Página inicial Explorar Ajuda
Entrar
lqb
/
elasticsearch
mirror de https://gitee.com/mirrors/elasticsearch.git
1
0
Fork 0
Arquivos Issues 0 Wiki
Tree: 43065ea536
Branches Tags
elasticsearch
/
docs
/
reference
/
security
/
securing-communications
/
tls-ad.asciidoc

tls-ad.asciidoc 2.3 KB
Histórico Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657 
  1. [role="xpack"]
    2. 

  2. [[tls-active-directory]]
    3. 

  3. ==== Encrypting communications between {es} and Active Directory
    4. 

  4. 

  5. To protect the user credentials that are sent for authentication, it's highly
    6. 

  6. recommended to encrypt communications between {es} and your Active Directory 
    7. 

  7. server. Connecting via SSL/TLS ensures that the identity of the Active Directory 
    8. 

  8. server is authenticated before {es} transmits the user credentials and the 
    9. 

  9. usernames and passwords are encrypted in transit. 
    10. 

  10. 

  11. Clients and nodes that connect via SSL/TLS to the Active Directory server need 
    12. 

  12. to have the Active Directory server's certificate or the server's root CA 
    13. 

  13. certificate installed in their keystore or truststore. 
    14. 

  14. 

  15. . Create the realm configuration for the `xpack.security.authc.realms` namespace 
    16. 

  16. in the `elasticsearch.yml` file. See <<configuring-ad-realm>>. 
    17. 

  17. 

  18. . Set the `url` attribute in the realm configuration to specify the LDAPS protocol
    19. 

  19. and the secure port number. For example, `url: ldaps://ad.example.com:636`.
    20. 

  20. 

  21. . Configure each node to trust certificates signed by the certificate authority 
    22. 

  22. (CA) that signed your Active Directory server certificates. 
    23. 

  23. +
    24. 

  24. --
    25. 

  25. The following example demonstrates how to trust a CA certificate (`cacert.pem`), 
    26. 

  26. which is located within the configuration directory:
    27. 

  27. 

  28. [source,shell]
    29. 

  29. --------------------------------------------------
    30. 

  30. xpack:
    31. 

  31.   security:
    32. 

  32.     authc:
    33. 

  33.       realms:
    34. 

  34.         active_directory:
    35. 

  35.           ad_realm:
    36. 

  36.             order: 0
    37. 

  37.             domain_name: ad.example.com
    38. 

  38.             url: ldaps://ad.example.com:636
    39. 

  39.             ssl:
    40. 

  40.               certificate_authorities: [ "ES_PATH_CONF/cacert.pem" ]
    41. 

  41. --------------------------------------------------
    42. 

  42. 

  43. The CA cert must be a PEM encoded certificate.
    44. 

  44. 

  45. For more information about these settings, see <<ref-ad-settings>>. 
    46. 

  46. --
    47. 

  47. 

  48. . Restart {es}.
    49. 

  49. 

  50. NOTE: By default, when you configure {es} to connect to Active Directory
    51. 

  51.       using SSL/TLS, it attempts to verify the hostname or IP address
    52. 

  52.       specified with the `url` attribute in the realm configuration with the
    53. 

  53.       values in the certificate. If the values in the certificate and realm
    54. 

  54.       configuration do not match, {es} does not allow a connection to the
    55. 

  55.       Active Directory server. This is done to protect against man-in-the-middle
    56. 

  56.       attacks. If necessary, you can disable this behavior by setting the 
    57. 

  57.       `ssl.verification_mode` property to `certificate`.
    58.