[role="xpack"] [[security-settings]] === Security Settings in Elasticsearch ++++ Security Settings ++++ By default, {security} is disabled when you have a basic or trial license. To enable {security}, use the `xpack.security.enabled` setting. You configure `xpack.security` settings to <> and perform message authentication, <>, <>, <>, and <>. All of these settings can be added to the `elasticsearch.yml` configuration file, with the exception of the secure settings, which you add to the {es} keystore. For more information about creating and updating the {es} keystore, see <>. [float] [[general-security-settings]] ==== General Security Settings `xpack.security.enabled`:: Set to `true` to enable {security} on the node. + + If set to `false`, which is the default value for basic and trial licenses, {security} is disabled. It also affects all {kib} instances that connect to this {es} instance; you do not need to disable {security} in those `kibana.yml` files. For more information about disabling {security} in specific {kib} instances, see {kibana-ref}/security-settings-kb.html[{kib} Security Settings]. `xpack.security.hide_settings`:: A comma-separated list of settings that are omitted from the results of the <>. You can use wildcards to include multiple settings in the list. For example, the following value hides all the settings for the ad1 realm: `xpack.security.authc.realms.ad1.*`. The API already omits all `ssl` settings, `bind_dn`, and `bind_password` due to the sensitive nature of the information. [float] [[password-security-settings]] ==== Default Password Security Settings `xpack.security.authc.accept_default_password`:: In `elasticsearch.yml`, set this to `false` to disable support for the default "changeme" password. [float] [[anonymous-access-settings]] ==== Anonymous Access Settings You can configure the following anonymous access settings in `elasticsearch.yml`. For more information, see {xpack-ref}/anonymous-access.html[ Enabling Anonymous Access]. `xpack.security.authc.anonymous.username`:: The username (principal) of the anonymous user. Defaults to `_es_anonymous_user`. `xpack.security.authc.anonymous.roles`:: The roles to associate with the anonymous user. Required. `xpack.security.authc.anonymous.authz_exception`:: When `true`, an HTTP 403 response is returned if the anonymous user does not have the appropriate permissions for the requested action. The user is not prompted to provide credentials to access the requested resource. When set to `false`, a HTTP 401 is returned and the user can provide credentials with the appropriate permissions to gain access. Defaults to `true`. [float] [[field-document-security-settings]] ==== Document and Field Level Security Settings You can set the following document and field level security settings in `elasticsearch.yml`. For more information, see {xpack-ref}/field-and-document-access-control.html[Setting Up Document and Field Level Security]. `xpack.security.dls_fls.enabled`:: Set to `false` to prevent document and field level security from being configured. Defaults to `true`. [float] [[token-service-settings]] ==== Token Service Settings You can set the following token service settings in `elasticsearch.yml`. `xpack.security.authc.token.enabled`:: Set to `false` to disable the built-in token service. Defaults to `true` unless `xpack.security.http.ssl.enabled` is `false` and `http.enabled` is `true`. This prevents sniffing the token from a connection over plain http. `xpack.security.authc.token.timeout`:: The length of time that a token is valid for. By default this value is `20m` or 20 minutes. The maximum value is 1 hour. [float] [[realm-settings]] ==== Realm Settings You configure realm settings in the `xpack.security.authc.realms` namespace in `elasticsearch.yml`. For example: [source,yaml] ---------------------------------------- xpack.security.authc.realms: realm1: type: native order: 0 ... realm2: type: ldap order: 1 ... realm3: type: active_directory order: 2 ... ... ---------------------------------------- The valid settings vary depending on the realm type. For more information, see {xpack-ref}/setting-up-authentication.html[Setting Up Authentication]. [float] ===== Settings Valid for All Realms `type`:: The type of the realm: `native, `ldap`, `active_directory`, `pki`, or `file`. Required. `order`:: The priority of the realm within the realm chain. Realms with a lower order are consulted first. Although not required, use of this setting is strongly recommended when you configure multiple realms. Defaults to `Integer.MAX_VALUE`. `enabled`:: Indicates whether a realm is enabled. You can use this setting to disable a realm without removing its configuration information. Defaults to `true`. [[ref-users-settings]] [float] ===== File Realm Settings `cache.ttl`:: The time-to-live for cached user entries--user credentials are cached for this configured period of time. Defaults to `20m`. Specify values using the standard Elasticsearch {ref}/common-options.html#time-units[time units]. Defaults to `20m`. `cache.max_users`:: The maximum number of user entries that can live in the cache at a given time. Defaults to 100,000. `cache.hash_algo`:: (Expert Setting) The hashing algorithm that is used for the in-memory cached user credentials. See the {xpack-ref}/controlling-user-cache.html#controlling-user-cache[Cache hash algorithms] table for all possible values. Defaults to `ssha256`. [[ref-ldap-settings]] [float] ===== LDAP Realm Settings `url`:: An LDAP URL in the format `ldap[s]://:`. Required. `load_balance.type`:: The behavior to use when there are multiple LDAP URLs defined. For supported values see {xpack-ref}/ldap-realm.html#ldap-load-balancing[LDAP load balancing and failover types]. Defaults to `failover`. `load_balance.cache_ttl`:: When using `dns_failover` or `dns_round_robin` as the load balancing type, this setting controls the amount of time to cache DNS lookups. Defaults to `1h`. `bind_dn`:: The DN of the user that will be used to bind to the LDAP and perform searches. Only applicable in {xpack-ref}/ldap-realm.html#ldap-user-search[user search mode]. If this is not specified, an anonymous bind will be attempted. Defaults to Empty. `bind_password`:: The password for the user that will be used to bind to the LDAP directory. Defaults to Empty. *Deprecated.* Use `secure_bind_password` instead. `secure_bind_password` (<>):: The password for the user that will be used to bind to the LDAP directory. Defaults to Empty. `user_dn_templates`:: The DN template that replaces the user name with the string `{0}`. This element is multivalued; you can specify multiple user contexts. Required to operate in user template mode. Not valid if `user_search.base_dn` is specified. For more information on the different modes, see {xpack-ref}/ldap-realm.html[LDAP realms]. `user_group_attribute`:: Specifies the attribute to examine on the user for group membership. The default is `memberOf`. This setting will be ignored if any `group_search` settings are specified. Defaults to `memberOf`. `user_search.base_dn`:: Specifies a container DN to search for users. Required to operated in user search mode. Not valid if `user_dn_templates is specified. For more information on the different modes, see {xpack-ref}/ldap-realm.html[LDAP realms]. `user_search.scope`:: The scope of the user search. Valid values are `sub_tree`, `one_level` or `base`. `one_level` only searches objects directly contained within the `base_dn`. `sub_tree` searches all objects contained under `base_dn`. `base` specifies that the `base_dn` is the user object, and that it is the only user considered. Defaults to `sub_tree`. `user_search.filter`:: Specifies the filter used to search the directory in attempt to match an entry with the username provided by the user. Defaults to `(uid={0})`. `{0}` is substituted with the username provided when searching. `user_search.attribute`:: This setting is deprecated; use `user_search.filter` instead. The attribute to match with the username presented to. Defaults to `uid`. `user_search.pool.enabled`:: Enables or disables connection pooling for user search. When disabled a new connection is created for every search. The default is `true` when `bind_dn` is provided. `user_search.pool.size`:: The maximum number of connections to the LDAP server to allow in the connection pool. Defaults to `20`. `user_search.pool.initial_size`:: The initial number of connections to create to the LDAP server on startup. Defaults to `0`. `user_search.pool.health_check.enabled`:: Flag to enable or disable a health check on LDAP connections in the connection pool. Connections are checked in the background at the specified interval. Defaults to `true`. `user_search.pool.health_check.dn`:: The distinguished name to be retrieved as part of the health check. Defaults to the value of `bind_dn` if present, and if not falls back to `user_search.base_dn`. `user_search.pool.health_check.interval`:: The interval to perform background checks of connections in the pool. Defaults to `60s`. `group_search.base_dn`:: The container DN to search for groups in which the user has membership. When this element is absent, Security searches for the attribute specified by `user_group_attribute` set on the user in order to determine group membership. `group_search.scope`:: Specifies whether the group search should be `sub_tree`, `one_level` or `base`. `one_level` only searches objects directly contained within the `base_dn`. `sub_tree` searches all objects contained under `base_dn`. `base` specifies that the `base_dn` is a group object, and that it is the only group considered. Defaults to `sub_tree`. `group_search.filter`:: When not set, the realm searches for `group`, `groupOfNames`, `groupOfUniqueNames`, or `posixGroup` with the attributes `member`, `memberOf`, or `memberUid`. Any instance of `{0}` in the filter is replaced by the user attribute defined in `group_search.user_attribute`. `group_search.user_attribute`:: Specifies the user attribute that will be fetched and provided as a parameter to the filter. If not set, the user DN is passed into the filter. Defaults to Empty. `unmapped_groups_as_roles`:: Takes a boolean variable. When this element is set to `true`, the names of any LDAP groups that are not referenced in a role-mapping _file_ are used as role names and assigned to the user. Defaults to `false`. `files.role_mapping`:: The {xpack-ref}/security-files.html[location] for the {xpack-ref}/mapping-roles.html#mapping-roles[ YAML role mapping configuration file]. Defaults to `CONFIG_DIR/x-pack/role_mapping.yml`. `follow_referrals`:: Boolean value that specifies whether Securityshould follow referrals returned by the LDAP server. Referrals are URLs returned by the server that are to be used to continue the LDAP operation (e.g. search). Defaults to `true`. `metadata`:: A list of additional LDAP attributes that should be loaded from the LDAP server and stored in the authenticated user's metadata field. `timeout.tcp_connect`:: The TCP connect timeout period for establishing an LDAP connection. An `s` at the end indicates seconds, or `ms` indicates milliseconds. Defaults to `5s` (5 seconds ). `timeout.tcp_read`:: The TCP read timeout period after establishing an LDAP connection. An `s` at the end indicates seconds, or `ms` indicates milliseconds. Defaults to `5s` (5 seconds ). `timeout.ldap_search`:: The LDAP Server enforced timeout period for an LDAP search. An `s` at the end indicates seconds, or `ms` indicates milliseconds. Defaults to `5s` (5 seconds ). `ssl.key`:: Path to a PEM encoded file containing the private key. `ssl.key_passphrase`:: The passphrase that is used to decrypt the private key. This value is optional as the key may not be encrypted. `ssl.secure_key_passphrase` (<>):: The passphrase that is used to decrypt the private key. `ssl.certificate`:: Path to a PEM encoded file containing the certificate (or certificate chain) that will be presented to clients when they connect. `ssl.certificate_authorities`:: List of paths to PEM encoded certificate files that should be trusted. `ssl.keystore.path`:: The path to the Java Keystore file that contains a private key and certificate. `ssl.key` and `ssl.keystore.path` may not be used at the same time. `ssl.keystore.type`:: The format of the keystore file. Should be either `jks` to use the Java Keystore format, or `PKCS12` to use PKCS#12 files. The default is `jks`. `ssl.keystore.password`:: The password to the keystore. `ssl.keystore.secure_password` (<>):: The password to the keystore. `ssl.keystore.key_password`:: The password for the key in the keystore. Defaults to the keystore password. `ssl.keystore.secure_key_password`:: The password for the key in the keystore. Defaults to the keystore password. `ssl.truststore.path`:: The path to the Java Keystore file that contains the certificates to trust. `ssl.certificate_authorities` and `ssl.truststore.path` may not be used at the same time. `ssl.truststore.password`:: The password to the truststore. `ssl.truststore.secure_password` (<>):: The password to the truststore. `ssl.truststore.type`:: The format of the keystore file. Should be either `jks` to use the Java Keystore format, or `PKCS12` to use PKCS#12 files. The default is `jks`. `ssl.verification_mode`:: Indicates the type of verification when using `ldaps` to protect against man in the middle attacks and certificate forgery. Values are `none`, `certificate`, and `full`. Defaults to the value of `xpack.ssl.verification_mode`. `ssl.supported_protocols`:: Supported protocols with versions. Defaults to the value of `xpack.ssl.supported_protocols`. `ssl.cipher_suites` Supported cipher suites can be found in Oracle's http://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html[ Java Cryptography Architecture documentation]. Defaults to the value of `xpack.ssl.cipher_suites`. `cache.ttl`:: Specifies the time-to-live for cached user entries (a user and its credentials are cached for this period of time). Use the standard Elasticsearch {ref}/common-options.html#time-units[time units]). Defaults to `20m`. `cache.max_users`:: Specifies the maximum number of user entries that the cache can contain. Defaults to `100000`. `cache.hash_algo`:: (Expert Setting) Specifies the hashing algorithm that is used for the in-memory cached user credentials (see {xpack-ref}/controlling-user-cache.html#controlling-user-cache[Cache hash algorithms] table for all possible values). Defaults to `ssha256`. [[ref-ad-settings]] [float] ===== Active Directory Realm Settings `url`:: A URL in the format `ldap[s]://:`. Defaults to `ldap://:389`. `load_balance.type`:: The behavior to use when there are multiple LDAP URLs defined. For supported values see {xpack-ref}/active-directory-realm.html#ad-load-balancing[load balancing and failover types]. Defaults to `failover`. `load_balance.cache_ttl`:: When using `dns_failover` or `dns_round_robin` as the load balancing type, this setting controls the amount of time to cache DNS lookups. Defaults to `1h`. `domain_name`:: The domain name of Active Directory. The cluster can derive the URL and `user_search_dn` fields from values in this element if those fields are not otherwise specified. Required. `bind_dn`:: The DN of the user that will be used to bind to Active Directory and perform searches. Defaults to Empty. `bind_password`:: The password for the user that will be used to bind to Active Directory. Defaults to Empty. *Deprecated.* Use `secure_bind_password` instead. `secure_bind_password` (<>):: The password for the user that will be used to bind to Active Directory. Defaults to Empty. `unmapped_groups_as_roles`:: Takes a boolean variable. When this element is set to `true`, the names of any LDAP groups that are not referenced in a role-mapping _file_ are used as role names and assigned to the user. Defaults to `false`. `files.role_mapping`:: The {xpack-ref}/security-files.html[location] for the YAML role mapping configuration file. Defaults to `CONFIG_DIR/x-pack/role_mapping.yml`. `user_search.base_dn`:: The context to search for a user. Defaults to the root of the Active Directory domain. `user_search.scope`:: Specifies whether the user search should be `sub_tree`, `one_level` or `base`. `one_level` only searches users directly contained within the `base_dn`. `sub_tree` searches all objects contained under `base_dn`. `base` specifies that the `base_dn` is a user object, and that it is the only user considered. Defaults to `sub_tree`. `user_search.filter`:: Specifies a filter to use to lookup a user given a username. The default filter looks up `user` objects with either `sAMAccountName` or `userPrincipalName`. `user_search.upn_filter`:: Specifies a filter to use to lookup a user given a user principal name. The default filter looks up `user` objects with a matching `userPrincipalName`. If specified, this must be a valid LDAP user search filter, for example `(&(objectClass=user)(userPrincipalName={1}))`. `{1}` is the full user principal name provided by the user. `user_search.down_level_filter`:: Specifies a filter to use to lookup a user given a down level logon name (DOMAIN\user). The default filter looks up `user` objects with a matching `sAMAccountName` in the domain provided. If specified, this must be a valid LDAP user search filter, for example `(&(objectClass=user)(sAMAccountName={0}))`. `user_search.pool.enabled`:: Enables or disables connection pooling for user search. When disabled a new connection is created for every search. The default is `true` when `bind_dn` is provided. `user_search.pool.size`:: The maximum number of connections to the Active Directory server to allow in the connection pool. Defaults to `20`. `user_search.pool.initial_size`:: The initial number of connections to create to the Active Directory server on startup. Defaults to `0`. `user_search.pool.health_check.enabled`:: Flag to enable or disable a health check on Active Directory connections in the connection pool. Connections are checked in the background at the specified interval. Defaults to `true`. `user_search.pool.health_check.dn`:: The distinguished name to be retrieved as part of the health check. Defaults to the value of `bind_dn` if it is a distinguished name. `user_search.pool.health_check.interval`:: The interval to perform background checks of connections in the pool. Defaults to `60s`. `group_search.base_dn`:: The context to search for groups in which the user has membership. Defaults to the root of the Active Directory domain. `group_search.scope`:: Specifies whether the group search should be `sub_tree`, `one_level` or `base`. `one_level` searches for groups directly contained within the `base_dn`. `sub_tree` searches all objects contained under `base_dn`. `base` specifies that the `base_dn` is a group object, and that it is the only group considered. Defaults to `sub_tree`. `metadata`:: A list of additional LDAP attributes that should be loaded from the LDAP server and stored in the authenticated user's metadata field. `timeout.tcp_connect`:: The TCP connect timeout period for establishing an LDAP connection. An `s` at the end indicates seconds, or `ms` indicates milliseconds. Defaults to `5s` (5 seconds ). `timeout.tcp_read`:: The TCP read timeout period after establishing an LDAP connection. An `s` at the end indicates seconds, or `ms` indicates milliseconds. Defaults to `5s` (5 seconds ). `timeout.ldap_search`:: The LDAP Server enforced timeout period for an LDAP search. An `s` at the end indicates seconds, or `ms` indicates milliseconds. Defaults to `5s` (5 seconds ). `ssl.certificate`:: Path to a PEM encoded file containing the certificate (or certificate chain) that will be presented to clients when they connect. `ssl.certificate_authorities`:: List of paths to PEM encoded certificate files that should be trusted. `ssl.key`:: Path to the PEM encoded file containing the private key. `ssl.key_passphrase`:: The passphrase that is used to decrypt the private key. This value is optional as the key might not be encrypted. `ssl.secure_key_passphrase` (<>):: The passphrase that is used to decrypt the private key. This value is optional as the key might not be encrypted. `ssl.keystore.key_password`:: The password for the key in the keystore. Defaults to the keystore password. `ssl.keystore.secure_key_password` (<>):: The password for the key in the keystore. Defaults to the keystore password. `ssl.keystore.password`:: The password to the keystore. `ssl.secure_keystore.password` (<>):: The password to the keystore. `ssl.keystore.path`:: The path to the Java Keystore file that contains a private key and certificate. `ssl.keystore.type`:: The format of the keystore file. Should be either `jks` to use the Java Keystore format, or `PKCS12` to use PKCS#12 files. The default is `jks`. `ssl.truststore.password`:: The password to the truststore. `ssl.truststore.secure_password` (<>):: The password to the truststore. `ssl.truststore.path`:: The path to the Java Keystore file that contains the certificates to trust. `ssl.truststore.type`:: The format of the truststore file. Should be either `jks` to use the Java Keystore format, or `PKCS12` to use PKCS#12 files. The default is `jks`. `ssl.verification_mode`:: Indicates the type of verification when using `ldaps` to protect against man in the middle attacks and certificate forgery. Values are `none`, `certificate`, and `full`. Defaults to the value of `xpack.ssl.verification_mode`. `ssl.supported_protocols`:: Supported protocols with versions. Defaults to the value of `xpack.ssl.supported_protocols`. `ssl.cipher_suites`:: Supported cipher suites can be found in Oracle's http://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html[ Java Cryptography Architecture documentation]. Defaults to the value of `xpack.ssl.cipher_suites`. `cache.ttl`:: Specifies the time-to-live for cached user entries (user credentials are cached for this configured period of time). Use the standard Elasticsearch {ref}/common-options.html#time-units[time units]). Defaults to `20m`. `cache.max_users`:: Specifies the maximum number of user entries that the cache can contain. Defaults to `100000`. `cache.hash_algo`:: (Expert Setting) Specifies the hashing algorithm that will be used for the in-memory cached user credentials (see {xpack-ref}/controlling-user-cache.html#controlling-user-cache[Cache hash algorithms] table for all possible values). Defaults to `ssha256`. [[ref-pki-settings]] [float] ===== PKI Realm Settings `username_pattern`:: The regular expression pattern used to extract the username from the certificate DN. The first match group is the used as the username. Defaults to `CN=(.*?)(?:,\|$)`. `certificate_authorities`:: List of paths to the PEM certificate files that should be used to authenticate a user's certificate as trusted. Defaults to the trusted certificates configured for SSL. See the {xpack-ref}/pki-realm.html#pki-ssl-config[SSL settings] section of the PKI realm documentation for more information. This setting cannot be used with `truststore.path`. `truststore.algorithm`:: Algorithm for the truststore. Defaults to `SunX509`. `truststore.password`:: The password for the truststore. Must be provided if `truststore.path` is set. `truststore.secure_password` (<>):: The password for the truststore. `truststore.path`:: The path of a truststore to use. Defaults to the trusted certificates configured for SSL. See the {xpack-ref}/pki-realm.html#pki-ssl-config[SSL settings] section of the PKI realm documentation for more information. This setting cannot be used with `certificate_authorities`. `files.role_mapping`:: Specifies the {xpack-ref}/security-files.html[location] of the {xpack-ref}/mapping-roles.html[YAML role mapping configuration file]. Defaults to `CONFIG_DIR/x-pack/role_mapping.yml`. [[ref-saml-settings]] [float] ===== SAML Realm Settings `idp.entity_id`:: The Entity ID of the SAML Identity Provider `idp.metadata.path`:: The path _(recommended)_ or URL to a SAML 2.0 metadata file describing the capabilities and configuration of the Identity Provider. If a path is provided, then it is resolved relative to the {es} config directory. If a URL is provided, then it must be either a `file` URL or a `https` URL. {security} will automatically poll this metadata resource and will reload the IdP configuration when changes are detected. File based resources are polled at a frequency determined by the global {es} `resource.reload.interval.high` setting, which defaults to 5 seconds. HTTPS resources are polled at a frequency determined by the realm's `idp.metadata.http.refresh` setting. `idp.metadata.http.refresh`:: Controls the frequency with which `https` metadata is checked for changes. Defaults to `1h` (1 hour). `idp.use_single_logout`:: Indicates whether to utilise the Identity Provider's Single Logout service (if one exists in the IdP metadata file). Defaults to `true`. `sp.entity_id`:: The Entity ID to use for this SAML Service Provider, entered as a URI. `sp.acs`:: The URL of the Assertion Consumer Service within {kib}. `sp.logout`:: The URL of the Single Logout service within {kib}. `attributes.principal`:: The Name of the SAML attribute that should be used as the {security} user's principal (username) `attributes.groups`:: The Name of the SAML attribute that should be used to populate {security} user's groups `attributes.name`:: The Name of the SAML attribute that should be used to populate {security} user's full name `attributes.mail`:: The Name of the SAML attribute that should be used to populate {security} user's email address `attributes.dn`:: The Name of the SAML attribute that should be used to populate {security} user's X.500 _Distinguished Name_ `attribute_patterns.principal`:: A java regular expression that is matched against the SAML attribute specified by `attributes.pattern` before it is applied to the user's _principal_ property. The attribute value must match the pattern, and the value of the first _capturing group_ is used as the principal. `attribute_patterns.groups`:: As per `attribute_patterns.principal`, but for the _group_ property. `attribute_patterns.name`:: As per `attribute_patterns.principal`, but for the _name_ property. `attribute_patterns.mail`:: As per `attribute_patterns.principal`, but for the _mail_ property. `attribute_patterns.dn`:: As per `attribute_patterns.principal`, but for the _dn_ property. `nameid_format`:: The NameID format that should be requested when asking the IdP to authenticate the current user. Defaults to `urn:oasis:names:tc:SAML:2.0:nameid-format:transient` `force_authn`:: Whether to set the `ForceAuthn` attribute when requesting that the IdP authenticate the current user. Defaults to `false`. `populate_user_metadata`:: Whether to populate the {es} user's metadata with the values that are provided by the SAML attributes. Defaults to `true`. `allowed_clock_skew`:: The maximum amount of skew that can be tolerated between the IdP's clock and the {es} node's clock. Defaults to `3m` (3 minutes). `signing.saml_messages`:: A list of SAML message types that should be signed, or `*` to sign all messages. Each element in the list should be the local name of a SAML XML Element. Supported element types are `AuthnRequest`, `LogoutRequest` and `LogoutResponse`. Only valid if `signing.key` or `signing.keystore.path` is also specified. Defaults to `*`. `signing.key`:: Specifies the path to the PEM encoded private key to use for SAML message signing. `signing.key` and `signing.keystore.path` may not be used at the same time. `signing.secure_key_passphrase` (<>):: Specifies the passphrase to decrypt the PEM encoded private key (`signing.key`) if it is encrypted. `signing.certificate`:: Specifies the path to the PEM encoded certificate that corresponds to the `signing.key`. May only be used if `signing.key` is set. `signing.keystore.path`:: The path to the keystore that contains a private key and certificate. Must be either a Java Keystore (jks) or a PKCS#12 file. `signing.key` and `signing.keystore.path` may not be used at the same time. `signing.keystore.type`:: The type of the keystore (`signing.keystore.path`). Must be one of "jks" or "PKCS12". Defaults to "PKCS12" if the keystore path ends in ".p12", ".pfx" or "pkcs12", otherwise uses "jks". `signing.keystore.alias`:: Specifies the alias of the key within the keystore that should be used for SAML message signing. Defaults to `key`. `signing.keystore.secure_password` (<>):: The password to the keystore (`signing.keystore.path`). `signing.keystore.secure_key_password` (<>):: The password for the key in the keystore (`signing.keystore.path`). Defaults to the keystore password. `encryption.key`:: Specifies the path to the PEM encoded private key to use for SAML message decryption. `encryption.key` and `encryption.keystore.path` may not be used at the same time. `encryption.secure_key_passphrase` (<>):: Specifies the passphrase to decrypt the PEM encoded private key (`encryption.key`) if it is encrypted. `encryption.certificate`:: Specifies the path to the PEM encoded certificate chain that is associated with the `encryption.key`. May only be used if `encryption.key` is set. `encryption.keystore.path`:: The path to the keystore that contains a private key and certificate. Must be either a Java Keystore (jks) or a PKCS#12 file. `encryption.key` and `encryption.keystore.path` may not be used at the same time. `encryption.keystore.type`:: The type of the keystore (`encryption.keystore.path`). Must be one of "jks" or "PKCS12". Defaults to "PKCS12" if the keystore path ends in ".p12", ".pfx" or "pkcs12", otherwise uses "jks". `encryption.keystore.alias`:: Specifies the alias of the key within the keystore (`encryption.keystore.path`) that should be used for SAML message decryption. Defaults to `key`. `encryption.keystore.secure_password` (<>):: The password to the keystore (`encryption.keystore.path`). `encryption.keystore.secure_key_password` (<>):: The password for the key in the keystore (`encryption.keystore.path`) . `ssl.key`:: If retrieving IDP metadata via https (see `idp.metadata.path`), specifies the path to the PEM encoded private key to use for http client authentication (if required). `ssl.key` and `ssl.keystore.path` may not be used at the same time. `ssl.key_passphrase`:: If retrieving IDP metadata via https (see `idp.metadata.path`), specifies the passphrase to decrypt the PEM encoded private key (`ssl.key`) if it is encrypted. May not be used with `ssl.secure_key_passphrase` `ssl.secure_key_passphrase` (<>):: If retrieving IDP metadata via https (see `idp.metadata.path`), specifies the passphrase to decrypt the PEM encoded private key (`ssl.key`) if it is encrypted. May not be used with `ssl.key_passphrase` `ssl.certificate`:: If retrieving IDP metadata via https (see `idp.metadata.path`), specifies the path to the PEM encoded certificate (or certificate chain) that is associated with the key (`ssl.key`). May only be used if `ssl.key` is set. `ssl.certificate_authorities`:: If retrieving IDP metadata via https (see `idp.metadata.path`), specifies the paths to the PEM encoded certificate authority certificates that should be trusted. `ssl.certificate_authorities` and `ssl.truststore.path` may not be used at the same time. `ssl.keystore.path`:: If retrieving IDP metadata via https (see `idp.metadata.path`), the path to the keystore that contains a private key and certificate. Must be either a Java Keystore (jks) or a PKCS#12 file. `ssl.key` and `ssl.keystore.path` may not be used at the same time. `ssl.keystore.type`:: The type of the keystore (`ssl.keystore.path`). Must be one of "jks" or "PKCS12". Defaults to "PKCS12" if the keystore path ends in ".p12", ".pfx" or "pkcs12", otherwise uses "jks" `ssl.keystore.password`:: The password to the keystore (`ssl.keystore.path`). May not be used with `ssl.keystore.secure_password`. `ssl.keystore.secure_password` (<>):: The password to the keystore (`ssl.keystore.path`). May not be used with `ssl.keystore.password`. `ssl.keystore.key_password`:: The password for the key in the keystore (`ssl.keystore.path`). Defaults to the keystore password. May not be used with `ssl.keystore.secure_key_password`. `ssl.keystore.secure_key_password` (<>):: The password for the key in the keystore (`ssl.keystore.path`). Defaults to the keystore password. May not be used with `ssl.keystore.key_password`. `ssl.truststore.path`:: If retrieving IDP metadata via https (see `idp.metadata.path`), the path to the keystore that contains the certificates to trust. Must be either a Java Keystore (jks) or a PKCS#12 file. `ssl.certificate_authorities` and `ssl.truststore.path` may not be used at the same time. `ssl.truststore.type`:: The type of the truststore (`ssl.truststore.path`). Must be one of "jks" or "PKCS12". Defaults to "PKCS12" if the keystore path ends in ".p12", ".pfx" or "pkcs12", otherwise uses "jks" `ssl.truststore.password`:: The password to the truststore (`ssl.truststore.path`). May not be used with `ssl.truststore.secure_password`. `ssl.truststore.secure_password` (<>):: The password to the truststore (`ssl.truststore.path`). May not be used with `ssl.truststore.password`. `ssl.verification_mode`:: If retrieving IDP metadata via https (see `idp.metadata.path`), one of `full` (verify the hostname and the certicate path), `certificate` (verify the certificate path, but not the hostname) or `none` (perform no verification). Defaults to `full`. `ssl.supported_protocols`:: If retrieving IDP metadata via https (see `idp.metadata.path`), specifies the supported protocols for TLS/SSL. `ssl.cipher_suites`:: If retrieving IDP metadata via https (see `idp.metadata.path`), specifies the cipher suites that should be supported. [float] [[ssl-tls-settings]] ==== Default TLS/SSL Settings You can configure the following TLS/SSL settings in `elasticsearch.yml`. For more information, see {xpack-ref}/encrypting-communications.html[Encrypting Communications]. These settings will be used for all of {xpack} unless they have been overridden by more specific settings such as those for HTTP or Transport. `xpack.ssl.supported_protocols`:: Supported protocols with versions. Valid protocols: `SSLv2Hello`, `SSLv3`, `TLSv1`, `TLSv1.1`, `TLSv1.2`. Defaults to `TLSv1.2`, `TLSv1.1`, `TLSv1`. `xpack.ssl.client_authentication`:: Controls the server's behavior in regard to requesting a certificate from client connections. Valid values are `required`, `optional`, and `none`. `required` forces a client to present a certificate, while `optional` requests a client certificate but the client is not required to present one. Defaults to `required`. This global setting is not applicable for HTTP, see <>. `xpack.ssl.verification_mode`:: Controls the verification of certificates. Valid values are `none`, `certificate`, and `full`. Defaults to `full`. `xpack.ssl.cipher_suites`:: Supported cipher suites can be found in Oracle's http://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html[ Java Cryptography Architecture documentation]. Defaults to `TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256`, `TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256`, `TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA`, `TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA`, `TLS_RSA_WITH_AES_128_CBC_SHA256`, `TLS_RSA_WITH_AES_128_CBC_SHA`. If the _Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files_ has been installed, the default value also includes `TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384`, `TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384`, `TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA`, `TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA`, `TLS_RSA_WITH_AES_256_CBC_SHA256`, `TLS_RSA_WITH_AES_256_CBC_SHA`. [float] [[tls-ssl-key-settings]] ===== Default TLS/SSL Key and Trusted Certificate Settings The following settings are used to specify a private key, certificate, and the trusted certificates that should be used when communicating over an SSL/TLS connection. If none of the settings below are specified, this will default to the <>. If no trusted certificates are configured, the default certificates that are trusted by the JVM will be trusted along with the certificate(s) from the <>. The key and certificate must be in place for connections that require client authentication or when acting as a SSL enabled server. [float] ===== PEM Encoded Files When using PEM encoded files, use the following settings: `xpack.ssl.key`:: Path to the PEM encoded file containing the private key. `xpack.ssl.key_passphrase`:: The passphrase that is used to decrypt the private key. This value is optional as the key might not be encrypted. `xpack.ssl.secure_key_passphrase` ({<>):: The passphrase that is used to decrypt the private key. This value is optional as the key might not be encrypted. `xpack.ssl.certificate`:: Path to a PEM encoded file containing the certificate (or certificate chain) that will be presented to clients when they connect. `xpack.ssl.certificate_authorities`:: List of paths to the PEM encoded certificate files that should be trusted. [float] ===== Java Keystore Files When using Java keystore files (JKS), which contain the private key, certificate and certificates that should be trusted, use the following settings: `xpack.ssl.keystore.path`:: Path to the keystore that holds the private key and certificate. `xpack.ssl.keystore.password`:: Password to the keystore. `xpack.ssl.keystore.secure_password` (<>):: Password to the keystore. `xpack.ssl.keystore.key_password`:: Password for the private key in the keystore. Defaults to the same value as `xpack.ssl.keystore.password`. `xpack.ssl.keystore.secure_key_password` (<>):: Password for the private key in the keystore. `xpack.ssl.truststore.path`:: Path to the truststore file. `xpack.ssl.truststore.password`:: Password to the truststore. `xpack.ssl.truststore.secure_password` (<>):: Password to the truststore. [float] ===== PKCS#12 Files When using PKCS#12 container files (`.p12` or `.pfx`), which contain the private key, certificate, and certificates that should be trusted, use the following settings: `xpack.ssl.keystore.path`:: Path to the PKCS#12 file that holds the private key and certificate. `xpack.ssl.keystore.type`:: Set this to `PKCS12`. `xpack.ssl.keystore.password`:: Password to the PKCS#12 file. `xpack.ssl.keystore.secure_password` (<>):: Password to the PKCS#12 file. `xpack.ssl.keystore.key_password`:: Password for the private key in the PKCS12 file. Defaults to the same value as `xpack.ssl.keystore.password`. `xpack.ssl.keystore.secure_key_password` (<>):: Password for the private key in the PKCS12 file. `xpack.ssl.truststore.path`:: Path to the truststore file. `xpack.ssl.truststore.type`:: Set this to `PKCS12`. `xpack.ssl.truststore.password`:: Password to the truststore. `xpack.ssl.truststore.secure_password` (<>):: Password to the truststore. [[http-tls-ssl-settings]] :ssl-prefix: xpack.security.http :component: HTTP :client-auth-default: none :verifies!: :server: include::ssl-settings.asciidoc[] [[transport-tls-ssl-settings]] :ssl-prefix: xpack.security.transport :component: Transport :client-auth-default!: :verifies: :server: include::ssl-settings.asciidoc[] [[ssl-tls-profile-settings]] [float] ===== Transport Profile TLS/SSL Settings The same settings that are available for the <> are also available for each transport profile. By default, the settings for a transport profile will be the same as the default transport unless they are specified. As an example, lets look at the key setting. For the default transport this is `xpack.security.transport.ssl.key`. In order to use this setting in a transport profile, use the prefix `transport.profiles.$PROFILE.xpack.security.` and append the portion of the setting after `xpack.security.transport.`. For the key setting, this would be `transport.profiles.$PROFILE.xpack.security.ssl.key`. [float] [[ip-filtering-settings]] ==== IP Filtering Settings You can configure the following settings for {xpack-ref}/ip-filtering.html[IP filtering]. `xpack.security.transport.filter.allow`:: List of IP addresses to allow. `xpack.security.transport.filter.deny`:: List of IP addresses to deny. `xpack.security.http.filter.allow`:: List of IP addresses to allow just for HTTP. `xpack.security.http.filter.deny`:: List of IP addresses to deny just for HTTP. `transport.profiles.$PROFILE.xpack.security.filter.allow`:: List of IP addresses to allow for this profile. `transport.profiles.$PROFILE.xpack.security.filter.deny`:: List of IP addresses to deny for this profile.