Commit Graph

22 Commits

Author SHA1 Message Date
Tim Vernum 411f683521 Document ssl.verification_mode (elastic/x-pack-elasticsearch#4253)
It is common for users to wish to adjust the verification_mode in SSL
settings, usually with the intention of skipping hostname
verification. This has been supported for a long time, but the
relevant configuration setting was not clearly documented, which would
sometimes lead users to set `verification_mode` to `none`, and disable
more checks than they intended.

This commit adds clearer documentation regarding the options available
for `verification_mode` and actively discourages the use of `none`.

Original commit: elastic/x-pack-elasticsearch@2fdf53b42f
2018-04-10 20:27:23 +10:00
Lisa Cawley bbcb33b519 [DOCS] Security disabled by default (elastic/x-pack-elasticsearch#4288)
Original commit: elastic/x-pack-elasticsearch@110df8a58e
2018-04-05 12:06:43 -07:00
lcawley 90b1dec14b [DOCS] Fixed broken TLS link
Original commit: elastic/x-pack-elasticsearch@34ec651dc9
2018-02-15 12:32:37 -08:00
Lisa Cawley 42f9a990d1 [DOCS] Split TLS instructions for HTTP and transport layers (elastic/x-pack-elasticsearch#3895)
Original commit: elastic/x-pack-elasticsearch@77fe30f7d3
2018-02-15 11:41:01 -08:00
lcawley 56b0f28aa3 [DOCS] More broken link fixes
Original commit: elastic/x-pack-elasticsearch@dd52976660
2018-01-12 13:52:19 -08:00
lcawley d7f81fd95e [DOCS] Fixed broken TLS links
Original commit: elastic/x-pack-elasticsearch@d99a0be781
2018-01-12 11:59:15 -08:00
Lisa Cawley 1369a49b9f [DOCS] Move appropriate TLS content to Elasticsearch Ref (elastic/x-pack-elasticsearch#3416)
Original commit: elastic/x-pack-elasticsearch@a5f96bd7a2
2018-01-12 11:35:16 -08:00
Lisa Cawley dc3d5d67a1 [DOCS] Change certgen references to certutil (elastic/x-pack-elasticsearch#3415)
* [DOCS] Change certgen references to certutil

* [DOCS] Updated TLS page with certutil info

* [DOCS] Added certutil examples to TLS page

* [DOCS] Clarified PEM requirement in TLS setup

* [DOCS] Updated certificate instructions

* [DOCS] Fixed security typo

Original commit: elastic/x-pack-elasticsearch@3a326fc87d
2018-01-08 10:14:51 -08:00
Igor Kupczyński 18103fae7f Invalid value in the docs for transport.profiles...client_authentication (elastic/x-pack-elasticsearch#3091)
The 6.x and 6.0 versions of the documentation show

```yml
transport.profiles.client.xpack.security.ssl.client_authentication: no
```

Which results in 
```
2017-11-22T11:13:33,225][ERROR][org.elasticsearch.bootstrap.Bootstrap] Exception
java.lang.IllegalStateException: failed to load plugin class [org.elasticsearch.xpack.XPackPlugin]
	at org.elasticsearch.plugins.PluginsService.loadPlugin(PluginsService.java:452) ~[elasticsearch-6.0.0.jar:6.0.0]
	at org.elasticsearch.plugins.PluginsService.loadBundles(PluginsService.java:392) ~[elasticsearch-6.0.0.jar:6.0.0]
	at org.elasticsearch.plugins.PluginsService.<init>(PluginsService.java:142) ~[elasticsearch-6.0.0.jar:6.0.0]
	at org.elasticsearch.node.Node.<init>(Node.java:302) ~[elasticsearch-6.0.0.jar:6.0.0]
	at org.elasticsearch.node.Node.<init>(Node.java:245) ~[elasticsearch-6.0.0.jar:6.0.0]
	at org.elasticsearch.bootstrap.Bootstrap$5.<init>(Bootstrap.java:212) ~[elasticsearch-6.0.0.jar:6.0.0]
	at org.elasticsearch.bootstrap.Bootstrap.setup(Bootstrap.java:212) ~[elasticsearch-6.0.0.jar:6.0.0]
	at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:322) [elasticsearch-6.0.0.jar:6.0.0]
	at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:130) [elasticsearch-6.0.0.jar:6.0.0]
	at org.elasticsearch.bootstrap.Elasticsearch.execute(Elasticsearch.java:121) [elasticsearch-6.0.0.jar:6.0.0]
	at org.elasticsearch.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:69) [elasticsearch-6.0.0.jar:6.0.0]
	at org.elasticsearch.cli.Command.mainWithoutErrorHandling(Command.java:134) [elasticsearch-6.0.0.jar:6.0.0]
	at org.elasticsearch.cli.Command.main(Command.java:90) [elasticsearch-6.0.0.jar:6.0.0]
	at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:92) [elasticsearch-6.0.0.jar:6.0.0]
	at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:85) [elasticsearch-6.0.0.jar:6.0.0]
Caused by: java.lang.reflect.InvocationTargetException
	at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) ~[?:?]
	at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) ~[?:?]
	at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) ~[?:?]
	at java.lang.reflect.Constructor.newInstance(Constructor.java:423) ~[?:1.8.0_144]
	at org.elasticsearch.plugins.PluginsService.loadPlugin(PluginsService.java:443) ~[elasticsearch-6.0.0.jar:6.0.0]
	... 14 more
Caused by: java.lang.IllegalArgumentException: could not resolve ssl client auth. unknown value [no]
	at org.elasticsearch.xpack.ssl.SSLClientAuth.parse(SSLClientAuth.java:78) ~[?:?]
	at org.elasticsearch.xpack.ssl.SSLConfigurationSettings.lambda$null$27(SSLConfigurationSettings.java:183) ~[?:?]
	at org.elasticsearch.common.settings.Setting.get(Setting.java:352) ~[elasticsearch-6.0.0.jar:6.0.0]
	at org.elasticsearch.common.settings.Setting.get(Setting.java:346) ~[elasticsearch-6.0.0.jar:6.0.0]
	at org.elasticsearch.xpack.ssl.SSLConfiguration.<init>(SSLConfiguration.java:80) ~[?:?]
	at org.elasticsearch.xpack.ssl.SSLService.lambda$loadSSLConfigurations$1(SSLService.java:462) ~[?:?]
	at java.util.ArrayList.forEach(ArrayList.java:1249) ~[?:1.8.0_144]
	at org.elasticsearch.xpack.ssl.SSLService.loadSSLConfigurations(SSLService.java:461) ~[?:?]
	at org.elasticsearch.xpack.ssl.SSLService.<init>(SSLService.java:87) ~[?:?]
	at org.elasticsearch.xpack.XPackPlugin.<init>(XPackPlugin.java:237) ~[?:?]
	at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) ~[?:?]
	at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) ~[?:?]
	at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) ~[?:?]
	at java.lang.reflect.Constructor.newInstance(Constructor.java:423) ~[?:1.8.0_144]
	at org.elasticsearch.plugins.PluginsService.loadPlugin(PluginsService.java:443) ~[elasticsearch-6.0.0.jar:6.0.0]
	... 14 more
```

I think the valid value there is `none`, so

```yml
transport.profiles.client.xpack.security.ssl.client_authentication: none
```

The tests seem to confirm that https://github.com/elastic/x-pack-elasticsearch/blob/elastic/x-pack-elasticsearch@4860e92d906e046a23aa07b39ee6ef637f011dc1/plugin/src/test/java/org/elasticsearch/xpack/ssl/SSLServiceTests.java#L269

Original commit: elastic/x-pack-elasticsearch@a35b3ac8c9
2017-11-22 17:09:06 +00:00
Dimitrios Liappis a89bfe84ba [DOCS] Split long lines in Docker TLS getting-started snippet
and add warning for Windows users not using
PowerShell (e.g. `cmd.exe`) to remove the `\` character and join
lines.

Also fix trailing whitespace character in link back to `docker.asciidoc`.

Relates elastic/x-pack-elasticsearch#2999

Original commit: elastic/x-pack-elasticsearch@fe1c5dbc11
2017-11-14 14:25:52 +02:00
Dimitrios Liappis 00ccac9203 [DOCS] Fix wrapped lines in code blocks of TLS getting started guide
Relates elastic/x-pack-elasticsearch#2970

Original commit: elastic/x-pack-elasticsearch@a279e57270
2017-11-13 20:00:35 +02:00
Lisa Cawley fb769be92e [DOCS] Added TLS configuration info for Docker (elastic/x-pack-elasticsearch#2939)
* [DOCS] Add docker TLS configuration info

* [DOCS] Updated layout of TLS docker page

* [DOCS] Clean up docker TLS pages

* [DOCS] Changed nesting of TLS docker info

* [DOCS] More small updates to TLS docker page

Original commit: elastic/x-pack-elasticsearch@2b0504632a
2017-11-10 09:33:56 -08:00
Lisa Cawley 4ffaec5173 [DOCS] Remove redundant certgen info (elastic/x-pack-elasticsearch#2542)
Original commit: elastic/x-pack-elasticsearch@6147e32fd1
2017-09-18 14:22:34 -07:00
Jay Modi 53d6d945f0 Update documentation to reflect the latest TLS changes and licensing (elastic/x-pack-elasticsearch#2508)
This commit updates to documentation and adds notes about TLS being required to install a
license.

Relates elastic/x-pack-elasticsearch#2463

Original commit: elastic/x-pack-elasticsearch@0d8bfb98ea
2017-09-15 08:44:03 -06:00
Jay Modi 7291eb55fe Automatically enable AES 256 bit TLS ciphers when available (elastic/x-pack-elasticsearch#2137)
This commit adds detection of support for AES 256 bit ciphers and enables their use when the JVM
supports them. For OpenJDK, this is often the case without any changes but for the Oracle JVM, the
unlimited policy file needs to be installed. In order to simplify the work a user would need to do
we can detect this support and automatically enable the AES 256 bit versions of the ciphers we
already enable.

Original commit: elastic/x-pack-elasticsearch@5f23b18a1e
2017-08-01 07:36:35 -06:00
Tim Vernum 15f5c5a632 [DOCS] Minor updates to TLS/SSL docs (elastic/x-pack-elasticsearch#2069)
- Fix typo `trustsore` -> `truststore` in several places
- Clarify that enabling TLS requires full restart

Original commit: elastic/x-pack-elasticsearch@0f430a1bea
2017-07-25 13:03:07 +10:00
Tim Vernum 1bbc579cf3 [Security] [certgen] Option to generate PKCSelastic/x-pack-elasticsearch#12 (elastic/x-pack-elasticsearch#2013)
Add an option to the ssl certificate generation tool (certgen) that generates PKCSelastic/x-pack-elasticsearch#12 (.p12) files in addition to the certificate (.crt) and key (.key) files.
A PKCSelastic/x-pack-elasticsearch#12 store is a container format for storing multiple crypto objects in a single file, which means we can put the cert and key into the same file.

These format is particularly useful for .NET environments, where .NET Core requires a single into file for PKI authentication.

Also adds documentation for all the command-line options in certgen.

Original commit: elastic/x-pack-elasticsearch@d10f88f12d
2017-07-19 12:04:31 +10:00
Tim Vernum c5012ac6e8 [DOC] Miscellaneous security doc updates (elastic/x-pack-elasticsearch#1908)
- Document refresh interval for role mapping files
- Fix obsolete shield reference in transport profile example 
- Clarify that AD & PKI don't support run_as
- Fix logstash conf examples
- Clarify interaction of SSL settings and PKI realm settings
- Document PKI DN format, and recommend use of pki_dn metadata
- Provide more details about action.auto_create_index during setup

Original commit: elastic/x-pack-elasticsearch@49ddb12a7e
2017-07-07 13:33:35 +10:00
Tim Brooks f2cbe20ea0 Remove default passwords from reserved users (elastic/x-pack-elasticsearch#1665)
This is related to elastic/x-pack-elasticsearch#1217. This PR removes the default password of
"changeme" from the reserved users.

This PR adds special behavior for authenticating the reserved users. No
ReservedRealm user can be authenticated until its password is set. The
one exception to this is the elastic user. The elastic user can be
authenticated with an empty password if the action is a rest request
originating from localhost. In this scenario where an elastic user is
authenticated with a default password, it will have metadata indicating
that it is in setup mode. An elastic user in setup mode is only
authorized to execute a change password request.

Original commit: elastic/x-pack-elasticsearch@e1e101a237
2017-06-29 15:27:57 -05:00
Deb Adair 806b0bc710 [DOCS] Removed UI and Logstash settings & updated links to that info.
Original commit: elastic/x-pack-elasticsearch@2434e503dd
2017-06-26 09:04:56 -07:00
jaymode d299592c9d Docs: clean up incorrect path in certgen output in the SSL docs
Original commit: elastic/x-pack-elasticsearch@0d2102094c
2017-06-14 14:31:17 -06:00
debadair ee5ab5b1d2 [DOCS] Migrated security topics from x-pack repo to x-pack-elasticsearch.
Original commit: elastic/x-pack-elasticsearch@e54aa1fd0a
2017-04-06 18:35:32 -07:00