[role="xpack"] [[tls-active-directory]] ==== Encrypting communications between {es} and Active Directory To protect the user credentials that are sent for authentication, it's highly recommended to encrypt communications between {es} and your Active Directory server. Connecting via SSL/TLS ensures that the identity of the Active Directory server is authenticated before {security} transmits the user credentials and the usernames and passwords are encrypted in transit. Clients and nodes that connect via SSL/TLS to the Active Directory server need to have the Active Directory server's certificate or the server's root CA certificate installed in their keystore or truststore. . Create the realm configuration for the `xpack.security.authc.realms` namespace in the `elasticsearch.yml` file. See <>. . Set the `url` attribute in the realm configuration to specify the LDAPS protocol and the secure port number. For example, `url: ldaps://ad.example.com:636`. . Configure each node to trust certificates signed by the certificate authority (CA) that signed your Active Directory server certificates. + -- The following example demonstrates how to trust a CA certificate (`cacert.pem`), which is located within the configuration directory: [source,shell] -------------------------------------------------- xpack: security: authc: realms: active_directory: type: active_directory order: 0 domain_name: ad.example.com url: ldaps://ad.example.com:636 ssl: certificate_authorities: [ "ES_PATH_CONF/cacert.pem" ] -------------------------------------------------- The CA cert must be a PEM encoded certificate. For more information about these settings, see <>. -- . Restart {es}. NOTE: By default, when you configure {security} to connect to Active Directory using SSL/TLS, {security} attempts to verify the hostname or IP address specified with the `url` attribute in the realm configuration with the values in the certificate. If the values in the certificate and realm configuration do not match, {security} does not allow a connection to the Active Directory server. This is done to protect against man-in-the-middle attacks. If necessary, you can disable this behavior by setting the `ssl.verification_mode` property to `certificate`.