[[cluster-nodes-reload-secure-settings]]
=== Nodes reload secure settings API
++++
Nodes reload secure settings
++++
The cluster nodes reload secure settings API is used to re-load the keystore on each node.
[source,console]
--------------------------------------------------
POST _nodes/reload_secure_settings
POST _nodes/nodeId1,nodeId2/reload_secure_settings
--------------------------------------------------
// TEST[setup:node]
// TEST[s/nodeId1,nodeId2/*/]
The first command reloads the keystore on each node. The seconds allows
to selectively target `nodeId1` and `nodeId2`. The node selection options are
detailed <>.
NOTE: {es} requires consistent secure settings across the cluster nodes, but this consistency is not enforced.
Hence, reloading specific nodes is not standard. It is only justifiable when retrying failed reload operations.
==== Reload Password Protected Secure Settings
When the {es} keystore is password protected and not simply obfuscated, the password for the keystore needs
to be provided in the request to reload the secure settings.
Reloading the settings for the whole cluster assumes that all nodes' keystores are protected with the same password
and is only allowed when {ref}/configuring-tls.html#tls-transport[node to node communications are encrypted]
[source,js]
--------------------------------------------------
POST _nodes/reload_secure_settings
{
"reload_secure_settings": "s3cr3t" <1>
}
--------------------------------------------------
// NOTCONSOLE
<1> The common password that the {es} keystore is encrypted with in every node of the cluster.
Alternatively the secure settings can be reloaded on a per node basis, locally accessing the API and passing the
node-specific {es} keystore password.
[source,js]
--------------------------------------------------
POST _nodes/_local/reload_secure_settings
{
"reload_secure_settings": "s3cr3t" <1>
}
--------------------------------------------------
// NOTCONSOLE
<1> The password that the {es} keystore is encrypted with on the local node.
[float]
[[rest-reload-secure-settings]]
==== REST Reload Secure Settings Response
The response contains the `nodes` object, which is a map, keyed by the
node id. Each value has the node `name` and an optional `reload_exception`
field. The `reload_exception` field is a serialization of the exception
that was thrown during the reload process, if any.
[source,console-result]
--------------------------------------------------
{
"_nodes": {
"total": 1,
"successful": 1,
"failed": 0
},
"cluster_name": "my_cluster",
"nodes": {
"pQHNt5rXTTWNvUgOrdynKg": {
"name": "node-0"
}
}
}
--------------------------------------------------
// TESTRESPONSE[s/"my_cluster"/$body.cluster_name/]
// TESTRESPONSE[s/"pQHNt5rXTTWNvUgOrdynKg"/\$node_name/]