
[DOCS] Adjust packaged installation docs for security on by default (#80195)

* Adjust packaged installation docs for security on by default

This commit introduces necessary changes to guide users through
the installation of our DEB/RPM packages, now that security is
enabled and configured by default.

* Update security docs and configure includes

* Update wording in check-running.asciidoc

* Adding hidden GET request

* Update heading

* Updated reconfigure heading

Co-authored-by: Adam Locke <adam.locke@elastic.co>
Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
Ioannis Kakavas 4 years ago
parent
commit
5434ca1b41

+ 23 - 6
docs/reference/setup/install/check-running.asciidoc

@@ -1,14 +1,31 @@
 ==== Checking that Elasticsearch is running
 
-You can test that your Elasticsearch node is running by sending an HTTP
-request to port `9200` on `localhost`:
+You can test that your {es} node is running by sending an HTTPS request to port
+`9200` on `localhost`:
+
+[source,shell]
+----
+curl --cacert /etc/elasticsearch/tls_auto_config_<timestamp>/http_ca.crt \
+-u elastic https://localhost:9200 <1>
+----
+// NOTCONSOLE
+<1> Ensure that you use `https` in your call, or the request will fail.
++
+`--cacert`::
+Path to the generated `http_ca.crt` certificate for the HTTP layer.
+
+Enter the password for the `elastic` user that was generated during
+installation, which should return a response like this:
+
+////
+The following hidden request is required before the response. Otherwise, you'll
+get an error because there's a response with no request preceding it.
 
 [source,console]
---------------------------------------------
+----
 GET /
---------------------------------------------
-
-which should give you a response something like this:
+----
+////
 
 ["source","js",subs="attributes,callouts"]
 --------------------------------------------
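
Review bot: The `--cacert` path in the added curl command uses `/etc/elasticsearch/tls_auto_config_<timestamp>/`, while the table rows this same commit adds to deb.asciidoc and rpm.asciidoc give the directory as `/etc/elasticsearch/auto_config_tls_<timestamp>`. Only one spelling can be right, and a reader who copies the wrong one gets a certificate-file error on the very first verification step, so settle on one name and use it in all four files. Also check the lone `+` after callout `<1>`: it attaches the `--cacert` definition to the callout item rather than to the code block, and the sentence "Enter the password ... which should return a response like this" reads as if the password returns the response.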

+ 9 - 0
docs/reference/setup/install/deb.asciidoc

@@ -130,6 +130,9 @@ sudo dpkg -i elasticsearch-{version}-amd64.deb
 
 endif::[]
 
+[[deb-security-configuration]]
+include::package-security.asciidoc[]
+
 ifdef::include-xpack[]
 [role="xpack"]
 [[deb-enable-indices]]
@@ -190,6 +193,11 @@ locations for a Debian-based system:
   | /etc/default/elasticsearch
  d|
 
+| conf
+| Generated TLS keys and certificates for the transport and http layer.
+| /etc/elasticsearch/auto_config_tls_<timestamp>
+d|
+
 | data
   | The location of the data files of each index / shard allocated
     on the node.
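
Review bot: In the added `conf` row, "http layer" should be capitalised as "HTTP layer" to match the wording in package-security.asciidoc and security-files-reference.asciidoc, and the new cell lines start at column 0 where the neighbouring rows indent their continuation cells. The same row in rpm.asciidoc needs the same changes.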
@@ -220,4 +228,5 @@ locations for a Debian-based system:
 
 |=======================================================================
 
+include::security-files-reference.asciidoc[]
 include::next-steps.asciidoc[]

+ 71 - 0
docs/reference/setup/install/package-security.asciidoc

@@ -0,0 +1,71 @@
+[role="exclude"]
+==== Start {es} with security enabled
+
+When installing {es}, security features are enabled and configured by default.
+When you start {es} for the first time, the following security configuration
+occurs automatically: 
+
+* Authentication and authorization are enabled, and a password is generated for
+the `elastic` built-in superuser.
+* Certificates and keys for TLS are generated for the transport and HTTP layer,
+and TLS is enabled and configured with these keys and certificates.
+
+The password and certificate and keys are output to your terminal. For example:
+
+[source,sh]
+----
+            -------Security autoconfiguration information-------
+
+Authentication and authorization are enabled.
+TLS for the transport and HTTP layers is enabled and configured.
+
+The generated password for the elastic built-in superuser is : 0zq1L_CkDujyYiVoYlZo
+
+If this node should join an existing cluster, you can reconfigure this with
+'/usr/share/elasticsearch/bin/elasticsearch-reconfigure-node --enrollment-token <token-here>'
+after creating an enrollment token on your existing cluster.
+
+You can complete the following actions at any time:
+
+Reset the password of the elastic built-in superuser with
+'/usr/share/elasticsearch/bin/elasticsearch-reset-password -u elastic'.
+
+Generate an enrollment token for Kibana instances with
+ '/usr/share/elasticsearch/bin/elasticsearch-create-enrollment-token -s kibana'.
+
+Generate an enrollment token for Elasticsearch nodes with
+'/usr/share/elasticsearch/bin/elasticsearch-create-enrollment-token -s node'.
+----
+
+===== Reconfigure a node to join an existing cluster
+
+When you start {es} for the first time, the installation process configures a
+single-node cluster by default. If you want a node to join an existing cluster
+instead, generate an enrollment token on an existing node _before_ you start
+the new node for the first time.
+
+. On any node in your existing cluster, generate a node enrollment token:
++
+[source, sh]
+----
+bin/elasticsearch-create-enrollment-token -s node
+----
+
+. Copy the enrollment token, which is output to your terminal.
+
+. On your new {es} node, pass the enrollment token as a parameter to the 
+`elasticsearch-reconfigure-node` tool:
++
+[source, sh]
+----
+bin/elasticsearch-reconfigure-node --enrollment-token <enrollment-token>
+----
++
+{es} is now configured to join the existing cluster.
+
+. Start your new node.
++
+[source, sh]
+----
+bin/elasticsearch
+----
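
Review bot: The steps under "Reconfigure a node to join an existing cluster" call the tools by relative path (`bin/elasticsearch-create-enrollment-token`, `bin/elasticsearch-reconfigure-node`, `bin/elasticsearch`), but in this commit the file is included only from deb.asciidoc and rpm.asciidoc, and the sample output above the steps shows the packaged tools under `/usr/share/elasticsearch/bin/`. Use the absolute paths in the steps so they work from any directory. The intro sentence also says the password "and certificate and keys are output to your terminal", yet the sample shows only the password; reword it to say where the certificates and keys are written. Consider replacing the password string in the sample with a placeholder such as `<password>` so nobody mistakes it for a default, and mark the block as plain output rather than `[source,sh]`.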

+ 9 - 0
docs/reference/setup/install/rpm.asciidoc

@@ -123,6 +123,9 @@ endif::[]
 
 include::skip-set-kernel-parameters.asciidoc[]
 
+[[rpm-security-configuration]]
+include::package-security.asciidoc[]
+
 ifdef::include-xpack[]
 [role="xpack"]
 [[rpm-enable-indices]]
@@ -183,6 +186,11 @@ locations for an RPM-based system:
   | /etc/sysconfig/elasticsearch
  d|
 
+| conf
+| Generated TLS keys and certificates for the transport and http layer.
+| /etc/elasticsearch/auto_config_tls_<timestamp>
+d|
+
 | data
   | The location of the data files of each index / shard allocated
     on the node.
@@ -213,4 +221,5 @@ locations for an RPM-based system:
 
 |=======================================================================
 
+include::security-files-reference.asciidoc[]
 include::next-steps.asciidoc[]

+ 18 - 0
docs/reference/setup/install/security-files-reference.asciidoc

@@ -0,0 +1,18 @@
+[role="exclude"]
+===== Security certificates and keys
+
+When you install {es}, the following certificates and keys are
+generated in the `/etc/elasticsearch/tls_auto_config_<timestamp>` directory,
+which are used to connect a {kib} instance to your secured {es} cluster and
+to encrypt internode communication. The files are listed here for reference.
+
+`http_ca.crt`::
+The CA certificate that is used to sign the certificates for the HTTP layer of
+this {es} cluster.
+
+`http_keystore_local_node.p12`::
+Keystore that contains the key and certificate for the HTTP layer for this node.
+
+`transport_keystore_all_nodes.p12`::
+Keystore that contains the key and certificate for the transport layer for all
+the nodes in your cluster.
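
Review bot: The opening sentence says the files are generated "When you install {es}", while package-security.asciidoc in this commit says the TLS material is generated "When you start {es} for the first time"; pick one and state it the same way in both files. The sentence also says all listed files are used to connect a {kib} instance and to encrypt internode communication, which blurs which file serves which purpose; the per-file entries are clearer, so the intro can simply say the files secure the HTTP and transport layers. Since both `.p12` entries are described as containing a key, a line on who should be able to read this directory and how the keystores are protected would help.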