[role="xpack"]
[[tls-active-directory]]
==== Encrypting communications between {es} and Active Directory

To protect the user credentials that are sent for authentication, it's highly
recommended to encrypt communications between {es} and your Active Directory 
server. Connecting via SSL/TLS ensures that the identity of the Active Directory 
server is authenticated before {security} transmits the user credentials and the 
usernames and passwords are encrypted in transit. 

Clients and nodes that connect via SSL/TLS to the Active Directory server need 
to have the Active Directory server's certificate or the server's root CA 
certificate installed in their keystore or truststore. 

. Create the realm configuration for the `xpack.security.authc.realms` namespace 
in the `elasticsearch.yml` file. See <<configuring-ad-realm>>. 

. Set the `url` attribute in the realm configuration to specify the LDAPS protocol
and the secure port number. For example, `url: ldaps://ad.example.com:636`.

. Configure each node to trust certificates signed by the certificate authority 
(CA) that signed your Active Directory server certificates. 
+
--
The following example demonstrates how to trust a CA certificate (`cacert.pem`), 
which is located within the configuration directory:

[source,shell]
--------------------------------------------------
xpack:
  security:
    authc:
      realms:
        active_directory:
          ad_realm:
            order: 0
            domain_name: ad.example.com
            url: ldaps://ad.example.com:636
            ssl:
              certificate_authorities: [ "ES_PATH_CONF/cacert.pem" ]
--------------------------------------------------

The CA cert must be a PEM encoded certificate.

For more information about these settings, see <<ref-ad-settings>>. 
--

. Restart {es}.

NOTE: By default, when you configure {security} to connect to Active Directory
      using SSL/TLS, {security} attempts to verify the hostname or IP address
      specified with the `url` attribute in the realm configuration with the
      values in the certificate. If the values in the certificate and realm
      configuration do not match, {security} does not allow a connection to the
      Active Directory server. This is done to protect against man-in-the-middle
      attacks. If necessary, you can disable this behavior by setting the 
      `ssl.verification_mode` property to `certificate`.