github-mirrors/elasticsearch
1
0
Fork 0
mirror of https://github.com/elastic/elasticsearch.git synced 2025-06-30 10:23:41 -04:00
Code Issues Projects Releases Packages Wiki Activity
elasticsearch/docs/reference/setup/bootstrap-checks-xes.asciidoc
Adam Locke 8dd563134c
[DOCS] Overhaul TLS security docs (#68946) 
* Removing security overview and condensing.

* Adding new security file.

* Minor changes.

* Removing link to pass build.

* Adding minimal security page.

* Adding minimal security page.

* Changes to intro.

* Add basic and basic + http configurations.

* Lots of changes, removed files, and redirects.

* Moving some AD and LDAP sections, plus more redirects.

* Redirects for SAML.

* Updating snippet languages and redirects.

* Adding another SAML redirect.

* Hopefully fixing the ci/2 error.

* Fixing another broken link for SAML.

* Adding what's next sections and some cleanup.

* Removes both security tutorials from the TOC.

* Adding redirect for removed tutorial.

* Add graphic for Elastic Security layers.

* Incorporating reviewer feedback.

* Update x-pack/docs/en/security/securing-communications/security-basic-setup.asciidoc

Co-authored-by: Ioannis Kakavas <ikakavas@protonmail.com>

* Update x-pack/docs/en/security/securing-communications/security-minimal-setup.asciidoc

Co-authored-by: Yang Wang <ywangd@gmail.com>

* Update x-pack/docs/en/security/securing-communications/security-basic-setup.asciidoc

Co-authored-by: Yang Wang <ywangd@gmail.com>

* Update x-pack/docs/en/security/index.asciidoc

Co-authored-by: Ioannis Kakavas <ikakavas@protonmail.com>

* Update x-pack/docs/en/security/securing-communications/security-basic-setup-https.asciidoc

Co-authored-by: Ioannis Kakavas <ikakavas@protonmail.com>

* Apply suggestions from code review

Co-authored-by: Ioannis Kakavas <ikakavas@protonmail.com>
Co-authored-by: Yang Wang <ywangd@gmail.com>

* Additional changes from review feedback.

* Incorporating reviewer feedback.

* Incorporating more reviewer feedback.

* Clarify that TLS is for authenticating nodes

Co-authored-by: Tim Vernum <tim@adjective.org>

* Clarify security between nodes

Co-authored-by: Tim Vernum <tim@adjective.org>

* Clarify that TLS is between nodes

Co-authored-by: Tim Vernum <tim@adjective.org>

* Update title for configuring Kibana with a password

Co-authored-by: Tim Vernum <tim@adjective.org>

* Move section for enabling passwords between Kibana and ES to minimal security.

* Add section for transport description, plus incorporate more reviewer feedback.

* Moving operator privileges lower in the navigation.

Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
Co-authored-by: Ioannis Kakavas <ikakavas@protonmail.com>
Co-authored-by: Yang Wang <ywangd@gmail.com>
Co-authored-by: Tim Vernum <tim@adjective.org>
2021-03-25 11:54:39 -04:00

81 lines
3.1 KiB
Text
Raw Blame History

[role="xpack"]
[[bootstrap-checks-xpack]]
== Bootstrap Checks for {xpack}
In addition to the <<bootstrap-checks,{es} bootstrap checks>>, there are
checks that are specific to {xpack} features.
[discrete]
=== Encrypt sensitive data check
//See EncryptSensitiveDAtaBootstrapCheck.java
If you use {watcher} and have chosen to encrypt sensitive data (by setting
`xpack.watcher.encrypt_sensitive_data` to `true`), you must also place a key in
the secure settings store.
To pass this bootstrap check, you must set the `xpack.watcher.encryption_key`
on each node in the cluster. For more information, see
<<encrypting-data,Encrypting sensitive data in Watcher>>.
[discrete]
=== PKI realm check
//See PkiRealmBootstrapCheckTests.java
If you use {es} {security-features} and a Public Key Infrastructure (PKI) realm,
you must configure Transport Layer Security (TLS) on your cluster and enable
client authentication on the network layers (either transport or http). For more
information, see <<pki-realm,PKI user authentication>> and
<<security-basic-setup-https,Set up basic security plus HTTPS>>.
To pass this bootstrap check, if a PKI realm is enabled, you must configure TLS
and enable client authentication on at least one network communication layer.
[discrete]
=== Role mappings check
If you authenticate users with realms other than `native` or `file` realms, you
must create role mappings. These role mappings define which roles are assigned
to each user.
If you use files to manage the role mappings, you must configure a YAML file
and copy it to each node in the cluster. By default, role mappings are stored in
`ES_PATH_CONF/role_mapping.yml`. Alternatively, you can specify a
different role mapping file for each type of realm and specify its location in
the `elasticsearch.yml` file. For more information, see
<<mapping-roles-file>>.
To pass this bootstrap check, the role mapping files must exist and must be
valid. The Distinguished Names (DNs) that are listed in the role mappings files
must also be valid.
[discrete]
[[bootstrap-checks-tls]]
=== SSL/TLS check
//See TLSLicenseBootstrapCheck.java
If you enable {es} {security-features}, unless you have a trial license, you
must configure SSL/TLS for internode-communication.
NOTE: Single-node clusters that use a loopback interface do not have this
requirement. For more information, see
<<configuring-stack-security>>.
To pass this bootstrap check, you must
<<encrypt-internode-communication,set up SSL/TLS in your cluster>>.
[discrete]
=== Token SSL check
//See TokenSSLBootstrapCheckTests.java
If you use {es} {security-features} and the built-in token service is enabled,
you must configure your cluster to use SSL/TLS for the HTTP interface. HTTPS is
required in order to use the token service.
In particular, if `xpack.security.authc.token.enabled` is
set to `true` in the `elasticsearch.yml` file, you must also set
`xpack.security.http.ssl.enabled` to `true`. For more information about these
settings, see <<security-settings>> and <<http-settings>>.
To pass this bootstrap check, you must enable HTTPS or disable the built-in
token service.
Reference in a new issue View git blame Copy permalink