Security: remove SSL settings fallback (#36846)

This commit removes the fallback for SSL settings. While this may be
seen as a non user friendly change, the intention behind this change
is to simplify the reasoning needed to understand what is actually
being used for a given SSL configuration. Each configuration now needs
to be explicitly specified as there is no global configuration or
fallback to some other configuration.

Closes #29797

client/rest-high-level/build.gradle

@@ -105,7 +105,7 @@ integTestCluster {
   setting 'xpack.security.enabled', 'true'
   setting 'xpack.security.authc.token.enabled', 'true'
   // Truststore settings are not used since TLS is not enabled. Included for testing the get certificates API
-  setting 'xpack.ssl.certificate_authorities', 'testnode.crt'
+  setting 'xpack.security.http.ssl.certificate_authorities', 'testnode.crt'
   setting 'xpack.security.transport.ssl.truststore.path', 'testnode.jks'
   keystoreSetting 'xpack.security.transport.ssl.truststore.secure_password', 'testnode'
   setupCommand 'setupDummyUser',

docs/reference/migration/migrate_7_0/settings.asciidoc

@@ -121,3 +121,13 @@ xpack.security.authc.realms:
 Any realm specific secure settings that have been stored in the elasticsearch
 keystore (such as ldap bind passwords, or passwords for ssl keys) must be updated
 in a similar way.
+
+[float]
+[[tls-setting-fallback]]
+==== TLS/SSL settings
+
+The default TLS/SSL settings, which were prefixed by `xpack.ssl`, have been removed.
+The removal of these default settings also removes the ability for a component to
+fallback to a default configuration when using TLS. Each component (realm, transport, http,
+http client, etc) must now be configured with their own settings for TLS if it is being
+used.

docs/reference/security/securing-communications/configuring-tls-docker.asciidoc

@@ -114,11 +114,14 @@ services:
       - xpack.license.self_generated.type=trial <2>
       - xpack.security.enabled=true
       - xpack.security.http.ssl.enabled=true
+      - xpack.security.http.ssl.key=$CERTS_DIR/es01/es01.key
+      - xpack.security.http.ssl.certificate_authorities=$CERTS_DIR/ca/ca.crt
+      - xpack.security.http.ssl.certificate=$CERTS_DIR/es01/es01.crt
       - xpack.security.transport.ssl.enabled=true
       - xpack.security.transport.ssl.verification_mode=certificate <3>
-      - xpack.ssl.certificate_authorities=$CERTS_DIR/ca/ca.crt
-      - xpack.ssl.certificate=$CERTS_DIR/es01/es01.crt
-      - xpack.ssl.key=$CERTS_DIR/es01/es01.key
+      - xpack.security.transport.ssl.certificate_authorities=$CERTS_DIR/ca/ca.crt
+      - xpack.security.transport.ssl.certificate=$CERTS_DIR/es01/es01.crt
+      - xpack.security.transport.ssl.key=$CERTS_DIR/es01/es01.key
     volumes: ['esdata_01:/usr/share/elasticsearch/data', './certs:$CERTS_DIR']
     ports:
       - 9200:9200
@@ -140,11 +143,14 @@ services:
       - xpack.license.self_generated.type=trial
       - xpack.security.enabled=true
       - xpack.security.http.ssl.enabled=true
+      - xpack.security.http.ssl.key=$CERTS_DIR/es02/es02.key
+      - xpack.security.http.ssl.certificate_authorities=$CERTS_DIR/ca/ca.crt
+      - xpack.security.http.ssl.certificate=$CERTS_DIR/es02/es02.crt
       - xpack.security.transport.ssl.enabled=true
-      - xpack.security.transport.ssl.verification_mode=certificate
-      - xpack.ssl.certificate_authorities=$CERTS_DIR/ca/ca.crt
-      - xpack.ssl.certificate=$CERTS_DIR/es02/es02.crt
-      - xpack.ssl.key=$CERTS_DIR/es02/es02.key
+      - xpack.security.transport.ssl.verification_mode=certificate <3>
+      - xpack.security.transport.ssl.certificate_authorities=$CERTS_DIR/ca/ca.crt
+      - xpack.security.transport.ssl.certificate=$CERTS_DIR/es02/es02.crt
+      - xpack.security.transport.ssl.key=$CERTS_DIR/es02/es02.key
     volumes: ['esdata_02:/usr/share/elasticsearch/data', './certs:$CERTS_DIR']
 
   wait_until_ready:
@@ -199,9 +205,9 @@ WARNING: Windows users not running PowerShell will need to remove `\` and join l
 ----
 docker exec es01 /bin/bash -c "bin/elasticsearch-setup-passwords \
 auto --batch \
--Expack.ssl.certificate=certificates/es01/es01.crt \
--Expack.ssl.certificate_authorities=certificates/ca/ca.crt \
--Expack.ssl.key=certificates/es01/es01.key \
+-Expack.security.http.ssl.certificate=certificates/es01/es01.crt \
+-Expack.security.http.ssl.certificate_authorities=certificates/ca/ca.crt \
+-Expack.security.http.ssl.key=certificates/es01/es01.key \
 --url https://localhost:9200"
 ----
 --

docs/reference/security/securing-communications/tls-transport.asciidoc

@@ -25,7 +25,7 @@ xpack.security.transport.ssl.truststore.path: certs/elastic-certificates.p12 <3>
 <1> If you used the `--dns` or `--ip` options with the `elasticsearch-certutil cert` command
 and you want to enable strict hostname checking, set the verification mode to
 `full`.
-See <<ssl-tls-settings, `xpack.ssl.verification_mode`>> for a description of these values.
+See <<ssl-tls-settings, `xpack.security.transport.ssl.verification_mode`>> for a description of these values.
 
 <2> If you created a separate certificate for each node, then you might need to
 customize this path on each node. If the filename matches the node name, you can
@@ -54,7 +54,7 @@ xpack.security.transport.ssl.certificate_authorities: [ "/home/es/config/ca.crt"
 <1> If you used the `--dns` or `--ip` options with the `elasticsearch-certutil cert` command
 and you want to enable strict hostname checking, set the verification mode to
 `full`.
-See <<ssl-tls-settings, `xpack.ssl.verification_mode`>> for a description of these values.
+See <<ssl-tls-settings, `xpack.security.transport.ssl.verification_mode`>> for a description of these values.
 <2> The full path to the node key file. This must be a location within the
     {es} configuration directory.
 <3> The full path to the node certificate. This must be a location within the

docs/reference/settings/security-settings.asciidoc

@@ -475,20 +475,18 @@ The default is `jks`.
 `ssl.verification_mode`::
 Indicates the type of verification when using `ldaps` to protect against man
 in the middle attacks and certificate forgery. Values are `none`, `certificate`,
-and `full`. Defaults to the value of `xpack.ssl.verification_mode`.
+and `full`. Defaults to `full`.
 +
-See <<ssl-tls-settings,`xpack.ssl.verification_mode`>> for an explanation of
-these values.
+See <<ssl-tls-settings,`ssl.verification_mode`>> for an explanation of these values.
 
 `ssl.supported_protocols`::
-Supported protocols for TLS/SSL (with versions). Defaults to the value of
-`xpack.ssl.supported_protocols`.
+Supported protocols for TLS/SSL (with versions). Defaults to `TLSv1.2,TLSv1.1,TLSv1`.
 
 `ssl.cipher_suites`:: Specifies the cipher suites that should be supported when 
 communicating with the LDAP server. 
 Supported cipher suites can be found in Oracle's http://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html[
-Java Cryptography Architecture documentation]. Defaults to the value of
-`xpack.ssl.cipher_suites`.
+Java Cryptography Architecture documentation]. See <<ssl-tls-settings,`ssl.cipher_suites`>>
+for the default value.
 
 `cache.ttl`::
 Specifies the time-to-live for cached user entries. A user and a hash of its 
@@ -721,20 +719,18 @@ The default is `jks`.
 `ssl.verification_mode`::
 Indicates the type of verification when using `ldaps` to protect against man
 in the middle attacks and certificate forgery. Values are `none`, `certificate`,
-and `full`. Defaults to the value of `xpack.ssl.verification_mode`.
+and `full`. Defaults to `full`.
 +
-See <<ssl-tls-settings,`xpack.ssl.verification_mode`>> for an explanation of
-these values.
+See <<ssl-tls-settings,`ssl.verification_mode`>> for an explanation of these values.
 
 `ssl.supported_protocols`::
-Supported protocols for TLS/SSL (with versions). Defaults to the value of
-`xpack.ssl.supported_protocols`.
+Supported protocols for TLS/SSL (with versions). Defaults to `TLSv1.2, TLSv1.1, TLSv1`.
 
 `ssl.cipher_suites`:: Specifies the cipher suites that should be supported when 
 communicating with the Active Directory server. 
 Supported cipher suites can be found in Oracle's http://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html[
-Java Cryptography Architecture documentation]. Defaults to the value of
-`xpack.ssl.cipher_suites`.
+Java Cryptography Architecture documentation]. See <<ssl-tls-settings,`ssl.cipher_suites`>> for
+the default values.
 
 `cache.ttl`::
 Specifies the time-to-live for cached user entries. A user and a hash of its 
@@ -1133,8 +1129,7 @@ One of `full`
 certificate path, but not the hostname) or `none` (perform no verification).
 Defaults to `full`.
 +
-See <<ssl-tls-settings,`xpack.ssl.verification_mode`>> for a more detailed
-explanation of these values.
+See <<ssl-tls-settings,`ssl.verification_mode`>> for a more detailed explanation of these values.
 
 `ssl.supported_protocols`::
 Specifies the supported protocols for TLS/SSL.
@@ -1204,14 +1199,12 @@ through the list of URLs will continue until a successful connection is made.
 
 [float]
 [[ssl-tls-settings]]
-==== Default TLS/SSL settings
-You can configure the following TLS/SSL settings in
-`elasticsearch.yml`. For more information, see
-{stack-ov}/encrypting-communications.html[Encrypting communications]. These
-settings are used unless they have been overridden by more specific
-settings such as those for HTTP or Transport.
-
-`xpack.ssl.supported_protocols`::
+==== Default values for TLS/SSL settings
+In general, the values below represent the default values for the various TLS
+settings. For more information, see
+{stack-ov}/encrypting-communications.html[Encrypting communications].
+
+`ssl.supported_protocols`::
 Supported protocols with versions. Valid protocols: `SSLv2Hello`,
 `SSLv3`, `TLSv1`, `TLSv1.1`, `TLSv1.2`. Defaults to `TLSv1.2`, `TLSv1.1`,
 `TLSv1`. 
@@ -1221,15 +1214,15 @@ NOTE: If `xpack.security.fips_mode.enabled` is `true`, you cannot use `SSLv2Hell
 or `SSLv3`. See <<fips-140-compliance>>.
 --
 
-`xpack.ssl.client_authentication`::
+`ssl.client_authentication`::
 Controls the server's behavior in regard to requesting a certificate
 from client connections. Valid values are `required`, `optional`, and `none`.
 `required` forces a client to present a certificate, while `optional`
 requests a client certificate but the client is not required to present one.
-Defaults to `required`. This global setting is not applicable for HTTP, see
+Defaults to `required`, except for HTTP, which defaults to `none`. See
  <<http-tls-ssl-settings>>.
 
-`xpack.ssl.verification_mode`::
+`ssl.verification_mode`::
 Controls the verification of certificates. Valid values are:
 - `full`, which verifies that the provided certificate is signed by a trusted
        authority (CA) and also verifies that the server's hostname (or IP
@@ -1244,7 +1237,7 @@ Controls the verification of certificates. Valid values are:
 +
 The default value is `full`.
 
-`xpack.ssl.cipher_suites`::
+`ssl.cipher_suites`::
 Supported cipher suites can be found in Oracle's http://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html[
 Java Cryptography Architecture documentation]. Defaults to `TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256`,
 `TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256`, `TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA`, `TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA`,
@@ -1255,112 +1248,15 @@ Jurisdiction Policy Files_ has been installed, the default value also includes `
 
 [float]
 [[tls-ssl-key-settings]]
-===== Default TLS/SSL key and trusted certificate settings
+===== TLS/SSL key and trusted certificate settings
 
 The following settings are used to specify a private key, certificate, and the
-trusted certificates that should be used when communicating over an SSL/TLS connection.
-If none of the settings below are specified, the 
-<<ssl-tls-settings,default settings>> are used. If no trusted certificates are configured, the default certificates that are trusted by the JVM will be
-trusted along with the certificate(s) from the <<tls-ssl-key-settings, key settings>>. The key and certificate must be in place
-for connections that require client authentication or when acting as a SSL enabled server.
-
-[float]
-===== PEM encoded files
-
-When using PEM encoded files, use the following settings:
-
-`xpack.ssl.key`::
-Path to the PEM encoded file containing the private key.
-
-`xpack.ssl.key_passphrase`::
-The passphrase that is used to decrypt the private key. This value is
-optional as the key might not be encrypted.
-
-`xpack.ssl.secure_key_passphrase` (<<secure-settings,Secure>>)::
-The passphrase that is used to decrypt the private key. This value is
-optional as the key might not be encrypted.
-
-`xpack.ssl.certificate`::
-Path to a PEM encoded file containing the certificate (or certificate chain)
-that will be presented to clients when they connect.
-
-`xpack.ssl.certificate_authorities`::
-List of paths to the PEM encoded certificate files that should be trusted.
-
-[float]
-===== Java keystore files
-
-When using Java keystore files (JKS), which contain the private key, certificate
-and certificates that should be trusted, use the following settings:
-
-`xpack.ssl.keystore.path`::
-Path to the keystore that holds the private key and certificate.
-
-`xpack.ssl.keystore.password`::
-Password to the keystore.
-
-`xpack.ssl.keystore.secure_password` (<<secure-settings,Secure>>)::
-Password to the keystore.
-
-`xpack.ssl.keystore.key_password`::
-Password for the private key in the keystore. Defaults to the
-same value as `xpack.ssl.keystore.password`.
-
-`xpack.ssl.keystore.secure_key_password` (<<secure-settings,Secure>>)::
-Password for the private key in the keystore.
-
-`xpack.ssl.truststore.path`::
-Path to the truststore file.
-
-`xpack.ssl.truststore.password`::
-Password to the truststore.
-
-`xpack.ssl.truststore.secure_password` (<<secure-settings,Secure>>)::
-Password to the truststore.
-
-WARNING: If `xpack.security.fips_mode.enabled` is `true`, you cannot use Java 
-keystore files. See <<fips-140-compliance>>. 
-
-[float]
-===== PKCS#12 files
-
-When using PKCS#12 container files (`.p12` or `.pfx`), which contain the
-private key, certificate, and certificates that should be trusted, use
-the following settings:
-
-`xpack.ssl.keystore.path`::
-Path to the PKCS#12 file that holds the private key and certificate.
-
-`xpack.ssl.keystore.type`::
-Set this to `PKCS12`.
-
-`xpack.ssl.keystore.password`::
-Password to the PKCS#12 file.
-
-`xpack.ssl.keystore.secure_password` (<<secure-settings,Secure>>)::
-Password to the PKCS#12 file.
-
-`xpack.ssl.keystore.key_password`::
-Password for the private key in the PKCS12 file.
-Defaults to the same value as `xpack.ssl.keystore.password`.
-
-`xpack.ssl.keystore.secure_key_password` (<<secure-settings,Secure>>)::
-Password for the private key in the PKCS12 file.
-
-`xpack.ssl.truststore.path`::
-Path to the truststore file.
-
-`xpack.ssl.truststore.type`::
-Set this to `PKCS12`.
-
-`xpack.ssl.truststore.password`::
-Password to the truststore.
-
-`xpack.ssl.truststore.secure_password` (<<secure-settings,Secure>>)::
-Password to the truststore.
-
-WARNING: If `xpack.security.fips_mode.enabled` is `true`, you cannot use PKCS#12 
-keystore files. See <<fips-140-compliance>>. 
+trusted certificates that should be used when communicating over an SSL/TLS
+connection. If no trusted certificates are configured, the default certificates
+that are trusted by the JVM will be trusted along with the certificate(s)
+associated with a key in the same context. The key and certificate must be in
+place for connections that require client authentication or when acting as a
+SSL enabled server.
 
 [[pkcs12-truststore-note]]
 [NOTE]
@@ -1375,33 +1271,6 @@ a PKCS#12 container includes trusted certificate ("anchor") entries look for
 `openssl pkcs12 -info` output, or `trustedCertEntry` in the
 `keytool -list` output.
 
-[float]
-===== PKCS#11 tokens
-
-When using a PKCS#11 cryptographic token, which contains the
-private key, certificate, and certificates that should be trusted, use
-the following settings:
-
-`xpack.ssl.keystore.type`::
-Set this to `PKCS11`.
-
-`xpack.ssl.truststore.type`::
-Set this to `PKCS11`.
-
-
-[[pkcs11-truststore-note]]
-[NOTE]
-When configuring the PKCS#11 token that your JVM is configured to use as
-a keystore or a truststore for Elasticsearch, the PIN for the token can be
-configured by setting the appropriate value to `xpack.ssl.truststore.password`
-or `xpack.ssl.truststore.secure_password`. In the absence of the above, {es} will
-fallback to use he appropriate JVM setting (`-Djavax.net.ssl.trustStorePassword`)
-if that is set.
-Since there can only be one PKCS#11 token configured, only one keystore and
-truststore will be usable for configuration in {es}. This in turn means
-that only one certificate can be used for TLS both in the transport and the
-http layer.
-
 [[http-tls-ssl-settings]]
 :ssl-prefix:             xpack.security.http
 :component:              HTTP
@@ -1435,7 +1304,7 @@ append the portion of the setting after `xpack.security.transport.`. For the key
 setting, this would be `transport.profiles.$PROFILE.xpack.security.ssl.key`.
 
 [[auditing-tls-ssl-settings]]
-:ssl-prefix:             xpack.security.audit.index.client.xpack
+:ssl-prefix:             xpack.security.audit.index.client.xpack.security.transport
 :component:              Auditing
 :client-auth-default!:
 :server!:

docs/reference/settings/ssl-settings.asciidoc

@@ -12,7 +12,7 @@ endif::server[]
 +{ssl-prefix}.ssl.supported_protocols+::
 Supported protocols with versions. Valid protocols: `SSLv2Hello`,
 `SSLv3`, `TLSv1`, `TLSv1.1`, `TLSv1.2`. Defaults to `TLSv1.2`, `TLSv1.1`,
-`TLSv1`. Defaults to the value of `xpack.ssl.supported_protocols`.
+`TLSv1`.
 
 ifdef::server[]
 +{ssl-prefix}.ssl.client_authentication+::
@@ -21,7 +21,7 @@ from client connections. Valid values are `required`, `optional`, and `none`.
 `required` forces a client to present a certificate, while `optional`
 requests a client certificate but the client is not required to present one.
 ifndef::client-auth-default[]
-Defaults to the value of `xpack.ssl.client_authentication`.
+Defaults to `none``.
 endif::client-auth-default[]
 ifdef::client-auth-default[]
 Defaults to +{client-auth-default}+.
@@ -31,15 +31,12 @@ endif::server[]
 ifdef::verifies[]
 +{ssl-prefix}.ssl.verification_mode+::
 Controls the verification of certificates. Valid values are `none`,
-`certificate`, and `full`.
-See <<ssl-tls-settings, `xpack.ssl.verification_mode`>> for a description of these values.
-Defaults to the value of `xpack.ssl.verification_mode`.
+`certificate`, and `full`. Defaults to `full`.
 endif::verifies[]
 
 +{ssl-prefix}.ssl.cipher_suites+::
 Supported cipher suites can be found in Oracle's http://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html[
-Java Cryptography Architecture documentation]. Defaults to the value of
-`xpack.ssl.cipher_suites`.
+Java Cryptography Architecture documentation]. Defaults to ``.
 
 
 ===== {component} TLS/SSL Key and Trusted Certificate Settings
@@ -158,4 +155,14 @@ via the following settings:
 Set this to `PKCS11` to indicate that the PKCS#11 token should be used as a keystore.
 
 +{ssl-prefix}.truststore.type+::
-Set this to `PKCS11` to indicate that the PKCS#11 token should be used as a truststore.
+Set this to `PKCS11` to indicate that the PKCS#11 token should be used as a truststore.
+
+[NOTE]
+When configuring the PKCS#11 token that your JVM is configured to use as
+a keystore or a truststore for Elasticsearch, the PIN for the token can be
+configured by setting the appropriate value to `ssl.truststore.password`
+or `ssl.truststore.secure_password` in the context that you are configuring.
+Since there can only be one PKCS#11 token configured, only one keystore and
+truststore will be usable for configuration in {es}. This in turn means
+that only one certificate can be used for TLS both in the transport and the
+http layer.

x-pack/docs/en/rest-api/security/ssl.asciidoc

@@ -22,16 +22,16 @@ Transport Layer Security (TLS), see
 The API returns a list that includes certificates from all TLS contexts
 including:
 
-* Default {es} TLS settings
 * Settings for transport and HTTP interfaces
 * TLS settings that are used within authentication realms
 * TLS settings for remote monitoring exporters
 
 The list includes certificates that are used for configuring trust, such as
-those configured in the `xpack.ssl.truststore` and
-`xpack.ssl.certificate_authorities` settings. It also includes certificates that
-that are used for configuring server identity, such as `xpack.ssl.keystore` and
-`xpack.ssl.certificate` settings.
+those configured in the `xpack.security.transport.ssl.truststore` and
+`xpack.security.transport.ssl.certificate_authorities` settings. It also
+includes certificates that are used for configuring server identity, such as
+`xpack.security.http.ssl.keystore` and
+`xpack.security.http.ssl.certificate` settings.
 
 The list does not include certificates that are sourced from the default SSL
 context of the Java Runtime Environment (JRE), even if those certificates are in

x-pack/docs/en/security/auditing/forwarding-logs.asciidoc

@@ -46,8 +46,8 @@ to the `elasticsearch.yml` file:
 [source,yaml]
 -----------------------------------------------------------
 xpack.security.audit.index.client.xpack.security.transport.ssl.enabled: true
-xpack.security.audit.index.client.xpack.ssl.keystore.path: certs/remote-elastic-certificates.p12 
-xpack.security.audit.index.client.xpack.ssl.truststore.path: certs/remote-elastic-certificates.p12
+xpack.security.audit.index.client.xpack.security.transport.ssl.keystore.path: certs/remote-elastic-certificates.p12
+xpack.security.audit.index.client.xpack.security.transport.ssl.truststore.path: certs/remote-elastic-certificates.p12
 -----------------------------------------------------------
 
 For more information about these settings, see 
@@ -61,9 +61,9 @@ For more information about these settings, see
 [source, yaml]
 --------------------------------------------------
 xpack.security.audit.index.client.xpack.security.transport.ssl.enabled: true
-xpack.security.audit.index.client.xpack.ssl.key: /home/es/config/audit-client.key 
-xpack.security.audit.index.client.xpack.ssl.certificate: /home/es/config/audit-client.crt 
-xpack.security.audit.index.client.xpack.ssl.certificate_authorities: [ "/home/es/config/remote-ca.crt" ] 
+xpack.security.audit.index.client.xpack.security.transport.ssl.key: /home/es/config/audit-client.key
+xpack.security.audit.index.client.xpack.security.transport.ssl.certificate: /home/es/config/audit-client.crt
+xpack.security.audit.index.client.xpack.security.transport.ssl.certificate_authorities: [ "/home/es/config/remote-ca.crt" ]
 --------------------------------------------------
     
 For more information about these settings, see 
@@ -78,9 +78,9 @@ your {es} keystore:
 --
 [source,shell]
 -----------------------------------------------------------
-bin/elasticsearch-keystore add xpack.security.audit.index.client.xpack.ssl.keystore.secure_password
+bin/elasticsearch-keystore add xpack.security.audit.index.client.xpack.security.transport.ssl.keystore.secure_password
 
-bin/elasticsearch-keystore add xpack.security.audit.index.client.xpack.ssl.truststore.secure_password
+bin/elasticsearch-keystore add xpack.security.audit.index.client.xpack.security.transport.ssl.truststore.secure_password
 -----------------------------------------------------------
 --
 
@@ -89,7 +89,7 @@ bin/elasticsearch-keystore add xpack.security.audit.index.client.xpack.ssl.trust
 --
 [source,shell]
 -----------------------------------------------------------
-bin/elasticsearch-keystore add xpack.security.audit.index.client.xpack.ssl.secure_key_passphrase
+bin/elasticsearch-keystore add xpack.security.audit.index.client.xpack.security.transport.ssl.secure_key_passphrase
 -----------------------------------------------------------
 --
 

x-pack/docs/en/security/authentication/configuring-pki-realm.asciidoc

@@ -90,7 +90,7 @@ In particular this means:
 * The interface must _trust_ the certificate that is presented by the client
   by configuring either the `truststore` or `certificate_authorities` paths,
   or by setting `verification_mode` to `none`. See 
-  <<ssl-tls-settings,`xpack.ssl.verification_mode`>> for an explanation of this 
+  <<ssl-tls-settings,`ssl.verification_mode`>> for an explanation of this
   setting.
 * The _protocols_ supported by the interface must be compatible with those
   used by the client.

x-pack/docs/en/security/ccs-clients-integrations/java.asciidoc

@@ -105,9 +105,10 @@ import org.elasticsearch.xpack.client.PreBuiltXPackTransportClient;
 TransportClient client = new PreBuiltXPackTransportClient(Settings.builder()
         .put("cluster.name", "myClusterName")
         .put("xpack.security.user", "transport_client_user:x-pack-test-password")
-        .put("xpack.ssl.key", "/path/to/client.key")
-        .put("xpack.ssl.certificate", "/path/to/client.crt")
-        .put("xpack.ssl.certificate_authorities", "/path/to/ca.crt")
+        .put("xpack.security.transport.ssl.enabled", true)
+        .put("xpack.security.transport.ssl.key", "/path/to/client.key")
+        .put("xpack.security.transport.ssl.certificate", "/path/to/client.crt")
+        .put("xpack.security.transport.ssl.certificate_authorities", "/path/to/ca.crt")
         ...
         .build());
 --------------------------------------------------------------------------------------------------
@@ -125,9 +126,10 @@ import org.elasticsearch.xpack.client.PreBuiltXPackTransportClient;
 TransportClient client = new PreBuiltXPackTransportClient(Settings.builder()
         .put("cluster.name", "myClusterName")
         .put("xpack.security.user", "transport_client_user:x-pack-test-password")
-        .put("xpack.ssl.key", "/path/to/client.key")
-        .put("xpack.ssl.certificate", "/path/to/client.crt")
-        .put("xpack.ssl.certificate_authorities", "/path/to/ca.crt")
+        .put("xpack.security.transport.ssl.enabled", true)
+        .put("xpack.security.transport.ssl.key", "/path/to/client.key")
+        .put("xpack.security.transport.ssl.certificate", "/path/to/client.crt")
+        .put("xpack.security.transport.ssl.certificate_authorities", "/path/to/ca.crt")
         .put("xpack.security.transport.ssl.enabled", "true")
         ...
         .build())
@@ -155,7 +157,7 @@ import org.elasticsearch.xpack.client.PreBuiltXPackTransportClient;
 TransportClient client = new PreBuiltXPackTransportClient(Settings.builder()
         .put("cluster.name", "myClusterName")
         .put("xpack.security.user", "test_user:x-pack-test-password")
-        .put("xpack.ssl.certificate_authorities", "/path/to/ca.crt")
+        .put("xpack.security.transport.ssl.certificate_authorities", "/path/to/ca.crt")
         .put("xpack.security.transport.ssl.enabled", "true")
         ...
         .build())
@@ -164,7 +166,7 @@ TransportClient client = new PreBuiltXPackTransportClient(Settings.builder()
 ------------------------------------------------------------------------------------------------------
 
 NOTE: If you are using a public CA that is already trusted by the Java runtime,
-      you do not need to set the `xpack.ssl.certificate_authorities`.
+      you do not need to set the `xpack.security.transport.ssl.certificate_authorities`.
 
 [float]
 [[connecting-anonymously]]

x-pack/docs/en/security/fips-140-compliance.asciidoc

@@ -50,12 +50,12 @@ and able to run {es} successfully in a FIPS 140-2 enabled JVM.
 ==== TLS
 
 SSLv2 and SSLv3 are not allowed by FIPS 140-2, so `SSLv2Hello` and `SSLv3` cannot
-be used for <<ssl-tls-settings, xpack.ssl.supported_protocols>>
+be used for <<ssl-tls-settings, `ssl.supported_protocols`>>
 
 NOTE: The use of TLS ciphers is mainly governed by the relevant crypto module
 (the FIPS Approved Security Provider that your JVM uses). All the ciphers that
 are configured by default in {es} are FIPS 140-2 compliant and as such can be
-used in a FIPS 140-2 JVM. (see <<ssl-tls-settings, xpack.ssl.cipher_suites>>)
+used in a FIPS 140-2 JVM. (see <<ssl-tls-settings, `ssl.cipher_suites`>>)
 
 [float]
 ==== TLS Keystores and keys
@@ -71,7 +71,7 @@ options, and for trust material you can use `*.certificate_authorities`.
 
 FIPS 140-2 compliance dictates that the length of the public keys used for TLS
 must correspond to the strength of the symmetric key algorithm in use in TLS.
-Depending on the value of <<ssl-tls-settings, xpack.ssl.cipher_suites>> that
+Depending on the value of <<ssl-tls-settings, `ssl.cipher_suites`>> that
 you select to use, the TLS keys must have corresponding length according to
 the following table:
 

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/XPackSettings.java

@@ -159,10 +159,6 @@ public class XPackSettings {
     public static final SSLClientAuth HTTP_CLIENT_AUTH_DEFAULT = SSLClientAuth.NONE;
     public static final VerificationMode VERIFICATION_MODE_DEFAULT = VerificationMode.FULL;
 
-    // global settings that apply to everything!
-    public static final String GLOBAL_SSL_PREFIX = "xpack.ssl.";
-    private static final SSLConfigurationSettings GLOBAL_SSL = SSLConfigurationSettings.withPrefix(GLOBAL_SSL_PREFIX);
-
     // http specific settings
     public static final String HTTP_SSL_PREFIX = SecurityField.setting("http.ssl.");
     private static final SSLConfigurationSettings HTTP_SSL = SSLConfigurationSettings.withPrefix(HTTP_SSL_PREFIX);
@@ -174,7 +170,6 @@ public class XPackSettings {
     /** Returns all settings created in {@link XPackSettings}. */
     public static List<Setting<?>> getAllSettings() {
         ArrayList<Setting<?>> settings = new ArrayList<>();
-        settings.addAll(GLOBAL_SSL.getAllSettings());
         settings.addAll(HTTP_SSL.getAllSettings());
         settings.addAll(TRANSPORT_SSL.getAllSettings());
         settings.add(SECURITY_ENABLED);

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/transport/netty4/SecurityNetty4Transport.java

@@ -83,13 +83,22 @@ public class SecurityNetty4Transport extends Netty4Transport {
         Set<String> profileNames = settings.getGroups("transport.profiles.", true).keySet();
         Map<String, SSLConfiguration> profileConfiguration = new HashMap<>(profileNames.size() + 1);
         for (String profileName : profileNames) {
+            if (profileName.equals(TransportSettings.DEFAULT_PROFILE)) {
+                // don't attempt to parse ssl settings from the profile;
+                // profiles need to be killed with fire
+                if (settings.getByPrefix("transport.profiles.default.xpack.security.ssl.").isEmpty()) {
+                    continue;
+                } else {
+                    throw new IllegalArgumentException("SSL settings should not be configured for the default profile. " +
+                        "Use the [xpack.security.transport.ssl] settings instead.");
+                }
+            }
             SSLConfiguration configuration = sslService.getSSLConfiguration("transport.profiles." + profileName + "." + setting("ssl"));
             profileConfiguration.put(profileName, configuration);
         }
 
-        if (profileConfiguration.containsKey(TransportSettings.DEFAULT_PROFILE) == false) {
-            profileConfiguration.put(TransportSettings.DEFAULT_PROFILE, defaultConfiguration);
-        }
+        assert profileConfiguration.containsKey(TransportSettings.DEFAULT_PROFILE) == false;
+        profileConfiguration.put(TransportSettings.DEFAULT_PROFILE, defaultConfiguration);
         return profileConfiguration;
     }
 

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/ssl/DefaultJDKTrustConfig.java

@@ -25,6 +25,7 @@ import java.util.Arrays;
 import java.util.Collection;
 import java.util.Collections;
 import java.util.List;
+import java.util.Objects;
 
 /**
  * This class represents a trust configuration that corresponds to the default trusted certificates of the JDK
@@ -71,12 +72,15 @@ class DefaultJDKTrustConfig extends TrustConfig {
 
     @Override
     public boolean equals(Object o) {
-        return o == this;
+        if (this == o) return true;
+        if (o == null || getClass() != o.getClass()) return false;
+        DefaultJDKTrustConfig that = (DefaultJDKTrustConfig) o;
+        return Objects.equals(trustStorePassword, that.trustStorePassword);
     }
 
     @Override
     public int hashCode() {
-        return System.identityHashCode(this);
+        return Objects.hash(trustStorePassword);
     }
 
     /**

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/ssl/SSLConfiguration.java

@@ -13,16 +13,11 @@ import org.elasticsearch.env.Environment;
 import org.elasticsearch.xpack.core.XPackSettings;
 import org.elasticsearch.xpack.core.ssl.cert.CertificateInfo;
 
-import javax.net.ssl.KeyManagerFactory;
-import javax.net.ssl.TrustManagerFactory;
-
 import java.io.IOException;
 import java.nio.file.Path;
 import java.security.GeneralSecurityException;
-import java.security.KeyStore;
 import java.util.ArrayList;
 import java.util.List;
-import java.util.Objects;
 
 import static org.elasticsearch.xpack.core.ssl.SSLConfigurationSettings.getKeyStoreType;
 
@@ -51,32 +46,14 @@ public final class SSLConfiguration {
      * @param settings the SSL specific settings; only the settings under a *.ssl. prefix
      */
     SSLConfiguration(Settings settings) {
-        this.keyConfig = createKeyConfig(settings, (SSLConfiguration) null);
-        this.trustConfig = createTrustConfig(settings, keyConfig, null);
+        this.keyConfig = createKeyConfig(settings);
+        this.trustConfig = createTrustConfig(settings, keyConfig);
         this.ciphers = getListOrDefault(SETTINGS_PARSER.ciphers, settings, XPackSettings.DEFAULT_CIPHERS);
         this.supportedProtocols = getListOrDefault(SETTINGS_PARSER.supportedProtocols, settings, XPackSettings.DEFAULT_SUPPORTED_PROTOCOLS);
         this.sslClientAuth = SETTINGS_PARSER.clientAuth.get(settings).orElse(XPackSettings.CLIENT_AUTH_DEFAULT);
         this.verificationMode = SETTINGS_PARSER.verificationMode.get(settings).orElse(XPackSettings.VERIFICATION_MODE_DEFAULT);
     }
 
-    /**
-     * Creates a new SSLConfiguration from the given settings and global/default SSLConfiguration. If the settings do not contain a value
-     * for a given aspect, the value from the global configuration will be used.
-     *
-     * @param settings               the SSL specific settings; only the settings under a *.ssl. prefix
-     * @param globalSSLConfiguration the default configuration that is used as a fallback
-     */
-    SSLConfiguration(Settings settings, SSLConfiguration globalSSLConfiguration) {
-        Objects.requireNonNull(globalSSLConfiguration);
-        this.keyConfig = createKeyConfig(settings, globalSSLConfiguration);
-        this.trustConfig = createTrustConfig(settings, keyConfig, globalSSLConfiguration);
-        this.ciphers = getListOrDefault(SETTINGS_PARSER.ciphers, settings, globalSSLConfiguration.cipherSuites());
-        this.supportedProtocols = getListOrDefault(SETTINGS_PARSER.supportedProtocols, settings,
-                globalSSLConfiguration.supportedProtocols());
-        this.sslClientAuth = SETTINGS_PARSER.clientAuth.get(settings).orElse(globalSSLConfiguration.sslClientAuth());
-        this.verificationMode = SETTINGS_PARSER.verificationMode.get(settings).orElse(globalSSLConfiguration.verificationMode());
-    }
-
     /**
      * The configuration for the key, if any, that will be used as part of this ssl configuration
      */
@@ -183,46 +160,28 @@ public final class SSLConfiguration {
         return result;
     }
 
-    private static KeyConfig createKeyConfig(Settings settings, SSLConfiguration global) {
+    private static KeyConfig createKeyConfig(Settings settings) {
         final String trustStoreAlgorithm = SETTINGS_PARSER.truststoreAlgorithm.get(settings);
         final KeyConfig config = CertParsingUtils.createKeyConfig(SETTINGS_PARSER.x509KeyPair, settings, trustStoreAlgorithm);
-        if (config != null) {
-            return config;
-        }
-        if (global != null) {
-            return global.keyConfig();
-        }
-        if (System.getProperty("javax.net.ssl.keyStore") != null && System.getProperty("javax.net.ssl.keyStore").equals("NONE") == false) {
-            // TODO: we should not support loading a keystore from sysprops...
-            try (SecureString keystorePassword = new SecureString(System.getProperty("javax.net.ssl.keyStorePassword", ""))) {
-                return new StoreKeyConfig(System.getProperty("javax.net.ssl.keyStore"), KeyStore.getDefaultType(), keystorePassword,
-                    keystorePassword, System.getProperty("ssl.KeyManagerFactory.algorithm", KeyManagerFactory.getDefaultAlgorithm()),
-                    System.getProperty("ssl.TrustManagerFactory.algorithm", TrustManagerFactory.getDefaultAlgorithm()));
-            }
-        }
-        return KeyConfig.NONE;
+        return config == null ? KeyConfig.NONE : config;
     }
 
-    private static TrustConfig createTrustConfig(Settings settings, KeyConfig keyConfig, SSLConfiguration global) {
-        final TrustConfig trustConfig = createCertChainTrustConfig(settings, keyConfig, global);
+    private static TrustConfig createTrustConfig(Settings settings, KeyConfig keyConfig) {
+        final TrustConfig trustConfig = createCertChainTrustConfig(settings, keyConfig);
         return SETTINGS_PARSER.trustRestrictionsPath.get(settings)
                 .map(path -> (TrustConfig) new RestrictedTrustConfig(path, trustConfig))
                 .orElse(trustConfig);
     }
 
-    private static TrustConfig createCertChainTrustConfig(Settings settings, KeyConfig keyConfig, SSLConfiguration global) {
+    private static TrustConfig createCertChainTrustConfig(Settings settings, KeyConfig keyConfig) {
         String trustStorePath = SETTINGS_PARSER.truststorePath.get(settings).orElse(null);
         String trustStoreType = getKeyStoreType(SETTINGS_PARSER.truststoreType, settings, trustStorePath);
         List<String> caPaths = getListOrNull(SETTINGS_PARSER.caPaths, settings);
         if (trustStorePath != null && caPaths != null) {
             throw new IllegalArgumentException("you cannot specify a truststore and ca files");
         }
-        VerificationMode verificationMode = SETTINGS_PARSER.verificationMode.get(settings).orElseGet(() -> {
-            if (global != null) {
-                return global.verificationMode();
-            }
-            return XPackSettings.VERIFICATION_MODE_DEFAULT;
-        });
+
+        VerificationMode verificationMode = SETTINGS_PARSER.verificationMode.get(settings).orElse(XPackSettings.VERIFICATION_MODE_DEFAULT);
         if (verificationMode.isCertificateVerificationEnabled() == false) {
             return TrustAllConfig.INSTANCE;
         } else if (caPaths != null) {
@@ -231,14 +190,6 @@ public final class SSLConfiguration {
             String trustStoreAlgorithm = SETTINGS_PARSER.truststoreAlgorithm.get(settings);
             SecureString trustStorePassword = SETTINGS_PARSER.truststorePassword.get(settings);
             return new StoreTrustConfig(trustStorePath, trustStoreType, trustStorePassword, trustStoreAlgorithm);
-        } else if (global == null && System.getProperty("javax.net.ssl.trustStore") != null
-            && System.getProperty("javax.net.ssl.trustStore").equals("NONE") == false) {
-            try (SecureString truststorePassword = new SecureString(System.getProperty("javax.net.ssl.trustStorePassword", ""))) {
-                return new StoreTrustConfig(System.getProperty("javax.net.ssl.trustStore"), KeyStore.getDefaultType(), truststorePassword,
-                    System.getProperty("ssl.TrustManagerFactory.algorithm", TrustManagerFactory.getDefaultAlgorithm()));
-            }
-        } else if (global != null && keyConfig == global.keyConfig()) {
-            return global.trustConfig();
         } else if (keyConfig != KeyConfig.NONE) {
             return DefaultJDKTrustConfig.merge(keyConfig, getDefaultTrustStorePassword(settings));
         } else {

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/ssl/SSLService.java

@@ -31,13 +31,14 @@ import javax.net.ssl.SSLSocketFactory;
 import javax.net.ssl.TrustManagerFactory;
 import javax.net.ssl.X509ExtendedKeyManager;
 import javax.net.ssl.X509ExtendedTrustManager;
+
 import java.io.IOException;
 import java.net.InetAddress;
 import java.net.Socket;
 import java.security.GeneralSecurityException;
 import java.security.KeyManagementException;
-import java.security.KeyStore;
 import java.security.NoSuchAlgorithmException;
+import java.security.KeyStore;
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.Collection;
@@ -81,8 +82,6 @@ public class SSLService {
      * always maps to the same {@link SSLContextHolder}, even if it is being used within a different context-name.
      */
     private final Map<SSLConfiguration, SSLContextHolder> sslContexts;
-
-    private final SSLConfiguration globalSSLConfiguration;
     private final SetOnce<SSLConfiguration> transportSSLConfiguration = new SetOnce<>();
     private final Environment env;
 
@@ -93,16 +92,14 @@ public class SSLService {
     public SSLService(Settings settings, Environment environment) {
         this.settings = settings;
         this.env = environment;
-        this.globalSSLConfiguration = new SSLConfiguration(settings.getByPrefix(XPackSettings.GLOBAL_SSL_PREFIX));
         this.sslConfigurations = new HashMap<>();
         this.sslContexts = loadSSLConfigurations();
     }
 
-    private SSLService(Settings settings, Environment environment, SSLConfiguration globalSSLConfiguration,
-                       Map<String, SSLConfiguration> sslConfigurations, Map<SSLConfiguration, SSLContextHolder> sslContexts) {
+    private SSLService(Settings settings, Environment environment, Map<String, SSLConfiguration> sslConfigurations,
+                       Map<SSLConfiguration, SSLContextHolder> sslContexts) {
         this.settings = settings;
         this.env = environment;
-        this.globalSSLConfiguration = globalSSLConfiguration;
         this.sslConfigurations = sslConfigurations;
         this.sslContexts = sslContexts;
     }
@@ -113,7 +110,7 @@ public class SSLService {
      * have been created during initialization
      */
     public SSLService createDynamicSSLService() {
-        return new SSLService(settings, env, globalSSLConfiguration, sslConfigurations, sslContexts) {
+        return new SSLService(settings, env, sslConfigurations, sslContexts) {
 
             @Override
             Map<SSLConfiguration, SSLContextHolder> loadSSLConfigurations() {
@@ -265,13 +262,6 @@ public class SSLService {
         return sslConfiguration.sslClientAuth().enabled();
     }
 
-    /**
-     * Returns the {@link SSLContext} for the global configuration. Mainly used for testing
-     */
-    public SSLContext sslContext() {
-        return sslContextHolder(globalSSLConfiguration).sslContext();
-    }
-
     /**
      * Returns the {@link SSLContext} for the configuration. Mainly used for testing
      */
@@ -297,13 +287,10 @@ public class SSLService {
      * Returns the existing {@link SSLConfiguration} for the given settings
      *
      * @param settings the settings for the ssl configuration
-     * @return the ssl configuration for the provided settings. If the settings are empty, the global configuration is returned
+     * @return the ssl configuration for the provided settings
      */
-    SSLConfiguration sslConfiguration(Settings settings) {
-        if (settings.isEmpty()) {
-            return globalSSLConfiguration;
-        }
-        return new SSLConfiguration(settings, globalSSLConfiguration);
+    public SSLConfiguration sslConfiguration(Settings settings) {
+        return new SSLConfiguration(settings);
     }
 
     public Set<String> getTransportProfileContextNames() {
@@ -403,8 +390,6 @@ public class SSLService {
      */
     Map<SSLConfiguration, SSLContextHolder> loadSSLConfigurations() {
         Map<SSLConfiguration, SSLContextHolder> sslContextHolders = new HashMap<>();
-        sslContextHolders.put(globalSSLConfiguration, createSslContext(globalSSLConfiguration));
-        this.sslConfigurations.put("xpack.ssl", globalSSLConfiguration);
 
         Map<String, Settings> sslSettingsMap = new HashMap<>();
         sslSettingsMap.put(XPackSettings.HTTP_SSL_PREFIX, getHttpTransportSSLSettings(settings));
@@ -413,23 +398,19 @@ public class SSLService {
         sslSettingsMap.putAll(getMonitoringExporterSettings(settings));
 
         sslSettingsMap.forEach((key, sslSettings) -> {
-            if (sslSettings.isEmpty()) {
-                storeSslConfiguration(key, globalSSLConfiguration);
-            } else {
-                final SSLConfiguration configuration = new SSLConfiguration(sslSettings, globalSSLConfiguration);
-                storeSslConfiguration(key, configuration);
-                sslContextHolders.computeIfAbsent(configuration, this::createSslContext);
-            }
+            final SSLConfiguration configuration = new SSLConfiguration(sslSettings);
+            storeSslConfiguration(key, configuration);
+            sslContextHolders.computeIfAbsent(configuration, this::createSslContext);
         });
 
         final Settings transportSSLSettings = settings.getByPrefix(XPackSettings.TRANSPORT_SSL_PREFIX);
-        final SSLConfiguration transportSSLConfiguration = new SSLConfiguration(transportSSLSettings, globalSSLConfiguration);
+        final SSLConfiguration transportSSLConfiguration = new SSLConfiguration(transportSSLSettings);
         this.transportSSLConfiguration.set(transportSSLConfiguration);
         storeSslConfiguration(XPackSettings.TRANSPORT_SSL_PREFIX, transportSSLConfiguration);
         Map<String, Settings> profileSettings = getTransportProfileSSLSettings(settings);
         sslContextHolders.computeIfAbsent(transportSSLConfiguration, this::createSslContext);
         profileSettings.forEach((key, profileSetting) -> {
-            final SSLConfiguration configuration = new SSLConfiguration(profileSetting, transportSSLConfiguration);
+            final SSLConfiguration configuration = new SSLConfiguration(profileSetting);
             storeSslConfiguration(key, configuration);
             sslContextHolders.computeIfAbsent(configuration, this::createSslContext);
         });

x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/ssl/SSLConfigurationReloaderTests.java

@@ -71,7 +71,7 @@ public class SSLConfigurationReloaderTests extends ESTestCase {
     }
 
     @After
-    public void cleanup() throws Exception {
+    public void cleanup() {
         if (threadPool != null) {
             terminate(threadPool);
         }
@@ -88,10 +88,10 @@ public class SSLConfigurationReloaderTests extends ESTestCase {
         Files.copy(getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.jks"), keystorePath);
         Files.copy(getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode_updated.jks"), updatedKeystorePath);
         MockSecureSettings secureSettings = new MockSecureSettings();
-        secureSettings.setString("xpack.ssl.keystore.secure_password", "testnode");
+        secureSettings.setString("xpack.security.transport.ssl.keystore.secure_password", "testnode");
         final Settings settings = Settings.builder()
             .put("path.home", createTempDir())
-            .put("xpack.ssl.keystore.path", keystorePath)
+            .put("xpack.security.transport.ssl.keystore.path", keystorePath)
             .setSecureSettings(secureSettings)
             .build();
         final Environment env = randomBoolean() ? null : TestEnvironment.newEnvironment(settings);
@@ -144,11 +144,12 @@ public class SSLConfigurationReloaderTests extends ESTestCase {
         Files.copy(getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode_updated.crt"), updatedCertPath);
         Files.copy(getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt"), certPath);
         MockSecureSettings secureSettings = new MockSecureSettings();
-        secureSettings.setString("xpack.ssl.secure_key_passphrase", "testnode");
+        secureSettings.setString("xpack.security.transport.ssl.secure_key_passphrase", "testnode");
         final Settings settings = Settings.builder()
             .put("path.home", createTempDir())
-            .put("xpack.ssl.key", keyPath)
-            .put("xpack.ssl.certificate", certPath)
+            .put("xpack.security.transport.ssl.key", keyPath)
+            .put("xpack.security.transport.ssl.certificate", certPath)
+            .putList("xpack.security.transport.ssl.certificate_authorities", certPath.toString())
             .setSecureSettings(secureSettings)
             .build();
         final Environment env = randomBoolean() ? null :
@@ -202,9 +203,9 @@ public class SSLConfigurationReloaderTests extends ESTestCase {
         Files.copy(getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode_updated.jks"),
             updatedTruststorePath);
         MockSecureSettings secureSettings = new MockSecureSettings();
-        secureSettings.setString("xpack.ssl.truststore.secure_password", "testnode");
+        secureSettings.setString("xpack.security.transport.ssl.truststore.secure_password", "testnode");
         Settings settings = Settings.builder()
-            .put("xpack.ssl.truststore.path", trustStorePath)
+            .put("xpack.security.transport.ssl.truststore.path", trustStorePath)
             .put("path.home", createTempDir())
             .setSecureSettings(secureSettings)
             .build();
@@ -254,7 +255,7 @@ public class SSLConfigurationReloaderTests extends ESTestCase {
         Files.copy(getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.pem"), serverKeyPath);
         Files.copy(getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode_updated.crt"), updatedCert);
         Settings settings = Settings.builder()
-            .put("xpack.ssl.certificate_authorities", serverCertPath)
+            .putList("xpack.security.transport.ssl.certificate_authorities", serverCertPath.toString())
             .put("path.home", createTempDir())
             .build();
         Environment env = randomBoolean() ? null : TestEnvironment.newEnvironment(settings);
@@ -300,15 +301,15 @@ public class SSLConfigurationReloaderTests extends ESTestCase {
         Path keystorePath = tempDir.resolve("testnode.jks");
         Files.copy(getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.jks"), keystorePath);
         MockSecureSettings secureSettings = new MockSecureSettings();
-        secureSettings.setString("xpack.ssl.keystore.secure_password", "testnode");
+        secureSettings.setString("xpack.security.transport.ssl.keystore.secure_password", "testnode");
         Settings settings = Settings.builder()
-            .put("xpack.ssl.keystore.path", keystorePath)
+            .put("xpack.security.transport.ssl.keystore.path", keystorePath)
             .setSecureSettings(secureSettings)
             .put("path.home", createTempDir())
             .build();
         Environment env = randomBoolean() ? null : TestEnvironment.newEnvironment(settings);
         final SSLService sslService = new SSLService(settings, env);
-        final SSLConfiguration config = sslService.getSSLConfiguration("xpack.ssl");
+        final SSLConfiguration config = sslService.getSSLConfiguration("xpack.security.transport.ssl.");
         new SSLConfigurationReloader(env, sslService, resourceWatcherService) {
             @Override
             void reloadSSLContext(SSLConfiguration configuration) {
@@ -339,17 +340,17 @@ public class SSLConfigurationReloaderTests extends ESTestCase {
         Files.copy(getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt"), certPath);
         Files.copy(getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testclient.crt"), clientCertPath);
         MockSecureSettings secureSettings = new MockSecureSettings();
-        secureSettings.setString("xpack.ssl.secure_key_passphrase", "testnode");
+        secureSettings.setString("xpack.security.transport.ssl.secure_key_passphrase", "testnode");
         Settings settings = Settings.builder()
-            .put("xpack.ssl.key", keyPath)
-            .put("xpack.ssl.certificate", certPath)
-            .putList("xpack.ssl.certificate_authorities", certPath.toString(), clientCertPath.toString())
+            .put("xpack.security.transport.ssl.key", keyPath)
+            .put("xpack.security.transport.ssl.certificate", certPath)
+            .putList("xpack.security.transport.ssl.certificate_authorities", certPath.toString(), clientCertPath.toString())
             .put("path.home", createTempDir())
             .setSecureSettings(secureSettings)
             .build();
         Environment env = randomBoolean() ? null : TestEnvironment.newEnvironment(settings);
         final SSLService sslService = new SSLService(settings, env);
-        final SSLConfiguration config = sslService.getSSLConfiguration("xpack.ssl");
+        final SSLConfiguration config = sslService.getSSLConfiguration("xpack.security.transport.ssl.");
         new SSLConfigurationReloader(env, sslService, resourceWatcherService) {
             @Override
             void reloadSSLContext(SSLConfiguration configuration) {
@@ -376,15 +377,15 @@ public class SSLConfigurationReloaderTests extends ESTestCase {
         Path trustStorePath = tempDir.resolve("testnode.jks");
         Files.copy(getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.jks"), trustStorePath);
         MockSecureSettings secureSettings = new MockSecureSettings();
-        secureSettings.setString("xpack.ssl.truststore.secure_password", "testnode");
+        secureSettings.setString("xpack.security.transport.ssl.truststore.secure_password", "testnode");
         Settings settings = Settings.builder()
-            .put("xpack.ssl.truststore.path", trustStorePath)
+            .put("xpack.security.transport.ssl.truststore.path", trustStorePath)
             .put("path.home", createTempDir())
             .setSecureSettings(secureSettings)
             .build();
         Environment env = randomBoolean() ? null : TestEnvironment.newEnvironment(settings);
         final SSLService sslService = new SSLService(settings, env);
-        final SSLConfiguration config = sslService.getSSLConfiguration("xpack.ssl");
+        final SSLConfiguration config = sslService.getSSLConfiguration("xpack.security.transport.ssl.");
         new SSLConfigurationReloader(env, sslService, resourceWatcherService) {
             @Override
             void reloadSSLContext(SSLConfiguration configuration) {
@@ -411,12 +412,12 @@ public class SSLConfigurationReloaderTests extends ESTestCase {
         Path clientCertPath = tempDir.resolve("testclient.crt");
         Files.copy(getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testclient.crt"), clientCertPath);
         Settings settings = Settings.builder()
-            .putList("xpack.ssl.certificate_authorities", clientCertPath.toString())
+            .putList("xpack.security.transport.ssl.certificate_authorities", clientCertPath.toString())
             .put("path.home", createTempDir())
             .build();
         Environment env = randomBoolean() ? null : TestEnvironment.newEnvironment(settings);
         final SSLService sslService = new SSLService(settings, env);
-        final SSLConfiguration config = sslService.getSSLConfiguration("xpack.ssl");
+        final SSLConfiguration config = sslService.sslConfiguration(settings.getByPrefix("xpack.security.transport.ssl."));
         new SSLConfigurationReloader(env, sslService, resourceWatcherService) {
             @Override
             void reloadSSLContext(SSLConfiguration configuration) {
@@ -442,7 +443,7 @@ public class SSLConfigurationReloaderTests extends ESTestCase {
                                                     Runnable modificationFunction, Consumer<SSLContext> postChecks) throws Exception {
         final CountDownLatch reloadLatch = new CountDownLatch(1);
         final SSLService sslService = new SSLService(settings, env);
-        final SSLConfiguration config = sslService.getSSLConfiguration("xpack.ssl");
+        final SSLConfiguration config = sslService.getSSLConfiguration("xpack.security.transport.ssl");
         new SSLConfigurationReloader(env, sslService, resourceWatcherService) {
             @Override
             void reloadSSLContext(SSLConfiguration configuration) {

x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/ssl/SSLConfigurationSettingsTests.java

@@ -21,7 +21,7 @@ public class SSLConfigurationSettingsTests extends ESTestCase {
         final SSLConfigurationSettings ssl = SSLConfigurationSettings.withoutPrefix();
         assertThat(ssl.ciphers.match("cipher_suites"), is(true));
         assertThat(ssl.ciphers.match("ssl.cipher_suites"), is(false));
-        assertThat(ssl.ciphers.match("xpack.ssl.cipher_suites"), is(false));
+        assertThat(ssl.ciphers.match("xpack.transport.security.ssl.cipher_suites"), is(false));
 
         final Settings settings = Settings.builder()
                 .put("cipher_suites.0", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256")

x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/ssl/SSLConfigurationTests.java

@@ -35,10 +35,6 @@ public class SSLConfigurationTests extends ESTestCase {
         assertThat(globalConfig.keyConfig(), sameInstance(KeyConfig.NONE));
         assertThat(globalConfig.trustConfig(), is(not((globalConfig.keyConfig()))));
         assertThat(globalConfig.trustConfig(), instanceOf(DefaultJDKTrustConfig.class));
-
-        SSLConfiguration scopedConfig = new SSLConfiguration(Settings.EMPTY, globalConfig);
-        assertThat(scopedConfig.keyConfig(), sameInstance(globalConfig.keyConfig()));
-        assertThat(scopedConfig.trustConfig(), sameInstance(globalConfig.trustConfig()));
     }
 
     public void testThatOnlyKeystoreInSettingsSetsTruststoreSettings() {
@@ -50,22 +46,17 @@ public class SSLConfigurationTests extends ESTestCase {
                 .setSecureSettings(secureSettings)
                 .build();
         // Pass settings in as component settings
-        SSLConfiguration globalSettings = new SSLConfiguration(settings);
-        SSLConfiguration scopedSettings = new SSLConfiguration(settings, globalSettings);
-        SSLConfiguration scopedEmptyGlobalSettings =
-                new SSLConfiguration(settings, new SSLConfiguration(Settings.EMPTY));
-        for (SSLConfiguration sslConfiguration : Arrays.asList(globalSettings, scopedSettings, scopedEmptyGlobalSettings)) {
-            assertThat(sslConfiguration.keyConfig(), instanceOf(StoreKeyConfig.class));
-            StoreKeyConfig ksKeyInfo = (StoreKeyConfig) sslConfiguration.keyConfig();
+        SSLConfiguration sslConfiguration = new SSLConfiguration(settings);
+        assertThat(sslConfiguration.keyConfig(), instanceOf(StoreKeyConfig.class));
+        StoreKeyConfig ksKeyInfo = (StoreKeyConfig) sslConfiguration.keyConfig();
 
-            assertThat(ksKeyInfo.keyStorePath, is(equalTo(path)));
-            assertThat(ksKeyInfo.keyStorePassword, is(equalTo("testnode")));
-            assertThat(ksKeyInfo.keyStoreType, is(equalTo("jks")));
-            assertThat(ksKeyInfo.keyPassword, is(equalTo(ksKeyInfo.keyStorePassword)));
-            assertThat(ksKeyInfo.keyStoreAlgorithm, is(KeyManagerFactory.getDefaultAlgorithm()));
-            assertThat(sslConfiguration.trustConfig(), is(instanceOf(CombiningTrustConfig.class)));
-            assertCombiningTrustConfigContainsCorrectIssuers(sslConfiguration);
-        }
+        assertThat(ksKeyInfo.keyStorePath, is(equalTo(path)));
+        assertThat(ksKeyInfo.keyStorePassword, is(equalTo("testnode")));
+        assertThat(ksKeyInfo.keyStoreType, is(equalTo("jks")));
+        assertThat(ksKeyInfo.keyPassword, is(equalTo(ksKeyInfo.keyStorePassword)));
+        assertThat(ksKeyInfo.keyStoreAlgorithm, is(KeyManagerFactory.getDefaultAlgorithm()));
+        assertThat(sslConfiguration.trustConfig(), is(instanceOf(CombiningTrustConfig.class)));
+        assertCombiningTrustConfigContainsCorrectIssuers(sslConfiguration);
     }
 
     public void testKeystorePassword() {
@@ -188,44 +179,13 @@ public class SSLConfigurationTests extends ESTestCase {
         assertThat(ksKeyInfo.keyStoreType, is(equalTo(type)));
     }
 
-    public void testThatProfileSettingsOverrideServiceSettings() {
-        MockSecureSettings profileSecureSettings = new MockSecureSettings();
-        profileSecureSettings.setString("keystore.secure_password", "password");
-        profileSecureSettings.setString("keystore.secure_key_password", "key");
-        profileSecureSettings.setString("truststore.secure_password", "password for trust");
-        Settings profileSettings = Settings.builder()
-                .put("keystore.path", "path")
-                .put("keystore.algorithm", "algo")
-                .put("truststore.path", "trust path")
-                .put("truststore.algorithm", "trusted")
-                .setSecureSettings(profileSecureSettings)
-                .build();
-
-        MockSecureSettings serviceSecureSettings = new MockSecureSettings();
-        serviceSecureSettings.setString("xpack.ssl.keystore.secure_password", "comp password");
-        serviceSecureSettings.setString("xpack.ssl.keystore.secure_key_password", "comp key");
-        serviceSecureSettings.setString("xpack.ssl.truststore.secure_password", "comp password for trust");
-        Settings serviceSettings = Settings.builder()
-                .put("xpack.ssl.keystore.path", "comp path")
-                .put("xpack.ssl.keystore.algorithm", "comp algo")
-                .put("xpack.ssl.truststore.path", "comp trust path")
-                .put("xpack.ssl.truststore.algorithm", "comp trusted")
-                .setSecureSettings(serviceSecureSettings)
-                .build();
-
-        SSLConfiguration globalSettings = new SSLConfiguration(serviceSettings);
-        SSLConfiguration sslConfiguration = new SSLConfiguration(profileSettings, globalSettings);
-        assertThat(sslConfiguration.keyConfig(), instanceOf(StoreKeyConfig.class));
-        StoreKeyConfig ksKeyInfo = (StoreKeyConfig) sslConfiguration.keyConfig();
-        assertThat(ksKeyInfo.keyStorePath, is(equalTo("path")));
-        assertThat(ksKeyInfo.keyStorePassword, is(equalTo("password")));
-        assertThat(ksKeyInfo.keyPassword, is(equalTo("key")));
-        assertThat(ksKeyInfo.keyStoreAlgorithm, is(equalTo("algo")));
-        assertThat(sslConfiguration.trustConfig(), instanceOf(StoreTrustConfig.class));
-        StoreTrustConfig ksTrustInfo = (StoreTrustConfig) sslConfiguration.trustConfig();
-        assertThat(ksTrustInfo.trustStorePath, is(equalTo("trust path")));
-        assertThat(ksTrustInfo.trustStorePassword, is(equalTo("password for trust")));
-        assertThat(ksTrustInfo.trustStoreAlgorithm, is(equalTo("trusted")));
+    public void testThatEmptySettingsAreEqual() {
+        SSLConfiguration sslConfiguration = new SSLConfiguration(Settings.EMPTY);
+        SSLConfiguration sslConfiguration1 = new SSLConfiguration(Settings.EMPTY);
+        assertThat(sslConfiguration.equals(sslConfiguration1), is(equalTo(true)));
+        assertThat(sslConfiguration1.equals(sslConfiguration), is(equalTo(true)));
+        assertThat(sslConfiguration.equals(sslConfiguration), is(equalTo(true)));
+        assertThat(sslConfiguration1.equals(sslConfiguration1), is(equalTo(true)));
     }
 
     public void testThatSettingsWithDifferentKeystoresAreNotEqual() {
@@ -254,6 +214,12 @@ public class SSLConfigurationTests extends ESTestCase {
         assertThat(sslConfiguration1.equals(sslConfiguration1), is(equalTo(true)));
     }
 
+    public void testThatEmptySettingsHaveSameHashCode() {
+        SSLConfiguration sslConfiguration = new SSLConfiguration(Settings.EMPTY);
+        SSLConfiguration sslConfiguration1 = new SSLConfiguration(Settings.EMPTY);
+        assertThat(sslConfiguration.hashCode(), is(equalTo(sslConfiguration1.hashCode())));
+    }
+
     public void testThatSettingsWithDifferentKeystoresHaveDifferentHashCode() {
         SSLConfiguration sslConfiguration = new SSLConfiguration(Settings.builder()
                 .put("keystore.path", "path")

x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/ssl/SSLServiceTests.java

@@ -109,11 +109,11 @@ public class SSLServiceTests extends ESTestCase {
         assumeFalse("Can't run in a FIPS JVM", inFipsJvm());
         Path testClientStore = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testclient.jks");
         MockSecureSettings secureSettings = new MockSecureSettings();
-        secureSettings.setString("xpack.ssl.truststore.secure_password", "testnode");
+        secureSettings.setString("xpack.security.transport.ssl.truststore.secure_password", "testnode");
         secureSettings.setString("transport.profiles.foo.xpack.security.ssl.truststore.secure_password", "testclient");
         Settings settings = Settings.builder()
-                .put("xpack.ssl.truststore.path", testnodeStore)
-                .put("xpack.ssl.truststore.type", testnodeStoreType)
+                .put("xpack.security.transport.ssl.truststore.path", testnodeStore)
+                .put("xpack.security.transport.ssl.truststore.type", testnodeStoreType)
                 .setSecureSettings(secureSettings)
                 .put("transport.profiles.foo.xpack.security.ssl.truststore.path", testClientStore)
                 .build();
@@ -126,12 +126,12 @@ public class SSLServiceTests extends ESTestCase {
                 .setSecureSettings(secureCustomSettings)
                 .build();
 
-        SSLConfiguration configuration = new SSLConfiguration(customTruststoreSettings, globalConfiguration(sslService));
+        SSLConfiguration configuration = new SSLConfiguration(customTruststoreSettings);
         SSLEngine sslEngineWithTruststore = sslService.createSSLEngine(configuration, null, -1);
         assertThat(sslEngineWithTruststore, is(not(nullValue())));
 
-        SSLConfiguration globalConfig = globalConfiguration(sslService);
-        SSLEngine sslEngine = sslService.createSSLEngine(globalConfig, null, -1);
+        SSLConfiguration defaultConfig = sslService.getSSLConfiguration("xpack.security.transport.ssl");
+        SSLEngine sslEngine = sslService.createSSLEngine(defaultConfig, null, -1);
         assertThat(sslEngineWithTruststore, is(not(sameInstance(sslEngine))));
 
         final SSLConfiguration profileConfiguration = sslService.getSSLConfiguration("transport.profiles.foo.xpack.security.ssl");
@@ -142,20 +142,21 @@ public class SSLServiceTests extends ESTestCase {
 
     public void testThatSslContextCachingWorks() throws Exception {
         MockSecureSettings secureSettings = new MockSecureSettings();
-        secureSettings.setString("xpack.ssl.secure_key_passphrase", "testnode");
+        secureSettings.setString("xpack.security.transport.ssl.secure_key_passphrase", "testnode");
         Settings settings = Settings.builder()
-            .put("xpack.ssl.certificate", testnodeCert)
-            .put("xpack.ssl.key", testnodeKey)
+                .put("xpack.security.transport.ssl.certificate", testnodeCert)
+                .put("xpack.security.transport.ssl.key", testnodeKey)
                 .setSecureSettings(secureSettings)
                 .build();
         SSLService sslService = new SSLService(settings, env);
 
-        SSLContext sslContext = sslService.sslContext();
-        SSLContext cachedSslContext = sslService.sslContext();
+        final Settings transportSSLSettings = settings.getByPrefix("xpack.security.transport.ssl.");
+        SSLContext sslContext = sslService.sslContext(sslService.sslConfiguration(transportSSLSettings));
+        SSLContext cachedSslContext = sslService.sslContext(sslService.sslConfiguration(transportSSLSettings));
 
         assertThat(sslContext, is(sameInstance(cachedSslContext)));
 
-        final SSLConfiguration configuration = sslService.getSSLConfiguration("xpack.ssl");
+        final SSLConfiguration configuration = sslService.getSSLConfiguration("xpack.security.transport.ssl");
         final SSLContext configContext = sslService.sslContext(configuration);
         assertThat(configContext, is(sameInstance(sslContext)));
     }
@@ -165,14 +166,15 @@ public class SSLServiceTests extends ESTestCase {
         Path differentPasswordsStore =
                 getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode-different-passwords.jks");
         MockSecureSettings secureSettings = new MockSecureSettings();
-        secureSettings.setString("xpack.ssl.keystore.secure_password", "testnode");
-        secureSettings.setString("xpack.ssl.keystore.secure_key_password", "testnode1");
+        secureSettings.setString("xpack.security.transport.ssl.keystore.secure_password", "testnode");
+        secureSettings.setString("xpack.security.transport.ssl.keystore.secure_key_password", "testnode1");
         Settings settings = Settings.builder()
-                .put("xpack.ssl.keystore.path", differentPasswordsStore)
-                .setSecureSettings(secureSettings)
-                .build();
+            .put("xpack.security.transport.ssl.keystore.path", differentPasswordsStore)
+            .setSecureSettings(secureSettings)
+            .build();
+
         final SSLService sslService = new SSLService(settings, env);
-        SSLConfiguration configuration = globalConfiguration(sslService);
+        SSLConfiguration configuration = sslService.getSSLConfiguration("xpack.security.transport.ssl");
         sslService.createSSLEngine(configuration, null, -1);
     }
 
@@ -182,13 +184,13 @@ public class SSLServiceTests extends ESTestCase {
                 getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode-different-passwords.jks");
         try {
             MockSecureSettings secureSettings = new MockSecureSettings();
-            secureSettings.setString("xpack.ssl.keystore.secure_password", "testnode");
+            secureSettings.setString("xpack.security.transport.ssl.keystore.secure_password", "testnode");
             Settings settings = Settings.builder()
-                    .put("xpack.ssl.keystore.path", differentPasswordsStore)
-                    .setSecureSettings(secureSettings)
-                    .build();
+                .put("xpack.security.transport.ssl.keystore.path", differentPasswordsStore)
+                .setSecureSettings(secureSettings)
+                .build();
             final SSLService sslService = new SSLService(settings, env);
-            SSLConfiguration configuration = globalConfiguration(sslService);
+            SSLConfiguration configuration = sslService.getSSLConfiguration("xpack.security.transport.ssl");
             sslService.createSSLEngine(configuration, null, -1);
             fail("expected an exception");
         } catch (ElasticsearchException e) {
@@ -198,34 +200,34 @@ public class SSLServiceTests extends ESTestCase {
 
     public void testThatSSLv3IsNotEnabled() throws Exception {
         MockSecureSettings secureSettings = new MockSecureSettings();
-        secureSettings.setString("xpack.ssl.secure_key_passphrase", "testnode");
+        secureSettings.setString("xpack.security.transport.ssl.secure_key_passphrase", "testnode");
         Settings settings = Settings.builder()
-            .put("xpack.ssl.certificate", testnodeCert)
-            .put("xpack.ssl.key", testnodeKey)
+            .put("xpack.security.transport.ssl.certificate", testnodeCert)
+            .put("xpack.security.transport.ssl.key", testnodeKey)
             .setSecureSettings(secureSettings)
             .build();
         SSLService sslService = new SSLService(settings, env);
-        SSLConfiguration configuration = globalConfiguration(sslService);
+        SSLConfiguration configuration = sslService.getSSLConfiguration("xpack.security.transport.ssl");
         SSLEngine engine = sslService.createSSLEngine(configuration, null, -1);
         assertThat(Arrays.asList(engine.getEnabledProtocols()), not(hasItem("SSLv3")));
     }
 
     public void testThatCreateClientSSLEngineWithoutAnySettingsWorks() throws Exception {
         SSLService sslService = new SSLService(Settings.EMPTY, env);
-        SSLConfiguration configuration = globalConfiguration(sslService);
+        SSLConfiguration configuration = sslService.getSSLConfiguration("xpack.security.transport.ssl");
         SSLEngine sslEngine = sslService.createSSLEngine(configuration, null, -1);
         assertThat(sslEngine, notNullValue());
     }
 
     public void testThatCreateSSLEngineWithOnlyTruststoreWorks() throws Exception {
         MockSecureSettings secureSettings = new MockSecureSettings();
-        secureSettings.setString("xpack.ssl.truststore.secure_password", "testclient");
+        secureSettings.setString("xpack.security.transport.ssl.truststore.secure_password", "testclient");
         Settings settings = Settings.builder()
-                .put("xpack.ssl.truststore.path", testclientStore)
-                .setSecureSettings(secureSettings)
-                .build();
+            .put("xpack.security.transport.ssl.truststore.path", testclientStore)
+            .setSecureSettings(secureSettings)
+            .build();
         SSLService sslService = new SSLService(settings, env);
-        SSLConfiguration configuration = globalConfiguration(sslService);
+        SSLConfiguration configuration = sslService.getSSLConfiguration("xpack.security.transport.ssl");
         SSLEngine sslEngine = sslService.createSSLEngine(configuration, null, -1);
         assertThat(sslEngine, notNullValue());
     }
@@ -234,54 +236,52 @@ public class SSLServiceTests extends ESTestCase {
     public void testCreateWithKeystoreIsValidForServer() throws Exception {
         assumeFalse("Can't run in a FIPS JVM, JKS keystores can't be used", inFipsJvm());
         MockSecureSettings secureSettings = new MockSecureSettings();
-        secureSettings.setString("xpack.ssl.keystore.secure_password", "testnode");
+        secureSettings.setString("xpack.security.transport.ssl.keystore.secure_password", "testnode");
         Settings settings = Settings.builder()
-                .put("xpack.ssl.keystore.path", testnodeStore)
-                .put("xpack.ssl.keystore.type", testnodeStoreType)
-                .setSecureSettings(secureSettings)
-                .build();
+            .put("xpack.security.transport.ssl.keystore.path", testnodeStore)
+            .put("xpack.security.transport.ssl.keystore.type", testnodeStoreType)
+            .setSecureSettings(secureSettings)
+            .build();
         SSLService sslService = new SSLService(settings, env);
 
-        assertTrue(sslService.isConfigurationValidForServerUsage(globalConfiguration(sslService)));
+        assertTrue(sslService.isConfigurationValidForServerUsage(sslService.getSSLConfiguration("xpack.security.transport.ssl")));
     }
 
-    public void testValidForServerWithFallback() throws Exception {
+    public void testValidForServer() throws Exception {
         assumeFalse("Can't run in a FIPS JVM, JKS keystores can't be used", inFipsJvm());
         MockSecureSettings secureSettings = new MockSecureSettings();
-        secureSettings.setString("xpack.ssl.truststore.secure_password", "testnode");
+        secureSettings.setString("xpack.security.transport.ssl.truststore.secure_password", "testnode");
         Settings settings = Settings.builder()
-                .put("xpack.ssl.truststore.path", testnodeStore)
-                .put("xpack.ssl.truststore.type", testnodeStoreType)
-                .setSecureSettings(secureSettings)
-                .build();
+            .put("xpack.security.transport.ssl.truststore.path", testnodeStore)
+            .put("xpack.security.transport.ssl.truststore.type", testnodeStoreType)
+            .setSecureSettings(secureSettings)
+            .build();
         SSLService sslService = new SSLService(settings, env);
-        assertFalse(sslService.isConfigurationValidForServerUsage(globalConfiguration(sslService)));
+        assertFalse(sslService.isConfigurationValidForServerUsage(sslService.getSSLConfiguration("xpack.security.transport.ssl")));
 
         secureSettings.setString("xpack.security.transport.ssl.keystore.secure_password", "testnode");
         settings = Settings.builder()
-                .put("xpack.ssl.truststore.path", testnodeStore)
-                .put("xpack.ssl.truststore.type", testnodeStoreType)
-                .setSecureSettings(secureSettings)
-                .put("xpack.security.transport.ssl.keystore.path", testnodeStore)
-                .put("xpack.security.transport.ssl.keystore.type", testnodeStoreType)
-                .build();
+            .put("xpack.security.transport.ssl.truststore.path", testnodeStore)
+            .put("xpack.security.transport.ssl.truststore.type", testnodeStoreType)
+            .setSecureSettings(secureSettings)
+            .put("xpack.security.transport.ssl.keystore.path", testnodeStore)
+            .put("xpack.security.transport.ssl.keystore.type", testnodeStoreType)
+            .build();
         sslService = new SSLService(settings, env);
-        assertFalse(sslService.isConfigurationValidForServerUsage(globalConfiguration(sslService)));
         assertTrue(sslService.isConfigurationValidForServerUsage(sslService.getSSLConfiguration("xpack.security.transport.ssl")));
     }
 
     public void testGetVerificationMode() throws Exception {
         assumeFalse("Can't run in a FIPS JVM, TrustAllConfig is not a SunJSSE TrustManagers", inFipsJvm());
         SSLService sslService = new SSLService(Settings.EMPTY, env);
-        assertThat(globalConfiguration(sslService).verificationMode(), is(XPackSettings.VERIFICATION_MODE_DEFAULT));
+        assertThat(sslService.getSSLConfiguration("xpack.security.transport.ssl").verificationMode(),
+            is(XPackSettings.VERIFICATION_MODE_DEFAULT));
 
         Settings settings = Settings.builder()
-                .put("xpack.ssl.verification_mode", "none")
-                .put("xpack.security.transport.ssl.verification_mode", "certificate")
-                .put("transport.profiles.foo.xpack.security.ssl.verification_mode", "full")
-                .build();
+            .put("xpack.security.transport.ssl.verification_mode", "certificate")
+            .put("transport.profiles.foo.xpack.security.ssl.verification_mode", "full")
+            .build();
         sslService = new SSLService(settings, env);
-        assertThat(globalConfiguration(sslService).verificationMode(), is(VerificationMode.NONE));
         assertThat(sslService.getSSLConfiguration("xpack.security.transport.ssl.").verificationMode(), is(VerificationMode.CERTIFICATE));
         assertThat(sslService.getSSLConfiguration("transport.profiles.foo.xpack.security.ssl.").verificationMode(),
             is(VerificationMode.FULL));
@@ -289,27 +289,25 @@ public class SSLServiceTests extends ESTestCase {
 
     public void testIsSSLClientAuthEnabled() throws Exception {
         SSLService sslService = new SSLService(Settings.EMPTY, env);
-        assertTrue(globalConfiguration(sslService).sslClientAuth().enabled());
+        assertTrue(sslService.getSSLConfiguration("xpack.security.transport.ssl").sslClientAuth().enabled());
 
         Settings settings = Settings.builder()
-                .put("xpack.ssl.client_authentication", "none")
-                .put("xpack.security.transport.ssl.client_authentication", "optional")
+            .put("xpack.security.transport.ssl.client_authentication", "optional")
             .put("transport.profiles.foo.port", "9400-9410")
-                .build();
+            .build();
         sslService = new SSLService(settings, env);
-        assertFalse(sslService.isSSLClientAuthEnabled(globalConfiguration(sslService)));
         assertTrue(sslService.isSSLClientAuthEnabled(sslService.getSSLConfiguration("xpack.security.transport.ssl")));
         assertTrue(sslService.isSSLClientAuthEnabled(sslService.getSSLConfiguration("transport.profiles.foo.xpack.security.ssl")));
     }
 
     public void testThatHttpClientAuthDefaultsToNone() throws Exception {
         final Settings globalSettings = Settings.builder()
-                .put("xpack.security.http.ssl.enabled", true)
-                .put("xpack.ssl.client_authentication", SSLClientAuth.OPTIONAL.name())
-                .build();
+            .put("xpack.security.http.ssl.enabled", true)
+            .put("xpack.security.transport.ssl.client_authentication", SSLClientAuth.OPTIONAL.name())
+            .build();
         final SSLService sslService = new SSLService(globalSettings, env);
 
-        final SSLConfiguration globalConfig = globalConfiguration(sslService);
+        final SSLConfiguration globalConfig = sslService.getSSLConfiguration("xpack.security.transport.ssl");
         assertThat(globalConfig.sslClientAuth(), is(SSLClientAuth.OPTIONAL));
 
         final SSLConfiguration httpConfig = sslService.getHttpTransportSSLConfiguration();
@@ -318,14 +316,14 @@ public class SSLServiceTests extends ESTestCase {
 
     public void testThatTruststorePasswordIsRequired() throws Exception {
         MockSecureSettings secureSettings = new MockSecureSettings();
-        secureSettings.setString("xpack.ssl.keystore.secure_password", "testnode");
+        secureSettings.setString("xpack.security.transport.ssl.keystore.secure_password", "testnode");
         Settings settings = Settings.builder()
-                .put("xpack.ssl.keystore.path", testnodeStore)
-                .put("xpack.ssl.keystore.type", testnodeStoreType)
-                .setSecureSettings(secureSettings)
-                .put("xpack.ssl.truststore.path", testnodeStore)
-                .put("xpack.ssl.truststore.type", testnodeStoreType)
-                .build();
+            .put("xpack.security.transport.ssl.keystore.path", testnodeStore)
+            .put("xpack.security.transport.ssl.keystore.type", testnodeStoreType)
+            .setSecureSettings(secureSettings)
+            .put("xpack.security.transport.ssl.truststore.path", testnodeStore)
+            .put("xpack.security.transport.ssl.truststore.type", testnodeStoreType)
+            .build();
         ElasticsearchException e =
                 expectThrows(ElasticsearchException.class, () -> new SSLService(settings, env));
         assertThat(e.getMessage(), is("failed to initialize a TrustManagerFactory"));
@@ -333,9 +331,9 @@ public class SSLServiceTests extends ESTestCase {
 
     public void testThatKeystorePasswordIsRequired() throws Exception {
         Settings settings = Settings.builder()
-                .put("xpack.ssl.keystore.path", testnodeStore)
-                .put("xpack.ssl.keystore.type", testnodeStoreType)
-                .build();
+            .put("xpack.security.transport.ssl.keystore.path", testnodeStore)
+            .put("xpack.security.transport.ssl.keystore.type", testnodeStoreType)
+            .build();
         ElasticsearchException e =
                 expectThrows(ElasticsearchException.class, () -> new SSLService(settings, env));
         assertThat(e.getMessage(), is("failed to create trust manager"));
@@ -346,14 +344,15 @@ public class SSLServiceTests extends ESTestCase {
         ciphers.add("foo");
         ciphers.add("bar");
         MockSecureSettings secureSettings = new MockSecureSettings();
-        secureSettings.setString("xpack.ssl.secure_key_passphrase", "testnode");
+        secureSettings.setString("xpack.security.transport.ssl.secure_key_passphrase", "testnode");
         Settings settings = Settings.builder()
-            .put("xpack.ssl.certificate", testnodeCert)
-            .put("xpack.ssl.key", testnodeKey)
+            .put("xpack.security.transport.ssl.certificate", testnodeCert)
+            .put("xpack.security.transport.ssl.key", testnodeKey)
             .setSecureSettings(secureSettings)
+            .putList("xpack.security.transport.ssl.ciphers", ciphers.toArray(new String[ciphers.size()]))
             .build();
         SSLService sslService = new SSLService(settings, env);
-        SSLConfiguration configuration = globalConfiguration(sslService);
+        SSLConfiguration configuration = sslService.getSSLConfiguration("xpack.security.transport.ssl");
         SSLEngine engine = sslService.createSSLEngine(configuration, null, -1);
         assertThat(engine, is(notNullValue()));
         String[] enabledCiphers = engine.getEnabledCipherSuites();
@@ -362,14 +361,14 @@ public class SSLServiceTests extends ESTestCase {
 
     public void testInvalidCiphersOnlyThrowsException() throws Exception {
         MockSecureSettings secureSettings = new MockSecureSettings();
-        secureSettings.setString("xpack.ssl.secure_key_passphrase", "testnode");
+        secureSettings.setString("xpack.security.transport.ssl.secure_key_passphrase", "testnode");
+
         Settings settings = Settings.builder()
-            .put("xpack.ssl.certificate", testnodeCert)
-            .put("xpack.ssl.key", testnodeKey)
-            .putList("xpack.ssl.cipher_suites", new String[]{"foo", "bar"})
+            .put("xpack.security.transport.ssl.certificate", testnodeCert)
+            .put("xpack.security.transport.ssl.key", testnodeKey)
             .setSecureSettings(secureSettings)
+            .putList("xpack.security.transport.ssl.cipher_suites", new String[] { "foo", "bar" })
             .build();
-
         IllegalArgumentException e =
                 expectThrows(IllegalArgumentException.class, () -> new SSLService(settings, env));
         assertThat(e.getMessage(), is("none of the ciphers [foo, bar] are supported by this JVM"));
@@ -377,14 +376,14 @@ public class SSLServiceTests extends ESTestCase {
 
     public void testThatSSLEngineHasCipherSuitesOrderSet() throws Exception {
         MockSecureSettings secureSettings = new MockSecureSettings();
-        secureSettings.setString("xpack.ssl.secure_key_passphrase", "testnode");
+        secureSettings.setString("xpack.security.transport.ssl.secure_key_passphrase", "testnode");
         Settings settings = Settings.builder()
-            .put("xpack.ssl.certificate", testnodeCert)
-            .put("xpack.ssl.key", testnodeKey)
+            .put("xpack.security.transport.ssl.certificate", testnodeCert)
+            .put("xpack.security.transport.ssl.key", testnodeKey)
             .setSecureSettings(secureSettings)
             .build();
         SSLService sslService = new SSLService(settings, env);
-        SSLConfiguration configuration = globalConfiguration(sslService);
+        SSLConfiguration configuration = sslService.getSSLConfiguration("xpack.security.transport.ssl");
         SSLEngine engine = sslService.createSSLEngine(configuration, null, -1);
         assertThat(engine, is(notNullValue()));
         assertTrue(engine.getSSLParameters().getUseCipherSuitesOrder());
@@ -392,14 +391,14 @@ public class SSLServiceTests extends ESTestCase {
 
     public void testThatSSLSocketFactoryHasProperCiphersAndProtocols() throws Exception {
         MockSecureSettings secureSettings = new MockSecureSettings();
-        secureSettings.setString("xpack.ssl.secure_key_passphrase", "testnode");
+        secureSettings.setString("xpack.security.transport.ssl.secure_key_passphrase", "testnode");
         Settings settings = Settings.builder()
-            .put("xpack.ssl.certificate", testnodeCert)
-            .put("xpack.ssl.key", testnodeKey)
+            .put("xpack.security.transport.ssl.certificate", testnodeCert)
+            .put("xpack.security.transport.ssl.key", testnodeKey)
             .setSecureSettings(secureSettings)
             .build();
         SSLService sslService = new SSLService(settings, env);
-        SSLConfiguration config = globalConfiguration(sslService);
+        SSLConfiguration config = sslService.getSSLConfiguration("xpack.security.transport.ssl");
         final SSLSocketFactory factory = sslService.sslSocketFactory(config);
         final String[] ciphers = sslService.supportedCiphers(factory.getSupportedCipherSuites(), config.cipherSuites(), false);
         assertThat(factory.getDefaultCipherSuites(), is(ciphers));
@@ -417,14 +416,14 @@ public class SSLServiceTests extends ESTestCase {
 
     public void testThatSSLEngineHasProperCiphersAndProtocols() throws Exception {
         MockSecureSettings secureSettings = new MockSecureSettings();
-        secureSettings.setString("xpack.ssl.secure_key_passphrase", "testnode");
+        secureSettings.setString("xpack.security.transport.ssl.secure_key_passphrase", "testnode");
         Settings settings = Settings.builder()
-            .put("xpack.ssl.certificate", testnodeCert)
-            .put("xpack.ssl.key", testnodeKey)
+            .put("xpack.security.transport.ssl.certificate", testnodeCert)
+            .put("xpack.security.transport.ssl.key", testnodeKey)
             .setSecureSettings(secureSettings)
             .build();
         SSLService sslService = new SSLService(settings, env);
-        SSLConfiguration configuration = globalConfiguration(sslService);
+        SSLConfiguration configuration = sslService.getSSLConfiguration("xpack.security.transport.ssl");
         SSLEngine engine = sslService.createSSLEngine(configuration, null, -1);
         final String[] ciphers = sslService.supportedCiphers(engine.getSupportedCipherSuites(), configuration.cipherSuites(), false);
         final String[] supportedProtocols = configuration.supportedProtocols().toArray(Strings.EMPTY_ARRAY);
@@ -475,9 +474,9 @@ public class SSLServiceTests extends ESTestCase {
     }
 
     public void testEmptyTrustManager() throws Exception {
-        Settings settings = Settings.builder().build();
+        Settings settings = Settings.EMPTY;
         final SSLService sslService = new SSLService(settings, env);
-        X509ExtendedTrustManager trustManager = sslService.sslContextHolder(sslService.getSSLConfiguration("xpack.ssl"))
+        X509ExtendedTrustManager trustManager = sslService.sslContextHolder(sslService.getSSLConfiguration("xpack.security.transport.ssl"))
             .getEmptyTrustManager();
         assertThat(trustManager.getAcceptedIssuers(), emptyArray());
     }
@@ -489,7 +488,6 @@ public class SSLServiceTests extends ESTestCase {
         final String[] cipherSuites = sslContext.getSupportedSSLParameters().getCipherSuites();
 
         final String[] contextNames = {
-            "xpack.ssl",
             "xpack.http.ssl",
             "xpack.security.http.ssl",
             "xpack.security.transport.ssl",
@@ -517,10 +515,6 @@ public class SSLServiceTests extends ESTestCase {
         }
 
         final Settings settings = builder
-            // Add a realm without SSL settings. This context name should be mapped to the global configuration
-            .put("xpack.security.authc.realms.file.realm3.order", 4)
-            // Add an exporter without SSL settings. This context name should be mapped to the global configuration
-            .put("xpack.monitoring.exporters.mon3.type", "http")
             .setSecureSettings(secureSettings)
             .build();
         SSLService sslService = new SSLService(settings, env);
@@ -535,14 +529,6 @@ public class SSLServiceTests extends ESTestCase {
             assertThat("Cipher for " + name, configuration.cipherSuites(), contains(cipherSuites[i]));
             assertThat("Configuration for " + name + ".", sslService.getSSLConfiguration(name + "."), sameInstance(configuration));
         }
-
-        // These contexts have no SSL settings, but for convenience we want those components to be able to access their context
-        // by name, and get back the global configuration
-        final SSLConfiguration realm3Config = sslService.getSSLConfiguration("xpack.security.authc.realms.file.realm3.ssl");
-        final SSLConfiguration mon3Config = sslService.getSSLConfiguration("xpack.monitoring.exporters.mon3.ssl.");
-        final SSLConfiguration global = globalConfiguration(sslService);
-        assertThat(realm3Config, sameInstance(global));
-        assertThat(mon3Config, sameInstance(global));
     }
 
     public void testReadCertificateInformation() throws Exception {
@@ -552,13 +538,13 @@ public class SSLServiceTests extends ESTestCase {
         final Path pemPath = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/active-directory-ca.crt");
 
         final MockSecureSettings secureSettings = new MockSecureSettings();
-        secureSettings.setString("xpack.ssl.keystore.secure_password", "testnode");
-        secureSettings.setString("xpack.ssl.truststore.secure_password", "testnode");
+        secureSettings.setString("xpack.security.transport.ssl.keystore.secure_password", "testnode");
+        secureSettings.setString("xpack.security.transport.ssl.truststore.secure_password", "testnode");
         secureSettings.setString("xpack.http.ssl.keystore.secure_password", "testnode");
 
         final Settings settings = Settings.builder()
-                .put("xpack.ssl.keystore.path", jksPath)
-                .put("xpack.ssl.truststore.path", jksPath)
+                .put("xpack.security.transport.ssl.keystore.path", jksPath)
+                .put("xpack.security.transport.ssl.truststore.path", jksPath)
                 .put("xpack.http.ssl.keystore.path", p12Path)
                 .put("xpack.security.authc.realms.active_directory.ad.ssl.certificate_authorities", pemPath)
                 .setSecureSettings(secureSettings)
@@ -718,7 +704,7 @@ public class SSLServiceTests extends ESTestCase {
     @Network
     public void testThatSSLContextWithoutSettingsWorks() throws Exception {
         SSLService sslService = new SSLService(Settings.EMPTY, env);
-        SSLContext sslContext = sslService.sslContext();
+        SSLContext sslContext = sslService.sslContext(sslService.sslConfiguration(Settings.EMPTY));
         try (CloseableHttpClient client = HttpClients.custom().setSSLContext(sslContext).build()) {
             // Execute a GET on a site known to have a valid certificate signed by a trusted public CA
             // This will result in a SSLHandshakeException if the SSLContext does not trust the CA, but the default
@@ -730,12 +716,13 @@ public class SSLServiceTests extends ESTestCase {
     @Network
     public void testThatSSLContextTrustsJDKTrustedCAs() throws Exception {
         MockSecureSettings secureSettings = new MockSecureSettings();
-        secureSettings.setString("xpack.ssl.keystore.secure_password", "testclient");
+        secureSettings.setString("xpack.security.transport.ssl.keystore.secure_password", "testclient");
         Settings settings = Settings.builder()
-                .put("xpack.ssl.keystore.path", testclientStore)
+                .put("xpack.security.transport.ssl.keystore.path", testclientStore)
                 .setSecureSettings(secureSettings)
                 .build();
-        SSLContext sslContext = new SSLService(settings, env).sslContext();
+        SSLService sslService = new SSLService(settings, env);
+        SSLContext sslContext = sslService.sslContext(sslService.sslConfiguration(settings.getByPrefix("xpack.security.transport.ssl.")));
         try (CloseableHttpClient client = HttpClients.custom().setSSLContext(sslContext).build()) {
             // Execute a GET on a site known to have a valid certificate signed by a trusted public CA which will succeed because the JDK
             // certs are trusted by default
@@ -746,7 +733,7 @@ public class SSLServiceTests extends ESTestCase {
     @Network
     public void testThatSSLIOSessionStrategyWithoutSettingsWorks() throws Exception {
         SSLService sslService = new SSLService(Settings.EMPTY, env);
-        SSLConfiguration sslConfiguration = globalConfiguration(sslService);
+        SSLConfiguration sslConfiguration = sslService.getSSLConfiguration("xpack.security.transport.ssl");
         logger.info("SSL Configuration: {}", sslConfiguration);
         SSLIOSessionStrategy sslStrategy = sslService.sslIOSessionStrategy(sslConfiguration);
         try (CloseableHttpAsyncClient client = getAsyncHttpClient(sslStrategy)) {
@@ -762,13 +749,13 @@ public class SSLServiceTests extends ESTestCase {
     @Network
     public void testThatSSLIOSessionStrategyTrustsJDKTrustedCAs() throws Exception {
         MockSecureSettings secureSettings = new MockSecureSettings();
-        secureSettings.setString("xpack.ssl.keystore.secure_password", "testclient");
+        secureSettings.setString("xpack.security.transport.ssl.keystore.secure_password", "testclient");
         Settings settings = Settings.builder()
-                .put("xpack.ssl.keystore.path", testclientStore)
+                .put("xpack.security.transport.ssl.keystore.path", testclientStore)
                 .setSecureSettings(secureSettings)
                 .build();
         final SSLService sslService = new SSLService(settings, env);
-        SSLIOSessionStrategy sslStrategy = sslService.sslIOSessionStrategy(globalConfiguration(sslService));
+        SSLIOSessionStrategy sslStrategy = sslService.sslIOSessionStrategy(sslService.getSSLConfiguration("xpack.security.transport.ssl"));
         try (CloseableHttpAsyncClient client = getAsyncHttpClient(sslStrategy)) {
             client.start();
 
@@ -778,10 +765,6 @@ public class SSLServiceTests extends ESTestCase {
         }
     }
 
-    private static SSLConfiguration globalConfiguration(SSLService sslService) {
-        return sslService.getSSLConfiguration("xpack.ssl");
-    }
-
     class AssertionCallback implements FutureCallback<HttpResponse> {
 
         @Override

x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/ssl/TestsSSLService.java

@@ -19,11 +19,6 @@ public class TestsSSLService extends SSLService {
         super(settings, environment);
     }
 
-    @Override
-    public SSLContext sslContext() {
-        return super.sslContext();
-    }
-
     /**
      * Allows to get alternative ssl context, like for the http client
      */

x-pack/plugin/monitoring/src/test/java/org/elasticsearch/xpack/monitoring/exporter/http/HttpExporterSslIT.java

@@ -95,14 +95,14 @@ public class HttpExporterSslIT extends MonitoringIntegTestCase {
         final Path key = getDataPath("/org/elasticsearch/xpack/monitoring/exporter/http/testnode.pem");
 
         final Settings sslSettings = Settings.builder()
-            .put("xpack.ssl.certificate", cert)
-            .put("xpack.ssl.key", key)
-            .put("xpack.ssl.key_passphrase", "testnode")
+            .put("xpack.transport.security.ssl.certificate", cert)
+            .put("xpack.transport.security.ssl.key", key)
+            .put("xpack.transport.security.ssl.key_passphrase", "testnode")
             .put(globalSettings)
             .build();
 
         TestsSSLService sslService = new TestsSSLService(sslSettings, environment);
-        final SSLContext sslContext = sslService.sslContext(Settings.EMPTY);
+        final SSLContext sslContext = sslService.sslContext("xpack.security.transport.ssl");
         MockWebServer server = new MockWebServer(sslContext, false);
         server.start();
         return server;

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/PkiRealmBootstrapCheck.java

@@ -9,7 +9,7 @@ import org.elasticsearch.bootstrap.BootstrapCheck;
 import org.elasticsearch.bootstrap.BootstrapContext;
 import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.xpack.core.XPackSettings;
-import org.elasticsearch.xpack.core.security.authc.RealmConfig;
+import org.elasticsearch.xpack.core.security.authc.RealmConfig.RealmIdentifier;
 import org.elasticsearch.xpack.core.security.authc.RealmSettings;
 import org.elasticsearch.xpack.core.security.authc.pki.PkiRealmSettings;
 import org.elasticsearch.xpack.core.ssl.SSLConfiguration;
@@ -37,7 +37,7 @@ class PkiRealmBootstrapCheck implements BootstrapCheck {
     @Override
     public BootstrapCheckResult check(BootstrapContext context) {
         final Settings settings = context.settings();
-        final Map<RealmConfig.RealmIdentifier, Settings> realms = RealmSettings.getRealmSettings(settings);
+        final Map<RealmIdentifier, Settings> realms = RealmSettings.getRealmSettings(settings);
         final boolean pkiRealmEnabled = realms.entrySet().stream()
                 .filter(e -> PkiRealmSettings.TYPE.equals(e.getKey().getType()))
                 .map(Map.Entry::getValue)
@@ -70,6 +70,7 @@ class PkiRealmBootstrapCheck implements BootstrapCheck {
         return list;
     }
 
+    // FIXME this is an antipattern move this out of a bootstrap check!
     @Override
     public boolean alwaysEnforce() {
         return true;

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/esnative/ESNativeRealmMigrateTool.java

@@ -67,7 +67,6 @@ import java.util.Map;
 import java.util.Set;
 
 import static org.elasticsearch.common.xcontent.XContentFactory.jsonBuilder;
-import static org.elasticsearch.xpack.core.security.SecurityField.setting;
 
 /**
  * This is the command-line tool used for migrating users and roles from the file-based realm into the new native realm using the API for
@@ -149,7 +148,7 @@ public class ESNativeRealmMigrateTool extends LoggingAwareMultiCommand {
             // If using SSL, need a custom service because it's likely a self-signed certificate
             if ("https".equalsIgnoreCase(uri.getScheme())) {
                 final SSLService sslService = new SSLService(settings, env);
-                final SSLConfiguration sslConfiguration = sslService.getSSLConfiguration(setting("http.ssl"));
+                final SSLConfiguration sslConfiguration = sslService.getSSLConfiguration("xpack.security.http.ssl");
                 final HttpsURLConnection httpsConn = (HttpsURLConnection) url.openConnection();
                 AccessController.doPrivileged((PrivilegedAction<Void>) () -> {
                     // Requires permission java.lang.RuntimePermission "setFactory";

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/transport/nio/SecurityNioTransport.java

@@ -86,7 +86,6 @@ public class SecurityNioTransport extends NioTransport {
             Map<String, SSLConfiguration> profileConfiguration = SecurityNetty4Transport.getTransportProfileConfigurations(settings,
                 sslService, transportConfiguration);
             this.profileConfiguration = Collections.unmodifiableMap(profileConfiguration);
-
         } else {
             profileConfiguration = Collections.emptyMap();
         }

x-pack/plugin/security/src/test/java/org/elasticsearch/test/SecuritySettingsSource.java

@@ -149,7 +149,7 @@ public class SecuritySettingsSource extends NodeConfigurationSource {
     @Override
     public Settings transportClientSettings() {
         Settings.Builder builder = Settings.builder();
-        addClientSSLSettings(builder, "");
+        addClientSSLSettings(builder, "xpack.security.transport.");
         addDefaultSecurityTransportType(builder, Settings.EMPTY);
 
         if (randomBoolean()) {
@@ -208,22 +208,27 @@ public class SecuritySettingsSource extends NodeConfigurationSource {
         return new SecureString(SecuritySettingsSourceField.TEST_PASSWORD.toCharArray());
     }
 
+    public static void addSSLSettingsForNodePEMFiles(Settings.Builder builder, String prefix, boolean hostnameVerificationEnabled) {
+        addSSLSettingsForPEMFiles(builder, prefix,
+            "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.pem", "testnode",
+            "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt",
+            Arrays.asList("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode-client-profile.crt",
+                "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/active-directory-ca.crt",
+                "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testclient.crt",
+                "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/openldap.crt",
+                "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt"),
+            hostnameVerificationEnabled, false);
+    }
+
     private void addNodeSSLSettings(Settings.Builder builder) {
         if (sslEnabled) {
+            builder.put("xpack.security.transport.ssl.enabled", true);
             if (usePEM) {
-                addSSLSettingsForPEMFiles(builder, "",
-                        "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.pem", "testnode",
-                        "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt",
-                        Arrays.asList("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode-client-profile.crt",
-                                "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/active-directory-ca.crt",
-                                "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testclient.crt",
-                                "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/openldap.crt",
-                                "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt"),
-                        sslEnabled, hostnameVerificationEnabled, false);
-
+                addSSLSettingsForNodePEMFiles(builder, "xpack.security.transport.", hostnameVerificationEnabled);
             } else {
-                addSSLSettingsForStore(builder, "", "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.jks",
-                        "testnode", sslEnabled, hostnameVerificationEnabled, false);
+                addSSLSettingsForStore(builder, "xpack.security.transport.",
+                    "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.jks", "testnode",
+                    hostnameVerificationEnabled, false);
             }
         } else if (randomBoolean()) {
             builder.put(XPackSettings.TRANSPORT_SSL_ENABLED.getKey(), false);
@@ -231,47 +236,53 @@ public class SecuritySettingsSource extends NodeConfigurationSource {
     }
 
     public void addClientSSLSettings(Settings.Builder builder, String prefix) {
+        builder.put("xpack.security.transport.ssl.enabled", sslEnabled);
         if (usePEM) {
             addSSLSettingsForPEMFiles(builder, prefix,
                 "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testclient.pem", "testclient",
                 "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testclient.crt",
                 Arrays.asList("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt",
                               "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testclient.crt"),
-                    sslEnabled, hostnameVerificationEnabled, true);
+                hostnameVerificationEnabled, true);
         } else {
             addSSLSettingsForStore(builder, prefix, "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testclient.jks",
-                "testclient", sslEnabled, hostnameVerificationEnabled, true);
+                "testclient", hostnameVerificationEnabled, true);
         }
     }
 
+    /**
+     * Returns the configuration settings given the location of a certificate and its password
+     *
+     * @param resourcePathToStore the location of the keystore or truststore
+     * @param password the password
+     */
+    public static void addSSLSettingsForStore(Settings.Builder builder, String resourcePathToStore, String password, String prefix) {
+        addSSLSettingsForStore(builder, prefix, resourcePathToStore, password, true, true);
+    }
+
     private static void addSSLSettingsForStore(Settings.Builder builder, String prefix, String resourcePathToStore, String password,
-                                               boolean sslEnabled, boolean hostnameVerificationEnabled,
-                                               boolean transportClient) {
+                                               boolean hostnameVerificationEnabled, boolean transportClient) {
         Path store = resolveResourcePath(resourcePathToStore);
-
-        if (transportClient == false) {
-            builder.put(prefix + "xpack.security.http.ssl.enabled", false);
-        }
-        builder.put(XPackSettings.TRANSPORT_SSL_ENABLED.getKey(), sslEnabled);
-
-        builder.put(prefix + "xpack.ssl.verification_mode", hostnameVerificationEnabled ? "full" : "certificate");
-        builder.put(prefix + "xpack.ssl.keystore.path", store);
+        builder.put(prefix + "ssl.verification_mode", hostnameVerificationEnabled ? "full" : "certificate");
+        builder.put(prefix + "ssl.keystore.path", store);
         if (transportClient) {
             // continue using insecure settings for clients until we figure out what to do there...
-            builder.put(prefix + "xpack.ssl.keystore.password", password);
+            builder.put(prefix + "ssl.keystore.password", password);
         } else {
+            final String finalPrefix = prefix;
             addSecureSettings(builder, secureSettings ->
-                secureSettings.setString(prefix + "xpack.ssl.keystore.secure_password", password));
+                secureSettings.setString(finalPrefix + "ssl.keystore.secure_password", password));
         }
 
         if (randomBoolean()) {
-            builder.put(prefix + "xpack.ssl.truststore.path", store);
+            builder.put(prefix + "ssl.truststore.path", store);
             if (transportClient) {
                 // continue using insecure settings for clients until we figure out what to do there...
-                builder.put(prefix + "xpack.ssl.truststore.password", password);
+                builder.put(prefix + "ssl.truststore.password", password);
             } else {
+                final String finalPrefix = prefix;
                 addSecureSettings(builder, secureSettings ->
-                    secureSettings.setString(prefix + "xpack.ssl.truststore.secure_password", password));
+                    secureSettings.setString(finalPrefix + "ssl.truststore.secure_password", password));
             }
         }
     }
@@ -289,31 +300,46 @@ public class SecuritySettingsSource extends NodeConfigurationSource {
      */
     public static void addSSLSettingsForPEMFiles(Settings.Builder builder, String keyPath, String password,
                                                  String certificatePath, List<String> trustedCertificates) {
-        addSSLSettingsForPEMFiles(builder, "", keyPath, password, certificatePath, trustedCertificates, true, true, true);
+        addSSLSettingsForPEMFiles(builder, "", keyPath, password, certificatePath, trustedCertificates, true, true);
+    }
+
+    /**
+     * Returns the SSL related configuration settings given the location of a key and certificate and the location
+     * of the PEM certificates to be trusted
+     *
+     * @param keyPath             The path to the Private key to be used for SSL
+     * @param password            The password with which the private key is protected
+     * @param certificatePath     The path to the PEM formatted Certificate encapsulating the public key that corresponds
+     *                            to the Private Key specified in {@code keyPath}. Will be presented to incoming
+     *                            SSL connections.
+     * @param prefix              The settings prefix to use before ssl setting names
+     * @param trustedCertificates A list of PEM formatted certificates that will be trusted.
+     */
+    public static void addSSLSettingsForPEMFiles(Settings.Builder builder, String keyPath, String password,
+                                                 String certificatePath, String prefix, List<String> trustedCertificates) {
+        addSSLSettingsForPEMFiles(builder, prefix, keyPath, password, certificatePath, trustedCertificates, true, true);
     }
 
     private static void addSSLSettingsForPEMFiles(Settings.Builder builder, String prefix, String keyPath, String password,
-                                                  String certificatePath, List<String> trustedCertificates, boolean sslEnabled,
+                                                  String certificatePath, List<String> trustedCertificates,
                                                   boolean hostnameVerificationEnabled, boolean transportClient) {
-
-        if (transportClient == false) {
-            builder.put(prefix + "xpack.security.http.ssl.enabled", false);
+        if (prefix.equals("")) {
+            prefix = "xpack.security.transport.";
         }
-        builder.put(XPackSettings.TRANSPORT_SSL_ENABLED.getKey(), sslEnabled);
-
-        builder.put(prefix + "xpack.ssl.verification_mode", hostnameVerificationEnabled ? "full" : "certificate");
-        builder.put(prefix + "xpack.ssl.key", resolveResourcePath(keyPath))
-                .put(prefix + "xpack.ssl.certificate", resolveResourcePath(certificatePath));
+        builder.put(prefix + "ssl.verification_mode", hostnameVerificationEnabled ? "full" : "certificate");
+        builder.put(prefix + "ssl.key", resolveResourcePath(keyPath))
+                .put(prefix + "ssl.certificate", resolveResourcePath(certificatePath));
         if (transportClient) {
             // continue using insecure settings for clients until we figure out what to do there...
-            builder.put(prefix + "xpack.ssl.key_passphrase", password);
+            builder.put(prefix + "ssl.key_passphrase", password);
         } else {
+            final String finalPrefix = prefix;
             addSecureSettings(builder, secureSettings ->
-                secureSettings.setString(prefix + "xpack.ssl.secure_key_passphrase", password));
+                secureSettings.setString(finalPrefix + "ssl.secure_key_passphrase", password));
         }
 
         if (trustedCertificates.isEmpty() == false) {
-            builder.put(prefix + "xpack.ssl.certificate_authorities",
+            builder.put(prefix + "ssl.certificate_authorities",
                     Strings.arrayToCommaDelimitedString(resolvePathsToString(trustedCertificates)));
         }
     }

x-pack/plugin/security/src/test/java/org/elasticsearch/test/SettingsFilterTests.java

@@ -64,21 +64,21 @@ public class SettingsFilterTests extends ESTestCase {
         if (inFipsJvm() == false) {
             configureFilteredSetting("xpack.security.authc.realms.pki.pki1.truststore.path",
                 getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/truststore-testnode-only.jks").toString());
-            configureFilteredSetting("xpack.ssl.keystore.path",
+            configureFilteredSetting("xpack.security.transport.ssl.keystore.path",
                 getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.jks").toString());
         }
         configureSecureSetting("xpack.security.authc.realms.pki.pki1.truststore.secure_password", "truststore-testnode-only");
         configureFilteredSetting("xpack.security.authc.realms.pki.pki1.truststore.algorithm", "SunX509");
 
 
-        configureFilteredSetting("xpack.ssl.cipher_suites",
+        configureFilteredSetting("xpack.security.transport.ssl.cipher_suites",
                 Strings.arrayToCommaDelimitedString(XPackSettings.DEFAULT_CIPHERS.toArray()));
-        configureFilteredSetting("xpack.ssl.supported_protocols", randomFrom("TLSv1", "TLSv1.1", "TLSv1.2"));
-        configureSecureSetting("xpack.ssl.keystore.secure_password", "testnode");
-        configureFilteredSetting("xpack.ssl.keystore.algorithm", KeyManagerFactory.getDefaultAlgorithm());
-        configureSecureSetting("xpack.ssl.keystore.secure_key_password", "testnode");
-        configureSecureSetting("xpack.ssl.truststore.secure_password", randomAlphaOfLength(5));
-        configureFilteredSetting("xpack.ssl.truststore.algorithm", TrustManagerFactory.getDefaultAlgorithm());
+        configureFilteredSetting("xpack.security.transport.ssl.supported_protocols", randomFrom("TLSv1", "TLSv1.1", "TLSv1.2"));
+        configureSecureSetting("xpack.security.transport.ssl.keystore.secure_password", "testnode");
+        configureFilteredSetting("xpack.security.transport.ssl.keystore.algorithm", KeyManagerFactory.getDefaultAlgorithm());
+        configureSecureSetting("xpack.security.transport.ssl.keystore.secure_key_password", "testnode");
+        configureSecureSetting("xpack.security.transport.ssl.truststore.secure_password", randomAlphaOfLength(5));
+        configureFilteredSetting("xpack.security.transport.ssl.truststore.algorithm", TrustManagerFactory.getDefaultAlgorithm());
 
         // client profile
         configureUnfilteredSetting("transport.profiles.client.port", "9500-9600");

x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/FIPS140JKSKeystoreBootstrapCheckTests.java

@@ -16,22 +16,6 @@ public class FIPS140JKSKeystoreBootstrapCheckTests extends AbstractBootstrapChec
         assertFalse(new FIPS140JKSKeystoreBootstrapCheck().check(createTestContext(settings.build(), null)).isFailure());
     }
 
-    public void testSSLKeystoreTypeIsNotAllowed() {
-        final Settings.Builder settings = Settings.builder()
-            .put("xpack.security.fips_mode.enabled", "true")
-            .put("xpack.ssl.keystore.path", "/this/is/the/path")
-            .put("xpack.ssl.keystore.type", "JKS");
-        assertTrue(new FIPS140JKSKeystoreBootstrapCheck().check(createTestContext(settings.build(), null)).isFailure());
-    }
-
-    public void testSSLImplicitKeystoreTypeIsNotAllowed() {
-        final Settings.Builder settings = Settings.builder()
-            .put("xpack.security.fips_mode.enabled", "true")
-            .put("xpack.ssl.keystore.path", "/this/is/the/path")
-            .put("xpack.ssl.keystore.type", "JKS");
-        assertTrue(new FIPS140JKSKeystoreBootstrapCheck().check(createTestContext(settings.build(), null)).isFailure());
-    }
-
     public void testTransportSSLKeystoreTypeIsNotAllowed() {
         final Settings.Builder settings = Settings.builder()
             .put("xpack.security.fips_mode.enabled", "true")

x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/PkiRealmBootstrapCheckTests.java

@@ -36,15 +36,9 @@ public class PkiRealmBootstrapCheckTests extends AbstractBootstrapCheckTestCase
                 .build();
         assertFalse(runCheck(settings, env).isFailure());
 
-        // disable client auth default
-        settings = Settings.builder().put(settings)
-                .put("xpack.ssl.client_authentication", "none")
-                .build();
-        env = TestEnvironment.newEnvironment(settings);
-        assertTrue(runCheck(settings, env).isFailure());
-
         // enable ssl for http
         settings = Settings.builder().put(settings)
+                .put("xpack.security.transport.ssl.enabled", false)
                 .put("xpack.security.http.ssl.enabled", true)
                 .build();
         env = TestEnvironment.newEnvironment(settings);
@@ -73,6 +67,7 @@ public class PkiRealmBootstrapCheckTests extends AbstractBootstrapCheckTestCase
 
         // test with transport profile
         settings = Settings.builder().put(settings)
+                .put("xpack.security.transport.ssl.enabled", true)
                 .put("xpack.security.transport.client_authentication", "none")
                 .put("transport.profiles.foo.xpack.security.ssl.client_authentication", randomFrom("required", "optional"))
                 .build();
@@ -87,7 +82,7 @@ public class PkiRealmBootstrapCheckTests extends AbstractBootstrapCheckTestCase
     public void testBootstrapCheckWithDisabledRealm() throws Exception {
         Settings settings = Settings.builder()
                 .put("xpack.security.authc.realms.pki.test_pki.enabled", false)
-                .put("xpack.ssl.client_authentication", "none")
+                .put("xpack.security.transport.ssl.client_authentication", "none")
                 .put("path.home", createTempDir())
                 .build();
         Environment env = TestEnvironment.newEnvironment(settings);

x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/audit/index/IndexAuditTrailTests.java

@@ -246,7 +246,7 @@ public class IndexAuditTrailTests extends SecurityIntegTestCase {
                         SecuritySettingsSourceField.TEST_PASSWORD);
 
         if (remoteUseSSL) {
-            cluster2SettingsSource.addClientSSLSettings(builder, "xpack.security.audit.index.client.");
+            cluster2SettingsSource.addClientSSLSettings(builder, "xpack.security.audit.index.client.xpack.security.transport.");
             builder.put("xpack.security.audit.index.client.xpack.security.transport.ssl.enabled", true);
         }
         if (useSecurity == false && builder.get(NetworkModule.TRANSPORT_TYPE_KEY) == null) {

x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/audit/index/RemoteIndexAuditTrailStartingTests.java

@@ -111,7 +111,7 @@ public class RemoteIndexAuditTrailStartingTests extends SecurityIntegTestCase {
                         .put("xpack.security.audit.index.settings.index.number_of_shards", 1)
                         .put("xpack.security.audit.index.settings.index.number_of_replicas", 0);
 
-                addClientSSLSettings(builder, "xpack.security.audit.index.client.");
+                addClientSSLSettings(builder, "xpack.security.audit.index.client.xpack.security.transport.");
                 builder.put("xpack.security.audit.index.client.xpack.security.transport.ssl.enabled", sslEnabled);
                 return builder.build();
             }

x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/esnative/ESNativeMigrateToolTests.java

@@ -13,7 +13,6 @@ import org.elasticsearch.common.bytes.BytesArray;
 import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.env.Environment;
 import org.elasticsearch.test.NativeRealmIntegTestCase;
-import org.elasticsearch.test.SecuritySettingsSource;
 import org.elasticsearch.common.CharArrays;
 import org.elasticsearch.xpack.core.security.client.SecurityClient;
 import org.elasticsearch.xpack.security.support.SecurityIndexManager;
@@ -21,10 +20,12 @@ import org.junit.BeforeClass;
 
 import java.nio.charset.StandardCharsets;
 import java.nio.file.Path;
-import java.util.Arrays;
+import java.util.Collections;
 import java.util.HashSet;
 import java.util.Set;
 
+import static org.elasticsearch.test.SecuritySettingsSource.addSSLSettingsForNodePEMFiles;
+import static org.elasticsearch.test.SecuritySettingsSource.addSSLSettingsForPEMFiles;
 import static org.hamcrest.Matchers.containsString;
 import static org.hamcrest.Matchers.is;
 
@@ -49,11 +50,11 @@ public class ESNativeMigrateToolTests extends NativeRealmIntegTestCase {
     @Override
     public Settings nodeSettings(int nodeOrdinal) {
         logger.info("--> use SSL? {}", useSSL);
-        Settings s = Settings.builder()
-                .put(super.nodeSettings(nodeOrdinal))
-                .put("xpack.security.http.ssl.enabled", useSSL)
-                .build();
-        return s;
+        Settings.Builder builder = Settings.builder()
+                .put(super.nodeSettings(nodeOrdinal));
+        addSSLSettingsForNodePEMFiles(builder, "xpack.security.http.", true);
+        builder.put("xpack.security.http.ssl.enabled", useSSL);
+        return builder.build();
     }
 
     @Override
@@ -77,7 +78,7 @@ public class ESNativeMigrateToolTests extends NativeRealmIntegTestCase {
         SecurityClient c = new SecurityClient(client());
         logger.error("--> creating users");
         int numToAdd = randomIntBetween(1,10);
-        Set<String> addedUsers = new HashSet(numToAdd);
+        Set<String> addedUsers = new HashSet<>(numToAdd);
         for (int i = 0; i < numToAdd; i++) {
             String uname = randomAlphaOfLength(5);
             c.preparePutUser(uname, "s3kirt".toCharArray(), getFastStoredHashAlgoForTests(), "role1", "user").get();
@@ -94,13 +95,15 @@ public class ESNativeMigrateToolTests extends NativeRealmIntegTestCase {
 
         Settings.Builder builder = Settings.builder()
                 .put("path.home", home)
-                .put("path.conf", conf.toString());
-        SecuritySettingsSource.addSSLSettingsForPEMFiles(
+                .put("path.conf", conf.toString())
+                .put("xpack.security.http.ssl.client_authentication", "none");
+        addSSLSettingsForPEMFiles(
             builder,
             "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.pem",
             "testnode",
             "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt",
-            Arrays.asList("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt"));
+            "xpack.security.http.",
+            Collections.singletonList("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt"));
         Settings settings = builder.build();
         logger.error("--> retrieving users using URL: {}, home: {}", url, home);
 
@@ -140,12 +143,15 @@ public class ESNativeMigrateToolTests extends NativeRealmIntegTestCase {
         String password = new String(CharArrays.toUtf8Bytes(nodeClientPassword().getChars()), StandardCharsets.UTF_8);
         String url = getHttpURL();
         ESNativeRealmMigrateTool.MigrateUserOrRoles muor = new ESNativeRealmMigrateTool.MigrateUserOrRoles();
-        Settings.Builder builder = Settings.builder().put("path.home", home);
-        SecuritySettingsSource.addSSLSettingsForPEMFiles(builder,
+        Settings.Builder builder = Settings.builder()
+                .put("path.home", home)
+                .put("xpack.security.http.ssl.client_authentication", "none");
+        addSSLSettingsForPEMFiles(builder,
             "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testclient.pem",
             "testclient",
             "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testclient.crt",
-            Arrays.asList("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt"));
+            "xpack.security.http.",
+            Collections.singletonList("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt"));
         Settings settings = builder.build();
         logger.error("--> retrieving roles using URL: {}, home: {}", url, home);
 

x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/esnative/tool/CommandLineHttpClientTests.java

@@ -44,29 +44,16 @@ public class CommandLineHttpClientTests extends ESTestCase {
     }
 
     @After
-    public void shutdown() throws Exception {
+    public void shutdown() {
         webServer.close();
     }
 
     public void testCommandLineHttpClientCanExecuteAndReturnCorrectResultUsingSSLSettings() throws Exception {
         Path certPath = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt");
-        MockSecureSettings secureSettings = new MockSecureSettings();
-        Settings settings;
-        if (randomBoolean()) {
-            // with http ssl settings
-            secureSettings.setString("xpack.security.http.ssl.truststore.secure_password", "testnode");
-            settings = Settings.builder().put("xpack.security.http.ssl.certificate_authorities", certPath.toString())
-                    .put("xpack.security.http.ssl.verification_mode", VerificationMode.CERTIFICATE).setSecureSettings(secureSettings)
-                    .build();
-        } else {
-            // with global settings
-            secureSettings.setString("xpack.ssl.truststore.secure_password", "testnode");
-            settings = Settings.builder()
-                .put("xpack.ssl.certificate_authorities", certPath.toString())
-                .put("xpack.ssl.verification_mode", VerificationMode.CERTIFICATE)
-                .setSecureSettings(secureSettings)
-                .build();
-        }
+        Settings settings = Settings.builder()
+            .put("xpack.security.http.ssl.certificate_authorities", certPath.toString())
+            .put("xpack.security.http.ssl.verification_mode", VerificationMode.CERTIFICATE)
+            .build();
         CommandLineHttpClient client = new CommandLineHttpClient(settings, environment);
         HttpResponse httpResponse = client.execute("GET", new URL("https://localhost:" + webServer.getPort() + "/test"), "u1",
                 new SecureString(new char[]{'p'}), () -> null, is -> responseBuilder(is));
@@ -80,14 +67,14 @@ public class CommandLineHttpClientTests extends ESTestCase {
         Path certPath = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt");
         Path keyPath = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.pem");
         MockSecureSettings secureSettings = new MockSecureSettings();
-        secureSettings.setString("xpack.ssl.secure_key_passphrase", "testnode");
+        secureSettings.setString("xpack.security.http.ssl.secure_key_passphrase", "testnode");
         Settings settings = Settings.builder()
-            .put("xpack.ssl.key", keyPath.toString())
-            .put("xpack.ssl.certificate", certPath.toString())
+            .put("xpack.security.http.ssl.key", keyPath.toString())
+            .put("xpack.security.http.ssl.certificate", certPath.toString())
             .setSecureSettings(secureSettings)
             .build();
         TestsSSLService sslService = new TestsSSLService(settings, environment);
-        return new MockWebServer(sslService.sslContext(), false);
+        return new MockWebServer(sslService.sslContext("xpack.security.http.ssl."), false);
     }
 
     private HttpResponseBuilder responseBuilder(final InputStream is) throws IOException {

x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/LdapTestUtils.java

@@ -13,7 +13,6 @@ import org.elasticsearch.common.settings.MockSecureSettings;
 import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.env.Environment;
 import org.elasticsearch.env.TestEnvironment;
-import org.elasticsearch.test.ESTestCase;
 import org.elasticsearch.xpack.core.security.authc.ldap.support.SessionFactorySettings;
 import org.elasticsearch.xpack.core.ssl.SSLConfiguration;
 import org.elasticsearch.xpack.core.ssl.SSLService;
@@ -29,26 +28,16 @@ public class LdapTestUtils {
     }
 
     public static LDAPConnection openConnection(String url, String bindDN, String bindPassword, Path truststore) throws Exception {
-        boolean useGlobalSSL = ESTestCase.randomBoolean();
         Settings.Builder builder = Settings.builder().put("path.home", LuceneTestCase.createTempDir());
         MockSecureSettings secureSettings = new MockSecureSettings();
         builder.setSecureSettings(secureSettings);
-        if (useGlobalSSL) {
-            builder.put("xpack.ssl.truststore.path", truststore);
-            // fake realm to load config with certificate verification mode
-            builder.put("xpack.security.authc.realms.ldap.bar.ssl.truststore.path", truststore);
-            builder.put("xpack.security.authc.realms.ldap.bar.ssl.verification_mode", VerificationMode.CERTIFICATE);
-            secureSettings.setString("xpack.ssl.truststore.secure_password", "changeit");
-            secureSettings.setString("xpack.security.authc.realms.ldap.bar.ssl.truststore.secure_password", "changeit");
-        } else {
-            // fake realms so ssl will get loaded
-            builder.put("xpack.security.authc.realms.ldap.foo.ssl.truststore.path", truststore);
-            builder.put("xpack.security.authc.realms.ldap.foo.ssl.verification_mode", VerificationMode.FULL);
-            builder.put("xpack.security.authc.realms.ldap.bar.ssl.truststore.path", truststore);
-            builder.put("xpack.security.authc.realms.ldap.bar.ssl.verification_mode", VerificationMode.CERTIFICATE);
-            secureSettings.setString("xpack.security.authc.realms.ldap.foo.ssl.truststore.secure_password", "changeit");
-            secureSettings.setString("xpack.security.authc.realms.ldap.bar.ssl.truststore.secure_password", "changeit");
-        }
+        // fake realms so ssl will get loaded
+        builder.put("xpack.security.authc.realms.ldap.foo.ssl.truststore.path", truststore);
+        builder.put("xpack.security.authc.realms.ldap.foo.ssl.verification_mode", VerificationMode.FULL);
+        builder.put("xpack.security.authc.realms.ldap.bar.ssl.truststore.path", truststore);
+        builder.put("xpack.security.authc.realms.ldap.bar.ssl.verification_mode", VerificationMode.CERTIFICATE);
+        secureSettings.setString("xpack.security.authc.realms.ldap.foo.ssl.truststore.secure_password", "changeit");
+        secureSettings.setString("xpack.security.authc.realms.ldap.bar.ssl.truststore.secure_password", "changeit");
         Settings settings = builder.build();
         Environment env = TestEnvironment.newEnvironment(settings);
         SSLService sslService = new SSLService(settings, env);
@@ -60,12 +49,7 @@ public class LdapTestUtils {
         options.setConnectTimeoutMillis(Math.toIntExact(SessionFactorySettings.TIMEOUT_DEFAULT.millis()));
         options.setResponseTimeoutMillis(SessionFactorySettings.TIMEOUT_DEFAULT.millis());
 
-        final SSLConfiguration sslConfiguration;
-        if (useGlobalSSL) {
-            sslConfiguration = sslService.getSSLConfiguration("xpack.ssl");
-        } else {
-            sslConfiguration = sslService.getSSLConfiguration("xpack.security.authc.realms.ldap.foo.ssl");
-        }
+        final SSLConfiguration sslConfiguration = sslService.getSSLConfiguration("xpack.security.authc.realms.ldap.foo.ssl");
         return LdapUtils.privilegedConnect(() -> new LDAPConnection(sslService.sslSocketFactory(sslConfiguration), options,
             ldapurl.getHost(), ldapurl.getPort(), bindDN, bindPassword));
     }

x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/LdapUserSearchSessionFactoryTests.java

@@ -65,7 +65,7 @@ public class LdapUserSearchSessionFactoryTests extends LdapTestCase {
 
         globalSettings = Settings.builder()
             .put("path.home", createTempDir())
-            .put("xpack.ssl.certificate_authorities", certPath)
+            .put("xpack.security.transport.ssl.certificate_authorities", certPath)
             .build();
         sslService = new SSLService(globalSettings, env);
         threadPool = new TestThreadPool("LdapUserSearchSessionFactoryTests");

x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/pki/PkiAuthenticationTests.java

@@ -18,7 +18,6 @@ import org.elasticsearch.common.network.NetworkAddress;
 import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.common.transport.TransportAddress;
 import org.elasticsearch.http.HttpServerTransport;
-import org.elasticsearch.test.SecuritySettingsSource;
 import org.elasticsearch.test.SecuritySingleNodeTestCase;
 import org.elasticsearch.transport.Transport;
 import org.elasticsearch.xpack.core.TestXPackTransportClient;
@@ -41,6 +40,7 @@ import java.util.List;
 import java.util.Locale;
 import java.util.stream.Collectors;
 
+import static org.elasticsearch.test.SecuritySettingsSource.addSSLSettingsForNodePEMFiles;
 import static org.elasticsearch.test.SecuritySettingsSource.addSSLSettingsForPEMFiles;
 import static org.hamcrest.Matchers.containsString;
 import static org.hamcrest.Matchers.is;
@@ -60,17 +60,15 @@ public class PkiAuthenticationTests extends SecuritySingleNodeTestCase {
         SSLClientAuth sslClientAuth = randomBoolean() ? SSLClientAuth.REQUIRED : SSLClientAuth.OPTIONAL;
 
         Settings.Builder builder = Settings.builder()
-            .put(super.nodeSettings())
-            .put("xpack.security.http.ssl.enabled", true)
+            .put(super.nodeSettings());
+        addSSLSettingsForNodePEMFiles(builder, "xpack.security.http.", true);
+        builder.put("xpack.security.http.ssl.enabled", true)
             .put("xpack.security.http.ssl.client_authentication", sslClientAuth)
             .put("xpack.security.authc.realms.file.file.order", "0")
             .put("xpack.security.authc.realms.pki.pki1.order", "1")
             .put("xpack.security.authc.realms.pki.pki1.certificate_authorities",
                 getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt"))
             .put("xpack.security.authc.realms.pki.pki1.files.role_mapping", getDataPath("role_mapping.yml"));
-
-        SecuritySettingsSource.addSecureSettings(builder, secureSettings ->
-                secureSettings.setString("xpack.security.authc.realms.pki.pki1.truststore.secure_password", "truststore-testnode-only"));
         return builder.build();
     }
 
@@ -158,13 +156,15 @@ public class PkiAuthenticationTests extends SecuritySingleNodeTestCase {
 
     private TransportClient createTransportClient(Settings additionalSettings) {
         Settings clientSettings = transportClientSettings();
-        if (additionalSettings.getByPrefix("xpack.ssl.").isEmpty() == false) {
-            clientSettings = clientSettings.filter(k -> k.startsWith("xpack.ssl.") == false);
+        if (additionalSettings.getByPrefix("xpack.security.transport.ssl.").isEmpty() == false) {
+            clientSettings = clientSettings.filter(k -> k.startsWith("xpack.security.transport.ssl.") == false);
         }
 
-        Settings.Builder builder = Settings.builder().put(clientSettings, false)
-                .put(additionalSettings)
-                .put("cluster.name", node().settings().get("cluster.name"));
+        Settings.Builder builder = Settings.builder()
+            .put("xpack.security.transport.ssl.enabled", true)
+            .put(clientSettings, false)
+            .put(additionalSettings)
+            .put("cluster.name", node().settings().get("cluster.name"));
         builder.remove(SecurityField.USER_SETTING.getKey());
         builder.remove("request.headers.Authorization");
         return new TestXPackTransportClient(builder.build(), LocalStateSecurity.class);

x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/pki/PkiOptionalClientAuthTests.java

@@ -52,6 +52,9 @@ public class PkiOptionalClientAuthTests extends SecuritySingleNodeTestCase {
                 .put(super.nodeSettings())
                 .put("xpack.security.http.ssl.enabled", true)
                 .put("xpack.security.http.ssl.client_authentication", SSLClientAuth.OPTIONAL)
+                .put("xpack.security.http.ssl.keystore.path",
+                        getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.jks"))
+                .put("xpack.security.http.ssl.keystore.password", "testnode")
                 .put("xpack.security.authc.realms.file.file.order", "0")
                 .put("xpack.security.authc.realms.pki.pki1.order", "1")
                 .put("xpack.security.authc.realms.pki.pki1.truststore.path",
@@ -59,10 +62,15 @@ public class PkiOptionalClientAuthTests extends SecuritySingleNodeTestCase {
                 .put("xpack.security.authc.realms.pki.pki1.files.role_mapping", getDataPath("role_mapping.yml"))
                 .put("transport.profiles.want_client_auth.port", randomClientPortRange)
                 .put("transport.profiles.want_client_auth.bind_host", "localhost")
+                .put("transport.profiles.want_client_auth.xpack.security.ssl.keystore.path",
+                        getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.jks"))
+                .put("transport.profiles.want_client_auth.xpack.security.ssl.keystore.password", "testnode")
                 .put("transport.profiles.want_client_auth.xpack.security.ssl.client_authentication", SSLClientAuth.OPTIONAL);
 
-        SecuritySettingsSource.addSecureSettings(builder, secureSettings ->
-                secureSettings.setString("xpack.security.authc.realms.pki.pki1.truststore.secure_password", "truststore-testnode-only"));
+        SecuritySettingsSource.addSecureSettings(builder, secureSettings -> {
+            secureSettings.setString("xpack.security.authc.realms.pki.pki1.truststore.secure_password", "truststore-testnode-only");
+            secureSettings.setString("xpack.security.http.ssl.keystore.secure_password", "testnode");
+        });
         return builder.build();
 
     }

x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/saml/SamlRealmTests.java

@@ -123,19 +123,20 @@ public class SamlRealmTests extends SamlTestCase {
         final Path path = getDataPath("idp1.xml");
         final String body = new String(Files.readAllBytes(path), StandardCharsets.UTF_8);
         final MockSecureSettings mockSecureSettings = new MockSecureSettings();
-        mockSecureSettings.setString("xpack.ssl.secure_key_passphrase", "testnode");
+        mockSecureSettings.setString("xpack.security.http.ssl.secure_key_passphrase", "testnode");
         final Settings settings = Settings.builder()
-            .put("xpack.ssl.key",
+            .put("xpack.security.http.ssl.key",
                 getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.pem"))
-            .put("xpack.ssl.certificate",
+            .put("xpack.security.http.ssl.certificate",
                 getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt"))
-            .put("xpack.ssl.certificate_authorities",
+            .put("xpack.security.http.ssl.certificate_authorities",
                 getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt"))
             .put("path.home", createTempDir())
             .setSecureSettings(mockSecureSettings)
             .build();
         TestsSSLService sslService = new TestsSSLService(settings, TestEnvironment.newEnvironment(settings));
-        try (MockWebServer proxyServer = new MockWebServer(sslService.sslContext(Settings.EMPTY), false)) {
+        try (MockWebServer proxyServer =
+                     new MockWebServer(sslService.sslContext("xpack.security.http.ssl"), false)) {
             proxyServer.start();
             proxyServer.enqueue(new MockResponse().setResponseCode(200).setBody(body).addHeader("Content-Type", "application/xml"));
             proxyServer.enqueue(new MockResponse().setResponseCode(200).setBody(body).addHeader("Content-Type", "application/xml"));

x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/AbstractSimpleSecurityTransportTestCase.java

@@ -82,11 +82,11 @@ public abstract class AbstractSimpleSecurityTransportTestCase extends AbstractSi
         Path testnodeCert = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt");
         Path testnodeKey = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.pem");
         MockSecureSettings secureSettings = new MockSecureSettings();
-        secureSettings.setString("xpack.ssl.secure_key_passphrase", "testnode");
+        secureSettings.setString("xpack.security.transport.ssl.secure_key_passphrase", "testnode");
         Settings settings1 = Settings.builder()
             .put("xpack.security.transport.ssl.enabled", true)
-            .put("xpack.ssl.key", testnodeKey)
-            .put("xpack.ssl.certificate", testnodeCert)
+            .put("xpack.security.transport.ssl.key", testnodeKey)
+            .put("xpack.security.transport.ssl.certificate", testnodeCert)
             .put("path.home", createTempDir())
             .put(settings)
             .setSecureSettings(secureSettings)
@@ -153,7 +153,7 @@ public abstract class AbstractSimpleSecurityTransportTestCase extends AbstractSi
     @SuppressForbidden(reason = "Need to open socket connection")
     public void testRenegotiation() throws Exception {
         SSLService sslService = createSSLService();
-        final SSLConfiguration sslConfiguration = sslService.getSSLConfiguration("xpack.ssl");
+        final SSLConfiguration sslConfiguration = sslService.getSSLConfiguration("xpack.security.transport.ssl");
         SocketFactory factory = sslService.sslSocketFactory(sslConfiguration);
         try (SSLSocket socket = (SSLSocket) factory.createSocket()) {
             SocketAccess.doPrivileged(() -> socket.connect(serviceA.boundAddress().publishAddress().address()));
@@ -205,7 +205,7 @@ public abstract class AbstractSimpleSecurityTransportTestCase extends AbstractSi
         assumeFalse("Can't run in a FIPS JVM, TrustAllConfig is not a SunJSSE TrustManagers", inFipsJvm());
         SSLService sslService = createSSLService();
 
-        final SSLConfiguration sslConfiguration = sslService.getSSLConfiguration("xpack.ssl");
+        final SSLConfiguration sslConfiguration = sslService.getSSLConfiguration("xpack.security.transport.ssl");
         SSLContext sslContext = sslService.sslContext(sslConfiguration);
         final SSLServerSocketFactory serverSocketFactory = sslContext.getServerSocketFactory();
         final String sniIp = "sni-hostname";
@@ -245,7 +245,9 @@ public abstract class AbstractSimpleSecurityTransportTestCase extends AbstractSi
 
             InetSocketAddress serverAddress = (InetSocketAddress) SocketAccess.doPrivileged(sslServerSocket::getLocalSocketAddress);
 
-            Settings settings = Settings.builder().put("name", "TS_TEST").put("xpack.ssl.verification_mode", "none").build();
+            Settings settings = Settings.builder().put("name", "TS_TEST")
+                .put("xpack.security.transport.ssl.verification_mode", "none")
+                .build();
             try (MockTransportService serviceC = build(settings, version0, null, true)) {
                 serviceC.acceptIncomingRequests();
 
@@ -271,7 +273,7 @@ public abstract class AbstractSimpleSecurityTransportTestCase extends AbstractSi
         assumeFalse("Can't run in a FIPS JVM, TrustAllConfig is not a SunJSSE TrustManagers", inFipsJvm());
         SSLService sslService = createSSLService();
 
-        final SSLConfiguration sslConfiguration = sslService.getSSLConfiguration("xpack.ssl");
+        final SSLConfiguration sslConfiguration = sslService.getSSLConfiguration("xpack.security.transport.ssl");
         SSLContext sslContext = sslService.sslContext(sslConfiguration);
         final SSLServerSocketFactory serverSocketFactory = sslContext.getServerSocketFactory();
         final String sniIp = "invalid_hostname";
@@ -290,7 +292,9 @@ public abstract class AbstractSimpleSecurityTransportTestCase extends AbstractSi
 
             InetSocketAddress serverAddress = (InetSocketAddress) SocketAccess.doPrivileged(sslServerSocket::getLocalSocketAddress);
 
-            Settings settings = Settings.builder().put("name", "TS_TEST").put("xpack.ssl.verification_mode", "none").build();
+            Settings settings = Settings.builder().put("name", "TS_TEST")
+                .put("xpack.security.transport.ssl.verification_mode", "none")
+                .build();
             try (MockTransportService serviceC = build(settings, version0, null, true)) {
                 serviceC.acceptIncomingRequests();
 

x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/ServerTransportFilterIntegrationTests.java

@@ -32,7 +32,6 @@ import org.elasticsearch.transport.TransportResponseHandler;
 import org.elasticsearch.transport.TransportService;
 import org.elasticsearch.xpack.core.XPackSettings;
 import org.elasticsearch.xpack.core.security.SecurityField;
-import org.elasticsearch.xpack.core.ssl.SSLClientAuth;
 import org.elasticsearch.xpack.security.LocalStateSecurity;
 import org.junit.BeforeClass;
 
@@ -41,8 +40,10 @@ import java.nio.file.Files;
 import java.nio.file.Path;
 import java.util.Arrays;
 import java.util.Collection;
+import java.util.Collections;
 import java.util.concurrent.CountDownLatch;
 
+import static org.elasticsearch.test.SecuritySettingsSource.addSSLSettingsForNodePEMFiles;
 import static org.elasticsearch.test.SecuritySettingsSource.addSSLSettingsForPEMFiles;
 import static org.elasticsearch.xpack.security.test.SecurityTestUtils.writeFile;
 import static org.hamcrest.CoreMatchers.equalTo;
@@ -63,13 +64,12 @@ public class ServerTransportFilterIntegrationTests extends SecurityIntegTestCase
 
     @Override
     protected Settings nodeSettings(int nodeOrdinal) {
-        Settings.Builder settingsBuilder = Settings.builder();
+        Settings.Builder settingsBuilder = Settings.builder().put(super.nodeSettings(nodeOrdinal));
         String randomClientPortRange = randomClientPort + "-" + (randomClientPort+100);
+        addSSLSettingsForNodePEMFiles(settingsBuilder, "transport.profiles.client.xpack.security.", true);
         Path certPath = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt");
-        settingsBuilder.put(super.nodeSettings(nodeOrdinal))
-            .putList("transport.profiles.client.xpack.security.ssl.certificate_authorities",
-                Arrays.asList(certPath.toString())) // settings for client truststore
-            .put("xpack.ssl.client_authentication", SSLClientAuth.REQUIRED)
+        settingsBuilder.putList("transport.profiles.client.xpack.security.ssl.certificate_authorities",
+            Collections.singletonList(certPath.toString())) // settings for client truststore
             .put("transport.profiles.client.xpack.security.type", "client")
             .put("transport.profiles.client.port", randomClientPortRange)
             // make sure this is "localhost", no matter if ipv4 or ipv6, but be consistent
@@ -82,7 +82,7 @@ public class ServerTransportFilterIntegrationTests extends SecurityIntegTestCase
         }
 
         SecuritySettingsSource.addSecureSettings(settingsBuilder, secureSettings ->
-            secureSettings.setString("transport.profiles.client.xpack.security.ssl.truststore.secure_password", "testnode"));
+            secureSettings.setString("transport.profiles.client.xpack.security.ssl.keystore.secure_password", "testnode"));
         return settingsBuilder.build();
     }
 
@@ -97,20 +97,20 @@ public class ServerTransportFilterIntegrationTests extends SecurityIntegTestCase
 
         // test that starting up a node works
         Settings.Builder nodeSettings = Settings.builder()
-                .put("node.name", "my-test-node")
-                .put("network.host", "localhost")
-                .put("cluster.name", internalCluster().getClusterName())
-                .put("discovery.zen.ping.unicast.hosts", unicastHost)
-                .put("discovery.zen.minimum_master_nodes",
-                        internalCluster().getInstance(Settings.class).get("discovery.zen.minimum_master_nodes"))
-                .put("xpack.security.enabled", true)
-                .put("xpack.security.audit.enabled", false)
-                .put(XPackSettings.WATCHER_ENABLED.getKey(), false)
-                .put("path.home", home)
-                .put(Node.NODE_MASTER_SETTING.getKey(), false)
-                .put(TestZenDiscovery.USE_ZEN2.getKey(), getUseZen2())
-                .put(TestZenDiscovery.USE_MOCK_PINGS.getKey(), false);
-                //.put("xpack.ml.autodetect_process", false);
+            .put("node.name", "my-test-node")
+            .put("network.host", "localhost")
+            .put("cluster.name", internalCluster().getClusterName())
+            .put("discovery.zen.ping.unicast.hosts", unicastHost)
+            .put("discovery.zen.minimum_master_nodes",
+                    internalCluster().getInstance(Settings.class).get("discovery.zen.minimum_master_nodes"))
+            .put("xpack.security.enabled", true)
+            .put("xpack.security.audit.enabled", false)
+            .put("xpack.security.transport.ssl.enabled", true)
+            .put(XPackSettings.WATCHER_ENABLED.getKey(), false)
+            .put("path.home", home)
+            .put(Node.NODE_MASTER_SETTING.getKey(), false)
+            .put(TestZenDiscovery.USE_ZEN2.getKey(), getUseZen2())
+            .put(TestZenDiscovery.USE_MOCK_PINGS.getKey(), false);
         Collection<Class<? extends Plugin>> mockPlugins = Arrays.asList(
             LocalStateSecurity.class, TestZenDiscovery.TestPlugin.class, MockHttpTransport.TestPlugin.class);
         addSSLSettingsForPEMFiles(
@@ -139,22 +139,22 @@ public class ServerTransportFilterIntegrationTests extends SecurityIntegTestCase
 
         // test that starting up a node works
         Settings.Builder nodeSettings = Settings.builder()
-                .put("xpack.security.authc.realms.file.file.order", 0)
-                .put("node.name", "my-test-node")
-                .put(SecurityField.USER_SETTING.getKey(), "test_user:" + SecuritySettingsSourceField.TEST_PASSWORD)
-                .put("cluster.name", internalCluster().getClusterName())
-                .put("discovery.zen.ping.unicast.hosts", unicastHost)
-                .put("discovery.zen.minimum_master_nodes",
-                        internalCluster().getInstance(Settings.class).get("discovery.zen.minimum_master_nodes"))
-                .put("xpack.security.enabled", true)
-                .put("xpack.security.audit.enabled", false)
-                .put(XPackSettings.WATCHER_ENABLED.getKey(), false)
-                .put("discovery.initial_state_timeout", "0s")
-                .put("path.home", home)
-                .put(Node.NODE_MASTER_SETTING.getKey(), false)
-                .put(TestZenDiscovery.USE_ZEN2.getKey(), getUseZen2())
-                .put(TestZenDiscovery.USE_MOCK_PINGS.getKey(), false);
-                //.put("xpack.ml.autodetect_process", false);
+            .put("xpack.security.authc.realms.file.file.order", 0)
+            .put("node.name", "my-test-node")
+            .put(SecurityField.USER_SETTING.getKey(), "test_user:" + SecuritySettingsSourceField.TEST_PASSWORD)
+            .put("cluster.name", internalCluster().getClusterName())
+            .put("discovery.zen.ping.unicast.hosts", unicastHost)
+            .put("discovery.zen.minimum_master_nodes",
+                internalCluster().getInstance(Settings.class).get("discovery.zen.minimum_master_nodes"))
+            .put("xpack.security.enabled", true)
+            .put("xpack.security.audit.enabled", false)
+            .put("xpack.security.transport.ssl.enabled", true)
+            .put(XPackSettings.WATCHER_ENABLED.getKey(), false)
+            .put("discovery.initial_state_timeout", "0s")
+            .put("path.home", home)
+            .put(Node.NODE_MASTER_SETTING.getKey(), false)
+            .put(TestZenDiscovery.USE_ZEN2.getKey(), getUseZen2())
+            .put(TestZenDiscovery.USE_MOCK_PINGS.getKey(), false);
         Collection<Class<? extends Plugin>> mockPlugins = Arrays.asList(
             LocalStateSecurity.class, TestZenDiscovery.TestPlugin.class, MockHttpTransport.TestPlugin.class);
         addSSLSettingsForPEMFiles(
@@ -162,7 +162,7 @@ public class ServerTransportFilterIntegrationTests extends SecurityIntegTestCase
             "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.pem",
             "testnode",
             "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt",
-            Arrays.asList("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt"));
+            Collections.singletonList("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt"));
         try (Node node = new MockNode(nodeSettings.build(), mockPlugins)) {
             node.start();
             TransportService instance = node.injector().getInstance(TransportService.class);

x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/netty4/IPHostnameVerificationTests.java

@@ -33,7 +33,7 @@ public class IPHostnameVerificationTests extends SecurityIntegTestCase {
     protected Settings nodeSettings(int nodeOrdinal) {
         Settings settings = super.nodeSettings(nodeOrdinal);
         Settings.Builder builder = Settings.builder()
-                .put(settings.filter((s) -> s.startsWith("xpack.ssl.") == false), false);
+                .put(settings.filter((s) -> s.startsWith("xpack.security.transport.ssl.") == false), false);
         settings = builder.build();
 
         // The default Unicast test behavior is to use 'localhost' with the port number. For this test we need to use IP
@@ -56,27 +56,27 @@ public class IPHostnameVerificationTests extends SecurityIntegTestCase {
         }
 
         SecuritySettingsSource.addSecureSettings(settingsBuilder, secureSettings -> {
-            secureSettings.setString("xpack.ssl.secure_key_passphrase", "testnode-ip-only");
+            secureSettings.setString("xpack.security.transport.ssl.secure_key_passphrase", "testnode-ip-only");
         });
-        return settingsBuilder.put("xpack.ssl.key", keyPath.toAbsolutePath())
-            .put("xpack.ssl.certificate", certPath.toAbsolutePath())
-            .put("xpack.ssl.certificate_authorities", certPath.toAbsolutePath())
+        return settingsBuilder.put("xpack.security.transport.ssl.key", keyPath.toAbsolutePath())
+            .put("xpack.security.transport.ssl.certificate", certPath.toAbsolutePath())
+            .put("xpack.security.transport.ssl.certificate_authorities", certPath.toAbsolutePath())
             .put(TransportSettings.BIND_HOST.getKey(), "127.0.0.1")
             .put("network.host", "127.0.0.1")
-            .put("xpack.ssl.client_authentication", SSLClientAuth.NONE)
-            .put("xpack.ssl.verification_mode", "full")
+            .put("xpack.security.transport.ssl.client_authentication", SSLClientAuth.NONE)
+            .put("xpack.security.transport.ssl.verification_mode", "full")
             .build();
     }
 
     @Override
     protected Settings transportClientSettings() {
         Settings clientSettings = super.transportClientSettings();
-        return Settings.builder().put(clientSettings.filter(k -> k.startsWith("xpack.ssl.") == false))
-            .put("xpack.ssl.verification_mode", "certificate")
-            .put("xpack.ssl.key", keyPath.toAbsolutePath())
-            .put("xpack.ssl.certificate", certPath.toAbsolutePath())
-            .put("xpack.ssl.key_passphrase", "testnode-ip-only")
-            .put("xpack.ssl.certificate_authorities", certPath)
+        return Settings.builder().put(clientSettings.filter(k -> k.startsWith("xpack.security.transport.ssl.") == false))
+            .put("xpack.security.transport.ssl.verification_mode", "certificate")
+            .put("xpack.security.transport.ssl.key", keyPath.toAbsolutePath())
+            .put("xpack.security.transport.ssl.certificate", certPath.toAbsolutePath())
+            .put("xpack.security.transport.ssl.key_passphrase", "testnode-ip-only")
+            .put("xpack.security.transport.ssl.certificate_authorities", certPath)
             .build();
     }
 

x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/netty4/SecurityNetty4HttpServerTransportTests.java

@@ -42,15 +42,15 @@ public class SecurityNetty4HttpServerTransportTests extends ESTestCase {
     private Path testnodeCert;
     private Path testnodeKey;
     @Before
-    public void createSSLService() throws Exception {
+    public void createSSLService() {
         testnodeCert = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt");
         testnodeKey = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.pem");
 
         MockSecureSettings secureSettings = new MockSecureSettings();
-        secureSettings.setString("xpack.ssl.secure_key_passphrase", "testnode");
+        secureSettings.setString("xpack.security.http.ssl.secure_key_passphrase", "testnode");
         Settings settings = Settings.builder()
-            .put("xpack.ssl.key", testnodeKey)
-            .put("xpack.ssl.certificate", testnodeCert)
+            .put("xpack.security.http.ssl.key", testnodeKey)
+            .put("xpack.security.http.ssl.certificate", testnodeCert)
             .put("path.home", createTempDir())
             .setSecureSettings(secureSettings)
             .build();
@@ -149,7 +149,7 @@ public class SecurityNetty4HttpServerTransportTests extends ESTestCase {
 
     public void testThatExceptionIsThrownWhenConfiguredWithoutSslKey() throws Exception {
         Settings settings = Settings.builder()
-            .put("xpack.ssl.certificate_authorities", testnodeCert)
+            .put("xpack.security.http.ssl.certificate_authorities", testnodeCert)
             .put(XPackSettings.HTTP_SSL_ENABLED.getKey(), true)
             .put("path.home", createTempDir())
             .build();
@@ -163,10 +163,10 @@ public class SecurityNetty4HttpServerTransportTests extends ESTestCase {
 
     public void testNoExceptionWhenConfiguredWithoutSslKeySSLDisabled() throws Exception {
         MockSecureSettings secureSettings = new MockSecureSettings();
-        secureSettings.setString("xpack.ssl.secure_key_passphrase", "testnode");
+        secureSettings.setString("xpack.security.http.ssl.secure_key_passphrase", "testnode");
         Settings settings = Settings.builder()
-            .put("xpack.ssl.key", testnodeKey)
-            .put("xpack.ssl.certificate", testnodeCert)
+            .put("xpack.security.http.ssl.key", testnodeKey)
+            .put("xpack.security.http.ssl.certificate", testnodeCert)
             .setSecureSettings(secureSettings)
             .put("path.home", createTempDir())
             .build();

x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/netty4/SecurityNetty4ServerTransportTests.java

@@ -21,11 +21,9 @@ import org.elasticsearch.test.ESTestCase;
 import org.elasticsearch.threadpool.ThreadPool;
 import org.elasticsearch.xpack.core.security.transport.netty4.SecurityNetty4Transport;
 import org.elasticsearch.xpack.core.ssl.SSLClientAuth;
-import org.elasticsearch.xpack.core.ssl.SSLConfiguration;
 import org.elasticsearch.xpack.core.ssl.SSLService;
 import org.junit.Before;
 
-import javax.net.ssl.SSLEngine;
 import java.nio.file.Path;
 import java.util.Collections;
 import java.util.Locale;
@@ -44,11 +42,11 @@ public class SecurityNetty4ServerTransportTests extends ESTestCase {
         Path testnodeCert = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt");
         Path testnodeKey = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.pem");
         MockSecureSettings secureSettings = new MockSecureSettings();
-        secureSettings.setString("xpack.ssl.secure_key_passphrase", "testnode");
+        secureSettings.setString("xpack.security.transport.ssl.secure_key_passphrase", "testnode");
         Settings settings = Settings.builder()
             .put("xpack.security.transport.ssl.enabled", true)
-            .put("xpack.ssl.key", testnodeKey)
-            .put("xpack.ssl.certificate", testnodeCert)
+            .put("xpack.security.transport.ssl.key", testnodeKey)
+            .put("xpack.security.transport.ssl.certificate", testnodeCert)
             .setSecureSettings(secureSettings)
             .put("path.home", createTempDir())
             .build();
@@ -97,7 +95,7 @@ public class SecurityNetty4ServerTransportTests extends ESTestCase {
         String value = randomFrom(SSLClientAuth.REQUIRED.name(), SSLClientAuth.REQUIRED.name().toLowerCase(Locale.ROOT));
         Settings settings = Settings.builder()
                 .put(env.settings())
-                .put("xpack.ssl.client_authentication", value)
+                .put("xpack.security.transport.ssl.client_authentication", value)
                 .build();
         sslService = new SSLService(settings, env);
         SecurityNetty4Transport transport = createTransport(settings);
@@ -111,7 +109,7 @@ public class SecurityNetty4ServerTransportTests extends ESTestCase {
         String value = randomFrom(SSLClientAuth.NONE.name(), SSLClientAuth.NONE.name().toLowerCase(Locale.ROOT));
         Settings settings = Settings.builder()
                 .put(env.settings())
-                .put("xpack.ssl.client_authentication", value)
+                .put("xpack.security.transport.ssl.client_authentication", value)
                 .build();
         sslService = new SSLService(settings, env);
         SecurityNetty4Transport transport = createTransport(settings);
@@ -125,7 +123,7 @@ public class SecurityNetty4ServerTransportTests extends ESTestCase {
         String value = randomFrom(SSLClientAuth.OPTIONAL.name(), SSLClientAuth.OPTIONAL.name().toLowerCase(Locale.ROOT));
         Settings settings = Settings.builder()
                 .put(env.settings())
-                .put("xpack.ssl.client_authentication", value)
+                .put("xpack.security.transport.ssl.client_authentication", value)
                 .build();
         sslService = new SSLService(settings, env);
         SecurityNetty4Transport transport = createTransport(settings);
@@ -179,36 +177,4 @@ public class SecurityNetty4ServerTransportTests extends ESTestCase {
         assertThat(ch.pipeline().get(SslHandler.class).engine().getNeedClientAuth(), is(false));
         assertThat(ch.pipeline().get(SslHandler.class).engine().getWantClientAuth(), is(true));
     }
-
-    public void testTransportSSLOverridesGlobalSSL() throws Exception {
-        MockSecureSettings secureSettings = new MockSecureSettings();
-        secureSettings.setString("xpack.security.transport.ssl.secure_key_passphrase", "testnode");
-        Settings.Builder builder = Settings.builder()
-            .put("xpack.security.transport.ssl.enabled", true)
-            .put("xpack.security.transport.ssl.key",
-                getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.pem"))
-            .put("xpack.security.transport.ssl.certificate",
-                getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt"))
-            .put("xpack.security.transport.ssl.client_authentication", "none")
-            .put("xpack.ssl.certificate_authorities",
-                getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt"))
-            .setSecureSettings(secureSettings)
-            .put("path.home", createTempDir());
-        Settings settings = builder.build();
-        env = TestEnvironment.newEnvironment(settings);
-        sslService = new SSLService(settings, env);
-        SecurityNetty4Transport transport = createTransport(settings);
-        final ChannelHandler handler = transport.getServerChannelInitializer("default");
-        final EmbeddedChannel ch = new EmbeddedChannel(handler);
-        final SSLEngine engine = ch.pipeline().get(SslHandler.class).engine();
-        assertFalse(engine.getNeedClientAuth());
-        assertFalse(engine.getWantClientAuth());
-
-        // get the global and verify that it is different in that it requires client auth
-        SSLConfiguration configuration = sslService.getSSLConfiguration("xpack.ssl");
-        assertNotNull(configuration);
-        final SSLEngine globalEngine = sslService.createSSLEngine(configuration, null, -1);
-        assertTrue(globalEngine.getNeedClientAuth());
-        assertFalse(globalEngine.getWantClientAuth());
-    }
 }

x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/netty4/SslHostnameVerificationTests.java

@@ -35,7 +35,7 @@ public class SslHostnameVerificationTests extends SecurityIntegTestCase {
     protected Settings nodeSettings(int nodeOrdinal) {
         Settings settings = super.nodeSettings(nodeOrdinal);
         Settings.Builder settingsBuilder = Settings.builder();
-        settingsBuilder.put(settings.filter(k -> k.startsWith("xpack.ssl.") == false), false);
+        settingsBuilder.put(settings.filter(k -> k.startsWith("xpack.security.transport.ssl.") == false), false);
         Path keyPath;
         Path certPath;
         Path nodeCertPath;
@@ -58,14 +58,15 @@ public class SslHostnameVerificationTests extends SecurityIntegTestCase {
         }
 
         SecuritySettingsSource.addSecureSettings(settingsBuilder, secureSettings -> {
-            secureSettings.setString("xpack.ssl.secure_key_passphrase", "testnode-no-subjaltname");
+            secureSettings.setString("xpack.security.transport.ssl.secure_key_passphrase", "testnode-no-subjaltname");
         });
-        return settingsBuilder.put("xpack.ssl.key", keyPath.toAbsolutePath())
-            .put("xpack.ssl.certificate", certPath.toAbsolutePath())
-            .putList("xpack.ssl.certificate_authorities", Arrays.asList(certPath.toString(), nodeCertPath.toString()))
-                // disable hostname verification as this test uses certs without a valid SAN or DNS in the CN
-                .put("xpack.ssl.verification_mode", "certificate")
-                .build();
+        return settingsBuilder.put("xpack.security.transport.ssl.key", keyPath.toAbsolutePath())
+            .put("xpack.security.transport.ssl.certificate", certPath.toAbsolutePath())
+            .putList("xpack.security.transport.ssl.certificate_authorities",
+                     Arrays.asList(certPath.toString(), nodeCertPath.toString()))
+            // disable hostname verification as this test uses certs without a valid SAN or DNS in the CN
+            .put("xpack.security.transport.ssl.verification_mode", "certificate")
+            .build();
     }
 
     @Override
@@ -89,13 +90,13 @@ public class SslHostnameVerificationTests extends SecurityIntegTestCase {
         Settings settings = super.transportClientSettings();
         // remove all ssl settings
         Settings.Builder builder = Settings.builder();
-        builder.put(settings.filter( k -> k.startsWith("xpack.ssl.") == false), false);
+        builder.put(settings.filter(k -> k.startsWith("xpack.security.transport.ssl.") == false), false);
 
-        builder.put("xpack.ssl.verification_mode", "certificate")
-            .put("xpack.ssl.key", keyPath.toAbsolutePath())
-            .put("xpack.ssl.key_passphrase", "testnode-no-subjaltname")
-            .put("xpack.ssl.certificate", certPath.toAbsolutePath())
-            .putList("xpack.ssl.certificate_authorities", Arrays.asList(certPath.toString(), nodeCertPath.toString()));
+        builder.put("xpack.security.transport.ssl.verification_mode", "certificate")
+            .put("xpack.security.transport.ssl.key", keyPath.toAbsolutePath())
+            .put("xpack.security.transport.ssl.key_passphrase", "testnode-no-subjaltname")
+            .put("xpack.security.transport.ssl.certificate", certPath.toAbsolutePath())
+            .putList("xpack.security.transport.ssl.certificate_authorities", Arrays.asList(certPath.toString(), nodeCertPath.toString()));
         return builder.build();
     }
 
@@ -105,7 +106,7 @@ public class SslHostnameVerificationTests extends SecurityIntegTestCase {
         InetSocketAddress inetSocketAddress = transportAddress.address();
 
         Settings settings = Settings.builder().put(transportClientSettings())
-                .put("xpack.ssl.verification_mode", "full")
+                .put("xpack.security.transport.ssl.verification_mode", "full")
                 .build();
 
         try (TransportClient client = new TestXPackTransportClient(settings, LocalStateSecurity.class)) {

x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/nio/SecurityNioHttpServerTransportTests.java

@@ -52,10 +52,10 @@ public class SecurityNioHttpServerTransportTests extends ESTestCase {
         Path testNodeKey = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.pem");
         Path testNodeCert = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt");
         MockSecureSettings secureSettings = new MockSecureSettings();
-        secureSettings.setString("xpack.ssl.secure_key_passphrase", "testnode");
+        secureSettings.setString("xpack.security.http.ssl.secure_key_passphrase", "testnode");
         Settings settings = Settings.builder()
-            .put("xpack.ssl.key", testNodeKey)
-            .put("xpack.ssl.certificate", testNodeCert)
+            .put("xpack.security.http.ssl.key", testNodeKey)
+            .put("xpack.security.http.ssl.certificate", testNodeCert)
             .put("path.home", createTempDir())
             .setSecureSettings(secureSettings)
             .build();
@@ -173,9 +173,9 @@ public class SecurityNioHttpServerTransportTests extends ESTestCase {
 
     public void testThatExceptionIsThrownWhenConfiguredWithoutSslKey() {
         MockSecureSettings secureSettings = new MockSecureSettings();
-        secureSettings.setString("xpack.ssl.truststore.secure_password", "testnode");
+        secureSettings.setString("xpack.security.http.ssl.truststore.secure_password", "testnode");
         Settings settings = Settings.builder()
-            .put("xpack.ssl.truststore.path",
+            .put("xpack.security.http.ssl.truststore.path",
                 getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.jks"))
             .setSecureSettings(secureSettings)
             .put(XPackSettings.HTTP_SSL_ENABLED.getKey(), true)
@@ -193,9 +193,9 @@ public class SecurityNioHttpServerTransportTests extends ESTestCase {
 
     public void testNoExceptionWhenConfiguredWithoutSslKeySSLDisabled() {
         MockSecureSettings secureSettings = new MockSecureSettings();
-        secureSettings.setString("xpack.ssl.truststore.secure_password", "testnode");
+        secureSettings.setString("xpack.security.http.ssl.truststore.secure_password", "testnode");
         Settings settings = Settings.builder()
-            .put("xpack.ssl.truststore.path",
+            .put("xpack.security.http.ssl.truststore.path",
                 getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.jks"))
             .setSecureSettings(secureSettings)
             .put("path.home", createTempDir())

x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/ssl/EllipticCurveSSLTests.java

@@ -42,11 +42,13 @@ public class EllipticCurveSSLTests extends SecurityIntegTestCase {
         final Path keyPath = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/prime256v1-key.pem");
         final Path certPath = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/prime256v1-cert.pem");
         return Settings.builder()
-                .put(super.nodeSettings(nodeOrdinal).filter(s -> s.startsWith("xpack.ssl") == false))
-                .put("xpack.ssl.key", keyPath)
-                .put("xpack.ssl.certificate", certPath)
-                .put("xpack.ssl.certificate_authorities", certPath)
-                .put("xpack.ssl.verification_mode", "certificate") // disable hostname verificate since these certs aren't setup for that
+                .put(super.nodeSettings(nodeOrdinal).filter(s -> s.startsWith("xpack.security.transport.ssl") == false))
+                .put("xpack.security.transport.ssl.enabled", true)
+                .put("xpack.security.transport.ssl.key", keyPath)
+                .put("xpack.security.transport.ssl.certificate", certPath)
+                .put("xpack.security.transport.ssl.certificate_authorities", certPath)
+                // disable hostname verificate since these certs aren't setup for that
+                .put("xpack.security.transport.ssl.verification_mode", "certificate")
                 .build();
     }
 
@@ -55,11 +57,13 @@ public class EllipticCurveSSLTests extends SecurityIntegTestCase {
         final Path keyPath = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/prime256v1-key.pem");
         final Path certPath = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/prime256v1-cert.pem");
         return Settings.builder()
-                .put(super.transportClientSettings().filter(s -> s.startsWith("xpack.ssl") == false))
-                .put("xpack.ssl.key", keyPath)
-                .put("xpack.ssl.certificate", certPath)
-                .put("xpack.ssl.certificate_authorities", certPath)
-                .put("xpack.ssl.verification_mode", "certificate") // disable hostname verification since these certs aren't setup for that
+                .put(super.transportClientSettings().filter(s -> s.startsWith("xpack.security.transport.ssl") == false))
+                .put("xpack.security.transport.ssl.enabled", true)
+                .put("xpack.security.transport.ssl.key", keyPath)
+                .put("xpack.security.transport.ssl.certificate", certPath)
+                .put("xpack.security.transport.ssl.certificate_authorities", certPath)
+                // disable hostname verificate since these certs aren't setup for that
+                .put("xpack.security.transport.ssl.verification_mode", "certificate")
                 .build();
     }
 

x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/ssl/SslIntegrationTests.java

@@ -48,6 +48,7 @@ import javax.net.ssl.SSLContext;
 import javax.net.ssl.SSLHandshakeException;
 import javax.net.ssl.TrustManagerFactory;
 
+import static org.elasticsearch.test.SecuritySettingsSource.addSSLSettingsForNodePEMFiles;
 import static org.elasticsearch.test.SecuritySettingsSource.addSSLSettingsForPEMFiles;
 import static org.hamcrest.CoreMatchers.is;
 import static org.hamcrest.Matchers.containsString;
@@ -61,8 +62,9 @@ public class SslIntegrationTests extends SecurityIntegTestCase {
 
     @Override
     protected Settings nodeSettings(int nodeOrdinal) {
-        return Settings.builder().put(super.nodeSettings(nodeOrdinal))
-                .put("xpack.security.http.ssl.enabled", true).build();
+        final Settings.Builder builder = Settings.builder().put(super.nodeSettings(nodeOrdinal));
+        addSSLSettingsForNodePEMFiles(builder, "xpack.security.http.", randomBoolean());
+        return builder.put("xpack.security.http.ssl.enabled", true).build();
     }
 
     @Override
@@ -82,7 +84,7 @@ public class SslIntegrationTests extends SecurityIntegTestCase {
                 .put(transportClientSettings())
                 .put("node.name", "programmatic_transport_client")
                 .put("cluster.name", internalCluster().getClusterName())
-                .putList("xpack.ssl.cipher_suites", unconfiguredCiphers)
+                .putList("xpack.security.transport.ssl.cipher_suites", unconfiguredCiphers)
                 .build(), LocalStateSecurity.class)) {
 
             TransportAddress transportAddress = randomFrom(internalCluster().getInstance(Transport.class).boundAddress().boundAddresses());
@@ -101,7 +103,7 @@ public class SslIntegrationTests extends SecurityIntegTestCase {
                 .put(transportClientSettings())
                 .put("node.name", "programmatic_transport_client")
                 .put("cluster.name", internalCluster().getClusterName())
-                .putList("xpack.ssl.supported_protocols", new String[]{"SSLv3"})
+                .putList("xpack.security.transport.ssl.supported_protocols", new String[]{"SSLv3"})
                 .build(), LocalStateSecurity.class)) {
 
             TransportAddress transportAddress = randomFrom(internalCluster().getInstance(Transport.class).boundAddress().boundAddresses());
@@ -120,13 +122,14 @@ public class SslIntegrationTests extends SecurityIntegTestCase {
             builder, "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testclient.pem",
             "testclient",
             "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testclient.crt",
+            "xpack.security.http.",
             Arrays.asList("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt"));
         SSLService service = new SSLService(builder.build(), null);
 
         CredentialsProvider provider = new BasicCredentialsProvider();
         provider.setCredentials(AuthScope.ANY, new UsernamePasswordCredentials(nodeClientUsername(),
                 new String(nodeClientPassword().getChars())));
-        SSLConfiguration sslConfiguration = service.getSSLConfiguration("xpack.ssl");
+        SSLConfiguration sslConfiguration = service.getSSLConfiguration("xpack.security.http.ssl");
         try (CloseableHttpClient client = HttpClients.custom()
                 .setSSLSocketFactory(new SSLConnectionSocketFactory(service.sslSocketFactory(sslConfiguration),
                         SSLConnectionSocketFactory.getDefaultHostnameVerifier()))

x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/ssl/SslMultiPortTests.java

@@ -24,6 +24,7 @@ import java.util.Arrays;
 import java.util.Collections;
 
 import static org.elasticsearch.test.SecuritySettingsSource.TEST_USER_NAME;
+import static org.elasticsearch.test.SecuritySettingsSource.addSSLSettingsForNodePEMFiles;
 import static org.elasticsearch.test.SecuritySettingsSource.addSSLSettingsForPEMFiles;
 import static org.elasticsearch.test.SecuritySettingsSourceField.TEST_PASSWORD;
 import static org.hamcrest.CoreMatchers.is;
@@ -61,17 +62,17 @@ public class SslMultiPortTests extends SecurityIntegTestCase {
             throw new RuntimeException(e);
         }
 
-        Settings settings = Settings.builder()
-            .put(super.nodeSettings(nodeOrdinal))
-            // client set up here
-            .put("transport.profiles.client.port", randomClientPortRange)
+        Settings.Builder builder = Settings.builder().put(super.nodeSettings(nodeOrdinal));
+        addSSLSettingsForNodePEMFiles(builder, "transport.profiles.client.xpack.security.", true);
+        builder.put("transport.profiles.client.port", randomClientPortRange)
             // make sure this is "localhost", no matter if ipv4 or ipv6, but be consistent
             .put("transport.profiles.client.bind_host", "localhost")
-            .put("transport.profiles.client.xpack.security.ssl.certificate_authorities", trustCert.toAbsolutePath())
-            .put("transport.profiles.no_client_auth.port", randomNoClientAuthPortRange)
+            .put("transport.profiles.client.xpack.security.ssl.certificate_authorities", trustCert.toAbsolutePath());
+        addSSLSettingsForNodePEMFiles(builder, "transport.profiles.no_client_auth.xpack.security.", true);
+        builder.put("transport.profiles.no_client_auth.port", randomNoClientAuthPortRange)
             .put("transport.profiles.no_client_auth.bind_host", "localhost")
-            .put("transport.profiles.no_client_auth.xpack.security.ssl.client_authentication", SSLClientAuth.NONE)
-            .build();
+            .put("transport.profiles.no_client_auth.xpack.security.ssl.client_authentication", SSLClientAuth.NONE);
+        final Settings settings = builder.build();
         logger.info("node {} settings:\n{}", nodeOrdinal, settings);
         return settings;
     }
@@ -83,7 +84,7 @@ public class SslMultiPortTests extends SecurityIntegTestCase {
 
     private TransportClient createTransportClient(Settings additionalSettings) {
         Settings settings = Settings.builder()
-                .put(transportClientSettings().filter(s -> s.startsWith("xpack.ssl") == false))
+                .put(transportClientSettings().filter(s -> s.startsWith("xpack.security.transport.ssl") == false))
                 .put("node.name", "programmatic_transport_client")
                 .put("cluster.name", internalCluster().getClusterName())
                 .put("xpack.security.transport.ssl.enabled", true)
@@ -270,7 +271,7 @@ public class SslMultiPortTests extends SecurityIntegTestCase {
             .put(SecurityField.USER_SETTING.getKey(), TEST_USER_NAME + ":" + TEST_PASSWORD)
             .put("cluster.name", internalCluster().getClusterName())
             .put("xpack.security.transport.ssl.enabled", true)
-            .put("xpack.ssl.certificate_authorities",
+            .put("xpack.security.transport.ssl.certificate_authorities",
                 getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt"))
             .build();
         try (TransportClient transportClient = new TestXPackTransportClient(settings,
@@ -290,8 +291,8 @@ public class SslMultiPortTests extends SecurityIntegTestCase {
             .put(SecurityField.USER_SETTING.getKey(), TEST_USER_NAME + ":" + TEST_PASSWORD)
             .put("cluster.name", internalCluster().getClusterName())
             .put("xpack.security.transport.ssl.enabled", true)
-            .put("xpack.ssl.client_authentication", SSLClientAuth.REQUIRED)
-            .put("xpack.ssl.certificate_authorities",
+            .put("xpack.security.transport.ssl.client_authentication", SSLClientAuth.REQUIRED)
+            .put("xpack.security.transport.ssl.certificate_authorities",
                 getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt"))
             .build();
         try (TransportClient transportClient = new TestXPackTransportClient(settings,
@@ -314,8 +315,8 @@ public class SslMultiPortTests extends SecurityIntegTestCase {
             .put(SecurityField.USER_SETTING.getKey(), TEST_USER_NAME + ":" + TEST_PASSWORD)
             .put("cluster.name", internalCluster().getClusterName())
             .put("xpack.security.transport.ssl.enabled", true)
-            .put("xpack.ssl.client_authentication", SSLClientAuth.REQUIRED)
-            .put("xpack.ssl.certificate_authorities",
+            .put("xpack.security.transport.ssl.client_authentication", SSLClientAuth.REQUIRED)
+            .put("xpack.security.transport.ssl.certificate_authorities",
                 getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt"))
             .build();
         try (TransportClient transportClient = new TestXPackTransportClient(settings,
@@ -337,7 +338,7 @@ public class SslMultiPortTests extends SecurityIntegTestCase {
         Settings settings = Settings.builder()
             .put(SecurityField.USER_SETTING.getKey(), TEST_USER_NAME + ":" + TEST_PASSWORD)
             .put("cluster.name", internalCluster().getClusterName())
-            .put("xpack.ssl.client_authentication", SSLClientAuth.REQUIRED)
+            .put("xpack.security.transport.ssl.client_authentication", SSLClientAuth.REQUIRED)
             .put("xpack.security.transport.ssl.enabled", true)
             .build();
         try (TransportClient transportClient = new TestXPackTransportClient(settings,
@@ -359,7 +360,7 @@ public class SslMultiPortTests extends SecurityIntegTestCase {
         Settings settings = Settings.builder()
             .put(SecurityField.USER_SETTING.getKey(), TEST_USER_NAME + ":" + TEST_PASSWORD)
             .put("cluster.name", internalCluster().getClusterName())
-            .put("xpack.ssl.client_authentication", SSLClientAuth.REQUIRED)
+            .put("xpack.security.transport.ssl.client_authentication", SSLClientAuth.REQUIRED)
             .put("xpack.security.transport.ssl.enabled", true)
             .build();
         try (TransportClient transportClient = new TestXPackTransportClient(settings,
@@ -381,7 +382,7 @@ public class SslMultiPortTests extends SecurityIntegTestCase {
         Settings settings = Settings.builder()
             .put(SecurityField.USER_SETTING.getKey(), TEST_USER_NAME + ":" + TEST_PASSWORD)
             .put("cluster.name", internalCluster().getClusterName())
-            .put("xpack.ssl.client_authentication", SSLClientAuth.REQUIRED)
+            .put("xpack.security.transport.ssl.client_authentication", SSLClientAuth.REQUIRED)
             .put("xpack.security.transport.ssl.enabled", true)
             .build();
         try (TransportClient transportClient = new TestXPackTransportClient(settings,

x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/ssl/SSLClientAuthTests.java

@@ -17,6 +17,7 @@ import org.elasticsearch.client.Response;
 import org.elasticsearch.client.RestClient;
 import org.elasticsearch.client.transport.TransportClient;
 import org.elasticsearch.common.settings.MockSecureSettings;
+import org.elasticsearch.common.settings.SecureString;
 import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.common.transport.TransportAddress;
 import org.elasticsearch.test.SecurityIntegTestCase;
@@ -31,14 +32,17 @@ import org.elasticsearch.xpack.security.LocalStateSecurity;
 import javax.net.ssl.KeyManager;
 import javax.net.ssl.SSLContext;
 import javax.net.ssl.TrustManager;
-
+import java.io.ByteArrayOutputStream;
 import java.io.IOException;
+import java.io.InputStream;
+import java.io.UncheckedIOException;
 import java.nio.file.Files;
 import java.nio.file.Path;
 import java.security.SecureRandom;
 import java.security.cert.CertPathBuilderException;
 import java.util.Arrays;
 import java.util.Collections;
+import java.util.HashSet;
 
 import static org.elasticsearch.xpack.core.security.authc.support.UsernamePasswordToken.basicAuthHeaderValue;
 import static org.hamcrest.Matchers.containsString;
@@ -54,13 +58,41 @@ public class SSLClientAuthTests extends SecurityIntegTestCase {
 
     @Override
     protected Settings nodeSettings(int nodeOrdinal) {
-        return Settings.builder()
-                .put(super.nodeSettings(nodeOrdinal))
+        Settings baseSettings = super.nodeSettings(nodeOrdinal);
+
+        Settings.Builder builder = Settings.builder().put(baseSettings);
+        baseSettings.getByPrefix("xpack.security.transport.ssl.")
+                .keySet()
+                .forEach(k -> {
+                    String httpKey = "xpack.security.http.ssl." + k;
+                    String value = baseSettings.get("xpack.security.transport.ssl." + k);
+                    if (value != null) {
+                        builder.put(httpKey, baseSettings.get("xpack.security.transport.ssl." + k));
+                    }
+                });
+
+        MockSecureSettings secureSettings = (MockSecureSettings) builder.getSecureSettings();
+        for (String key : new HashSet<>(secureSettings.getSettingNames())) {
+            SecureString value = secureSettings.getString(key);
+            if (value == null) {
+                try {
+                    if (key.startsWith("xpack.security.transport.ssl.")) {
+                        byte[] file = toByteArray(secureSettings.getFile(key));
+                        secureSettings.setFile(key.replace("xpack.security.transport.ssl.", "xpack.security.http.ssl."), file);
+                    }
+                } catch (IOException e) {
+                    throw new UncheckedIOException(e);
+                }
+            } else if (key.startsWith("xpack.security.transport.ssl.")) {
+                secureSettings.setString(key.replace("xpack.security.transport.ssl.", "xpack.security.http.ssl."), value.toString());
+            }
+        }
+
+        return builder
                 // invert the require auth settings
-                .put("xpack.ssl.client_authentication", SSLClientAuth.REQUIRED)
+                .put("xpack.security.transport.ssl.client_authentication", SSLClientAuth.NONE)
                 .put("xpack.security.http.ssl.enabled", true)
                 .put("xpack.security.http.ssl.client_authentication", SSLClientAuth.REQUIRED)
-                .put("transport.profiles.default.xpack.security.ssl.client_authentication", SSLClientAuth.NONE)
                 .build();
     }
 
@@ -109,13 +141,13 @@ public class SSLClientAuthTests extends SecurityIntegTestCase {
         }
 
         MockSecureSettings secureSettings = new MockSecureSettings();
-        secureSettings.setString("xpack.ssl.secure_key_passphrase", "testclient-client-profile");
+        secureSettings.setString("xpack.security.transport.ssl.secure_key_passphrase", "testclient-client-profile");
         Settings settings = Settings.builder()
             .put("xpack.security.transport.ssl.enabled", true)
-            .put("xpack.ssl.client_authentication", SSLClientAuth.NONE)
-            .put("xpack.ssl.key", keyPath)
-            .put("xpack.ssl.certificate", certPath)
-            .put("xpack.ssl.certificate_authorities", nodeCertPath)
+            .put("xpack.security.transport.ssl.client_authentication", SSLClientAuth.NONE)
+            .put("xpack.security.transport.ssl.key", keyPath)
+            .put("xpack.security.transport.ssl.certificate", certPath)
+            .put("xpack.security.transport.ssl.certificate_authorities", nodeCertPath)
             .setSecureSettings(secureSettings)
             .put("cluster.name", internalCluster().getClusterName())
             .put(SecurityField.USER_SETTING.getKey(), transportClientUsername() + ":" + new String(transportClientPassword().getChars()))
@@ -145,4 +177,15 @@ public class SSLClientAuthTests extends SecurityIntegTestCase {
             throw new ElasticsearchException("failed to initialize SSLContext", e);
         }
     }
+
+    private byte[] toByteArray(InputStream is) throws IOException {
+        ByteArrayOutputStream baos = new ByteArrayOutputStream();
+        byte[] internalBuffer = new byte[1024];
+        int read = is.read(internalBuffer);
+        while (read != -1) {
+            baos.write(internalBuffer, 0, read);
+            read = is.read(internalBuffer);
+        }
+        return baos.toByteArray();
+    }
 }

x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/ssl/SSLReloadIntegTests.java

@@ -72,16 +72,16 @@ public class SSLReloadIntegTests extends SecurityIntegTestCase {
 
         Settings settings = super.nodeSettings(nodeOrdinal);
         Settings.Builder builder = Settings.builder()
-                .put(settings.filter((s) -> s.startsWith("xpack.ssl.") == false));
-
+                .put(settings.filter((s) -> s.startsWith("xpack.security.transport.ssl.") == false));
         builder.put("path.home", createTempDir())
-            .put("xpack.ssl.key", nodeKeyPath)
-            .put("xpack.ssl.key_passphrase", "testnode")
-            .put("xpack.ssl.certificate", nodeCertPath)
-            .putList("xpack.ssl.certificate_authorities", Arrays.asList(nodeCertPath.toString(), clientCertPath.toString(),
-                updateableCertPath.toString()))
+            .put("xpack.security.transport.ssl.key", nodeKeyPath)
+            .put("xpack.security.transport.ssl.key_passphrase", "testnode")
+            .put("xpack.security.transport.ssl.certificate", nodeCertPath)
+            .putList("xpack.security.transport.ssl.certificate_authorities",
+                Arrays.asList(nodeCertPath.toString(), clientCertPath.toString(), updateableCertPath.toString()))
             .put("resource.reload.interval.high", "1s");
 
+        builder.put("xpack.security.transport.ssl.enabled", true);
         return builder.build();
     }
 
@@ -96,18 +96,18 @@ public class SSLReloadIntegTests extends SecurityIntegTestCase {
         Files.copy(getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode_updated.pem"), keyPath);
         Files.copy(getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode_updated.crt"), certPath);
         MockSecureSettings secureSettings = new MockSecureSettings();
-        secureSettings.setString("xpack.ssl.secure_key_passphrase", "testnode");
+        secureSettings.setString("xpack.security.transport.ssl.secure_key_passphrase", "testnode");
         Settings settings = Settings.builder()
             .put("path.home", createTempDir())
-            .put("xpack.ssl.key", keyPath)
-            .put("xpack.ssl.certificate", certPath)
-            .putList("xpack.ssl.certificate_authorities", Arrays.asList(nodeCertPath.toString(), clientCertPath.toString(),
-                updateableCertPath.toString()))
+            .put("xpack.security.transport.ssl.key", keyPath)
+            .put("xpack.security.transport.ssl.certificate", certPath)
+            .putList("xpack.security.transport.ssl.certificate_authorities",
+                Arrays.asList(nodeCertPath.toString(), clientCertPath.toString(), updateableCertPath.toString()))
             .setSecureSettings(secureSettings)
             .build();
         String node = randomFrom(internalCluster().getNodeNames());
         SSLService sslService = new SSLService(settings, TestEnvironment.newEnvironment(settings));
-        SSLConfiguration sslConfiguration = sslService.getSSLConfiguration("xpack.ssl");
+        SSLConfiguration sslConfiguration = sslService.getSSLConfiguration("xpack.security.transport.ssl");
         SSLSocketFactory sslSocketFactory = sslService.sslSocketFactory(sslConfiguration);
         TransportAddress address = internalCluster()
             .getInstance(Transport.class, node).boundAddress().publishAddress();

x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/ssl/SSLTrustRestrictionsTests.java

@@ -102,9 +102,9 @@ public class SSLTrustRestrictionsTests extends SecurityIntegTestCase {
         nodeSSL = Settings.builder()
                 .put("xpack.security.transport.ssl.enabled", true)
                 .put("xpack.security.transport.ssl.verification_mode", "certificate")
-                .putList("xpack.ssl.certificate_authorities", ca.getCertPath().toString())
-                .put("xpack.ssl.key", trustedCert.getKeyPath())
-                .put("xpack.ssl.certificate", trustedCert.getCertPath())
+                .putList("xpack.security.transport.ssl.certificate_authorities", ca.getCertPath().toString())
+                .put("xpack.security.transport.ssl.key", trustedCert.getKeyPath())
+                .put("xpack.security.transport.ssl.certificate", trustedCert.getCertPath())
                 .build();
     }
 
@@ -122,14 +122,14 @@ public class SSLTrustRestrictionsTests extends SecurityIntegTestCase {
 
         Settings parentSettings = super.nodeSettings(nodeOrdinal);
         Settings.Builder builder = Settings.builder()
-                .put(parentSettings.filter((s) -> s.startsWith("xpack.ssl.") == false))
+                .put(parentSettings.filter((s) -> s.startsWith("xpack.security.transport.ssl.") == false))
                 .put(nodeSSL);
 
         restrictionsPath = configPath.resolve("trust_restrictions.yml");
         restrictionsTmpPath = configPath.resolve("trust_restrictions.tmp");
 
         writeRestrictions("*.trusted");
-        builder.put("xpack.ssl.trust_restrictions.path", restrictionsPath);
+        builder.put("xpack.security.transport.ssl.trust_restrictions.path", restrictionsPath);
 
         return builder.build();
     }
@@ -152,7 +152,7 @@ public class SSLTrustRestrictionsTests extends SecurityIntegTestCase {
     protected Settings transportClientSettings() {
         Settings parentSettings = super.transportClientSettings();
         Settings.Builder builder = Settings.builder()
-                .put(parentSettings.filter((s) -> s.startsWith("xpack.ssl.") == false))
+                .put(parentSettings.filter((s) -> s.startsWith("xpack.security.transport.ssl.") == false))
                 .put(nodeSSL);
         return builder.build();
     }
@@ -224,15 +224,15 @@ public class SSLTrustRestrictionsTests extends SecurityIntegTestCase {
     private void tryConnect(CertificateInfo certificate) throws Exception {
         Settings settings = Settings.builder()
                 .put("path.home", createTempDir())
-                .put("xpack.ssl.key", certificate.getKeyPath())
-                .put("xpack.ssl.certificate", certificate.getCertPath())
-                .putList("xpack.ssl.certificate_authorities", ca.getCertPath().toString())
-                .put("xpack.ssl.verification_mode", "certificate")
+                .put("xpack.security.transport.ssl.key", certificate.getKeyPath())
+                .put("xpack.security.transport.ssl.certificate", certificate.getCertPath())
+                .putList("xpack.security.transport.ssl.certificate_authorities", ca.getCertPath().toString())
+                .put("xpack.security.transport.ssl.verification_mode", "certificate")
                 .build();
 
         String node = randomFrom(internalCluster().getNodeNames());
         SSLService sslService = new SSLService(settings, TestEnvironment.newEnvironment(settings));
-        SSLConfiguration sslConfiguration = sslService.getSSLConfiguration("xpack.ssl");
+        SSLConfiguration sslConfiguration = sslService.getSSLConfiguration("xpack.security.transport.ssl");
         SSLSocketFactory sslSocketFactory = sslService.sslSocketFactory(sslConfiguration);
         TransportAddress address = internalCluster().getInstance(Transport.class, node).boundAddress().publishAddress();
         try (SSLSocket socket = (SSLSocket) sslSocketFactory.createSocket(address.getAddress(), address.getPort())) {

x-pack/plugin/sql/qa/security/with-ssl/build.gradle

@@ -151,8 +151,10 @@ integTestCluster {
   setting 'xpack.security.transport.ssl.enabled', 'true'
 
   // ceremony to set up ssl
-  setting 'xpack.ssl.keystore.path', 'test-node.jks'
-  keystoreSetting 'xpack.ssl.keystore.secure_password', 'keypass'
+  setting 'xpack.security.transport.ssl.keystore.path', 'test-node.jks'
+  keystoreSetting 'xpack.security.transport.ssl.keystore.secure_password', 'keypass'
+  setting 'xpack.security.http.ssl.keystore.path', 'test-node.jks'
+  keystoreSetting 'xpack.security.http.ssl.keystore.secure_password', 'keypass'
 
   setting 'xpack.license.self_generated.type', 'trial'
 

x-pack/plugin/watcher/src/test/java/org/elasticsearch/xpack/watcher/common/http/HttpClientTests.java

@@ -81,7 +81,7 @@ public class HttpClientTests extends ESTestCase {
     }
 
     @After
-    public void shutdown() throws Exception {
+    public void shutdown() throws IOException {
         webServer.close();
         httpClient.close();
     }
@@ -179,30 +179,22 @@ public class HttpClientTests extends ESTestCase {
         Path certPath = getDataPath("/org/elasticsearch/xpack/security/keystore/testnode.crt");
         Path keyPath = getDataPath("/org/elasticsearch/xpack/security/keystore/testnode.pem");
         MockSecureSettings secureSettings = new MockSecureSettings();
-        Settings settings;
-        if (randomBoolean()) {
-            settings = Settings.builder()
-                .put("xpack.http.ssl.certificate_authorities", trustedCertPath)
-                .setSecureSettings(secureSettings)
-                .build();
-        } else {
-            settings = Settings.builder()
-                .put("xpack.ssl.certificate_authorities", trustedCertPath)
-                .setSecureSettings(secureSettings)
-                .build();
-        }
+        Settings settings = Settings.builder()
+            .put("xpack.http.ssl.certificate_authorities", trustedCertPath)
+            .setSecureSettings(secureSettings)
+            .build();
         try (HttpClient client = new HttpClient(settings, new SSLService(settings, environment), null, mockClusterService())) {
             secureSettings = new MockSecureSettings();
             // We can't use the client created above for the server since it is only a truststore
-            secureSettings.setString("xpack.ssl.secure_key_passphrase", "testnode");
+            secureSettings.setString("xpack.security.http.ssl.secure_key_passphrase", "testnode");
             Settings settings2 = Settings.builder()
-                .put("xpack.ssl.key", keyPath)
-                .put("xpack.ssl.certificate", certPath)
+                .put("xpack.security.http.ssl.key", keyPath)
+                .put("xpack.security.http.ssl.certificate", certPath)
                 .setSecureSettings(secureSettings)
                 .build();
 
             TestsSSLService sslService = new TestsSSLService(settings2, environment);
-            testSslMockWebserver(client, sslService.sslContext(), false);
+            testSslMockWebserver(client, sslService.sslContext("xpack.security.http.ssl"), false);
         }
     }
 
@@ -210,40 +202,27 @@ public class HttpClientTests extends ESTestCase {
         Path certPath = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode-no-subjaltname.crt");
         Path keyPath = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode-no-subjaltname.pem");
         Settings settings;
-        if (randomBoolean()) {
-            MockSecureSettings secureSettings = new MockSecureSettings();
-            Settings.Builder builder = Settings.builder()
-                .put("xpack.http.ssl.certificate_authorities", certPath);
-            if (inFipsJvm()) {
-                //Can't use TrustAllConfig in FIPS mode
-                builder.put("xpack.http.ssl.verification_mode", VerificationMode.CERTIFICATE);
-            } else {
-                builder.put("xpack.http.ssl.verification_mode", randomFrom(VerificationMode.NONE, VerificationMode.CERTIFICATE));
-            }
-            settings = builder.build();
+        Settings.Builder builder = Settings.builder()
+            .put("xpack.http.ssl.certificate_authorities", certPath);
+        if (inFipsJvm()) {
+            //Can't use TrustAllConfig in FIPS mode
+            builder.put("xpack.http.ssl.verification_mode", VerificationMode.CERTIFICATE);
         } else {
-            Settings.Builder builder = Settings.builder()
-                .put("xpack.ssl.certificate_authorities", certPath);
-            if (inFipsJvm()) {
-                //Can't use TrustAllConfig in FIPS mode
-                builder.put("xpack.ssl.verification_mode", VerificationMode.CERTIFICATE);
-            } else {
-                builder.put("xpack.ssl.verification_mode", randomFrom(VerificationMode.NONE, VerificationMode.CERTIFICATE));
-            }
-            settings = builder.build();
+            builder.put("xpack.http.ssl.verification_mode", randomFrom(VerificationMode.NONE, VerificationMode.CERTIFICATE));
         }
+        settings = builder.build();
         try (HttpClient client = new HttpClient(settings, new SSLService(settings, environment), null, mockClusterService())) {
             MockSecureSettings secureSettings = new MockSecureSettings();
             // We can't use the client created above for the server since it only defines a truststore
-            secureSettings.setString("xpack.ssl.secure_key_passphrase", "testnode-no-subjaltname");
+            secureSettings.setString("xpack.security.http.ssl.secure_key_passphrase", "testnode-no-subjaltname");
             Settings settings2 = Settings.builder()
-                .put("xpack.ssl.key", keyPath)
-                .put("xpack.ssl.certificate", certPath)
+                .put("xpack.security.http.ssl.key", keyPath)
+                .put("xpack.security.http.ssl.certificate", certPath)
                 .setSecureSettings(secureSettings)
                 .build();
 
             TestsSSLService sslService = new TestsSSLService(settings2, environment);
-            testSslMockWebserver(client, sslService.sslContext(), false);
+            testSslMockWebserver(client, sslService.sslContext("xpack.security.http.ssl"), false);
         }
     }
 
@@ -251,16 +230,16 @@ public class HttpClientTests extends ESTestCase {
         Path certPath = getDataPath("/org/elasticsearch/xpack/security/keystore/testnode.crt");
         Path keyPath = getDataPath("/org/elasticsearch/xpack/security/keystore/testnode.pem");
         MockSecureSettings secureSettings = new MockSecureSettings();
-        secureSettings.setString("xpack.ssl.secure_key_passphrase", "testnode");
+        secureSettings.setString("xpack.http.ssl.secure_key_passphrase", "testnode");
         Settings settings = Settings.builder()
-            .put("xpack.ssl.key", keyPath)
-            .put("xpack.ssl.certificate", certPath)
+            .put("xpack.http.ssl.key", keyPath)
+            .put("xpack.http.ssl.certificate", certPath)
             .setSecureSettings(secureSettings)
             .build();
 
         TestsSSLService sslService = new TestsSSLService(settings, environment);
         try (HttpClient client = new HttpClient(settings, sslService, null, mockClusterService())) {
-            testSslMockWebserver(client, sslService.sslContext(), true);
+            testSslMockWebserver(client, sslService.sslContext("xpack.http.ssl"), true);
         }
     }
 
@@ -387,19 +366,18 @@ public class HttpClientTests extends ESTestCase {
         // on top of that the proxy request is HTTPS but the real request is HTTP only
         MockSecureSettings serverSecureSettings = new MockSecureSettings();
         // We can't use the client created above for the server since it is only a truststore
-        serverSecureSettings.setString("xpack.ssl.secure_key_passphrase", "testnode");
+        serverSecureSettings.setString("xpack.http.ssl.secure_key_passphrase", "testnode");
         Settings serverSettings = Settings.builder()
-            .put("xpack.ssl.key", keyPath)
-            .put("xpack.ssl.certificate", certPath)
+            .put("xpack.http.ssl.key", keyPath)
+            .put("xpack.http.ssl.certificate", certPath)
             .setSecureSettings(serverSecureSettings)
             .build();
         TestsSSLService sslService = new TestsSSLService(serverSettings, environment);
 
-        try (MockWebServer proxyServer = new MockWebServer(sslService.sslContext(), false)) {
+        try (MockWebServer proxyServer = new MockWebServer(sslService.sslContext(serverSettings.getByPrefix("xpack.http.ssl.")), false)) {
             proxyServer.enqueue(new MockResponse().setResponseCode(200).setBody("fullProxiedContent"));
             proxyServer.start();
 
-            MockSecureSettings secureSettings = new MockSecureSettings();
             Settings settings = Settings.builder()
                     .put(HttpSettings.PROXY_HOST.getKey(), "localhost")
                     .put(HttpSettings.PROXY_PORT.getKey(), proxyServer.getPort())

x-pack/qa/full-cluster-restart/build.gradle

@@ -172,8 +172,8 @@ subprojects {
 
       setting 'xpack.security.enabled', 'true'
       setting 'xpack.security.transport.ssl.enabled', 'true'
-      setting 'xpack.ssl.keystore.path', 'testnode.jks'
-      setting 'xpack.ssl.keystore.password', 'testnode'
+      setting 'xpack.security.transport.ssl.keystore.path', 'testnode.jks'
+      setting 'xpack.security.transport.ssl.keystore.password', 'testnode'
       setting 'xpack.license.self_generated.type', 'trial'
       dependsOn copyTestNodeKeystore
       extraConfigFile 'testnode.jks', new File(outputDir + '/testnode.jks')
@@ -217,8 +217,8 @@ subprojects {
       // some tests rely on the translog not being flushed
       setting 'indices.memory.shard_inactive_time', '20m'
       setting 'xpack.security.enabled', 'true'
-      setting 'xpack.ssl.keystore.path', 'testnode.jks'
-      keystoreSetting 'xpack.ssl.keystore.secure_password', 'testnode'
+      setting 'xpack.security.transport.ssl.keystore.path', 'testnode.jks'
+      keystoreSetting 'xpack.security.transport.ssl.keystore.secure_password', 'testnode'
       setting 'xpack.license.self_generated.type', 'trial'
       dependsOn copyTestNodeKeystore
       extraConfigFile 'testnode.jks', new File(outputDir + '/testnode.jks')

x-pack/qa/openldap-tests/src/test/java/org/elasticsearch/test/OpenLdapTests.java

@@ -61,13 +61,12 @@ public class OpenLdapTests extends ESTestCase {
     private static final SecureString PASSWORD_SECURE_STRING = new SecureString(PASSWORD.toCharArray());
     public static final String REALM_NAME = "oldap-test";
 
-    private boolean useGlobalSSL;
     private SSLService sslService;
     private ThreadPool threadPool;
     private Settings globalSettings;
 
     @Before
-    public void init() throws Exception {
+    public void init() {
         threadPool = new TestThreadPool("OpenLdapTests thread pool");
     }
 
@@ -89,32 +88,19 @@ public class OpenLdapTests extends ESTestCase {
          * If we re-use a SSLContext, previously connected sessions can get re-established which breaks hostname
          * verification tests since a re-established connection does not perform hostname verification.
          */
-        useGlobalSSL = randomBoolean();
         MockSecureSettings mockSecureSettings = new MockSecureSettings();
         Settings.Builder builder = Settings.builder().put("path.home", createTempDir());
-        if (useGlobalSSL) {
-            builder.put("xpack.ssl.truststore.path", truststore);
-            mockSecureSettings.setString("xpack.ssl.truststore.secure_password", "changeit");
-
-            // configure realm to load config with certificate verification mode
-            builder.put("xpack.security.authc.realms.ldap." + REALM_NAME + ".ssl.truststore.path", truststore);
-            mockSecureSettings.setString("xpack.security.authc.realms.ldap." + REALM_NAME + ".ssl.truststore.secure_password", "changeit");
-            builder.put("xpack.security.authc.realms.ldap." + REALM_NAME + ".ssl.verification_mode", VerificationMode.CERTIFICATE);
-        } else {
-            // fake realms so ssl will get loaded
-            builder.put("xpack.security.authc.realms.ldap.foo.ssl.truststore.path", truststore);
-            mockSecureSettings.setString("xpack.security.authc.realms.ldap.foo.ssl.truststore.secure_password", "changeit");
-            builder.put("xpack.security.authc.realms.ldap.foo.ssl.verification_mode", VerificationMode.FULL);
-            builder.put("xpack.security.authc.realms.ldap." + REALM_NAME + ".ssl.truststore.path", truststore);
-            mockSecureSettings.setString("xpack.security.authc.realms.ldap." + REALM_NAME + ".ssl.truststore.secure_password", "changeit");
-            builder.put("xpack.security.authc.realms.ldap." + REALM_NAME + ".ssl.verification_mode", VerificationMode.CERTIFICATE);
-
-            // If not using global ssl, need to set the truststore for the "full verification" realm
-            builder.put("xpack.security.authc.realms.ldap.vmode_full.ssl.truststore.path", truststore);
-            mockSecureSettings.setString("xpack.security.authc.realms.ldap.vmode_full.ssl.truststore.secure_password", "changeit");
-        }
+        // fake realms so ssl will get loaded
+        builder.put("xpack.security.authc.realms.ldap.foo.ssl.truststore.path", truststore);
+        mockSecureSettings.setString("xpack.security.authc.realms.ldap.foo.ssl.truststore.secure_password", "changeit");
+        builder.put("xpack.security.authc.realms.ldap.foo.ssl.verification_mode", VerificationMode.FULL);
+        builder.put("xpack.security.authc.realms.ldap." + REALM_NAME + ".ssl.truststore.path", truststore);
+        mockSecureSettings.setString("xpack.security.authc.realms.ldap." + REALM_NAME + ".ssl.truststore.secure_password", "changeit");
+        builder.put("xpack.security.authc.realms.ldap." + REALM_NAME + ".ssl.verification_mode", VerificationMode.CERTIFICATE);
+
+        builder.put("xpack.security.authc.realms.ldap.vmode_full.ssl.truststore.path", truststore);
+        mockSecureSettings.setString("xpack.security.authc.realms.ldap.vmode_full.ssl.truststore.secure_password", "changeit");
         builder.put("xpack.security.authc.realms.ldap.vmode_full.ssl.verification_mode", VerificationMode.FULL);
-
         globalSettings = builder.setSecureSettings(mockSecureSettings).build();
         Environment environment = TestEnvironment.newEnvironment(globalSettings);
         sslService = new SSLService(globalSettings, environment);
@@ -290,11 +276,8 @@ public class OpenLdapTests extends ESTestCase {
         final String[] urls = {ldapUrl};
         final String[] templates = {userTemplate};
         Settings.Builder builder = Settings.builder()
-                .put(LdapTestCase.buildLdapSettings(realmId, urls, templates, groupSearchBase, scope, null, false));
+            .put(LdapTestCase.buildLdapSettings(realmId, urls, templates, groupSearchBase, scope, null, false));
         builder.put(getFullSettingKey(realmId.getName(), SearchGroupsResolverSettings.USER_ATTRIBUTE), "uid");
-        if (useGlobalSSL) {
-            return builder.build();
-        }
         return builder
             .put(getFullSettingKey(realmId, SSLConfigurationSettings.TRUST_STORE_PATH_REALM), getDataPath(LDAPTRUST_PATH))
             .put(getFullSettingKey(realmId, SSLConfigurationSettings.LEGACY_TRUST_STORE_PASSWORD_REALM), "changeit")

x-pack/qa/openldap-tests/src/test/java/org/elasticsearch/xpack/security/authc/ldap/OpenLdapUserSearchSessionFactoryTests.java

@@ -60,13 +60,13 @@ public class OpenLdapUserSearchSessionFactoryTests extends ESTestCase {
          */
         globalSettings = Settings.builder()
             .put("path.home", createTempDir())
-            .put("xpack.ssl.certificate_authorities", caPath)
+            .put("xpack.security.authc.realms.ldap.ssl.certificate_authorities", caPath)
             .build();
         threadPool = new TestThreadPool("LdapUserSearchSessionFactoryTests");
     }
 
     @After
-    public void shutdown() throws InterruptedException {
+    public void shutdown() {
         terminate(threadPool);
     }
 

x-pack/qa/rolling-upgrade/build.gradle

@@ -157,8 +157,8 @@ subprojects {
       setting 'xpack.security.authc.token.enabled', 'true'
       setting 'xpack.security.audit.enabled', 'true'
       setting 'xpack.security.audit.outputs', 'index'
-      setting 'xpack.ssl.keystore.path', 'testnode.jks'
-      setting 'xpack.ssl.keystore.password', 'testnode'
+      setting 'xpack.security.transport.ssl.keystore.path', 'testnode.jks'
+      setting 'xpack.security.transport.ssl.keystore.password', 'testnode'
       dependsOn copyTestNodeKeystore
       extraConfigFile 'testnode.jks', new File(outputDir + '/testnode.jks')
       if (version.onOrAfter('7.0.0')) {
@@ -226,8 +226,8 @@ subprojects {
         setting 'xpack.license.self_generated.type', 'trial'
         setting 'xpack.security.enabled', 'true'
         setting 'xpack.security.transport.ssl.enabled', 'true'
-        setting 'xpack.ssl.keystore.path', 'testnode.jks'
-        keystoreSetting 'xpack.ssl.keystore.secure_password', 'testnode'
+        setting 'xpack.security.transport.ssl.keystore.path', 'testnode.jks'
+        keystoreSetting 'xpack.security.transport.ssl.keystore.secure_password', 'testnode'
         setting 'node.attr.upgraded', 'true'
         setting 'xpack.security.authc.token.enabled', 'true'
         setting 'xpack.security.audit.enabled', 'true'

x-pack/qa/smoke-test-plugins-ssl/build.gradle

@@ -57,16 +57,17 @@ integTestCluster {
   setting 'xpack.monitoring.collection.interval', '1s'
   setting 'xpack.monitoring.exporters._http.type', 'http'
   setting 'xpack.monitoring.exporters._http.enabled', 'false'
-  setting 'xpack.ssl.certificate_authorities', 'testnode.crt'
   setting 'xpack.monitoring.exporters._http.auth.username', 'monitoring_agent'
   setting 'xpack.monitoring.exporters._http.auth.password', 'x-pack-test-password'
   setting 'xpack.monitoring.exporters._http.ssl.verification_mode', 'full'
+  setting 'xpack.monitoring.exporters._http.ssl.certificate_authorities', 'testnode.crt'
 
   setting 'xpack.license.self_generated.type', 'trial'
   setting 'xpack.security.enabled', 'true'
   setting 'xpack.security.http.ssl.enabled', 'true'
   setting 'xpack.security.http.ssl.key', 'testnode.pem'
   setting 'xpack.security.http.ssl.certificate', 'testnode.crt'
+  setting 'xpack.security.http.ssl.certificate_authorities', 'testnode.crt'
   keystoreSetting 'xpack.security.http.ssl.secure_key_passphrase', 'testnode'
 
   setting 'xpack.ilm.enabled', 'false'

x-pack/qa/third-party/active-directory/src/test/java/org/elasticsearch/xpack/security/authc/ldap/ADLdapUserSearchSessionFactoryTests.java

@@ -7,7 +7,6 @@ package org.elasticsearch.xpack.security.authc.ldap;
 
 import org.elasticsearch.action.support.PlainActionFuture;
 import org.elasticsearch.common.Strings;
-import org.elasticsearch.common.settings.MockSecureSettings;
 import org.elasticsearch.common.settings.SecureString;
 import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.common.util.concurrent.ThreadContext;
@@ -50,23 +49,17 @@ public class ADLdapUserSearchSessionFactoryTests extends AbstractActiveDirectory
 
         globalSettings = Settings.builder()
             .put("path.home", createTempDir())
-            .put("xpack.ssl.certificate_authorities", certPath)
+            .put("xpack.security.authc.realms.active_directory.ad.ssl.certificate_authorities", certPath)
             .build();
         sslService = new SSLService(globalSettings, env);
         threadPool = new TestThreadPool("ADLdapUserSearchSessionFactoryTests");
     }
 
     @After
-    public void shutdown() throws InterruptedException {
+    public void shutdown() {
         terminate(threadPool);
     }
 
-    private MockSecureSettings newSecureSettings(String key, String value) {
-        MockSecureSettings secureSettings = new MockSecureSettings();
-        secureSettings.setString(key, value);
-        return secureSettings;
-    }
-
     @AwaitsFix(bugUrl = "https://github.com/elastic/elasticsearch/issues/35738")
     public void testUserSearchWithActiveDirectory() throws Exception {
         String groupSearchBase = "DC=ad,DC=test,DC=elasticsearch,DC=com";

x-pack/qa/third-party/active-directory/src/test/java/org/elasticsearch/xpack/security/authc/ldap/AbstractActiveDirectoryTestCase.java

@@ -58,12 +58,10 @@ public abstract class AbstractActiveDirectoryTestCase extends ESTestCase {
 
     protected SSLService sslService;
     protected Settings globalSettings;
-    protected boolean useGlobalSSL;
     protected List<String> certificatePaths;
 
     @Before
     public void initializeSslSocketFactory() throws Exception {
-        useGlobalSSL = randomBoolean();
         // We use certificates in PEM format and `ssl.certificate_authorities` instead of ssl.trustore
         // so that these tests can also run in a FIPS JVM where JKS keystores can't be used.
         certificatePaths = new ArrayList<>();
@@ -84,19 +82,12 @@ public abstract class AbstractActiveDirectoryTestCase extends ESTestCase {
          * verification tests since a re-established connection does not perform hostname verification.
          */
         Settings.Builder builder = Settings.builder().put("path.home", createTempDir());
-        if (useGlobalSSL) {
-            builder.putList("xpack.ssl.certificate_authorities", certificatePaths);
 
-            // fake realm to load config with certificate verification mode
-            builder.putList("xpack.security.authc.realms.bar.ssl.certificate_authorities", certificatePaths);
-            builder.put("xpack.security.authc.realms.bar.ssl.verification_mode", VerificationMode.CERTIFICATE);
-        } else {
-            // fake realms so ssl will get loaded
-            builder.putList("xpack.security.authc.realms.foo.ssl.certificate_authorities", certificatePaths);
-            builder.put("xpack.security.authc.realms.foo.ssl.verification_mode", VerificationMode.FULL);
-            builder.putList("xpack.security.authc.realms.bar.ssl.certificate_authorities", certificatePaths);
-            builder.put("xpack.security.authc.realms.bar.ssl.verification_mode", VerificationMode.CERTIFICATE);
-        }
+        // fake realms so ssl will get loaded
+        builder.putList("xpack.security.authc.realms.foo.ssl.certificate_authorities", certificatePaths);
+        builder.put("xpack.security.authc.realms.foo.ssl.verification_mode", VerificationMode.FULL);
+        builder.putList("xpack.security.authc.realms.bar.ssl.certificate_authorities", certificatePaths);
+        builder.put("xpack.security.authc.realms.bar.ssl.verification_mode", VerificationMode.CERTIFICATE);
         globalSettings = builder.build();
         Environment environment = TestEnvironment.newEnvironment(globalSettings);
         sslService = new SSLService(globalSettings, environment);
@@ -106,24 +97,22 @@ public abstract class AbstractActiveDirectoryTestCase extends ESTestCase {
                              LdapSearchScope scope, boolean hostnameVerification) {
         final String realmName = realmId.getName();
         Settings.Builder builder = Settings.builder()
-                .putList(getFullSettingKey(realmId, SessionFactorySettings.URLS_SETTING), ldapUrl)
-                .put(getFullSettingKey(realmName, ActiveDirectorySessionFactorySettings.AD_DOMAIN_NAME_SETTING), adDomainName)
-                .put(getFullSettingKey(realmName, ActiveDirectorySessionFactorySettings.AD_USER_SEARCH_BASEDN_SETTING), userSearchDN)
-                .put(getFullSettingKey(realmName, ActiveDirectorySessionFactorySettings.AD_USER_SEARCH_SCOPE_SETTING), scope)
-                .put(getFullSettingKey(realmName, ActiveDirectorySessionFactorySettings.AD_LDAP_PORT_SETTING), AD_LDAP_PORT)
-                .put(getFullSettingKey(realmName, ActiveDirectorySessionFactorySettings.AD_LDAPS_PORT_SETTING), AD_LDAPS_PORT)
-                .put(getFullSettingKey(realmName, ActiveDirectorySessionFactorySettings.AD_GC_LDAP_PORT_SETTING), AD_GC_LDAP_PORT)
-                .put(getFullSettingKey(realmName, ActiveDirectorySessionFactorySettings.AD_GC_LDAPS_PORT_SETTING), AD_GC_LDAPS_PORT)
-                .put(getFullSettingKey(realmId, SessionFactorySettings.FOLLOW_REFERRALS_SETTING), FOLLOW_REFERRALS);
+            .putList(getFullSettingKey(realmId, SessionFactorySettings.URLS_SETTING), ldapUrl)
+            .put(getFullSettingKey(realmName, ActiveDirectorySessionFactorySettings.AD_DOMAIN_NAME_SETTING), adDomainName)
+            .put(getFullSettingKey(realmName, ActiveDirectorySessionFactorySettings.AD_USER_SEARCH_BASEDN_SETTING), userSearchDN)
+            .put(getFullSettingKey(realmName, ActiveDirectorySessionFactorySettings.AD_USER_SEARCH_SCOPE_SETTING), scope)
+            .put(getFullSettingKey(realmName, ActiveDirectorySessionFactorySettings.AD_LDAP_PORT_SETTING), AD_LDAP_PORT)
+            .put(getFullSettingKey(realmName, ActiveDirectorySessionFactorySettings.AD_LDAPS_PORT_SETTING), AD_LDAPS_PORT)
+            .put(getFullSettingKey(realmName, ActiveDirectorySessionFactorySettings.AD_GC_LDAP_PORT_SETTING), AD_GC_LDAP_PORT)
+            .put(getFullSettingKey(realmName, ActiveDirectorySessionFactorySettings.AD_GC_LDAPS_PORT_SETTING), AD_GC_LDAPS_PORT)
+            .put(getFullSettingKey(realmId, SessionFactorySettings.FOLLOW_REFERRALS_SETTING), FOLLOW_REFERRALS)
+            .putList(getFullSettingKey(realmId, SSLConfigurationSettings.CAPATH_SETTING_REALM), certificatePaths);
         if (randomBoolean()) {
             builder.put(getFullSettingKey(realmId, SSLConfigurationSettings.VERIFICATION_MODE_SETTING_REALM),
                     hostnameVerification ? VerificationMode.FULL : VerificationMode.CERTIFICATE);
         } else {
             builder.put(getFullSettingKey(realmId, SessionFactorySettings.HOSTNAME_VERIFICATION_SETTING), hostnameVerification);
         }
-        if (useGlobalSSL == false) {
-            builder.putList(getFullSettingKey(realmId, SSLConfigurationSettings.CAPATH_SETTING_REALM), certificatePaths);
-        }
         return builder.build();
     }
 

x-pack/qa/third-party/active-directory/src/test/java/org/elasticsearch/xpack/security/authc/ldap/AbstractAdLdapRealmTestCase.java

@@ -103,13 +103,11 @@ public abstract class AbstractAdLdapRealmTestCase extends SecurityIntegTestCase
     protected static final String TESTNODE_CERT = "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt";
     protected static RealmConfig realmConfig;
     protected static List<RoleMappingEntry> roleMappings;
-    protected static boolean useGlobalSSL;
 
     @BeforeClass
     public static void setupRealm() {
         realmConfig = randomFrom(RealmConfig.values());
         roleMappings = realmConfig.selectRoleMappings(ESTestCase::randomBoolean);
-        useGlobalSSL = randomBoolean();
         LogManager.getLogger(AbstractAdLdapRealmTestCase.class).info(
                 "running test with realm configuration [{}], with direct group to role mapping [{}]. Settings [{}]",
                 realmConfig, realmConfig.mapGroupsAsRoles, realmConfig.settings);
@@ -128,13 +126,13 @@ public abstract class AbstractAdLdapRealmTestCase extends SecurityIntegTestCase
         Settings.Builder builder = Settings.builder();
         // don't use filter since it returns a prefixed secure setting instead of mock!
         Settings settingsToAdd = super.nodeSettings(nodeOrdinal);
-        builder.put(settingsToAdd.filter(k -> k.startsWith("xpack.ssl.") == false), false);
+        builder.put(settingsToAdd.filter(k -> k.startsWith("xpack.transport.security.ssl.") == false), false);
         MockSecureSettings mockSecureSettings = (MockSecureSettings) Settings.builder().put(settingsToAdd).getSecureSettings();
         if (mockSecureSettings != null) {
             MockSecureSettings filteredSecureSettings = new MockSecureSettings();
             builder.setSecureSettings(filteredSecureSettings);
             for (String secureSetting : mockSecureSettings.getSettingNames()) {
-                if (secureSetting.startsWith("xpack.ssl.") == false) {
+                if (secureSetting.startsWith("xpack.transport.security.ssl.") == false) {
                     SecureString secureString = mockSecureSettings.getString(secureSetting);
                     if (secureString == null) {
                         final byte[] fileBytes;
@@ -216,25 +214,6 @@ public abstract class AbstractAdLdapRealmTestCase extends SecurityIntegTestCase
                 .collect(Collectors.toList());
     }
 
-    @Override
-    protected Settings transportClientSettings() {
-        if (useGlobalSSL) {
-            Path key = getDataPath(TESTNODE_KEY);
-            Path cert = getDataPath(TESTNODE_CERT);
-            Settings.Builder builder = Settings.builder()
-                    .put(super.transportClientSettings().filter((s) -> s.startsWith("xpack.ssl.") == false));
-            addSslSettingsForKeyPair(builder, key, "testnode", cert, getNodeTrustedCertificates());
-            return builder.build();
-        } else {
-            return super.transportClientSettings();
-        }
-    }
-
-    @Override
-    protected boolean transportSSLEnabled() {
-        return useGlobalSSL;
-    }
-
     protected final void configureFileRoleMappings(Settings.Builder builder, List<RoleMappingEntry> mappings) {
         String content = getRoleMappingContent(RoleMappingEntry::getFileContent, mappings).stream().collect(Collectors.joining("\n"));
         Path nodeFiles = createTempDir();
@@ -310,11 +289,11 @@ public abstract class AbstractAdLdapRealmTestCase extends SecurityIntegTestCase
 
     private void addSslSettingsForKeyPair(Settings.Builder builder, Path key, String keyPassphrase, Path cert,
                                           List<String> certificateAuthorities) {
-        builder.put("xpack.ssl.key", key)
-            .put("xpack.ssl.key_passphrase", keyPassphrase)
-            .put("xpack.ssl.verification_mode", "certificate")
-            .put("xpack.ssl.certificate", cert)
-            .putList("xpack.ssl.certificate_authorities", certificateAuthorities);
+        builder.put("xpack.transport.security.ssl.key", key)
+            .put("xpack.transport.security.ssl.key_passphrase", keyPassphrase)
+            .put("xpack.transport.security.ssl.verification_mode", "certificate")
+            .put("xpack.transport.security.ssl.certificate", cert)
+            .putList("xpack.transport.security.ssl.certificate_authorities", certificateAuthorities);
     }
 
     /**
@@ -462,11 +441,8 @@ public abstract class AbstractAdLdapRealmTestCase extends SecurityIntegTestCase
                 .put(XPACK_SECURITY_AUTHC_REALMS_EXTERNAL + ".order", order)
                 .put(XPACK_SECURITY_AUTHC_REALMS_EXTERNAL + ".hostname_verification", false)
                 .put(XPACK_SECURITY_AUTHC_REALMS_EXTERNAL + ".unmapped_groups_as_roles", mapGroupsAsRoles)
-                .put(this.settings);
-            if (useGlobalSSL == false) {
-                builder.putList(XPACK_SECURITY_AUTHC_REALMS_EXTERNAL + ".ssl.certificate_authorities", certificateAuthorities);
-            }
-
+                .put(this.settings)
+                .putList(XPACK_SECURITY_AUTHC_REALMS_EXTERNAL + ".ssl.certificate_authorities", certificateAuthorities);
             return builder.build();
         }
 

x-pack/qa/third-party/active-directory/src/test/java/org/elasticsearch/xpack/security/authc/ldap/ActiveDirectorySessionFactoryTests.java

@@ -280,21 +280,16 @@ public class ActiveDirectorySessionFactoryTests extends AbstractActiveDirectoryT
         String groupSearchBase = "DC=ad,DC=test,DC=elasticsearch,DC=com";
         String userTemplate = "CN={0},CN=Users,DC=ad,DC=test,DC=elasticsearch,DC=com";
         Settings settings = Settings.builder()
-                .put(LdapTestCase.buildLdapSettings(
-                        new String[]{AD_LDAP_URL},
-                        new String[]{userTemplate},
-                        groupSearchBase,
-                        LdapSearchScope.SUB_TREE,
-                        null,
-                        true))
-                .put("follow_referrals", FOLLOW_REFERRALS)
-                .build();
-        if (useGlobalSSL == false) {
-            settings = Settings.builder()
-                .put(settings)
-                .putList("ssl.certificate_authorities", certificatePaths)
-                .build();
-        }
+            .put(LdapTestCase.buildLdapSettings(
+                    new String[]{AD_LDAP_URL},
+                    new String[]{userTemplate},
+                    groupSearchBase,
+                    LdapSearchScope.SUB_TREE,
+                    null,
+                    true))
+            .put("follow_referrals", FOLLOW_REFERRALS)
+            .putList("ssl.certificate_authorities", certificatePaths)
+            .build();
         RealmConfig config = configureRealm("ad-as-ldap-test", settings);
         LdapSessionFactory sessionFactory = new LdapSessionFactory(config, sslService, threadPool);
 
@@ -325,9 +320,7 @@ public class ActiveDirectorySessionFactoryTests extends AbstractActiveDirectoryT
             null,
             ignoreReferralErrors);
         final Settings.Builder builder = Settings.builder().put(settings).put(globalSettings);
-        if (useGlobalSSL == false) {
-            builder.putList(RealmSettings.realmSslPrefix(realmId) + "certificate_authorities", certificatePaths);
-        }
+        builder.putList(RealmSettings.realmSslPrefix(realmId) + "certificate_authorities", certificatePaths);
         settings = builder.build();
         RealmConfig config = new RealmConfig(realmId,
                 settings, TestEnvironment.newEnvironment(globalSettings),
@@ -352,12 +345,10 @@ public class ActiveDirectorySessionFactoryTests extends AbstractActiveDirectoryT
     public void testStandardLdapWithAttributeGroups() throws Exception {
         String userTemplate = "CN={0},CN=Users,DC=ad,DC=test,DC=elasticsearch,DC=com";
         Settings settings = LdapTestCase.buildLdapSettings(new String[]{AD_LDAP_URL}, userTemplate, false);
-        if (useGlobalSSL == false) {
-            settings = Settings.builder()
-                .put(settings)
-                .putList("ssl.certificate_authorities", certificatePaths)
-                .build();
-        }
+        settings = Settings.builder()
+            .put(settings)
+            .putList("ssl.certificate_authorities", certificatePaths)
+            .build();
         RealmConfig config = configureRealm("ad-as-ldap-test", settings);
         LdapSessionFactory sessionFactory = new LdapSessionFactory(config, sslService, threadPool);
 
@@ -412,9 +403,7 @@ public class ActiveDirectorySessionFactoryTests extends AbstractActiveDirectoryT
             builder.put(getFullSettingKey(REALM_ID, SessionFactorySettings.HOSTNAME_VERIFICATION_SETTING), hostnameVerification);
         }
 
-        if (useGlobalSSL == false) {
-            builder.putList(getFullSettingKey(REALM_ID, SSLConfigurationSettings.CAPATH_SETTING_REALM), certificatePaths);
-        }
+        builder.putList(getFullSettingKey(REALM_ID, SSLConfigurationSettings.CAPATH_SETTING_REALM), certificatePaths);
 
         if (useBindUser) {
             final String user = randomFrom("cap", "hawkeye", "hulk", "ironman", "thor", "blackwidow", "cap@ad.test.elasticsearch.com",

x-pack/qa/vagrant/src/test/resources/packaging/tests/certgen.bash

@@ -251,9 +251,12 @@ node.data: false
 discovery.zen.ping.unicast.hosts: ["127.0.0.1:9301"]
 cluster.initial_master_nodes: ["node-master"]
 
-xpack.ssl.key: $ESCONFIG/certs/node-master/node-master.key
-xpack.ssl.certificate: $ESCONFIG/certs/node-master/node-master.crt
-xpack.ssl.certificate_authorities: ["$ESCONFIG/certs/ca/ca.crt"]
+xpack.security.transport.ssl.key: $ESCONFIG/certs/node-master/node-master.key
+xpack.security.transport.ssl.certificate: $ESCONFIG/certs/node-master/node-master.crt
+xpack.security.transport.ssl.certificate_authorities: ["$ESCONFIG/certs/ca/ca.crt"]
+xpack.security.http.ssl.key: $ESCONFIG/certs/node-master/node-master.key
+xpack.security.http.ssl.certificate: $ESCONFIG/certs/node-master/node-master.crt
+xpack.security.http.ssl.certificate_authorities: ["$ESCONFIG/certs/ca/ca.crt"]
 
 xpack.security.transport.ssl.enabled: true
 transport.tcp.port: 9300
@@ -334,9 +337,12 @@ node.master: false
 node.data: true
 discovery.zen.ping.unicast.hosts: ["127.0.0.1:9300"]
 
-xpack.ssl.key: $ESCONFIG/certs/node-data/node-data.key
-xpack.ssl.certificate: $ESCONFIG/certs/node-data/node-data.crt
-xpack.ssl.certificate_authorities: ["$ESCONFIG/certs/ca/ca.crt"]
+xpack.security.transport.ssl.key: $ESCONFIG/certs/node-data/node-data.key
+xpack.security.transport.ssl.certificate: $ESCONFIG/certs/node-data/node-data.crt
+xpack.security.transport.ssl.certificate_authorities: ["$ESCONFIG/certs/ca/ca.crt"]
+xpack.security.http.ssl.key: $ESCONFIG/certs/node-data/node-data.key
+xpack.security.http.ssl.certificate: $ESCONFIG/certs//node-data/node-data.crt
+xpack.security.http.ssl.certificate_authorities: ["$ESCONFIG/certs/ca/ca.crt"]
 
 xpack.security.transport.ssl.enabled: true
 transport.tcp.port: 9301