elasticsearch/docs/reference/security/securing-communications/tls-ad.asciidoc
James Rodewig 255c9a7f95
[DOCS] Move x-pack docs to docs/reference dir (#99209)
**Problem:**
For historical reasons, source files for the Elasticsearch Guide's security, watcher, and Logstash API docs are housed in the `x-pack/docs` directory. This can confuse new contributors who expect Elasticsearch Guide docs to be located in `docs/reference`. 

**Solution:**
- Move the security, watcher, and Logstash API doc source files to the `docs/reference` directory
- Update doc snippet tests to use security

Rel: https://github.com/elastic/platform-docs-team/issues/208
2023-09-12 14:53:41 -04:00


[role="xpack"]
[[tls-active-directory]]
==== Encrypting communications between {es} and Active Directory
To protect the user credentials that are sent for authentication, it's highly
recommended to encrypt communications between {es} and your Active Directory
server. Connecting via SSL/TLS ensures that the identity of the Active Directory
server is authenticated before {es} transmits the user credentials, and that the
usernames and passwords are encrypted in transit.

Clients and nodes that connect via SSL/TLS to the Active Directory server need
to have the Active Directory server's certificate or the server's root CA
certificate installed in their keystore or truststore.

. Create the realm configuration for the `xpack.security.authc.realms` namespace
in the `elasticsearch.yml` file. See <<ad-realm-configuration>>.
. Set the `url` attribute in the realm configuration to specify the LDAPS protocol
and the secure port number. For example, `url: ldaps://ad.example.com:636`.
. Configure each node to trust certificates signed by the certificate authority
(CA) that signed your Active Directory server certificates.
+
--
The following example demonstrates how to trust a CA certificate (`cacert.pem`),
which is located within the configuration directory:

[source,yaml]
--------------------------------------------------
xpack:
  security:
    authc:
      realms:
        active_directory:
          ad_realm:
            order: 0
            domain_name: ad.example.com
            url: ldaps://ad.example.com:636
            ssl:
              certificate_authorities: [ "ES_PATH_CONF/cacert.pem" ]
--------------------------------------------------

The CA cert must be a PEM encoded certificate.
For more information about these settings, see <<ref-ad-settings>>.
--
. Restart {es}.

NOTE: By default, when you configure {es} to connect to Active Directory
using SSL/TLS, it attempts to verify the hostname or IP address
specified with the `url` attribute in the realm configuration with the
values in the certificate. If the values in the certificate and realm
configuration do not match, {es} does not allow a connection to the
Active Directory server. This is done to protect against man-in-the-middle
attacks. If necessary, you can disable this behavior by setting the
`ssl.verification_mode` property to `certificate`.
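The following is an added example, not part of the {es} documentation or code base: a small pre-flight audit of one `active_directory` realm block that checks the three things the steps above require (an `ldaps://` URL, a PEM encoded CA file reachable from `ES_PATH_CONF`, and a `ssl.verification_mode` that still matches the `url` host against the certificate). The `audit_ad_realm` and `demo` functions, the scratch configuration directory and the placeholder certificate text are all constructed here for illustration.

```python
"""Pre-flight audit of an Active Directory realm's TLS settings (added example)."""
from __future__ import annotations

import tempfile
from pathlib import Path
from urllib.parse import urlsplit

PEM_HEADER = "-----BEGIN CERTIFICATE-----"


def audit_ad_realm(realm: dict, conf_dir: Path) -> list[str]:
    """Return findings for the mapping under realms.active_directory.<name>.
    conf_dir stands in for ES_PATH_CONF when resolving certificate_authorities."""
    findings = []
    if urlsplit(str(realm.get("url", ""))).scheme != "ldaps":
        findings.append(f"url {realm.get('url')!r} is not ldaps://: credentials would be sent in clear text")
    ssl = realm.get("ssl", {})
    mode = ssl.get("verification_mode", "full")  # ES default is full
    if mode == "none":
        findings.append("ssl.verification_mode: none disables certificate and hostname checks")
    elif mode == "certificate":
        findings.append("ssl.verification_mode: certificate skips matching the url host against the certificate")
    elif mode != "full":
        findings.append(f"unknown ssl.verification_mode {mode!r}")
    cas = ssl.get("certificate_authorities", [])
    if not cas:
        findings.append("no ssl.certificate_authorities: the AD server chain cannot be verified")
    for entry in cas:
        path = Path(str(entry).replace("ES_PATH_CONF", str(conf_dir)))
        if not path.is_absolute():
            path = conf_dir / path  # bare file names are relative to the config dir
        if not path.is_file():
            findings.append(f"CA file {path} does not exist")
        elif PEM_HEADER not in path.read_text(errors="replace"):
            findings.append(f"CA file {path} is not PEM encoded")
    return findings


def demo() -> tuple[list[str], list[str]]:
    """Audit the realm from the docs page and a weakened variant against a
    scratch ES_PATH_CONF holding a constructed placeholder cacert.pem."""
    conf_dir = Path(tempfile.mkdtemp())
    (conf_dir / "cacert.pem").write_text(
        f"{PEM_HEADER}\nMIIB...constructed placeholder, not a real certificate\n-----END CERTIFICATE-----\n")
    good = {"order": 0, "domain_name": "ad.example.com", "url": "ldaps://ad.example.com:636",
            "ssl": {"certificate_authorities": ["ES_PATH_CONF/cacert.pem"]}}
    weak = {"order": 0, "domain_name": "ad.example.com", "url": "ldap://ad.example.com:389",
            "ssl": {"verification_mode": "certificate",
                    "certificate_authorities": ["ES_PATH_CONF/missing.pem"]}}
    return audit_ad_realm(good, conf_dir), audit_ad_realm(weak, conf_dir)
```

Run `demo()` to see the page's configuration pass with no findings while the weakened variant reports the plaintext URL, the relaxed verification mode and the missing CA file.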