honeymoose/OpenSearch
1
0
Fork 0
mirror of https://github.com/honeymoose/OpenSearch.git synced 2025-02-06 13:08:29 +00:00
Code Issues Packages Projects Releases Wiki Activity
OpenSearch/docs/en/security/securing-communications/enabling-cipher-suites.asciidoc
Jay Modi 7291eb55fe Automatically enable AES 256 bit TLS ciphers when available (elastic/x-pack-elasticsearch#2137) 
This commit adds detection of support for AES 256 bit ciphers and enables their use when the JVM
supports them. For OpenJDK, this is often the case without any changes but for the Oracle JVM, the
unlimited policy file needs to be installed. In order to simplify the work a user would need to do
we can detect this support and automatically enable the AES 256 bit versions of the ciphers we
already enable.

Original commit: elastic/x-pack-elasticsearch@5f23b18a1e
2017-08-01 07:36:35 -06:00

26 lines
1.4 KiB
Plaintext
Raw Blame History

[[ciphers]]
=== Enabling Cipher Suites for Stronger Encryption
The TLS and SSL protocols use a cipher suite that determines the strength of
encryption used to protect the data. You may want to increase the strength of
encryption used when using a Oracle JVM; the IcedTea OpenJDK ships without these
restrictions in place. This step is not required to successfully use encrypted
communication.
The _Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy
Files_ enable the use of additional cipher suites for Java in a separate JAR file
that you need to add to your Java installation. You can download this JAR file
from Oracle's http://www.oracle.com/technetwork/java/javase/downloads/index.html[download page].
The _JCE Unlimited Strength Jurisdiction Policy Files`_ are required for
encryption with key lengths greater than 128 bits, such as 256-bit AES encryption.
After installation, all cipher suites in the JCE are available for use but requires
configuration in order to use them. To enable the use of stronger cipher suites with
{security}, configure the `cipher_suites` parameter. See the
{ref}/security-settings.html#ssl-tls-settings[Configuration Parameters for TLS/SSL]
section of this document for specific parameter information.
NOTE: The _JCE Unlimited Strength Jurisdiction Policy Files_ must be installed
on all nodes in the cluster to establish an improved level of encryption
strength.
Reference in New Issue View Git Blame Copy Permalink