honeymoose/OpenSearch
1
0
Fork 0
mirror of https://github.com/honeymoose/OpenSearch.git synced 2025-03-05 18:39:14 +00:00
Code Issues Packages Projects Releases Wiki Activity
OpenSearch/x-pack/docs/en/security/securing-communications/tls-transport.asciidoc
Albert Zaharovits d9ab1469c9
[DOCS] Clarify not all PKCS12 usable as truststores (#30750) 
Although elasticsearch-certutil generates PKCS#12
files which are usable as both keystore and truststore
this is uncommon in practice. Settle these expectations
for the users following our security guides.
2018-05-31 21:49:27 +03:00

102 lines
4.3 KiB
Plaintext
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

[role="xpack"]
[[tls-transport]]
==== Encrypting Communications Between Nodes in a Cluster
The transport networking layer is used for internal communication between nodes
in a cluster. When {security} is enabled, you must use TLS to ensure that
communication between the nodes is encrypted.
. <<node-certificates,Generate node certificates>>.
. Enable TLS and specify the information required to access the nodes
certificate.
** If the signed certificate is in PKCS#12 format, add the following information to the
`elasticsearch.yml` file on each node:
+
--
[source,yaml]
-----------------------------------------------------------
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate <1>
xpack.security.transport.ssl.keystore.path: certs/elastic-certificates.p12 <2>
xpack.security.transport.ssl.truststore.path: certs/elastic-certificates.p12 <3>
-----------------------------------------------------------
<1> If you used the `--dns` or `--ip` options with the `elasticsearch-certutil cert` command
and you want to enable strict hostname checking, set the verification mode to
`full`.
See <<ssl-tls-settings, `xpack.ssl.verification_mode`>> for a description of these values.
<2> If you created a separate certificate for each node, then you might need to
customize this path on each node. If the filename matches the node name, you can
use the `certs/${node.name}.p12` format, for example.
<3> The `elasticsearch-certutil` outputs a PKCS#12 keystore which includes the
CA certificate as a trusted certificate entry. This allows for the keystore to
also be used as a truststore. In this case, the path value should match
the `keystore.path` value.
Note, however, that this is not the general rule. There are keystores that cannot be
used as trustores, only
{ref}/security-settings.html#pkcs12-truststore-note[specifically crafted ones can]
--
** If the certificate is in PEM format, add the following information to the
`elasticsearch.yml` file on each node:
+
--
[source, yaml]
--------------------------------------------------
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate <1>
xpack.security.transport.ssl.key: /home/es/config/node01.key <2>
xpack.security.transport.ssl.certificate: /home/es/config/node01.crt <3>
xpack.security.transport.ssl.certificate_authorities: [ "/home/es/config/ca.crt" ] <4>
--------------------------------------------------
<1> If you used the `--dns` or `--ip` options with the `elasticsearch-certutil cert` command
and you want to enable strict hostname checking, set the verification mode to
`full`.
See <<ssl-tls-settings, `xpack.ssl.verification_mode`>> for a description of these values.
<2> The full path to the node key file. This must be a location within the
{es} configuration directory.
<3> The full path to the node certificate. This must be a location within the
{es} configuration directory.
<4> An array of paths to the CA certificates that should be trusted. These paths
must be a location within the {es} configuration directory.
--
. If you secured the node's certificate with a password, add the password to
your {es} keystore:
** If the signed certificate is in PKCS#12 format, use the following commands:
+
--
[source,shell]
-----------------------------------------------------------
bin/elasticsearch-keystore add xpack.security.transport.ssl.keystore.secure_password
bin/elasticsearch-keystore add xpack.security.transport.ssl.truststore.secure_password
-----------------------------------------------------------
--
** If the certificate is in PEM format, use the following commands:
+
--
[source,shell]
-----------------------------------------------------------
bin/elasticsearch-keystore add xpack.security.transport.ssl.secure_key_passphrase
-----------------------------------------------------------
--
. Restart {es}.
+
--
You must perform a full cluster restart. Nodes which are configured to use TLS
cannot communicate with nodes that are using unencrypted networking (and
vice-versa). After enabling TLS you must restart all nodes in order to maintain
communication across the cluster.
--
NOTE: All TLS-related node settings are considered to be highly sensitive and
therefore are not exposed via the
{ref}/cluster-nodes-info.html#cluster-nodes-info[nodes info API] For more
information about any of these settings, see <<security-settings>>.
Reference in New Issue View Git Blame Copy Permalink