==== {component} TLS/SSL settings You can configure the following TLS/SSL settings. ifdef::server[] +{ssl-prefix}.ssl.enabled+:: Used to enable or disable TLS/SSL. The default is `false`. endif::server[] +{ssl-prefix}.ssl.supported_protocols+:: include::{es-repo-dir}/settings/common-defs.asciidoc[tag=ssl-supported-protocols] ifdef::server[] +{ssl-prefix}.ssl.client_authentication+:: Controls the server's behavior in regard to requesting a certificate from client connections. Valid values are `required`, `optional`, and `none`. `required` forces a client to present a certificate, while `optional` requests a client certificate but the client is not required to present one. ifndef::client-auth-default[] Defaults to `none`. endif::client-auth-default[] ifdef::client-auth-default[] Defaults to +{client-auth-default}+. endif::client-auth-default[] endif::server[] ifdef::verifies[] +{ssl-prefix}.ssl.verification_mode+:: Controls the verification of certificates. include::{es-repo-dir}/settings/common-defs.asciidoc[tag=ssl-verification-mode-values] endif::verifies[] +{ssl-prefix}.ssl.cipher_suites+:: include::{es-repo-dir}/settings/common-defs.asciidoc[tag=ssl-cipher-suites-values] [#{ssl-context}-tls-ssl-key-trusted-certificate-settings] ===== {component} TLS/SSL key and trusted certificate settings The following settings are used to specify a private key, certificate, and the trusted certificates that should be used when communicating over an SSL/TLS connection. ifdef::server[] A private key and certificate must be configured. endif::server[] ifndef::server[] A private key and certificate are optional and would be used if the server requires client authentication for PKI authentication. endif::server[] ===== PEM encoded files When using PEM encoded files, use the following settings: +{ssl-prefix}.ssl.key+:: include::{es-repo-dir}/settings/common-defs.asciidoc[tag=ssl-key-pem] +{ssl-prefix}.ssl.key_passphrase+:: include::{es-repo-dir}/settings/common-defs.asciidoc[tag=ssl-key-passphrase] +{ssl-prefix}.ssl.secure_key_passphrase+ (<>):: include::{es-repo-dir}/settings/common-defs.asciidoc[tag=ssl-secure-key-passphrase] +{ssl-prefix}.ssl.certificate+:: include::{es-repo-dir}/settings/common-defs.asciidoc[tag=ssl-certificate] +{ssl-prefix}.ssl.certificate_authorities+:: include::{es-repo-dir}/settings/common-defs.asciidoc[tag=ssl-certificate-authorities] ===== Java keystore files When using Java keystore files (JKS), which contain the private key, certificate and certificates that should be trusted, use the following settings: +{ssl-prefix}.ssl.keystore.path+:: include::{es-repo-dir}/settings/common-defs.asciidoc[tag=ssl-keystore-path] +{ssl-prefix}.ssl.keystore.password+:: include::{es-repo-dir}/settings/common-defs.asciidoc[tag=ssl-keystore-password] +{ssl-prefix}.ssl.keystore.secure_password+ (<>):: include::{es-repo-dir}/settings/common-defs.asciidoc[tag=ssl-keystore-secure-password] +{ssl-prefix}.ssl.keystore.key_password+:: include::{es-repo-dir}/settings/common-defs.asciidoc[tag=ssl-keystore-key-password] +{ssl-prefix}.ssl.keystore.secure_key_password+ (<>):: include::{es-repo-dir}/settings/common-defs.asciidoc[tag=ssl-keystore-secure-key-password] +{ssl-prefix}.ssl.truststore.path+:: include::{es-repo-dir}/settings/common-defs.asciidoc[tag=ssl-truststore-path] +{ssl-prefix}.ssl.truststore.password+:: include::{es-repo-dir}/settings/common-defs.asciidoc[tag=ssl-truststore-password] +{ssl-prefix}.ssl.truststore.secure_password+ (<>):: include::{es-repo-dir}/settings/common-defs.asciidoc[tag=ssl-truststore-secure-password] [#{ssl-context}-pkcs12-files] ===== PKCS#12 files {es} can be configured to use PKCS#12 container files (`.p12` or `.pfx` files) that contain the private key, certificate and certificates that should be trusted. PKCS#12 files are configured in the same way as Java keystore files: +{ssl-prefix}.ssl.keystore.path+:: include::{es-repo-dir}/settings/common-defs.asciidoc[tag=ssl-keystore-path] +{ssl-prefix}.ssl.keystore.type+:: include::{es-repo-dir}/settings/common-defs.asciidoc[tag=ssl-keystore-type-pkcs12] +{ssl-prefix}.ssl.keystore.password+:: include::{es-repo-dir}/settings/common-defs.asciidoc[tag=ssl-keystore-password] +{ssl-prefix}.ssl.keystore.secure_password+ (<>):: include::{es-repo-dir}/settings/common-defs.asciidoc[tag=ssl-keystore-secure-password] +{ssl-prefix}.ssl.keystore.key_password+:: include::{es-repo-dir}/settings/common-defs.asciidoc[tag=ssl-keystore-key-password] +{ssl-prefix}.ssl.keystore.secure_key_password+ (<>):: include::{es-repo-dir}/settings/common-defs.asciidoc[tag=ssl-keystore-secure-key-password] +{ssl-prefix}.ssl.truststore.path+:: include::{es-repo-dir}/settings/common-defs.asciidoc[tag=ssl-truststore-path] +{ssl-prefix}.ssl.truststore.type+:: Set this to `PKCS12` to indicate that the truststore is a PKCS#12 file. //TBD:Should this use the ssl-truststore-type-pkcs11 or ssl-truststore-type definition and default values? +{ssl-prefix}.ssl.truststore.password+:: include::{es-repo-dir}/settings/common-defs.asciidoc[tag=ssl-truststore-password] +{ssl-prefix}.ssl.truststore.secure_password+ (<>):: include::{es-repo-dir}/settings/common-defs.asciidoc[tag=ssl-truststore-secure-password] [#{ssl-context}-pkcs11-tokens] ===== PKCS#11 tokens {es} can be configured to use a PKCS#11 token that contains the private key, certificate and certificates that should be trusted. PKCS#11 token require additional configuration on the JVM level and can be enabled via the following settings: +{ssl-prefix}.keystore.type+:: Set this to `PKCS11` to indicate that the PKCS#11 token should be used as a keystore. //TBD: Is the default value `jks`? +{ssl-prefix}.truststore.type+:: include::{es-repo-dir}/settings/common-defs.asciidoc[tag=ssl-truststore-type-pkcs11] [NOTE] When configuring the PKCS#11 token that your JVM is configured to use as a keystore or a truststore for Elasticsearch, the PIN for the token can be configured by setting the appropriate value to `ssl.truststore.password` or `ssl.truststore.secure_password` in the context that you are configuring. Since there can only be one PKCS#11 token configured, only one keystore and truststore will be usable for configuration in {es}. This in turn means that only one certificate can be used for TLS both in the transport and the http layer.