honeymoose/OpenSearch
1
0
Fork 0
mirror of https://github.com/honeymoose/OpenSearch.git synced 2025-02-06 13:08:29 +00:00
Code Issues Packages Projects Releases Wiki Activity
OpenSearch/docs/reference/security/securing-communications/tls-ad.asciidoc
Tim Vernum 574ec6686e
Include realm type in Security Realm setting keys (#30241) 
This moves all Realm settings to an Affix definition.
However, because different realm types define different settings
(potentially conflicting settings) this requires that the realm type
become part of the setting key.

Thus, we now need to define realm settings as:

    xpack.security.authc.realms:
      file.file1:
        order: 0

      native.native1:
        order: 1

- This is a breaking change to realm config
- This is also a breaking change to custom security realms (SecurityExtension)
2018-11-06 14:56:50 +11:00

58 lines
2.4 KiB
Plaintext
Raw Blame History

[role="xpack"]
[[tls-active-directory]]
==== Encrypting communications between {es} and Active Directory
To protect the user credentials that are sent for authentication, it's highly
recommended to encrypt communications between {es} and your Active Directory
server. Connecting via SSL/TLS ensures that the identity of the Active Directory
server is authenticated before {security} transmits the user credentials and the
usernames and passwords are encrypted in transit.
Clients and nodes that connect via SSL/TLS to the Active Directory server need
to have the Active Directory server's certificate or the server's root CA
certificate installed in their keystore or truststore.
. Create the realm configuration for the `xpack.security.authc.realms` namespace
in the `elasticsearch.yml` file. See <<configuring-ad-realm>>.
. Set the `url` attribute in the realm configuration to specify the LDAPS protocol
and the secure port number. For example, `url: ldaps://ad.example.com:636`.
. Configure each node to trust certificates signed by the certificate authority
(CA) that signed your Active Directory server certificates.
+
--
The following example demonstrates how to trust a CA certificate (`cacert.pem`),
which is located within the configuration directory:
[source,shell]
--------------------------------------------------
xpack:
security:
authc:
realms:
active_directory:
ad_realm:
order: 0
domain_name: ad.example.com
url: ldaps://ad.example.com:636
ssl:
certificate_authorities: [ "ES_PATH_CONF/cacert.pem" ]
--------------------------------------------------
The CA cert must be a PEM encoded certificate.
For more information about these settings, see <<ref-ad-settings>>.
--
. Restart {es}.
NOTE: By default, when you configure {security} to connect to Active Directory
using SSL/TLS, {security} attempts to verify the hostname or IP address
specified with the `url` attribute in the realm configuration with the
values in the certificate. If the values in the certificate and realm
configuration do not match, {security} does not allow a connection to the
Active Directory server. This is done to protect against man-in-the-middle
attacks. If necessary, you can disable this behavior by setting the
`ssl.verification_mode` property to `certificate`.
Reference in New Issue View Git Blame Copy Permalink