OpenSearch/docs/reference/security/securing-communications/tls-http.asciidoc

94 lines
3.8 KiB
Plaintext
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

[role="xpack"]
[[tls-http]]
==== Encrypting HTTP Client Communications
When {security} is enabled, you can optionally use TLS to ensure that
communication between HTTP clients and the cluster is encrypted.
NOTE: Enabling TLS on the HTTP layer is strongly recommended but is not required.
If you enable TLS on the HTTP layer in {es}, then you might need to make
configuration changes in other parts of the Elastic Stack and in any {es}
clients that you use.
. If you have not done so already, <<node-certificates,generate node certificates>>.
. Enable TLS and specify the information required to access the nodes
certificate.
** If the certificate is in PKCS#12 format, add the following information to the
`elasticsearch.yml` file on each node:
+
--
[source, yaml]
--------------------------------------------------
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: certs/elastic-certificates.p12 <1>
xpack.security.http.ssl.truststore.path: certs/elastic-certificates.p12 <2>
--------------------------------------------------
<1> If you created a separate certificate for each node, then you might need to
customize this path on each node. If the filename matches the node name, you can
use the `certs/${node.name}.p12` format, for example.
<2> The `elasticsearch-certutil` output includes the CA certificate inside the
PKCS#12 keystore, therefore the keystore can also be used as the truststore.
This name should match the `keystore.path` value.
--
** If the certificate is in PEM format, add the following information to the
`elasticsearch.yml` file on each node:
+
--
[source, yaml]
--------------------------------------------------
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.key: /home/es/config/node01.key <1>
xpack.security.http.ssl.certificate: /home/es/config/node01.crt <2>
xpack.security.http.ssl.certificate_authorities: [ "/home/es/config/ca.crt" ] <3>
--------------------------------------------------
<1> The full path to the node key file. This must be a location within the
{es} configuration directory.
<2> The full path to the node certificate. This must be a location within the
{es} configuration directory.
<3> An array of paths to the CA certificates that should be trusted. These paths
must be a location within the {es} configuration directory.
--
. If you secured the node's certificate with a password, add the password to
your {es} keystore:
** If the signed certificate is in PKCS#12 format, use the following commands:
+
--
[source,shell]
-----------------------------------------------------------
bin/elasticsearch-keystore add xpack.security.http.ssl.keystore.secure_password
bin/elasticsearch-keystore add xpack.security.http.ssl.truststore.secure_password
-----------------------------------------------------------
--
** If the certificate is in PEM format, use the following commands:
+
--
[source,shell]
-----------------------------------------------------------
bin/elasticsearch-keystore add xpack.security.http.ssl.secure_key_passphrase
-----------------------------------------------------------
--
. Restart {es}.
[NOTE]
===============================
* All TLS-related node settings are considered to be highly sensitive and
therefore are not exposed via the
{ref}/cluster-nodes-info.html#cluster-nodes-info[nodes info API] For more
information about any of these settings, see <<security-settings>>.
* {es} monitors all files such as certificates, keys, keystores, or truststores
that are configured as values of TLS-related node settings. If you update any of
these files (for example, when your hostnames change or your certificates are
due to expire), {es} reloads them. The files are polled for changes at
a frequency determined by the global {es} `resource.reload.interval.high`
setting, which defaults to 5 seconds.
===============================