[DOCS] Add secure versions of SSL passphrases (elastic/x-pack-elasticsearch#2478)

* [DOCS] Add secure versions of SSL passphrases

* [DOCS] Add secure xpack settings

* [DOCS] Clarify type of keystore

* [DOCS] Added secure settings to security page

* [DOCS] Clarify X-Pack secure settings

* [DOCS] Reformat secure X-Pack settings

Original commit: elastic/x-pack-elasticsearch@efe043fb67
This commit is contained in:
Lisa Cawley 2017-10-24 16:38:37 +01:00 committed by GitHub
parent 3a6870f0dc
commit 73e819b0bd
2 changed files with 109 additions and 31 deletions


@ -12,6 +12,11 @@ and perform message authentication,
level security>>, <<realm-settings, configure realms>>, level security>>, <<realm-settings, configure realms>>,
and <<ssl-tls-settings, encrypt communications with SSL>>. and <<ssl-tls-settings, encrypt communications with SSL>>.
All of these settings can be added to the `elasticsearch.yml` configuration file,
with the exception of the secure settings, which you add to the {es} keystore.
For more information about creating and updating the {es} keystore, see
<<secure-settings>>.
[float] [float]
[[general-security-settings]] [[general-security-settings]]
==== General Security Settings ==== General Security Settings
@ -24,6 +29,7 @@ need to disable {security} in those `kibana.yml` files. For more information
about disabling {security} in specific {kib} instances, see about disabling {security} in specific {kib} instances, see
{kibana-ref}/security-settings-kb.html[{kib} Security Settings]. {kibana-ref}/security-settings-kb.html[{kib} Security Settings].
[float] [float]
[[password-security-settings]] [[password-security-settings]]
==== Default Password Security Settings ==== Default Password Security Settings
@ -289,9 +295,12 @@ Defaults to `5s` (5 seconds ).
Path to a PEM encoded file containing the private key. Path to a PEM encoded file containing the private key.
`ssl.key_passphrase`:: `ssl.key_passphrase`::
The passphrase that will be used to decrypt the private key. This value is The passphrase that is used to decrypt the private key. This value is
optional as the key may not be encrypted. optional as the key may not be encrypted.
`ssl.secure_key_passphrase` (<<secure-settings,Secure>>)::
The passphrase that is used to decrypt the private key.
`ssl.certificate`:: `ssl.certificate`::
Path to a PEM encoded file containing the certificate (or certificate chain) Path to a PEM encoded file containing the certificate (or certificate chain)
that will be presented to clients when they connect. that will be presented to clients when they connect.
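Review bot: the new `ssl.secure_key_passphrase` entry drops the qualifier that the neighbouring `ssl.key_passphrase` entry keeps ("This value is optional as the key may not be encrypted"); the later hunks in this patch that add the same setting for LDAP and `xpack.ssl` do carry it, so add it here too for consistency, and consider one sentence saying that the secure setting is the keystore-backed alternative to `ssl.key_passphrase` rather than an additional setting.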
@ -310,20 +319,29 @@ Keystore format, or `PKCS12` to use PKCS#12 files. The default is `jks`.
`ssl.keystore.password`:: `ssl.keystore.password`::
The password to the keystore. The password to the keystore.
`ssl.keystore.secure_password` (<<secure-settings,Secure>>)::
The password to the keystore.
`ssl.keystore.key_password`:: `ssl.keystore.key_password`::
The password for the key in the keystore. Defaults to the keystore password. The password for the key in the keystore. Defaults to the keystore password.
`ssl.keystore.secure_key_password`::
The password for the key in the keystore. Defaults to the keystore password.
`ssl.truststore.path`:: `ssl.truststore.path`::
The path to the Java Keystore file that contains the certificates to trust. The path to the Java Keystore file that contains the certificates to trust.
`ssl.certificate_authorities` and `ssl.truststore.path` may not be used at the same time. `ssl.certificate_authorities` and `ssl.truststore.path` may not be used at the same time.
`ssl.truststore.password`::
The password to the truststore.
`ssl.truststore.secure_password` (<<secure-settings,Secure>>)::
The password to the truststore.
`ssl.truststore.type`:: `ssl.truststore.type`::
The format of the keystore file. Should be either `jks` to use the Java The format of the keystore file. Should be either `jks` to use the Java
Keystore format, or `PKCS12` to use PKCS#12 files. The default is `jks`. Keystore format, or `PKCS12` to use PKCS#12 files. The default is `jks`.
`ssl.truststore.password`::
The password to the truststore.
`ssl.verification_mode`:: `ssl.verification_mode`::
Indicates the type of verification when using `ldaps` to protect against man Indicates the type of verification when using `ldaps` to protect against man
in the middle attacks and certificate forgery. Values are `none`, `certificate`, in the middle attacks and certificate forgery. Values are `none`, `certificate`,
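Review bot: `ssl.keystore.secure_key_password` is missing the `(<<secure-settings,Secure>>)` marker that every other secure setting in this patch carries (compare `ssl.keystore.secure_password` two entries above), so readers will not see that it belongs in the {es} keystore; also, "Defaults to the keystore password" is copied from the non-secure entry, and the doc should state which keystore password the secure variant falls back to.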
@ -478,13 +496,6 @@ The LDAP Server enforced timeout period for an LDAP search.
An `s` at the end indicates seconds, or `ms` indicates milliseconds. An `s` at the end indicates seconds, or `ms` indicates milliseconds.
Defaults to `5s` (5 seconds ). Defaults to `5s` (5 seconds ).
`ssl.key`::
Path to the PEM encoded file containing the private key.
`ssl.key_passphrase`::
The passphrase that will be used to decrypt the private key. This value is
optional as the key may not be encrypted.
`ssl.certificate`:: `ssl.certificate`::
Path to a PEM encoded file containing the certificate (or certificate chain) Path to a PEM encoded file containing the certificate (or certificate chain)
that will be presented to clients when they connect. that will be presented to clients when they connect.
@ -492,6 +503,29 @@ that will be presented to clients when they connect.
`ssl.certificate_authorities`:: `ssl.certificate_authorities`::
List of paths to PEM encoded certificate files that should be trusted. List of paths to PEM encoded certificate files that should be trusted.
`ssl.key`::
Path to the PEM encoded file containing the private key.
`ssl.key_passphrase`::
The passphrase that is used to decrypt the private key. This value is
optional as the key might not be encrypted.
`ssl.secure_key_passphrase` (<<secure-settings,Secure>>)::
The passphrase that is used to decrypt the private key. This value is
optional as the key might not be encrypted.
`ssl.keystore.key_password`::
The password for the key in the keystore. Defaults to the keystore password.
`ssl.keystore.secure_key_password` (<<secure-settings,Secure>>)::
The password for the key in the keystore. Defaults to the keystore password.
`ssl.keystore.password`::
The password to the keystore.
`ssl.secure_keystore.password` (<<secure-settings,Secure>>)::
The password to the keystore.
`ssl.keystore.path`:: `ssl.keystore.path`::
The path to the Java Keystore file that contains a private key and certificate. The path to the Java Keystore file that contains a private key and certificate.
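Review bot: `ssl.secure_keystore.password` looks like a typo; the same setting is spelled `ssl.keystore.secure_password` in the Active Directory hunk above and as `xpack.ssl.keystore.secure_password` later in this patch, and a mis-spelled key name in a settings reference will send users to a setting the node does not recognise.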
@ -499,11 +533,11 @@ The path to the Java Keystore file that contains a private key and certificate.
The format of the keystore file. Should be either `jks` to use the Java The format of the keystore file. Should be either `jks` to use the Java
Keystore format, or `PKCS12` to use PKCS#12 files. The default is `jks`. Keystore format, or `PKCS12` to use PKCS#12 files. The default is `jks`.
`ssl.keystore.password`:: `ssl.truststore.password`::
The password to the keystore. The password to the truststore.
`ssl.keystore.key_password`:: `ssl.truststore.secure_password` (<<secure-settings,Secure>>)::
The password for the key in the keystore. Defaults to the keystore password. The password to the truststore.
`ssl.truststore.path`:: `ssl.truststore.path`::
The path to the Java Keystore file that contains the certificates to trust. The path to the Java Keystore file that contains the certificates to trust.
@ -512,9 +546,6 @@ The path to the Java Keystore file that contains the certificates to trust.
The format of the truststore file. Should be either `jks` to use the Java The format of the truststore file. Should be either `jks` to use the Java
Keystore format, or `PKCS12` to use PKCS#12 files. The default is `jks`. Keystore format, or `PKCS12` to use PKCS#12 files. The default is `jks`.
`ssl.truststore.password`::
The password to the truststore.
`ssl.verification_mode`:: `ssl.verification_mode`::
Indicates the type of verification when using `ldaps` to protect against man Indicates the type of verification when using `ldaps` to protect against man
in the middle attacks and certificate forgery. Values are `none`, `certificate`, in the middle attacks and certificate forgery. Values are `none`, `certificate`,
@ -524,7 +555,7 @@ and `full`. Defaults to the value of `xpack.ssl.verification_mode`.
Supported protocols with versions. Defaults to the value of Supported protocols with versions. Defaults to the value of
`xpack.ssl.supported_protocols`. `xpack.ssl.supported_protocols`.
`ssl.cipher_suites` `ssl.cipher_suites`::
Supported cipher suites can be found in Oracle's http://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html[ Supported cipher suites can be found in Oracle's http://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html[
Java Cryptography Architecture documentation]. Defaults to the value of Java Cryptography Architecture documentation]. Defaults to the value of
`xpack.ssl.cipher_suites`. `xpack.ssl.cipher_suites`.
@ -558,16 +589,19 @@ user's certificate as trusted. Defaults to the trusted certificates configured f
See the {xpack-ref}/pki-realm.html#pki-ssl-config[SSL settings] section of the PKI realm documentation for more information. See the {xpack-ref}/pki-realm.html#pki-ssl-config[SSL settings] section of the PKI realm documentation for more information.
This setting may not be used with `truststore.path`. This setting may not be used with `truststore.path`.
`truststore.path`:: `truststore.algorithm`::
The path of a truststore to use. Defaults to the trusted certificates configured for SSL. Algorithm for the truststore. Defaults to `SunX509`.
See the {xpack-ref}/pki-realm.html#pki-ssl-config[SSL settings] section of the PKI realm documentation for more information.
This setting may not be used with `certificate_authorities`.
`truststore.password`:: `truststore.password`::
The password for the truststore. Must be provided if `truststore.path` is set. The password for the truststore. Must be provided if `truststore.path` is set.
`truststore.algorithm`:: `truststore.secure_password` (<<secure-settings,Secure>>)::
Algorithm for the truststore. Defaults to `SunX509`. The password for the truststore.
`truststore.path`::
The path of a truststore to use. Defaults to the trusted certificates configured for SSL.
See the {xpack-ref}/pki-realm.html#pki-ssl-config[SSL settings] section of the PKI realm documentation for more information.
This setting may not be used with `certificate_authorities`.
`files.role_mapping`:: `files.role_mapping`::
Specifies the {xpack-ref}/security-files.html[location] of the Specifies the {xpack-ref}/security-files.html[location] of the
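Review bot: the non-secure `truststore.password` entry says "Must be provided if `truststore.path` is set" but the new `truststore.secure_password` entry has no such statement, so a reader cannot tell whether the secure form satisfies that requirement; phrase it as one of `truststore.password` or `truststore.secure_password` being required when `truststore.path` is set, on whichever entry keeps the requirement.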
@ -599,7 +633,7 @@ Defaults to `required`.
Controls the verification of certificates. Valid values are `none`, Controls the verification of certificates. Valid values are `none`,
`certificate`, and `full`. Defaults to `full`. `certificate`, and `full`. Defaults to `full`.
`xpack.ssl.cipher_suites` `xpack.ssl.cipher_suites`::
Supported cipher suites can be found in Oracle's http://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html[ Supported cipher suites can be found in Oracle's http://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html[
Java Cryptography Architecture documentation]. Defaults to `TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256`, Java Cryptography Architecture documentation]. Defaults to `TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256`,
`TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256`, `TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA`, `TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA`, `TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256`, `TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA`, `TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA`,
@ -628,8 +662,12 @@ When using PEM encoded files, use the following settings:
Path to the PEM encoded file containing the private key. Path to the PEM encoded file containing the private key.
`xpack.ssl.key_passphrase`:: `xpack.ssl.key_passphrase`::
The passphrase that will be used to decrypt the private key. This value is The passphrase that is used to decrypt the private key. This value is
optional as the key may not be encrypted. optional as the key might not be encrypted.
`xpack.ssl.secure_key_passphrase` ({<<secure-settings,Secure>>)::
The passphrase that is used to decrypt the private key. This value is
optional as the key might not be encrypted.
`xpack.ssl.certificate`:: `xpack.ssl.certificate`::
Path to a PEM encoded file containing the certificate (or certificate chain) Path to a PEM encoded file containing the certificate (or certificate chain)
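Review bot: `xpack.ssl.secure_key_passphrase` has a stray `{` before `<<secure-settings,Secure>>`, which differs from every other secure entry in the patch and will either render the brace literally or break the cross-reference; it should read `(<<secure-settings,Secure>>)::`.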
@ -650,16 +688,25 @@ Path to the keystore that holds the private key and certificate.
`xpack.ssl.keystore.password`:: `xpack.ssl.keystore.password`::
Password to the keystore. Password to the keystore.
`xpack.ssl.keystore.secure_password` (<<secure-settings,Secure>>)::
Password to the keystore.
`xpack.ssl.keystore.key_password`:: `xpack.ssl.keystore.key_password`::
Password for the private key in the keystore. Defaults to the Password for the private key in the keystore. Defaults to the
same value as `xpack.ssl.keystore.password`. same value as `xpack.ssl.keystore.password`.
`xpack.ssl.keystore.secure_key_password` (<<secure-settings,Secure>>)::
Password for the private key in the keystore.
`xpack.ssl.truststore.path`:: `xpack.ssl.truststore.path`::
Path to the truststore file. Path to the truststore file.
`xpack.ssl.truststore.password`:: `xpack.ssl.truststore.password`::
Password to the truststore. Password to the truststore.
`xpack.ssl.truststore.secure_password` (<<secure-settings,Secure>>)::
Password to the truststore.
[float] [float]
===== PKCS#12 Files ===== PKCS#12 Files
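Review bot: `xpack.ssl.keystore.secure_key_password` omits the default that `xpack.ssl.keystore.key_password` documents ("Defaults to the same value as `xpack.ssl.keystore.password`"); state whether the secure variant defaults to `xpack.ssl.keystore.secure_password`, otherwise operators who set only the keystore password in the secure store cannot tell if the key password is covered.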
@ -676,10 +723,16 @@ Set this to `PKCS12`.
`xpack.ssl.keystore.password`:: `xpack.ssl.keystore.password`::
Password to the PKCS#12 file. Password to the PKCS#12 file.
`xpack.ssl.keystore.secure_password` (<<secure-settings,Secure>>)::
Password to the PKCS#12 file.
`xpack.ssl.keystore.key_password`:: `xpack.ssl.keystore.key_password`::
Password for the private key in the PKCS12 file. Password for the private key in the PKCS12 file.
Defaults to the same value as `xpack.ssl.keystore.password`. Defaults to the same value as `xpack.ssl.keystore.password`.
`xpack.ssl.keystore.secure_key_password` (<<secure-settings,Secure>>)::
Password for the private key in the PKCS12 file.
`xpack.ssl.truststore.path`:: `xpack.ssl.truststore.path`::
Path to the truststore file. Path to the truststore file.
@ -689,6 +742,9 @@ Set this to `PKCS12`.
`xpack.ssl.truststore.password`:: `xpack.ssl.truststore.password`::
Password to the truststore. Password to the truststore.
`xpack.ssl.truststore.secure_password` (<<secure-settings,Secure>>)::
Password to the truststore.
[[http-tls-ssl-settings]] [[http-tls-ssl-settings]]
:ssl-prefix: xpack.security.http :ssl-prefix: xpack.security.http
:component: HTTP :component: HTTP


@ -63,8 +63,12 @@ When using PEM encoded files, use the following settings:
Path to a PEM encoded file containing the private key. Path to a PEM encoded file containing the private key.
+{ssl-prefix}.ssl.key_passphrase+:: +{ssl-prefix}.ssl.key_passphrase+::
The passphrase that will be used to decrypt the private key. This value is The passphrase that is used to decrypt the private key. This value is optional
optional as the key may not be encrypted. as the key might not be encrypted.
+{ssl-prefix}.ssl.secure_key_passphrase+ (<<secure-settings,Secure>>)::
The passphrase that is used to decrypt the private key. This value is optional
as the key might not be encrypted.
+{ssl-prefix}.ssl.certificate+:: +{ssl-prefix}.ssl.certificate+::
Path to a PEM encoded file containing the certificate (or certificate chain) Path to a PEM encoded file containing the certificate (or certificate chain)
@ -84,16 +88,25 @@ Path to the keystore that holds the private key and certificate.
+{ssl-prefix}.ssl.keystore.password+:: +{ssl-prefix}.ssl.keystore.password+::
Password to the keystore. Password to the keystore.
+{ssl-prefix}.ssl.keystore.secure_password` (<<secure-settings,Secure>>)::
Password to the keystore.
+{ssl-prefix}.ssl.keystore.key_password+:: +{ssl-prefix}.ssl.keystore.key_password+::
Password for the private key in the keystore. Defaults to the Password for the private key in the keystore. Defaults to the
same value as +{ssl-prefix}.ssl.keystore.password+. same value as +{ssl-prefix}.ssl.keystore.password+.
+{ssl-prefix}.ssl.keystore.secure_key_password+ (<<secure-settings,Secure>>)::
Password for the private key in the keystore.
+{ssl-prefix}.ssl.truststore.path+:: +{ssl-prefix}.ssl.truststore.path+::
Path to the truststore file. Path to the truststore file.
+{ssl-prefix}.ssl.truststore.password+:: +{ssl-prefix}.ssl.truststore.password+::
Password to the truststore. Password to the truststore.
+{ssl-prefix}.ssl.truststore.secure_password+ (<<secure-settings,Secure>>)::
Password to the truststore.
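Review bot: `+{ssl-prefix}.ssl.keystore.secure_password`` mixes delimiters, opening with `+` and closing with a backtick, while every other entry in this file uses `+...+` so that the `{ssl-prefix}` attribute is substituted; close it with `+` or the attribute reference will not render.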
===== PKCS#12 Files ===== PKCS#12 Files
{security} can be configured to use PKCS#12 container files (`.p12` or `.pfx` files) {security} can be configured to use PKCS#12 container files (`.p12` or `.pfx` files)
@ -110,10 +123,16 @@ Set this to `PKCS12` to indicate that the keystore is a PKCS#12 file.
+{ssl-prefix}.ssl.keystore.password+:: +{ssl-prefix}.ssl.keystore.password+::
Password to the PKCS#12 file. Password to the PKCS#12 file.
+{ssl-prefix}.ssl.keystore.secure_password+ (<<secure-settings,Secure>>)::
Password to the PKCS#12 file.
+{ssl-prefix}.ssl.keystore.key_password+:: +{ssl-prefix}.ssl.keystore.key_password+::
Password for the private key stored in the PKCS#12 file. Password for the private key stored in the PKCS#12 file.
Defaults to the same value as +{ssl-prefix}.ssl.keystore.password+. Defaults to the same value as +{ssl-prefix}.ssl.keystore.password+.
+{ssl-prefix}.ssl.keystore.secure_key_password+ (<<secure-settings,Secure>>)::
Password for the private key stored in the PKCS#12 file.
+{ssl-prefix}.ssl.truststore.path+:: +{ssl-prefix}.ssl.truststore.path+::
Path to the PKCS#12 file that holds the certificates to be trusted. Path to the PKCS#12 file that holds the certificates to be trusted.
@ -122,3 +141,6 @@ Set this to `PKCS12` to indicate that the truststore is a PKCS#12 file.
+{ssl-prefix}.ssl.truststore.password+:: +{ssl-prefix}.ssl.truststore.password+::
Password to the PKCS#12 file. Password to the PKCS#12 file.
+{ssl-prefix}.ssl.truststore.secure_password+ (<<secure-settings,Secure>>)::
Password to the PKCS#12 file.