lqb
/
elasticsearch
mirror of https://gitee.com/mirrors/elasticsearch.git


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189
							==== {component} TLS/SSL settings
You can configure the following TLS/SSL settings.

ifdef::server[]
+{ssl-prefix}.ssl.enabled+::
(<<static-cluster-setting,Static>>)
Used to enable or disable TLS/SSL. The default is `false`.
endif::server[]

+{ssl-prefix}.ssl.supported_protocols+::
(<<static-cluster-setting,Static>>)
include::{es-repo-dir}/settings/common-defs.asciidoc[tag=ssl-supported-protocols]

ifdef::server[]
+{ssl-prefix}.ssl.client_authentication+::
(<<static-cluster-setting,Static>>)
Controls the server's behavior in regard to requesting a certificate
from client connections. Valid values are `required`, `optional`, and `none`.
`required` forces a client to present a certificate, while `optional`
requests a client certificate but the client is not required to present one.
ifndef::client-auth-default[]
Defaults to `none`.
endif::client-auth-default[]
ifdef::client-auth-default[]
Defaults to +{client-auth-default}+.
endif::client-auth-default[]
endif::server[]

ifdef::verifies[]
+{ssl-prefix}.ssl.verification_mode+::
(<<static-cluster-setting,Static>>)
Controls the verification of certificates.
include::{es-repo-dir}/settings/common-defs.asciidoc[tag=ssl-verification-mode-values]
endif::verifies[]

+{ssl-prefix}.ssl.cipher_suites+::
(<<static-cluster-setting,Static>>)
include::{es-repo-dir}/settings/common-defs.asciidoc[tag=ssl-cipher-suites-values]

[#{ssl-context}-tls-ssl-key-trusted-certificate-settings]
===== {component} TLS/SSL key and trusted certificate settings

The following settings are used to specify a private key, certificate, and the
trusted certificates that should be used when communicating over an SSL/TLS connection.
ifdef::server[]
A private key and certificate must be configured.
endif::server[]
ifndef::server[]
A private key and certificate are optional and would be used if the server requires client authentication for PKI
authentication.
endif::server[]

===== PEM encoded files

When using PEM encoded files, use the following settings:

+{ssl-prefix}.ssl.key+::
(<<static-cluster-setting,Static>>)
include::{es-repo-dir}/settings/common-defs.asciidoc[tag=ssl-key-pem]

+{ssl-prefix}.ssl.key_passphrase+::
(<<static-cluster-setting,Static>>)
include::{es-repo-dir}/settings/common-defs.asciidoc[tag=ssl-key-passphrase]

+{ssl-prefix}.ssl.secure_key_passphrase+::
(<<secure-settings,Secure>>)
include::{es-repo-dir}/settings/common-defs.asciidoc[tag=ssl-secure-key-passphrase]

+{ssl-prefix}.ssl.certificate+::
(<<static-cluster-setting,Static>>)
include::{es-repo-dir}/settings/common-defs.asciidoc[tag=ssl-certificate]

+{ssl-prefix}.ssl.certificate_authorities+::
(<<static-cluster-setting,Static>>)
include::{es-repo-dir}/settings/common-defs.asciidoc[tag=ssl-certificate-authorities]

===== Java keystore files

When using Java keystore files (JKS), which contain the private key, certificate
and certificates that should be trusted, use the following settings:

+{ssl-prefix}.ssl.keystore.path+::
(<<static-cluster-setting,Static>>)
include::{es-repo-dir}/settings/common-defs.asciidoc[tag=ssl-keystore-path]

+{ssl-prefix}.ssl.keystore.password+::
(<<static-cluster-setting,Static>>)
include::{es-repo-dir}/settings/common-defs.asciidoc[tag=ssl-keystore-password]

+{ssl-prefix}.ssl.keystore.secure_password+::
(<<secure-settings,Secure>>)
include::{es-repo-dir}/settings/common-defs.asciidoc[tag=ssl-keystore-secure-password]

+{ssl-prefix}.ssl.keystore.key_password+::
(<<static-cluster-setting,Static>>)
include::{es-repo-dir}/settings/common-defs.asciidoc[tag=ssl-keystore-key-password]

+{ssl-prefix}.ssl.keystore.secure_key_password+::
(<<secure-settings,Secure>>)
include::{es-repo-dir}/settings/common-defs.asciidoc[tag=ssl-keystore-secure-key-password]

+{ssl-prefix}.ssl.truststore.path+::
(<<static-cluster-setting,Static>>)
include::{es-repo-dir}/settings/common-defs.asciidoc[tag=ssl-truststore-path]

+{ssl-prefix}.ssl.truststore.password+::
(<<static-cluster-setting,Static>>)
include::{es-repo-dir}/settings/common-defs.asciidoc[tag=ssl-truststore-password]

+{ssl-prefix}.ssl.truststore.secure_password+::
(<<secure-settings,Secure>>)
include::{es-repo-dir}/settings/common-defs.asciidoc[tag=ssl-truststore-secure-password]

[#{ssl-context}-pkcs12-files]
===== PKCS#12 files

{es} can be configured to use PKCS#12 container files (`.p12` or `.pfx` files)
that contain the private key, certificate and certificates that should be trusted.

PKCS#12 files are configured in the same way as Java keystore files:

+{ssl-prefix}.ssl.keystore.path+::
(<<static-cluster-setting,Static>>)
include::{es-repo-dir}/settings/common-defs.asciidoc[tag=ssl-keystore-path]

+{ssl-prefix}.ssl.keystore.type+::
(<<static-cluster-setting,Static>>)
include::{es-repo-dir}/settings/common-defs.asciidoc[tag=ssl-keystore-type-pkcs12]

+{ssl-prefix}.ssl.keystore.password+::
(<<static-cluster-setting,Static>>)
include::{es-repo-dir}/settings/common-defs.asciidoc[tag=ssl-keystore-password]

+{ssl-prefix}.ssl.keystore.secure_password+::
(<<secure-settings,Secure>>)
include::{es-repo-dir}/settings/common-defs.asciidoc[tag=ssl-keystore-secure-password]

+{ssl-prefix}.ssl.keystore.key_password+::
(<<static-cluster-setting,Static>>)
include::{es-repo-dir}/settings/common-defs.asciidoc[tag=ssl-keystore-key-password]

+{ssl-prefix}.ssl.keystore.secure_key_password+::
(<<secure-settings,Secure>>)
include::{es-repo-dir}/settings/common-defs.asciidoc[tag=ssl-keystore-secure-key-password]

+{ssl-prefix}.ssl.truststore.path+::
(<<static-cluster-setting,Static>>)
include::{es-repo-dir}/settings/common-defs.asciidoc[tag=ssl-truststore-path]

+{ssl-prefix}.ssl.truststore.type+::
(<<static-cluster-setting,Static>>)
Set this to `PKCS12` to indicate that the truststore is a PKCS#12 file.
//TBD:Should this use the ssl-truststore-type-pkcs11 or ssl-truststore-type definition and default values?

+{ssl-prefix}.ssl.truststore.password+::
(<<static-cluster-setting,Static>>)
include::{es-repo-dir}/settings/common-defs.asciidoc[tag=ssl-truststore-password]

+{ssl-prefix}.ssl.truststore.secure_password+::
(<<secure-settings,Secure>>)
include::{es-repo-dir}/settings/common-defs.asciidoc[tag=ssl-truststore-secure-password]

[#{ssl-context}-pkcs11-tokens]
===== PKCS#11 tokens

{es} can be configured to use a PKCS#11 token that contains the private key,
certificate and certificates that should be trusted.

PKCS#11 token require additional configuration on the JVM level and can be enabled
via the following settings:

+{ssl-prefix}.keystore.type+::
(<<static-cluster-setting,Static>>)
Set this to `PKCS11` to indicate that the PKCS#11 token should be used as a keystore.
//TBD: Is the default value `jks`?

+{ssl-prefix}.truststore.type+::
(<<static-cluster-setting,Static>>)
include::{es-repo-dir}/settings/common-defs.asciidoc[tag=ssl-truststore-type-pkcs11]

[NOTE]
When configuring the PKCS#11 token that your JVM is configured to use as
a keystore or a truststore for Elasticsearch, the PIN for the token can be
configured by setting the appropriate value to `ssl.truststore.password`
or `ssl.truststore.secure_password` in the context that you are configuring.
Since there can only be one PKCS#11 token configured, only one keystore and
truststore will be usable for configuration in {es}. This in turn means
that only one certificate can be used for TLS both in the transport and the
http layer.