[DOCS] Added X-Pack bootstrap checks (elastic/x-pack-elasticsearch#2747)
* [DOCS] Added X-Pack bootstrap checks * [DOCS] Added more bootstrap checks * [DOCS] Added link to TLS configuration * [DOCS] Added Encrypt Sensitive Data bootstrap check * [DOCS] Added link to watcher encryption task * [DOCS] Added role mapping bootstrap check * [DOCS] Added PKI realm boostrap check * [DOCS] Added token SSL bootstrap check * [DOCS] Added role mapping bootstrap check * [DOCS] Added bootstrap check file names Original commit: elastic/x-pack-elasticsearch@4f3eb72d94
This commit is contained in:
parent
eaf67f8bc2
commit
c7b100a8c3
|
@ -0,0 +1,85 @@
|
|||
[role="xpack"]
|
||||
[[bootstrap-checks-xpack]]
|
||||
== Bootstrap Checks for {xpack}
|
||||
++++
|
||||
<titleabbrev>Bootstrap Checks</titleabbrev>
|
||||
++++
|
||||
|
||||
|
||||
In addition to the <<bootstrap-checks,{es} bootstrap checks>>, there are
|
||||
checks that are specific to {xpack} features.
|
||||
|
||||
[float]
|
||||
=== Encrypt sensitive data check
|
||||
//See EncryptSensitiveDAtaBootstrapCheck.java
|
||||
|
||||
If you use {watcher} and have chosen to encrypt sensitive data (by setting
|
||||
`xpack.watcher.encrypt_sensitive_data` to `true`), you must also place a key in
|
||||
the secure settings store.
|
||||
|
||||
To pass this bootstrap check, you must set the `xpack.watcher.encryption_key`
|
||||
on each node in the cluster. For more information, see
|
||||
{xpack-ref}/encrypting-data.html[Encrypting Sensitive Data in {watcher}].
|
||||
|
||||
[float]
|
||||
=== PKI realm check
|
||||
//See PkiRealmBootstrapCheckTests.java
|
||||
|
||||
If you use {security} and a Public Key Infrastructure (PKI) realm, you must
|
||||
configure Transport Layer Security (TLS) on your cluster and enable client
|
||||
authentication on the network layers (either transport or http). For more
|
||||
information, see {xpack-ref}/pki-realm.html[PKI User Authentication] and
|
||||
{xpack-ref}/ssl-tls.html[Setting Up TLS on a Cluster].
|
||||
|
||||
To pass this bootstrap check, if a PKI realm is enabled, you must configure TLS
|
||||
and enable client authentication on at least one network communication layer.
|
||||
|
||||
[float]
|
||||
=== Role mappings check
|
||||
|
||||
If you authenticate users with realms other than `native` or `file` realms, you
|
||||
must create role mappings. These role mappings define which roles are assigned
|
||||
to each user.
|
||||
|
||||
If you use files to manage the role mappings, you must configure a YAML file
|
||||
and copy it to each node in the cluster. By default, role mappings are stored in
|
||||
`ES_PATH_CONF/x-pack/role_mapping.yml`. Alternatively, you can specify a
|
||||
different role mapping file for each type of realm and specify its location in
|
||||
the `elasticsearch.yml` file. For more information, see
|
||||
{xpack-ref}/mapping-roles.html#mapping-roles-file[Using Role Mapping Files].
|
||||
|
||||
To pass this bootstrap check, the role mapping files must exist and must be
|
||||
valid. The Distinguished Names (DNs) that are listed in the role mappings files
|
||||
must also be valid.
|
||||
|
||||
[float]
|
||||
=== SSL/TLS check
|
||||
//See TLSLicenseBootstrapCheck.java
|
||||
|
||||
In 6.0 and later releases, if you have a gold, platinum, or enterprise license
|
||||
and {security} is enabled, you must configure SSL/TLS for
|
||||
internode-communication.
|
||||
|
||||
NOTE: Single-node clusters that use a loopback interface do not have this
|
||||
requirement. For more information, see
|
||||
{xpack-ref}/encrypting-communications.html[Encrypting Communications].
|
||||
|
||||
To pass this bootstrap check, you must
|
||||
{xpack-ref}/ssl-tls.html[set up SSL/TLS in your cluster].
|
||||
|
||||
|
||||
[float]
|
||||
=== Token SSL check
|
||||
//See TokenSSLBootstrapCheckTests.java
|
||||
|
||||
If you use {security} and the built-in token service is enabled, you must
|
||||
configure your cluster to use SSL/TLS for the HTTP interface. HTTPS is required
|
||||
in order to use the token service.
|
||||
|
||||
In particular, if `xpack.security.authc.token.enabled` and `http.enabled` are
|
||||
set to `true` in the `elasticsearch.yml` file, you must also set
|
||||
`xpack.security.http.ssl.enabled` to `true`. For more information about these
|
||||
settings, see <<security-settings>> and <<modules-http>>.
|
||||
|
||||
To pass this bootstrap check, you must enable HTTPS or disable the built-in
|
||||
token service by using the {security} settings.
|
|
@ -13,4 +13,5 @@ easy-to-install package. To access this functionality, you must
|
|||
include::installing-xes.asciidoc[]
|
||||
include::{xes-repo-dir}/settings/configuring-xes.asciidoc[]
|
||||
include::setup-xclient.asciidoc[]
|
||||
include::bootstrap-checks-xes.asciidoc[]
|
||||
include::{xes-repo-dir}/security/configuring-es.asciidoc[]
|
||||
|
|
Loading…
Reference in New Issue