honeymoose
/
OpenSearch
mirror of https://github.com/honeymoose/OpenSearch.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

[DOCS] Migrated settings topics from x-pack repo to x-pack-elasticsearch. 

Original commit: elastic/x-pack-elasticsearch@e56dcf6066
This commit is contained in:
debadair 2017-04-06 17:34:23 -07:00
parent 3986a2a06c
commit 9f505d16d4
7 changed files with 1459 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
docs/en/settings/graph-settings.asciidoc Normal file
View File

@ -0,0 +1,9 @@
[[graph-settings]]
== Graph Settings
You do not need to configure any settings to use {graph}.
[float]
[[general-graph-settings]]
=== General Graph Settings
`xpack.graph.enabled`::
Set to `false` to disable {graph}.

20
docs/en/settings/index.asciidoc Normal file
View File

@ -0,0 +1,20 @@
[[xpack-settings]]
= X-Pack Settings
[partintro]
--
You configure settings for X-Pack features in the `elasticsearch.yml` and `kibana.yml`
configuration files.
* <<security-settings, Security Settings>>
* <<monitoring-settings, Monitoring Settings>>
* <<notification-settings, Watcher Settings>>
* <<reporting-settings, Reporting Settings>>
--
include::security-settings.asciidoc[]
include::monitoring-settings.asciidoc[]
include::graph-settings.asciidoc[]
include::notification-settings.asciidoc[]
include::reporting-settings.asciidoc[]

346
docs/en/settings/monitoring-settings.asciidoc Normal file
View File

@ -0,0 +1,346 @@
[[monitoring-settings]]
== Monitoring Settings
:imagesdir: images/monitoring
You configure <<monitoring-collection-settings, `xpack.monitoring.collection`>>
settings in `elasticsearch.yml` to control how data is collected from your
Elasticsearch nodes. You can adjust how monitoring data is displayed in the
Monitoring UI by configuring <<monitoring-ui-settings, `xpack.monitoring`>>
settings in `kibana.yml`.
For more information, see <<configuring-monitoring, Configuring Monitoring>>.
[float]
[[general-monitoring-settings]]
=== General Monitoring Settings
`xpack.monitoring.enabled`::
Set to `false` to disable {monitoring}.
Configure in both `elasticsearch.yml` and `kibana.yml`.
[float]
[[monitoring-collection-settings]]
=== Monitoring Collection Settings
`xpack.monitoring.collection.cluster.state.timeout`::
Sets the timeout for collecting the cluster state. Defaults to `10m`.
`xpack.monitoring.collection.cluster.stats.timeout`::
Sets the timeout for collecting the cluster statistics. Defaults to `10m`.
`xpack.monitoring.collection.indices`::
Controls which indices Monitoring collects data from. Defaults to all indices. Specify the index names
as a comma-separated list, for example `test1,test2,test3`. Names can include wildcards, for
example `test*`. You can explicitly include or exclude indices by prepending
`+` to include the index, or `-` to exclude the index. For example, to include all indices that
start with `test` except `test3`, you could specify `+test*,-test3`.
+
You can update this setting through the Cluster Update Settings API.
`xpack.monitoring.collection.index.stats.timeout`::
Sets the timeout for collecting index statistics. Defaults to `10m`.
`xpack.monitoring.collection.indices.stats.timeout`::
Sets the timeout for collecting total indices statistics. Defaults to `10m`.
`xpack.monitoring.exporters` ::
Configures where the agent stores monitoring data. By default, the agent uses a local exporter that
indexes monitoring data on the cluster where it is installed. Use an HTTP exporter to send data to
a separate monitoring cluster. For more information, see <<monitoring-cluster, Setting up a Separate
Monitoring Cluster>>.
`xpack.monitoring.collection.index.recovery.active_only`::
Controls whether or not all recoveries are collected. Set to `true` to
collect only active recoveries. Defaults to `false`.
`xpack.monitoring.collection.index.recovery.timeout`::
Sets the timeout for collecting the recovery information. Defaults to `10m`.
`xpack.monitoring.collection.interval`::
Controls how often data samples are collected. Defaults to `10s`. If you
modify the collection interval, set the `xpack.monitoring.min_interval_seconds`
option in `kibana.yml` to the same value. Set to `-1` to temporarily disable
data collection. You can update this setting through the Cluster Update
Settings API.
`xpack.monitoring.history.duration`::
Sets the retention duration beyond which the indices created by a Monitoring exporter will
be automatically deleted. Defaults to `7d` (7 days).
+
This setting has a minimum value of `1d` (1 day) to ensure that something is being monitored,
and it cannot be disabled.
+
IMPORTANT: This setting currently only impacts `local`-type exporters. Indices created using
the `http` exporter will not be deleted automatically.
[float]
[[monitoring-ui-settings]]
=== Monitoring UI Settings
You can set the following `xpack.monitoring` settings in `kibana.yml` to adjust
how the Monitoring UI displays monitoring data. However, the defaults work best
in most circumstances. For more information about configuring Kibana, see
{kibana-ref}/settings.html[Setting Kibana
Server Properties] in the Kibana User Guide.
`xpack.monitoring.elasticsearch.url`::
The location of the Elasticsearch instance(s) where your monitoring data is
stored. By default, this is the same as the `elasticsearch.url`. This setting
enables you to use a single Kibana instance to search and visualize data in
your production cluster as well as monitor data sent to a dedicated monitoring
cluster.
`xpack.monitoring.max_bucket_size`::
The number of term buckets to return out of the overall terms list when
performing terms aggregations to retrieve index and node metrics. For more
information about the `size` parameter, see {ref}/search-aggregations-bucket-terms-aggregation.html#_size[
Terms Aggregation] in the Elasticsearch Reference. Defaults to 10000.
`xpack.monitoring.min_interval_seconds`::
The minimum number of seconds that a time bucket in a chart can represent.
Defaults to 10. If you modify the `xpack.monitoring.collection.interval`
in `elasticsearch.yml`, set this option to the same value.
`xpack.monitoring.node_resolver`::
The node resolver controls how nodes are considered unique. This can be set to either `uuid`,
`transport_address`, or `name`. `uuid` controls uniqueness based on the node's persistent ID.
`transport_address` controls uniqueness based on the node's published
hostname/IP and port. `name` controls uniqueness based on the node's `node.name` setting. Defaults to
`uuid`.
`xpack.monitoring.report_stats`::
Whether or not to send cluster statistics to Elastic. Reporting your cluster statistics
helps us improve your user experience. Your data is never shared with anyone. Set to
`false` to disable statistics reporting from any browser connected to the Kibana instance.
You can also opt-out on a per-browser basis through the Monitoring user interface. Defaults to `true`.
`xpack.monitoring.kibana.collection.enabled`::
Whether or not to enable data collection from the Kibana NodeJS server for
Kibana Dashboards to be featured in the Monitoring UI. Defaults to `true`.
`xpack.monitoring.kibana.collection.interval`::
Number of milliseconds to wait in between data sampling for Kibana's NodeJS
server for the metrics that are displayed in the Kibana dashboards. Defaults to
`10000` (10 seconds).
[float]
[[monitoring-ui-cgroup-settings]]
==== Monitoring UI Container Settings
The Monitoring UI exposes the Cgroup statistics that we collect for you to make better decisions
about your container performance, rather than guessing based on the overall machine performance.
If you are not running your applications in a container, then Cgroup statistics will not be useful.
`xpack.monitoring.ui.container.elasticsearch.enabled`::
For Elasticsearch clusters that are running in containers, this setting changes the Node Listing to
display the CPU Utilization based on the reported Cgroup statistics. This will also add the calculated
Cgroup CPU Utilization to the Node Overview page instead of the overall operating system's CPU
Utilization. Defaults to `false`.
+
image::monitoring-es-cgroup-true.png["Elasticsearch Inside a Container",link="images/monitoring-es-cgroup-true.png"]
[float]
[[local-exporter-settings]]
==== Local Exporter Settings
The `local` exporter is the default exporter used by Monitoring. As the name is
meant to imply, it exports data to the _local_ cluster, which means that there
is not much needed to be configured.
If you do not supply _any_ exporters, then Monitoring will automatically create
one for you. If any exporter is provided, then no default is added.
[source,yaml]
----------------------------------
xpack.monitoring.exporters.my_local:
type: local
----------------------------------
`type`::
The value for a Local exporter must always be `local` and it is required.
`use_ingest`::
Whether to supply a placeholder pipeline to the cluster and a pipeline processor with
every bulk request. The default value is `true`. If disabled, then it means that it will not
use pipelines, which means that a future release cannot automatically upgrade bulk requests
to future-proof them.
[float]
[[http-exporter-settings]]
==== HTTP Exporter Settings
The following lists settings that can be supplied with the `http` exporter.
All settings are shown as what follows the name you select for your exporter:
[source,yaml]
----------------------------------
xpack.monitoring.exporters.my_remote:
type: http
host: ["host:port", ...]
----------------------------------
`type`::
The value for an HTTP exporter must always be `http` and it is required.
`host`::
Host supports multiple formats, both as an array or as a single value. Supported formats include
`hostname`, `hostname:port`, `http://hostname` `http://hostname:port`, `https://hostname`, and
`https://hostname:port`. Hosts cannot be assumed. The default scheme is always `http` and the default
port is always `9200` if not supplied as part of the `host` string.
+
[source,yaml]
----------------------------------
xpack.monitoring.exporters:
example1:
type: http
host: "10.1.2.3"
example2:
type: http
host: ["http://10.1.2.4"]
example3:
type: http
host: ["10.1.2.5", "10.1.2.6"]
example4:
type: http
host: ["https://10.1.2.3:9200"]
----------------------------------
`auth.username`::
The username is required if a `auth.password` is supplied.
`auth.password`::
The password for the `auth.username`.
`connection.timeout`::
The amount of time that the HTTP connection is supposed to wait for a socket to open for the
request. The default value is `6s`.
`connection.read_timeout`::
The amount of time that the HTTP connection is supposed to wait for a socket to
send back a response. The default value is `10 * connection.timeout` (`60s` if neither are set).
`ssl`::
Each HTTP exporter can define its own TLS / SSL settings or inherit them. See the
<<ssl-monitoring-settings, TLS / SSL section below>>.
`proxy.base_path`::
The base path to prefix any outgoing request, such as `/base/path` (e.g., bulk requests would
then be sent as `/base/path/_bulk`). There is no default value.
`headers`::
Optional headers that are added to every request, which can assist with routing requests through
proxies.
+
[source,yaml]
----------------------------------
xpack.monitoring.exporters.my_remote:
headers:
X-My-Array: [abc, def, xyz]
X-My-Header: abc123
----------------------------------
+
Array-based headers are sent `n` times where `n` is the size of the array. `Content-Type`
and `Content-Length` cannot be set. Any headers created by the Monitoring agent will override
anything defined here.
`index.name.time_format`::
A mechanism for changing the default date suffix for the, by default, daily Monitoring indices.
The default value is `YYYY.MM.DD`, which is why the indices are created daily.
`use_ingest`::
Whether to supply a placeholder pipeline to the monitoring cluster and a pipeline processor with
every bulk request. The default value is `true`. If disabled, then it means that it will not
use pipelines, which means that a future release cannot automatically upgrade bulk requests
to future-proof them.
[[ssl-monitoring-settings]]
:ssl-prefix: xpack.monitoring.exporters.$NAME
:component: {monitoring}
:verifies:
:server!:
include::ssl-settings.asciidoc[]
[float]
[[monitoring-logstash-settings]]
=== Monitoring Logstash Settings
You can set the following `xpack.monitoring` settings in `logstash.yml` to control how monitoring data is
collected from your Logstash nodes. However, the defaults work best in most circumstances. For more
information about configuring Logstash, see {logstash-ref}/logstash-settings-file.html[Settings File]
section.
`xpack.monitoring.enabled`::
Set to `false` to disable X-Pack monitoring.
`xpack.monitoring.collection.interval`::
Controls how often data samples are collected and shipped on the Logstash side. Defaults to `10s`.
`xpack.monitoring.elasticsearch.url`::
The Elasticsearch instance(s) that you want to ship your Logstash metrics to.
This might be the same Elasticsearch instance specified in the `outputs`
section in your Logstash configuration, or a different one. This is *not*
the URL of your dedicated monitoring cluster. Even if you are using a dedicated
monitoring cluster, the Logstash metrics must be routed through your production
cluster. You can specify a single host as a string, or specify multiple
hosts as an array. Defaults to `http://localhost:9200`.
`xpack.monitoring.elasticsearch.username` and `xpack.monitoring.elasticsearch.password`::
If your Elasticsearch is protected with basic authentication, these settings provide the username and
password that the Logstash instance uses to authenticate for shipping monitoring data.
`xpack.monitoring.elasticsearch.ssl.ca`::
Optional setting that enables you to specify a path to the `.pem` file for the certificate authority for your Elasticsearch instance.
`xpack.monitoring.elasticsearch.ssl.truststore.path`::
Optional settings that provide the paths to the Java keystore (JKS) to validate the servers certificate.
`xpack.monitoring.elasticsearch.ssl.truststore.password`::
Optional settings that provide the password to the truststore.
`xpack.monitoring.elasticsearch.ssl.keystore.path`::
Optional settings that provide the paths to the Java keystore (JKS) to validate the clients certificate.
`xpack.monitoring.elasticsearch.ssl.keystore.password`::
Optional settings that provide the password to the keystore.

292
docs/en/settings/notification-settings.asciidoc Normal file
View File

@ -0,0 +1,292 @@
[[notification-settings]]
== {watcher} Settings
You configure `xpack.notification` settings in `elasticsearch.yml` to
send set up {watcher} and send notifications via <<email-notification-settings, email>>, <<hipchat-notification-settings, HipChat>>, <<slack-notification-settings,
Slack>>, and <<pagerduty-notification-settings, PagerDuty>>.
[float]
[[general-notification-settings]]
=== General Watcher Settings
`xpack.watcher.enabled`::
Set to `false` to disable {watcher}.
`xpack.http.proxy.host`::
Specifies the address of the proxy server to use to connect to HTTP services.
`xpack.http.proxy.port`::
Specifies the port number to use to connect to the proxy server.
[[ssl-notification-settings]]
:ssl-prefix: xpack.http
:component: {watcher}
:verifies:
:server!:
include::ssl-settings.asciidoc[]
[float]
[[email-notification-settings]]
=== Email Notification Settings
You can configure the following email notification settings in
`elasticsearch.yml`. For more information about sending notifications
via email, see <<configuring-email, Configuring Email>>.
`xpack.notification.email.account`::
Specifies account information for sending notifications via email. You
can specify the following email account attributes:
[[email-account-attributes]]
`profile`;;
The <<email-profile, profile>> to use to build the MIME messages
that are sent from the account. Valid values: `standard`, `gmail` and
`outlook`. Defaults to `standard`.
`email_defaults.*`;;
An optional set of email attributes to use as defaults
for the emails sent from the account. See <<email-action-attributes, Email Action
Attributes>> for the supported attributes.
`smtp.auth`;;
Set to `true` to attempt to authenticate the user using the
AUTH command. Defaults to `false`.
`smtp.host`;;
The SMTP server to connect to. Required.
`smtp.port`;;
The SMTP server port to connect to. Defaults to 25.
`smtp.user`;;
The user name for SMTP. Required.
`smtp.password`;;
The password for the specified SMTP user.
`smtp.starttls.enable`;;
Set to `true` to enable the use of the `STARTTLS`
command (if supported by the server) to switch the connection to a
TLS-protected connection before issuing any login commands. Note that
an appropriate trust store must configured so that the client will
trust the server's certificate. Defaults to `false`.
`smtp.*`;;
SMTP attributes that enable fine control over the SMTP
protocol when sending messages. See
https://javamail.java.net/nonav/docs/api/com/sun/mail/smtp/package-summary.html[com.sun.mail.smtp]
for the full list of SMTP properties you can set. Note that all timeouts
(`writetimeout`, `connection_timeout` and `timeout`) default to 2 minutes.
`xpack.notification.email.html.sanitization.allow`::
Specifies the HTML elements that are allowed in email notifications. For
more information, see <<email-html-sanitization, Configuring HTML
Sanitization Options>>. You can specify individual HTML elements
and the following HTML feature groups:
[[html-feature-groups]]
`_tables`;;
All table related elements: `<table>`, `<th>`, `<tr>`
and `<td>`.
`_blocks`;;
The following block elements: `<p>`, `<div>`, `<h1>`,
`<h2>`, `<h3>`, `<h4>`, `<h5>`, `<h6>`, `<ul>`, `<ol>`,
`<li>`, and `<blockquote>`.
`_formatting`;;
The following inline formatting elements: `<b>`, `<i>`,
`<s>`, `<u>`, `<o>`, `<sup>`, `<sub>`, `<ins>`, `<del>`,
`<strong>`, `<strike>`, `<tt>`, `<code>`, `<big>`,
`<small>`, `<br>`, `<span>`, and `<em>`.
`_links`;;
The `<a>` element with an `href` attribute that points
to a URL using the following protocols: `http`, `https`
and `mailto`.
`_styles`;;
The `style` attribute on all elements. Note that CSS
attributes are also sanitized to prevent XSS attacks.
`img`;;
`img:all`;;
All images (external and embedded).
`img:embedded`;;
Only embedded images. Embedded images can only use the
`cid:` URL protocol in their `src` attribute.
`xpack.notification.email.html.sanitization.disallow`::
Specifies the HTML elements that are NOT allowed in email notifications.
You can specify individual HTML elements and <<html-feature-groups,
HTML feature groups>>.
`xpack.notification.email.html.sanitization.enabled` ::
Set to `false` to completely disable HTML sanitation. Not recommended.
Defaults to `true`.
[float]
[[hipchat-notification-settings]]
=== HipChat Notification Settings
You can configure the following HipChat notification settings in
`elasticsearch.yml`. For more information about sending notifications
via HipChat, see <<configuring-hipchat, Configuring HipChat>>.
`xpack.notification.hipchat` ::
Specifies account information for sending notifications
via HipChat. You can specify the following HipChat account attributes:
[[hipchat-account-attributes]]
`profile`;;
The HipChat account profile to use: `integration`,
`user`, or `v1`. Required.
`auth_token`;;
The authentication token to use to access
the HipChat API. Required.
`host`;;
The HipChat server hostname. Defaults to `api.hipchat.com`.
`port`;;
The HipChat server port number. Defaults to 443.
`room`;;
The room you want to send messages to. Must be specified
if the `profile` is set to `integration`. Not valid for
the `user` or `vi` profiles.
`user`;;
The HipChat user account to use to send messages.
Specified as an email address. Must be specified if the
`profile` is set to `user`. Not valid for the `integration`
or `v1` profiles.
`message.format`;;
The format of the message: `text` or `html`.
Defaults to `html`.
`message.color`;;
The background color of the notification in the room.
Defaults to `yellow`.
`message.notify`;;
Indicates whether people in the room should be
actively notified. Defaults to `false`.
[float]
[[slack-notification-settings]]
=== Slack Notification Settings
You can configure the following Slack notification settings in
`elasticsearch.yml`. For more information about sending notifications
via Slack, see <<configuring-slack, Configuring Slack>>.
`xpack.notification.slack` ::
Specifies account information for sending notifications
via Slack. You can specify the following Slack account attributes:
[[slack-account-attributes]]
`url`;;
The Incoming Webhook URL to use to post
messages to Slack. Required.
`message_defaults.from`;;
The sender name to display in the
Slack message. Defaults to the watch ID.
`message_defaults.to`;;
The default Slack channels or groups you
want to send messages to.
`message_defaults.icon`;;
The icon to display in the Slack messages.
Overrides the incoming webhook's configured
icon. Accepts a public URL to an image.
`message_defaults.text`;;
The default message content.
`message_defaults.attachment`;;
Default message attachments. Slack message attachments
enable you to create more richly-formatted messages.
Specified as an array as defined in the
https://api.slack.com/docs/attachments[
Slack attachments documentation].
[float]
[[jira-notification-settings]]
=== Jira Notification Settings
You can configure the following Jira notification settings in
`elasticsearch.yml`. For more information about using notifications
to create issues in Jira, see <<configuring-jira, Configuring Jira>>.
`xpack.notification.jira` ::
Specifies account information for using notifications to create
issues in Jira. You can specify the following Jira account attributes:
[[jira-account-attributes]]
`url`;;
The URL of the Jira Software server. Required.
`user`;;
The name of the user to connect to the Jira Software server. Required.
`password`;;
The password of the user to connect to the Jira Software server. Required.
`issue_defaults`;;
Default fields values for the issue created in Jira. See
<<jira-action-attributes, Jira Action Attributes>> for more information.
Optional.
[float]
[[pagerduty-notification-settings]]
=== PagerDuty Notification Settings
You can configure the following PagerDuty notification settings in
`elasticsearch.yml`. For more information about sending notifications
via PagerDuty, see <<configuring-pagerduty, Configuring PagerDuty>>.
[[pagerduty-account-attributes]]
`xpack.notification.pagerduty`::
Specifies account information for sending notifications
via PagerDuty. You can specify the following PagerDuty account attributes:
`name`;;
A name for the PagerDuty account associated with the API key you
are using to access PagerDuty. Required.
`service_api_key`;;
The https://developer.pagerduty.com/documentation/rest/authentication[
PagerDuty API key] to use to access PagerDuty. Required.
`event_defaults`;;
Default values for <<pagerduty-event-trigger-incident-attributes,PagerDuty event attributes>>. Optional.
`description`::
A string that contains the default description for PagerDuty events.
If no default is configured, each PagerDuty action must specify a
`description`.
`incident_key`::
A string that contains the default incident key to use when sending
PagerDuty events.
`client`::
A string that specifies the default monitoring client.
`client_url`::
The URL of the default monitoring client.
`event_type`::
The default event type. Valid values: `trigger`,`resolve`, `acknowledge`.
`attach_payload`::
Whether or not to provide the watch payload as context for
the event by default. Valid values: `true`, `false`.

89
docs/en/settings/reporting-settings.asciidoc Normal file
View File

@ -0,0 +1,89 @@
[[reporting-settings]]
== Reporting Settings
You configure `xpack.reporting` settings in `kibana.yml` to
control how {reporting} <<reporting-kibana-server-settings, communicates
with the Kibana server>>, <<reporting-job-queue-settings, manages background
jobs>>, and <<reporting-capture-settings, captures screenshots>>.
[float]
[[general-reporting-settings]]
=== General Reporting Settings
`xpack.reporting.enabled`::
Set to `false` to disable {reporting}.
`xpack.reporting.encryptionKey`::
Set to any text string. By default, Kibana generates a random key when it starts,
which causes any pending reports to fail on restart. Configure this setting to use
the same key across restarts.
[float]
[[reporting-kibana-server-settings]]
=== Kibana Server Settings
Reporting uses the Kibana interface to generate reports. In most cases, you don't need
to configure Reporting to communicate with Kibana, it just works out of the box.
However, if you use a proxy in your stack or otherwise change how you access Kibana, you
might need to configure the following settings.
`xpack.reporting.kibanaApp`::
The root path used to access Kibana, defaults to `/app/kibana`.
`xpack.reporting.kibanaServer.port`::
The port used to access Kibana, if different than the `server.port` value.
`xpack.reporting.kibanaServer.protocol`::
The protocol used to access Kibana, typically `http` or `https`.
`xpack.reporting.kibanaServer.hostname`::
The hostname used to access Kibana, if different than the `server.name` value.
[float]
[[reporting-job-queue-settings]]
=== Background Job Settings
Reporting generates reports in the background and jobs are coordinated using documents
in Elasticsearch. Depending on how often you generate reports and the overall number of
reports, you may need to change some of the following settings.
`xpack.reporting.queue.indexInterval`::
How often the index that stores reporting jobs rolls over to a new index.
Valid values are `year`, `month`, `week`, `day`, and `hour`. Defaults to `week`.
`xpack.reporting.queue.pollInterval`::
How often idle workers poll the index for pending jobs. Defaults to `3000` (3 seconds).
`xpack.reporting.queue.timeout`::
How long each worker has to produce a report. If your machine is slow or under constant
heavy load, you might need to increase this timeout. Specified in milliseconds.
Defaults to `30000` (30 seconds).
[float]
[[reporting-capture-settings]]
=== Capture Settings
Reporting works by capturing screenshots from Kibana. These settings are used to
control various aspects of the capturing process.
`xpack.reporting.capture.concurrency`::
The number of concurrent capture processes to run. Note that jobs are CPU bound,
and exceeding the number of cores available on the machine will likely be very
slow and might cause issues. Defaults to the number of cores on
the machine.
`xpack.reporting.capture.loadDelay`::
When visualizations are not evented, this is the amount of time to before
taking a screenshot. All visualizations that ship with Kibana are evented, so this
setting shouldn't have much effect. If you are seeing empty images instead of
visualizations in your reports, try increasing this value.
Defaults to `3000` (3 seconds).
`xpack.reporting.capture.settleTime`::
When visualizations are evented, this is the amount of time to wait for their rendering
to settle. If visualizations in your PDF are smaller than they should be, try increasing
this value.
Defaults to `1000` (1 second).
`xpack.reporting.capture.timeout`::
The maximum amount of time to wait for things to render in Kibana when capturing
screenshots. Defaults to `6000` (6 seconds).

607
docs/en/settings/security-settings.asciidoc Normal file
View File

@ -0,0 +1,607 @@
[[security-settings]]
== Security Settings
You configure `xpack.security` settings to
<<anonymous-access-settings, enable anonymous access>>
and perform message authentication,
<<field-document-security-settings, set up document and field
level security>>, <<realm-settings, configure realms>>,
and <<ssl-tls-settings, encrypt communications with SSL>>.
[float]
[[general-security-settings]]
=== General Security Settings
`xpack.security.enabled`::
Set to `false` to disable {security}.
Configure in both `elasticsearch.yml` and `kibana.yml`.
[float]
[[password-security-settings]]
=== Default Password Security Settings
`xpack.security.authc.accept_default_password`::
In `elasticsearch.yml`, set this to `false` to disable support for the default "changeme" password.
For more information, see <<disabling-default-password, Disable Default Password Functionality>>.
[float]
[[anonymous-access-settings]]
=== Anonymous Access Settings
You can configure the following anonymous access settings in
`elasticsearch.yml`. For more information, see <<anonymous-access,
Enabling Anonymous Access>>.
`xpack.security.authc.anonymous.username`::
The username (principal) of the anonymous user. Defaults to `_es_anonymous_user`.
`xpack.security.authc.anonymous.roles`::
The roles to associate with the anonymous user. Required.
`xpack.security.authc.anonymous.authz_exception`::
When `true`, an HTTP 403 response is returned if the anonymous user
does not have the appropriate permissions for the requested action. The
user is not prompted to provide credentials to access the requested
resource. When set to `false`, a HTTP 401 is returned and the user
can provide credentials with the appropriate permissions to gain
access. Defaults to `true`.
[float]
[[field-document-security-settings]]
=== Document and Field Level Security Settings
You can set the following document and field level security
settings in `elasticsearch.yml`. For more information, see
<<field-and-document-access-control, Setting Up Document and Field
Level Security>>.
`xpack.security.dls_fls.enabled`::
Set to `false` to prevent document and field level security
from being configured. Defaults to `true`.
[float]
[[realm-settings]]
=== Realm Settings
You configure realm settings in the `xpack.security.authc.realms`
namespace in `elasticsearch.yml`. For example:
[source,yaml]
----------------------------------------
xpack.security.authc.realms:
realm1:
type: native
order: 0
...
realm2:
type: ldap
order: 1
...
realm3:
type: active_directory
order: 2
...
...
----------------------------------------
The valid settings vary depending on the realm type. For more
information, see <<setting-up-authentication, Setting Up Authentication>>.
[float]
==== Settings Valid for All Realms
`type`::
The type of the realm: `native, `ldap`, `active_directory`, `pki`, or `file`. Required.
`order`::
The priority of the realm within the realm chain. Defaults to `Integer.MAX_VALUE`.
`enabled`::
Enable/disable the realm. Defaults to `true`.
[[ref-users-settings]]
[float]
==== File Realm Settings
`cache.ttl`::
The time-to-live for cached user entries--user credentials are cached for
this configured period of time. Defaults to `20m`. Specify values using the
standard Elasticsearch {ref}/common-options.html#time-units[time units].
Defaults to `20m`.
`cache.max_users`::
The maximum number of user entries that can live in the cache at a given time.
Defaults to 100,000.
`cache.hash_algo`::
(Expert Setting) The hashing algorithm that is used for the in-memory cached
user credentials. See the <<cache-hash-algo,Cache hash algorithms>> table f
or all possible values. Defaults to `ssha256`.
[[ref-ldap-settings]]
[float]
==== LDAP Realm Settings
`url`::
An LDAP URL in the format `ldap[s]://<server>:<port>`. Required.
`load_balance.type`::
The behavior to use when there are multiple LDAP URLs defined. For supported
values see <<ldap-load-balancing, LDAP load balancing and failover types>>.
Defaults to `failover`.
`load_balance.cache_ttl`::
When using `dns_failover` or `dns_round_robin` as the load balancing type,
this setting controls the amount of time to cache DNS lookups. Defaults
to `1h`.
`bind_dn`::
The DN of the user that will be used to bind to the LDAP and perform searches.
If this is not specified, an anonymous bind will be attempted.
Defaults to Empty.
`bind_password`::
The password for the user that will be used to bind to the LDAP.
Defaults to Empty.
`user_dn_templates`::
The DN template that replaces the user name with the string `{0}`.
This element is multivalued; you can specify multiple user contexts.
Required to operate in user template mode. Not valid
if `user_search.base_dn` is specified. For more information on
the different modes, see <<ldap-realm, ldap realms>>.
`user_group_attribute`::
Specifies the attribute to examine on the user for group membership.
The default is `memberOf`. This setting will be ignored if any
`group_search` settings are specified. Defaults to `memberOf`.
`user_search.base_dn`::
Specifies a container DN to search for users. Required
to operated in user search mode. Not valid if
`user_dn_templates is specified. For more information on
the different modes, see <<ldap-realm, ldap realms>>.
`user_search.scope`::
The scope of the user search. Valid values are `sub_tree`, `one_level` or
`base`. `one_level` only searches objects directly contained within the
`base_dn`. `sub_tree` searches all objects contained under `base_dn`.
`base` specifies that the `base_dn` is the user object, and that it is
the only user considered. Defaults to `sub_tree`.
`user_search.attribute`::
The attribute to match with the username presented to. Defaults to `uid`.
`user_search.pool.enabled`::
Enables or disables connection pooling for user search. When
disabled a new connection is created for every search. The
default is `true`.
`user_search.pool.size`::
The maximum number of connections to the LDAP server to allow in the
connection pool. Defaults to `20`.
`user_search.pool.initial_size`::
The initial number of connections to create to the LDAP server on startup.
Defaults to `5`.
`user_search.pool.health_check.enabled`::
Flag to enable or disable a health check on LDAP connections in the connection
pool. Connections are checked in the background at the specified interval.
Defaults to `true`.
`user_search.pool.health_check.dn`::
The distinguished name to be retrieved as part of the health check.
Defaults to the value of `bind_dn`. Required if `bind_dn` is not
specified.
`user_search.pool.health_check.interval`::
The interval to perform background checks of connections in the pool.
Defaults to `60s`.
`group_search.base_dn`::
The container DN to search for groups in which the user has membership. When
this element is absent, Security searches for the attribute specified by
`user_group_attribute` set on the user in order to determine group membership.
`group_search.scope`::
Specifies whether the group search should be `sub_tree`, `one_level` or
`base`. `one_level` only searches objects directly contained within the
`base_dn`. `sub_tree` searches all objects contained under `base_dn`.
`base` specifies that the `base_dn` is a group object, and that it is the
only group considered. Defaults to `sub_tree`.
`group_search.filter`::
When not set, the realm searches for `group`, `groupOfNames`, `groupOfUniqueNames`,
or `posixGroup` with the attributes `member`, `memberOf`, or `memberUid`. Any
instance of `{0}` in the filter is replaced by the user attribute defined in
`group_search.user_attribute`.
`group_search.user_attribute`::
Specifies the user attribute that will be fetched and provided as a parameter to
the filter. If not set, the user DN is passed into the filter. Defaults to Empty.
`unmapped_groups_as_roles`::
Takes a boolean variable. When this element is set to `true`, the names of any
unmapped LDAP groups are used as role names and assigned to the user. Defaults
to `false`.
`files.role_mapping`::
The <<security-files-location,location>> for the <<ldap-role-mapping,
YAML role mapping configuration file>>. Defaults to
`CONFIG_DIR/x-pack/role_mapping.yml`.
`follow_referrals`::
Boolean value that specifies whether Securityshould follow referrals returned
by the LDAP server. Referrals are URLs returned by the server that are to be
used to continue the LDAP operation (e.g. search). Defaults to `true`.
`timeout.tcp_connect`::
The TCP connect timeout period for establishing an LDAP connection.
An `s` at the end indicates seconds, or `ms` indicates milliseconds.
Defaults to `5s` (5 seconds ).
`timeout.tcp_read`::
The TCP read timeout period after establishing an LDAP connection.
An `s` at the end indicates seconds, or `ms` indicates milliseconds.
Defaults to `5s` (5 seconds ).
`timeout.ldap_search`::
The LDAP Server enforced timeout period for an LDAP search.
An `s` at the end indicates seconds, or `ms` indicates milliseconds.
Defaults to `5s` (5 seconds ).
`ssl.key`::
Path to a PEM encoded file containing the private key.
`ssl.key_passphrase`::
The passphrase that will be used to decrypt the private key. This value is
optional as the key may not be encrypted.
`ssl.certificate`::
Path to a PEM encoded file containing the certificate (or certificate chain)
that will be presented to clients when they connect.
`ssl.certificate_authorities`::
List of paths to PEM encoded certificate files that should be trusted.
`ssl.keystore.path`::
The path to the Java Keystore file that contains a private key and certificate.
`ssl.key` and `ssl.keystore.path` may not be used at the same time.
`ssl.keystore.password`::
The password to the keystore.
`ssl.keystore.key_password`::
The password for the key in the keystore. Defaults to the keystore password.
`ssl.truststore.path`::
The path to the Java Keystore file that contains the certificates to trust.
`ssl.certificate_authorities` and `ssl.trustsore.path` may not be used at the same time.
`ssl.truststore.password`::
The password to the truststore.
`ssl.verification_mode`::
Indicates the type of verification when using `ldaps` to protect against man
in the middle attacks and certificate forgery. Values are `none`, `certificate`,
and `full`. Defaults to the value of `xpack.ssl.verification_mode`.
`ssl.supported_protocols`::
Supported protocols with versions. Defaults to the value of
`xpack.ssl.supported_protocols`.
`ssl.cipher_suites`
Supported cipher suites can be found in Oracle's http://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html[
Java Cryptography Architecture documentation]. Defaults to the value of
`xpack.ssl.cipher_suites`.
`cache.ttl`::
Specifies the time-to-live for cached user entries (a user and its credentials
are cached for this period of time). Use the standard Elasticsearch
{ref}/common-options.html#time-units[time units]). Defaults to `20m`.
`cache.max_users`::
Specifies the maximum number of user entries that the cache can contain.
Defaults to `100000`.
`cache.hash_algo`::
(Expert Setting) Specifies the hashing algorithm that is used for the
in-memory cached user credentials (see <<cache-hash-algo,Cache hash algorithms>>
table for all possible values). Defaults to `ssha256`.
[[ref-ad-settings]]
[float]
==== Active Directory Realm Settings
`url`::
A URL in the format `ldap[s]://<server>:<port>`. Defaults to `ldap://<domain_name>:389`.
`load_balance.type`::
The behavior to use when there are multiple LDAP URLs defined. For supported
values see <<ad-load-balancing, LDAP load balancing and failover types>>.
Defaults to `failover`.
`load_balance.cache_ttl`::
When using `dns_failover` or `dns_round_robin` as the load balancing type,
this setting controls the amount of time to cache DNS lookups. Defaults
to `1h`.
`domain_name`::
The domain name of Active Directory. The cluster can derive the URL and
`user_search_dn` fields from values in this element if those fields are not
otherwise specified. Required.
`unmapped_groups_as_roles`::
Takes a boolean variable. When this element is set to `true`, the names of
any unmapped groups and the user's relative distinguished name are used as
role names and assigned to the user. Defaults to `false`.
`files.role_mapping`::
The <<security-files-location,location>> for the <<ad-role-mapping, YAML
role mapping configuration file>>. Defaults to `CONFIG_DIR/x-pack/role_mapping.yml`.
`user_search.base_dn`::
The context to search for a user. Defaults to the root
of the Active Directory domain.
`user_search.scope`::
Specifies whether the user search should be `sub_tree`, `one_level` or `base`.
`one_level` only searches users directly contained within the `base_dn`.
`sub_tree` searches all objects contained under `base_dn`. `base`
specifies that the `base_dn` is a user object, and that it is the
only user considered. Defaults to `sub_tree`.
`user_search.filter`::
Specifies a filter to use to lookup a user given a username. The default
filter looks up `user` objects with either `sAMAccountName` or
`userPrincipalName`.
`group_search.base_dn`::
The context to search for groups in which the user has membership. Defaults
to the root of the Active Directory domain.
`group_search.scope`::
Specifies whether the group search should be `sub_tree`, `one_level` or
`base`. `one_level` searches for groups directly contained within the
`base_dn`. `sub_tree` searches all objects contained under `base_dn`.
`base` specifies that the `base_dn` is a group object, and that it is
the only group considered. Defaults to `sub_tree`.
`timeout.tcp_connect`::
The TCP connect timeout period for establishing an LDAP connection.
An `s` at the end indicates seconds, or `ms` indicates milliseconds.
Defaults to `5s` (5 seconds ).
`timeout.tcp_read`::
The TCP read timeout period after establishing an LDAP connection.
An `s` at the end indicates seconds, or `ms` indicates milliseconds.
Defaults to `5s` (5 seconds ).
`timeout.ldap_search`::
The LDAP Server enforced timeout period for an LDAP search.
An `s` at the end indicates seconds, or `ms` indicates milliseconds.
Defaults to `5s` (5 seconds ).
`ssl.key`::
Path to the PEM encoded file containing the private key.
`ssl.key_passphrase`::
The passphrase that will be used to decrypt the private key. This value is
optional as the key may not be encrypted.
`ssl.certificate`::
Path to a PEM encoded file containing the certificate (or certificate chain)
that will be presented to clients when they connect.
`ssl.certificate_authorities`::
List of paths to PEM encoded certificate files that should be trusted.
`ssl.keystore.path`::
The path to the Java Keystore file that contains a private key and certificate.
`ssl.keystore.password`::
The password to the keystore.
`ssl.keystore.key_password`::
The password for the key in the keystore. Defaults to the keystore password.
`ssl.truststore.path`::
The path to the Java Keystore file that contains the certificates to trust.
`ssl.truststore.password`::
The password to the truststore.
`ssl.verification_mode`::
Indicates the type of verification when using `ldaps` to protect against man
in the middle attacks and certificate forgery. Values are `none`, `certificate`,
and `full`. Defaults to the value of `xpack.ssl.verification_mode`.
`ssl.supported_protocols`::
Supported protocols with versions. Defaults to the value of
`xpack.ssl.supported_protocols`.
`ssl.cipher_suites`
Supported cipher suites can be found in Oracle's http://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html[
Java Cryptography Architecture documentation]. Defaults to the value of
`xpack.ssl.cipher_suites`.
`cache.ttl`::
Specifies the time-to-live for cached user entries (user
credentials are cached for this configured period of time). Use the
standard Elasticsearch {ref}/common-options.html#time-units[time units]).
Defaults to `20m`.
`cache.max_users`::
Specifies the maximum number of user entries that the cache can contain.
Defaults to `100000`.
`cache.hash_algo`::
(Expert Setting) Specifies the hashing algorithm that will be used for
the in-memory cached user credentials (see <<cache-hash-algo,Cache hash
algorithms>> table for all possible values). Defaults to `ssha256`.
[[ref-pki-settings]]
[float]
==== PKI Realm Settings
`username_pattern`::
The regular expression pattern used to extract the username from the
certificate DN. The first match group is the used as the username.
Defaults to `CN=(.*?)(?:,\|$)`
`certificate_authorities`::
List of PEM certificate files that should be used to authenticate a
user's certificate as trusted. Defaults to the trusted certificates configured for SSL.
This setting may not be used with `truststore.path`.
`truststore.path`::
The path of a truststore to use. Defaults to the trusted certificates configured for SSL.
This setting may not be used with `certificate_authorities`.
`truststore.password`::
The password for the truststore. Must be provided if `truststore.path` is set.
`truststore.algorithm`::
Algorithm for the trustsore. Defaults to `SunX509`.
`files.role_mapping`::
Specifies the <<security-files-location,location>> for the
<<pki-role-mapping, YAML role mapping configuration file>>.
Defaults to `CONFIG_DIR/x-pack/role_mapping.yml`.
[float]
[[ssl-tls-settings]]
=== Default TLS/SSL Settings
You can configure the following TLS/SSL settings in
`elasticsearch.yml`. For more information, see
<<ssl-tls, Encrypting Communications>>. These settings will be used
for all of {xpack} unless they have been overridden by more specific
settings such as those for HTTP or Transport.
`xpack.ssl.supported_protocols`::
Supported protocols with versions. Valid protocols: `SSLv2Hello`,
`SSLv3`, `TLSv1`, `TLSv1.1`, `TLSv1.2`. Defaults to `TLSv1.2`, `TLSv1.1`,
`TLSv1`.
`xpack.ssl.client_authentication`::
Controls the server's behavior in regard to requesting a certificate
from client connections. Valid values are `required`, `optional`, and `none`.
`required` forces a client to present a certificate, while `optional`
requests a client certificate but the client is not required to present one.
Defaults to `required`.
`xpack.ssl.verification_mode`::
Controls the verification of certificates. Valid values are `none`,
`certificate`, and `full`. Defaults to `full`.
`xpack.ssl.cipher_suites`
Supported cipher suites can be found in Oracle's http://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html[
Java Cryptography Architecture documentation]. Defaults to `TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256`,
`TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256`, `TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA`, `TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA`,
`TLS_RSA_WITH_AES_128_CBC_SHA256`, `TLS_RSA_WITH_AES_128_CBC_SHA`.
[float]
[[tls-ssl-key-settings]]
==== Default TLS/SSL Key and Trusted Certificate Settings
The following settings are used to specify a private key, certificate, and the
trusted certificates that should be used when communicating over an SSL/TLS connection.
If none of the settings below are specified, this will default to the <<ssl-tls-settings, {xpack}
defaults>>. If no trusted certificates are configured, the default certificates that are trusted by the JVM will be
trusted along with the certificate(s) from the <<tls-ssl-key-settings, key settings>>. The key and certificate must be in place
for connections that require client authentication or when acting as a SSL enabled server.
[float]
===== PEM Encoded Files
When using PEM encoded files, use the following settings:
`xpack.ssl.key`::
Path to the PEM encoded file containing the private key.
`xpack.ssl.key_passphrase`::
The passphrase that will be used to decrypt the private key. This value is
optional as the key may not be encrypted.
`xpack.ssl.certificate`::
Path to a PEM encoded file containing the certificate (or certificate chain)
that will be presented to clients when they connect.
`xpack.ssl.certificate_authorities`::
List of paths to the PEM encoded certificate files that should be trusted.
[float]
===== Java Keystore Files
When using Java keystore files (JKS), which contain the private key, certificate
and certificates that should be trusted, use the following settings:
`xpack.ssl.keystore.path`::
Path to the keystore that holds the private key and certificate.
`xpack.ssl.keystore.password`::
Password to the keystore.
`xpack.ssl.keystore.key_password`::
Password for the private key in the keystore. Defaults to the
same value as `xpack.ssl.keystore.password`.
`xpack.ssl.truststore.path`::
Path to the truststore file.
`xpack.ssl.truststore.password`::
Password to the truststore.
[[http-tls-ssl-settings]]
:ssl-prefix: xpack.security.http
:component: HTTP
:client-auth-default: none
:verifies!:
:server:
include::ssl-settings.asciidoc[]
[[transport-tls-ssl-settings]]
:ssl-prefix: xpack.security.transport
:component: Transport
:client-auth-default!:
:verifies:
:server:
include::ssl-settings.asciidoc[]
[[ssl-tls-profile-settings]]
[float]
==== Transport Profile TLS/SSL Settings
The same settings that are available for the <<transport-tls-ssl-settings, default transport>>
are also available for each transport profile. By default, the settings for a
transport profile will be the same as the default transport unless they
are specified.
As an example, lets look at the enabled setting. For the default transport
this is `xpack.security.transport.ssl.enabled`. In order to use this setting in a
transport profile, use the prefix `transport.profiles.$PROFILE.xpack.security.` and
append the portion of the setting after `xpack.security.transport.`. For the enabled
setting, this would be `transport.profiles.$PROFILE.xpack.security.ssl.enabled`.
[float]
[[ip-filtering-settings]]
=== IP Filtering Settings
You can configure the following settings for <<ip-filtering, IP filtering>>.
`xpack.security.transport.filter.allow`::
List of IP addresses to allow.
`xpack.security.transport.filter.deny`::
List of IP addresses to deny.
`xpack.security.http.filter.allow`::
List of IP addresses to allow just for HTTP.
`xpack.security.http.filter.deny`::
List of IP addresses to deny just for HTTP.
`transport.profiles.$PROFILE.xpack.security.filter.allow`::
List of IP addresses to allow for this profile.
`transport.profiles.$PROFILE.xpack.security.filter.deny`::
List of IP addresses to deny for this profile.

96
docs/en/settings/ssl-settings.asciidoc Normal file
View File

@ -0,0 +1,96 @@
[float]
=== {component} TLS/SSL Settings
You can configure the following TLS/SSL settings. If the settings are not configured,
the <<ssl-tls-settings, {xpack} defaults>> will be used.
ifdef::server[]
+{ssl-prefix}.ssl.enabled+::
Used to enable or disable TLS/SSL. The default is `false`.
endif::server[]
+{ssl-prefix}.ssl.supported_protocols+::
Supported protocols with versions. Valid protocols: `SSLv2Hello`,
`SSLv3`, `TLSv1`, `TLSv1.1`, `TLSv1.2`. Defaults to `TLSv1.2`, `TLSv1.1`,
`TLSv1`. Defaults to the value of `xpack.ssl.supported_protocols`.
ifdef::server[]
+{ssl-prefix}.ssl.client_authentication+::
Controls the server's behavior in regard to requesting a certificate
from client connections. Valid values are `required`, `optional`, and `none`.
`required` forces a client to present a certificate, while `optional`
requests a client certificate but the client is not required to present one.
ifndef::client-auth-default[]
Defaults to the value of `xpack.ssl.client_authentication`.
endif::client-auth-default[]
ifdef::client-auth-default[]
Defaults to +{client-auth-default}+.
endif::client-auth-default[]
endif::server[]
ifdef::verifies[]
+{ssl-prefix}.ssl.verification_mode+::
Controls the verification of certificates. Valid values are `none`,
`certificate`, and `full`. Defaults to the value of `xpack.ssl.verification_mode`.
endif::verifies[]
+{ssl-prefix}.ssl.cipher_suites+::
Supported cipher suites can be found in Oracle's http://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html[
Java Cryptography Architecture documentation]. Defaults to the value of
`xpack.ssl.cipher_suites`.
[float]
==== {component} TLS/SSL Key and Trusted Certificate Settings
The following settings are used to specify a private key, certificate, and the
trusted certificates that should be used when communicating over an SSL/TLS connection.
If none of the settings below are specified, this will default to the <<ssl-tls-settings, {xpack}
defaults>>.
ifdef::server[]
A private key and certificate must be configured.
endif::server[]
ifndef::server[]
A private key and certificate are optional and would be used if the server requires client authentication for PKI
authentication.
endif::server[]
If none of the settings below are specified, the <<ssl-tls-settings, {xpack} defaults>> will be used.
[float]
===== PEM Encoded Files
When using PEM encoded files, use the following settings:
+{ssl-prefix}.ssl.key+::
Path to a PEM encoded file containing the private key.
+{ssl-prefix}.ssl.key_passphrase+::
The passphrase that will be used to decrypt the private key. This value is
optional as the key may not be encrypted.
+{ssl-prefix}.ssl.certificate+::
Path to a PEM encoded file containing the certificate (or certificate chain)
that will be presented when requested.
+{ssl-prefix}.ssl.certificate_authorities+::
List of paths to the PEM encoded certificate files that should be trusted.
[float]
===== Java Keystore Files
When using Java keystore files (JKS), which contain the private key, certificate
and certificates that should be trusted, use the following settings:
+{ssl-prefix}.ssl.keystore.path+::
Path to the keystore that holds the private key and certificate.
+{ssl-prefix}.ssl.keystore.password+::
Password to the keystore.
+{ssl-prefix}.ssl.keystore.key_password+::
Password for the private key in the keystore. Defaults to the
same value as +{ssl-prefix}.ssl.keystore.password+.
+{ssl-prefix}.ssl.truststore.path+::
Path to the truststore file.
+{ssl-prefix}.ssl.truststore.password+::
Password to the truststore.