[role="xpack"]
[[tls-http]]
==== Encrypting HTTP client communications

When {security-features} are enabled, you can optionally use TLS to ensure that
communication between HTTP clients and the cluster is encrypted.

NOTE: Enabling TLS on the HTTP layer is strongly recommended but is not required.
If you enable TLS on the HTTP layer in {es}, then you might need to make
configuration changes in other parts of the {stack} and in any {es} clients that
you use.

. If you have not done so already, <>.
+
--
In particular, you need the files that are generated by the following command:

[source,shell]
----------------------------------------------------------
bin/elasticsearch-certutil http
----------------------------------------------------------

This command generates a zip file that contains certificates and keys for use in
{es} and {kib}. Each folder contains a readme that explains how to use the files.
--

. Verify that you've copied the output files to the appropriate locations, as
specified in the readme files.
+
--
For example, copy the `http.p12` file from the `elasticsearch` folder into a
directory within the {es} configuration directory on each node. If you chose to
generate one certificate per node, copy the appropriate `http.p12` file to each
node.

If you want to use {kib} to access this cluster, copy the `elasticsearch-ca.pem`
file from the `kibana` folder into the {kib} configuration directory.
--

. Enable TLS and specify the information required to access the node's
certificate. For example:

.. Update the `elasticsearch.yml` file on each node with the location of the
certificates.
+
--
If the certificates are in PKCS#12 format:

[source,yaml]
--------------------------------------------------
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: "http.p12"
--------------------------------------------------

If you have certificates in PEM format:

[source,yaml]
--------------------------------------------------
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.key: /home/es/config/node1_http.key <1>
xpack.security.http.ssl.certificate: /home/es/config/node1_http.crt <2>
xpack.security.http.ssl.certificate_authorities: [ "/home/es/config/ca.crt" ] <3>
--------------------------------------------------
<1> The full path to the node key file. This must be a location within the
{es} configuration directory.
<2> The full path to the node certificate. This must be a location within the
{es} configuration directory.
<3> An array of paths to the CA certificates that should be trusted. These
paths must be a location within the {es} configuration directory.
--

.. If you secured the keystore or the private key with a password, add that
password to a secure setting in {es}.
+
--
If the certificates are in PKCS#12 format:

[source,shell]
-----------------------------------------------------------
bin/elasticsearch-keystore add xpack.security.http.ssl.keystore.secure_password
-----------------------------------------------------------

If the certificates are in PEM format:

[source,shell]
-----------------------------------------------------------
bin/elasticsearch-keystore add xpack.security.http.ssl.secure_key_passphrase
-----------------------------------------------------------
--

. Optional: If you want to use {kib}, follow the instructions in the readme
provided by the `elasticsearch-certutil http` command or see
{kibana-ref}/configuring-tls.html[Encrypting communications in {kib}].

. Restart {es}.
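The PKCS#12 and PEM layouts above differ only in which settings carry file paths, but both are bound by the same rules: `xpack.security.http.ssl.enabled` must be `true`, and every key, certificate, keystore or CA path must sit inside the {es} configuration directory. The following script is an added example, not part of these docs or of {es} itself, that checks an `elasticsearch.yml` against those rules before a node is restarted. The sample configs, the `/home/es/config` directory and the flat `key: value` parser (used instead of a YAML library so the script runs offline) are constructed for this example.

```python
"""Sanity-check the TLS-on-HTTP settings in an elasticsearch.yml.

Added example, not part of the Elasticsearch docs or code base. It encodes
two rules the page states: xpack.security.http.ssl.enabled must be true, and
every key, certificate, keystore or CA path must resolve inside the
Elasticsearch configuration directory. A minimal flat 'key: value' parser
stands in for a YAML library; the sample configs below are constructed.
"""
import os

PREFIX = "xpack.security.http.ssl."

# Constructed samples: the two layouts the docs show, plus a bad one.
PKCS12_YML = """
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: "http.p12"
"""

PEM_YML = """
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.key: /home/es/config/node1_http.key
xpack.security.http.ssl.certificate: /home/es/config/node1_http.crt
xpack.security.http.ssl.certificate_authorities: [ "/home/es/config/ca.crt" ]
"""

# Constructed misconfiguration: the private key lives outside the config
# directory, which the docs say is not permitted.
BAD_PEM_YML = """
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.key: /etc/ssl/private/node1_http.key
xpack.security.http.ssl.certificate: /home/es/config/node1_http.crt
xpack.security.http.ssl.certificate_authorities: [ "/home/es/config/ca.crt" ]
"""


def parse_flat_yaml(text):
    """Parse 'key: value' lines; a value may be a scalar or a [a, b] list."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, _, value = line.partition(":")
        value = value.strip()
        if value.startswith("[") and value.endswith("]"):
            items = [v.strip().strip("\"'") for v in value[1:-1].split(",")]
            settings[key.strip()] = [v for v in items if v]
        else:
            settings[key.strip()] = value.strip("\"'")
    return settings


def inside_config_dir(path, config_dir):
    """True if path (absolute, or relative to config_dir) stays under config_dir."""
    config_dir = os.path.normpath(config_dir)
    # Relative paths are taken relative to the config directory; normpath
    # collapses any '..' segments so traversal out of the directory is caught.
    full = os.path.normpath(os.path.join(config_dir, path))
    return os.path.commonpath([config_dir, full]) == config_dir


def check_http_tls(yml_text, config_dir):
    """Return a list of problems; an empty list means the checks passed."""
    s = parse_flat_yaml(yml_text)
    problems = []
    if s.get(PREFIX + "enabled", "false").lower() != "true":
        problems.append(PREFIX + "enabled is not true")
    keystore = s.get(PREFIX + "keystore.path")
    key = s.get(PREFIX + "key")
    cert = s.get(PREFIX + "certificate")
    cas = s.get(PREFIX + "certificate_authorities", [])
    if keystore and (key or cert):
        problems.append("keystore.path and key/certificate are both set; use one format")
    if not keystore and not (key and cert):
        problems.append("neither keystore.path nor key + certificate is configured")
    for path in [p for p in (keystore, key, cert, *cas) if p]:
        if not inside_config_dir(path, config_dir):
            problems.append(f"{path} resolves outside the config directory {config_dir}")
    return problems


if __name__ == "__main__":
    for name, yml in (("pkcs12", PKCS12_YML), ("pem", PEM_YML), ("bad", BAD_PEM_YML)):
        print(name, check_http_tls(yml, "/home/es/config") or "ok")
```

Run it with the real path of your {es} configuration directory and the node's `elasticsearch.yml` contents in place of the constructed samples; a non-empty result means the node would not come up with a usable HTTP TLS configuration, so it is cheaper to fix before the restart in the last step.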
[NOTE]
===============================
* All TLS-related node settings are considered to be highly sensitive and
therefore are not exposed via the
{ref}/cluster-nodes-info.html#cluster-nodes-info[nodes info API]. For more
information about any of these settings, see <>.

* {es} monitors all files such as certificates, keys, keystores, or truststores
that are configured as values of TLS-related node settings. If you update any of
these files (for example, when your hostnames change or your certificates are
due to expire), {es} reloads them. The files are polled for changes at a
frequency determined by the global {es} `resource.reload.interval.high` setting,
which defaults to 5 seconds.
===============================