
Include removal of PKCS#11 in breaking changes doc (#75440)

Relates: #75404
Tim Vernum, 4 years ago
Parent
Commit
c5796645cf
1 file changed, 26 insertions and 0 deletions
  1. 26 0
      docs/reference/migration/migrate_8_0/security.asciidoc

+ 26 - 0
docs/reference/migration/migrate_8_0/security.asciidoc

@@ -232,6 +232,32 @@ settings. If certificate and key is not provided, {es} will return in an error
 on startup.
 ====
 
+[discrete]
+[[ssl-misc-changes]]
+==== Other SSL/TLS changes 
+
+.PKCS#11 keystores and trustores cannot be configured in `elasticsearch.yml`
+[%collapsible]
+====
+*Details* +
+The settings `*.ssl.keystore.type` and `*.ssl.truststore.type` no longer accept "PKCS11" as a valid type.
+This applies to all SSL settings in Elasticsearch, including
+
+- `xpack.security.http.keystore.type`
+- `xpack.security.transport.keystore.type`
+- `xpack.security.http.truststore.type`
+- `xpack.security.transport.truststore.type`
+
+As well as SSL settings for security realms, watcher and monitoring.
+
+Use of a PKCS#11 keystore or truststore as the JRE's default store is not affected.
+
+*Impact* +
+If you have a PKCS#11 keystore configured within your `elasticsearch.yml` file, you must remove that
+configuration and switch to a supported keystore type, or configure your PKCS#11 keystore as the 
+JRE default store.
+====
+
 [discrete]
 [[builtin-users-changes]]
 ===== Changes to built-in users
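Review bot: The four bulleted setting names (`xpack.security.http.keystore.type` and the three after it) omit the `.ssl.` segment, which contradicts the `*.ssl.keystore.type` and `*.ssl.truststore.type` patterns given in the sentence just above them. A reader searching `elasticsearch.yml` for the names as written will not find the settings they need to remove, so these should read `xpack.security.http.ssl.keystore.type` and so on. Smaller points in the same block: the title line says "trustores" where "truststores" is meant; "As well as SSL settings for security realms, watcher and monitoring." is a fragment that reads better joined to the sentence introducing the list; the new heading uses `====` while the following discrete heading in the unchanged context uses `=====`, so confirm the level matches its siblings in this file; and there is trailing whitespace after "Other SSL/TLS changes" and after "PKCS#11 keystore as the".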