keystore.password+.
|
Defaults to the same value as +{ssl-prefix}.ssl.keystore.password+.
|
||||||
|
|
||||||
|
+{ssl-prefix}.ssl.keystore.secure_key_password+ (<<secure-settings,Secure>>)::
|
||||||
|
Password for the private key stored in the PKCS#12 file.
|
||||||
|
|
||||||
+{ssl-prefix}.ssl.truststore.path+::
|
+{ssl-prefix}.ssl.truststore.path+::
|
||||||
Path to the PKCS#12 file that holds the certificates to be trusted.
|
Path to the PKCS#12 file that holds the certificates to be trusted.
|
||||||
|
|
||||||
|
@ -122,3 +141,6 @@ Set this to `PKCS12` to indicate that the truststore is a PKCS#12 file.
|
||||||
|
|
||||||
+{ssl-prefix}.ssl.truststore.password+::
|
+{ssl-prefix}.ssl.truststore.password+::
|
||||||
Password to the PKCS#12 file.
|
Password to the PKCS#12 file.
|
||||||
|
|
||||||
|
+{ssl-prefix}.ssl.truststore.secure_password+ (<<secure-settings,Secure>>)::
|
||||||
|
Password to the PKCS#12 file.
|
||||||
|
|