WARNING: Version 6.0 of Elasticsearch has passed its EOL date.
This documentation is no longer being maintained and may be removed. If you are running this version, we strongly advise you to upgrade. For the latest information, see the current release documentation.
You configure xpack.security
settings to
enable anonymous access
and perform message authentication,
set up document and field level security,
configure realms, and
encrypt communications with SSL.
All of these settings can be added to the elasticsearch.yml
configuration file,
with the exception of the secure settings, which you add to the Elasticsearch keystore.
For more information about creating and updating the Elasticsearch keystore, see
Secure Settings.
-
xpack.security.enabled
-
Set to
true
(default) to enable X-Pack security on the node.
If set to
false
inelasticsearch.yml
, X-Pack security is disabled. It also affects all Kibana instances that connect to this Elasticsearch instance; you do not need to disable X-Pack security in thosekibana.yml
files. For more information about disabling X-Pack security in specific Kibana instances, see Kibana security settings. -
xpack.security.hide_settings
-
A comma-separated list of settings that are omitted from the results of the
cluster nodes info API. You can use wildcards to include
multiple settings in the list. For example, the following value hides all the
settings for the ad1 realm:
xpack.security.authc.realms.ad1.*
. The API already omits allssl
settings,bind_dn
, andbind_password
due to the sensitive nature of the information.
-
xpack.security.authc.accept_default_password
-
In
elasticsearch.yml
, set this tofalse
to disable support for the default "changeme" password.
For more information, see Enabling anonymous access.
-
xpack.security.authc.anonymous.username
-
The username (principal) of the anonymous user. Defaults to
_es_anonymous_user
. -
xpack.security.authc.anonymous.roles
- The roles to associate with the anonymous user. Required.
-
xpack.security.authc.anonymous.authz_exception
-
When
true
, an HTTP 403 response is returned if the anonymous user does not have the appropriate permissions for the requested action. The user is not prompted to provide credentials to access the requested resource. When set tofalse
, a HTTP 401 is returned and the user can provide credentials with the appropriate permissions to gain access. Defaults totrue
.
You can set the following document and field level security
settings in elasticsearch.yml
. For more information, see
Setting up document and field
level security.
-
xpack.security.dls_fls.enabled
-
Set to
false
to prevent document and field level security from being configured. Defaults totrue
.
-
xpack.security.authc.token.enabled
-
Set to
false
to disable the built-in token service. Defaults totrue
unlessxpack.security.http.ssl.enabled
isfalse
andhttp.enabled
istrue
. This prevents sniffing the token from a connection over plain http. -
xpack.security.authc.token.passphrase
(Secure) - [6.0.0] Deprecated in 6.0.0. A secure passphrase that must be the same on each node and greater than 8 characters in length. This passphrase is used to derive a cryptographic key with which the tokens will be encrypted and authenticated. If this setting is not used, the cluster automatically generates a key, which is the recommended method.
-
xpack.security.authc.token.timeout
-
The length of time that a token is valid for. By default this value is
20m
or 20 minutes. The maximum value is 1 hour.
You configure realm settings in the xpack.security.authc.realms
namespace in elasticsearch.yml
. For example:
xpack.security.authc.realms: realm1: type: native order: 0 ... realm2: type: ldap order: 1 ... realm3: type: active_directory order: 2 ... ...
The valid settings vary depending on the realm type. For more information, see Setting up authentication.
-
type
-
The type of the realm:
native, `ldap
,active_directory
,pki
, orfile
. Required. -
order
-
The priority of the realm within the realm chain. Realms with a lower order are
consulted first. Although not required, use of this setting is strongly
recommended when you configure multiple realms. Defaults to
Integer.MAX_VALUE
. -
enabled
-
Indicates whether a realm is enabled. You can use this setting to disable a
realm without removing its configuration information. Defaults to
true
.
For a native realm, the type
must be set to native
. In addition to the
settings that are valid for all realms, you can specify
the following optional settings:
-
cache.ttl
-
The time-to-live for cached user entries. User credentials are
cached for this period of time. Specify the time period using the standard
Elasticsearch time units. Defaults to
20m
. -
cache.max_users
- The maximum number of user entries that can live in the cache at any given time. Defaults to 100,000.
-
cache.hash_algo
-
(Expert Setting) The hashing algorithm that is used for the
in-memory cached user credentials. For possible values, see
Cache hash algorithms. Defaults to
ssha256
.
-
cache.ttl
-
The time-to-live for cached user entries—user credentials are cached for
this configured period of time. Defaults to
20m
. Specify values using the standard Elasticsearch time units. Defaults to20m
. -
cache.max_users
- The maximum number of user entries that can live in the cache at a given time. Defaults to 100,000.
-
cache.hash_algo
-
(Expert Setting) The hashing algorithm that is used for the in-memory cached
user credentials. See the Cache hash algorithms table for
all possible values. Defaults to
ssha256
.
-
url
-
An LDAP URL in the format
ldap[s]://<server>:<port>
. Required. -
load_balance.type
-
The behavior to use when there are multiple LDAP URLs defined. For supported
values see LDAP load balancing and failover types.
Defaults to
failover
. -
load_balance.cache_ttl
-
When using
dns_failover
ordns_round_robin
as the load balancing type, this setting controls the amount of time to cache DNS lookups. Defaults to1h
. -
bind_dn
- The DN of the user that will be used to bind to the LDAP and perform searches. Only applicable in user search mode. If this is not specified, an anonymous bind will be attempted. Defaults to Empty.
-
bind_password
- The password for the user that will be used to bind to the LDAP. Defaults to Empty.
-
user_dn_templates
-
The DN template that replaces the user name with the string
{0}
. This element is multivalued; you can specify multiple user contexts. Required to operate in user template mode. Not valid ifuser_search.base_dn
is specified. For more information on the different modes, see LDAP realms. -
user_group_attribute
-
Specifies the attribute to examine on the user for group membership.
The default is
memberOf
. This setting will be ignored if anygroup_search
settings are specified. Defaults tomemberOf
. -
user_search.base_dn
- Specifies a container DN to search for users. Required to operated in user search mode. Not valid if `user_dn_templates is specified. For more information on the different modes, see LDAP realms.
-
user_search.scope
-
The scope of the user search. Valid values are
sub_tree
,one_level
orbase
.one_level
only searches objects directly contained within thebase_dn
.sub_tree
searches all objects contained underbase_dn
.base
specifies that thebase_dn
is the user object, and that it is the only user considered. Defaults tosub_tree
. -
user_search.filter
-
Specifies the filter used to search the directory in attempt to match
an entry with the username provided by the user. Defaults to
(uid={0})
.{0}
is substituted with the username provided when searching. -
user_search.attribute
-
This setting is deprecated; use
user_search.filter
instead. The attribute to match with the username presented to. Defaults touid
. -
user_search.pool.enabled
-
Enables or disables connection pooling for user search. When
disabled a new connection is created for every search. The
default is
true
whenbind_dn
is provided. -
user_search.pool.size
-
The maximum number of connections to the LDAP server to allow in the
connection pool. Defaults to
20
. -
user_search.pool.initial_size
-
The initial number of connections to create to the LDAP server on startup.
Defaults to
0
. -
user_search.pool.health_check.enabled
-
Flag to enable or disable a health check on LDAP connections in the connection
pool. Connections are checked in the background at the specified interval.
Defaults to
true
. -
user_search.pool.health_check.dn
-
The distinguished name to be retrieved as part of the health check.
Defaults to the value of
bind_dn
if present, and if not falls back touser_search.base_dn
. -
user_search.pool.health_check.interval
-
The interval to perform background checks of connections in the pool.
Defaults to
60s
. -
group_search.base_dn
-
The container DN to search for groups in which the user has membership. When
this element is absent, Security searches for the attribute specified by
user_group_attribute
set on the user in order to determine group membership. -
group_search.scope
-
Specifies whether the group search should be
sub_tree
,one_level
orbase
.one_level
only searches objects directly contained within thebase_dn
.sub_tree
searches all objects contained underbase_dn
.base
specifies that thebase_dn
is a group object, and that it is the only group considered. Defaults tosub_tree
. -
group_search.filter
-
When not set, the realm searches for
group
,groupOfNames
,groupOfUniqueNames
, orposixGroup
with the attributesmember
,memberOf
, ormemberUid
. Any instance of{0}
in the filter is replaced by the user attribute defined ingroup_search.user_attribute
. -
group_search.user_attribute
- Specifies the user attribute that will be fetched and provided as a parameter to the filter. If not set, the user DN is passed into the filter. Defaults to Empty.
-
unmapped_groups_as_roles
-
Takes a boolean variable. When this element is set to
true
, the names of any LDAP groups that are not referenced in a role-mapping file are used as role names and assigned to the user. Defaults tofalse
. -
files.role_mapping
-
The location for the
YAML role mapping configuration file. Defaults to
ES_PATH_CONF/x-pack/role_mapping.yml
. -
follow_referrals
-
Boolean value that specifies whether Securityshould follow referrals returned
by the LDAP server. Referrals are URLs returned by the server that are to be
used to continue the LDAP operation (e.g. search). Defaults to
true
. -
metadata
- A list of additional LDAP attributes that should be loaded from the LDAP server and stored in the authenticated user’s metadata field.
-
timeout.tcp_connect
-
The TCP connect timeout period for establishing an LDAP connection.
An
s
at the end indicates seconds, orms
indicates milliseconds. Defaults to5s
(5 seconds ). -
timeout.tcp_read
-
The TCP read timeout period after establishing an LDAP connection.
An
s
at the end indicates seconds, orms
indicates milliseconds. Defaults to5s
(5 seconds ). -
timeout.ldap_search
-
The LDAP Server enforced timeout period for an LDAP search.
An
s
at the end indicates seconds, orms
indicates milliseconds. Defaults to5s
(5 seconds ). -
ssl.key
- Path to a PEM encoded file containing the private key.
-
ssl.key_passphrase
- The passphrase that is used to decrypt the private key. This value is optional as the key may not be encrypted.
-
ssl.secure_key_passphrase
(Secure) - The passphrase that is used to decrypt the private key.
-
ssl.certificate
- Path to a PEM encoded file containing the certificate (or certificate chain) that will be presented to clients when they connect.
-
ssl.certificate_authorities
- List of paths to PEM encoded certificate files that should be trusted.
-
ssl.keystore.path
-
The path to the Java Keystore file that contains a private key and certificate.
ssl.key
andssl.keystore.path
may not be used at the same time. -
ssl.keystore.type
-
The format of the keystore file. Should be either
jks
to use the Java Keystore format, orPKCS12
to use PKCS#12 files. The default isjks
. -
ssl.keystore.password
- The password to the keystore.
-
ssl.keystore.secure_password
(Secure) - The password to the keystore.
-
ssl.keystore.key_password
- The password for the key in the keystore. Defaults to the keystore password.
-
ssl.keystore.secure_key_password
- The password for the key in the keystore. Defaults to the keystore password.
-
ssl.truststore.path
-
The path to the Java Keystore file that contains the certificates to trust.
ssl.certificate_authorities
andssl.truststore.path
may not be used at the same time. -
ssl.truststore.password
- The password to the truststore.
-
ssl.truststore.secure_password
(Secure) - The password to the truststore.
-
ssl.truststore.type
-
The format of the keystore file. Should be either
jks
to use the Java Keystore format, orPKCS12
to use PKCS#12 files. The default isjks
. -
ssl.verification_mode
-
Indicates the type of verification when using
ldaps
to protect against man in the middle attacks and certificate forgery. Values arenone
,certificate
, andfull
. Defaults to the value ofxpack.ssl.verification_mode
. -
ssl.supported_protocols
-
Supported protocols with versions. Defaults to the value of
xpack.ssl.supported_protocols
.
ssl.cipher_suites
Supported cipher suites can be found in Oracle’s
Java Cryptography Architecture documentation. Defaults to the value of
xpack.ssl.cipher_suites
.
-
cache.ttl
-
Specifies the time-to-live for cached user entries (a user and its credentials
are cached for this period of time). Use the standard Elasticsearch
time units). Defaults to
20m
. -
cache.max_users
-
Specifies the maximum number of user entries that the cache can contain.
Defaults to
100000
. -
cache.hash_algo
-
(Expert Setting) Specifies the hashing algorithm that is used for the
in-memory cached user credentials (see Cache hash algorithms
table for all possible values). Defaults to
ssha256
.
-
url
-
A URL in the format
ldap[s]://<server>:<port>
. Defaults toldap://<domain_name>:389
. -
load_balance.type
-
The behavior to use when there are multiple LDAP URLs defined. For supported
values see load balancing and failover types.
Defaults to
failover
. -
load_balance.cache_ttl
-
When using
dns_failover
ordns_round_robin
as the load balancing type, this setting controls the amount of time to cache DNS lookups. Defaults to1h
. -
domain_name
-
The domain name of Active Directory. The cluster can derive the URL and
user_search_dn
fields from values in this element if those fields are not otherwise specified. Required. -
bind_dn
- The DN of the user that will be used to bind to Active Directory and perform searches. Defaults to Empty.
-
bind_password
- The password for the user that will be used to bind to Active Directory. Defaults to Empty.
-
unmapped_groups_as_roles
-
Takes a boolean variable. When this element is set to
true
, the names of any LDAP groups that are not referenced in a role-mapping file are used as role names and assigned to the user. Defaults tofalse
. -
files.role_mapping
-
The location for the YAML
role mapping configuration file. Defaults to
ES_PATH_CONF/x-pack/role_mapping.yml
. -
user_search.base_dn
- The context to search for a user. Defaults to the root of the Active Directory domain.
-
user_search.scope
-
Specifies whether the user search should be
sub_tree
,one_level
orbase
.one_level
only searches users directly contained within thebase_dn
.sub_tree
searches all objects contained underbase_dn
.base
specifies that thebase_dn
is a user object, and that it is the only user considered. Defaults tosub_tree
. -
user_search.filter
-
Specifies a filter to use to lookup a user given a username. The default
filter looks up
user
objects with eithersAMAccountName
oruserPrincipalName
. -
user_search.upn_filter
-
Specifies a filter to use to lookup a user given a user principal name.
The default filter looks up
user
objects with a matchinguserPrincipalName
. If specified, this must be a valid LDAP user search filter, for example(&(objectClass=user)(userPrincipalName={1}))
.{1}
is the full user principal name provided by the user. -
user_search.down_level_filter
-
Specifies a filter to use to lookup a user given a down level logon name
(DOMAIN\user). The default filter looks up
user
objects with a matchingsAMAccountName
in the domain provided. If specified, this must be a valid LDAP user search filter, for example(&(objectClass=user)(sAMAccountName={0}))
. -
user_search.pool.enabled
-
Enables or disables connection pooling for user search. When
disabled a new connection is created for every search. The
default is
true
whenbind_dn
is provided. -
user_search.pool.size
-
The maximum number of connections to the Active Directory server to allow in the
connection pool. Defaults to
20
. -
user_search.pool.initial_size
-
The initial number of connections to create to the Active Directory server on startup.
Defaults to
0
. -
user_search.pool.health_check.enabled
-
Flag to enable or disable a health check on Active Directory connections in the connection
pool. Connections are checked in the background at the specified interval.
Defaults to
true
. -
user_search.pool.health_check.dn
-
The distinguished name to be retrieved as part of the health check.
Defaults to the value of
bind_dn
if it is a distinguished name. -
user_search.pool.health_check.interval
-
The interval to perform background checks of connections in the pool.
Defaults to
60s
. -
group_search.base_dn
- The context to search for groups in which the user has membership. Defaults to the root of the Active Directory domain.
-
group_search.scope
-
Specifies whether the group search should be
sub_tree
,one_level
orbase
.one_level
searches for groups directly contained within thebase_dn
.sub_tree
searches all objects contained underbase_dn
.base
specifies that thebase_dn
is a group object, and that it is the only group considered. Defaults tosub_tree
. -
metadata
- A list of additional LDAP attributes that should be loaded from the LDAP server and stored in the authenticated user’s metadata field.
-
timeout.tcp_connect
-
The TCP connect timeout period for establishing an LDAP connection.
An
s
at the end indicates seconds, orms
indicates milliseconds. Defaults to5s
(5 seconds ). -
timeout.tcp_read
-
The TCP read timeout period after establishing an LDAP connection.
An
s
at the end indicates seconds, orms
indicates milliseconds. Defaults to5s
(5 seconds ). -
timeout.ldap_search
-
The LDAP Server enforced timeout period for an LDAP search.
An
s
at the end indicates seconds, orms
indicates milliseconds. Defaults to5s
(5 seconds ). -
ssl.certificate
- Path to a PEM encoded file containing the certificate (or certificate chain) that will be presented to clients when they connect.
-
ssl.certificate_authorities
- List of paths to PEM encoded certificate files that should be trusted.
-
ssl.key
- Path to the PEM encoded file containing the private key.
-
ssl.key_passphrase
- The passphrase that is used to decrypt the private key. This value is optional as the key might not be encrypted.
-
ssl.secure_key_passphrase
(Secure) - The passphrase that is used to decrypt the private key. This value is optional as the key might not be encrypted.
-
ssl.keystore.key_password
- The password for the key in the keystore. Defaults to the keystore password.
-
ssl.keystore.secure_key_password
(Secure) - The password for the key in the keystore. Defaults to the keystore password.
-
ssl.keystore.password
- The password to the keystore.
-
ssl.secure_keystore.password
(Secure) - The password to the keystore.
-
ssl.keystore.path
- The path to the Java Keystore file that contains a private key and certificate.
-
ssl.keystore.type
-
The format of the keystore file. Should be either
jks
to use the Java Keystore format, orPKCS12
to use PKCS#12 files. The default isjks
. -
ssl.truststore.password
- The password to the truststore.
-
ssl.truststore.secure_password
(Secure) - The password to the truststore.
-
ssl.truststore.path
- The path to the Java Keystore file that contains the certificates to trust.
-
ssl.truststore.type
-
The format of the truststore file. Should be either
jks
to use the Java Keystore format, orPKCS12
to use PKCS#12 files. The default isjks
. -
ssl.verification_mode
-
Indicates the type of verification when using
ldaps
to protect against man in the middle attacks and certificate forgery. Values arenone
,certificate
, andfull
. Defaults to the value ofxpack.ssl.verification_mode
. -
ssl.supported_protocols
-
Supported protocols with versions. Defaults to the value of
xpack.ssl.supported_protocols
. -
ssl.cipher_suites
-
Supported cipher suites can be found in Oracle’s
Java Cryptography Architecture documentation. Defaults to the value of
xpack.ssl.cipher_suites
. -
cache.ttl
-
Specifies the time-to-live for cached user entries (user
credentials are cached for this configured period of time). Use the
standard Elasticsearch time units).
Defaults to
20m
. -
cache.max_users
-
Specifies the maximum number of user entries that the cache can contain.
Defaults to
100000
. -
cache.hash_algo
-
(Expert Setting) Specifies the hashing algorithm that will be used for
the in-memory cached user credentials (see Cache hash algorithms table for all possible values). Defaults to
ssha256
.
-
username_pattern
-
The regular expression pattern used to extract the username from the
certificate DN. The first match group is the used as the username.
Defaults to
CN=(.*?)(?:,\|$)
. -
certificate_authorities
-
List of paths to the PEM certificate files that should be used to authenticate a
user’s certificate as trusted. Defaults to the trusted certificates configured
for SSL. See the SSL settings
section of the PKI realm documentation for more information.
This setting cannot be used with
truststore.path
. -
truststore.algorithm
-
Algorithm for the truststore. Defaults to
SunX509
. -
truststore.password
-
The password for the truststore. Must be provided if
truststore.path
is set. -
truststore.secure_password
(Secure) - The password for the truststore.
-
truststore.path
-
The path of a truststore to use. Defaults to the trusted certificates configured
for SSL. See the
SSL settings section of the PKI realm
documentation for more information. This setting cannot be used with
certificate_authorities
. -
files.role_mapping
-
Specifies the location of the
YAML role mapping configuration file.
Defaults to
ES_PATH_CONF/x-pack/role_mapping.yml
.
You can configure the following TLS/SSL settings in
elasticsearch.yml
. For more information, see
Encrypting Communications. These settings will be used
for all of X-Pack unless they have been overridden by more specific
settings such as those for HTTP or Transport.
-
xpack.ssl.supported_protocols
-
Supported protocols with versions. Valid protocols:
SSLv2Hello
,SSLv3
,TLSv1
,TLSv1.1
,TLSv1.2
. Defaults toTLSv1.2
,TLSv1.1
,TLSv1
. -
xpack.ssl.client_authentication
-
Controls the server’s behavior in regard to requesting a certificate
from client connections. Valid values are
required
,optional
, andnone
.required
forces a client to present a certificate, whileoptional
requests a client certificate but the client is not required to present one. Defaults torequired
. -
xpack.ssl.verification_mode
-
Controls the verification of certificates. Valid values are
none
,certificate
, andfull
. Defaults tofull
. -
xpack.ssl.cipher_suites
-
Supported cipher suites can be found in Oracle’s
Java Cryptography Architecture documentation. Defaults to
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
,TLS_RSA_WITH_AES_128_CBC_SHA256
,TLS_RSA_WITH_AES_128_CBC_SHA
.
The following settings are used to specify a private key, certificate, and the trusted certificates that should be used when communicating over an SSL/TLS connection. If none of the settings below are specified, this will default to the X-Pack defaults. If no trusted certificates are configured, the default certificates that are trusted by the JVM will be trusted along with the certificate(s) from the key settings. The key and certificate must be in place for connections that require client authentication or when acting as a SSL enabled server.
When using PEM encoded files, use the following settings:
-
xpack.ssl.key
- Path to the PEM encoded file containing the private key.
-
xpack.ssl.key_passphrase
- The passphrase that is used to decrypt the private key. This value is optional as the key might not be encrypted.
-
xpack.ssl.secure_key_passphrase
({Secure) - The passphrase that is used to decrypt the private key. This value is optional as the key might not be encrypted.
-
xpack.ssl.certificate
- Path to a PEM encoded file containing the certificate (or certificate chain) that will be presented to clients when they connect.
-
xpack.ssl.certificate_authorities
- List of paths to the PEM encoded certificate files that should be trusted.
When using Java keystore files (JKS), which contain the private key, certificate and certificates that should be trusted, use the following settings:
-
xpack.ssl.keystore.path
- Path to the keystore that holds the private key and certificate.
-
xpack.ssl.keystore.password
- Password to the keystore.
-
xpack.ssl.keystore.secure_password
(Secure) - Password to the keystore.
-
xpack.ssl.keystore.key_password
-
Password for the private key in the keystore. Defaults to the
same value as
xpack.ssl.keystore.password
. -
xpack.ssl.keystore.secure_key_password
(Secure) - Password for the private key in the keystore.
-
xpack.ssl.truststore.path
- Path to the truststore file.
-
xpack.ssl.truststore.password
- Password to the truststore.
-
xpack.ssl.truststore.secure_password
(Secure) - Password to the truststore.
When using PKCS#12 container files (.p12
or .pfx
), which contain the
private key, certificate, and certificates that should be trusted, use
the following settings:
-
xpack.ssl.keystore.path
- Path to the PKCS#12 file that holds the private key and certificate.
-
xpack.ssl.keystore.type
-
Set this to
PKCS12
. -
xpack.ssl.keystore.password
- Password to the PKCS#12 file.
-
xpack.ssl.keystore.secure_password
(Secure) - Password to the PKCS#12 file.
-
xpack.ssl.keystore.key_password
-
Password for the private key in the PKCS12 file.
Defaults to the same value as
xpack.ssl.keystore.password
. -
xpack.ssl.keystore.secure_key_password
(Secure) - Password for the private key in the PKCS12 file.
-
xpack.ssl.truststore.path
- Path to the truststore file.
-
xpack.ssl.truststore.type
-
Set this to
PKCS12
. -
xpack.ssl.truststore.password
- Password to the truststore.
-
xpack.ssl.truststore.secure_password
(Secure) - Password to the truststore.
You can configure the following TLS/SSL settings. If the settings are not configured, the Default TLS/SSL Settings are used.
-
xpack.security.http.ssl.enabled
-
Used to enable or disable TLS/SSL. The default is
false
. -
xpack.security.http.ssl.supported_protocols
-
Supported protocols with versions. Valid protocols:
SSLv2Hello
,SSLv3
,TLSv1
,TLSv1.1
,TLSv1.2
. Defaults toTLSv1.2
,TLSv1.1
,TLSv1
. Defaults to the value ofxpack.ssl.supported_protocols
. -
xpack.security.http.ssl.client_authentication
-
Controls the server’s behavior in regard to requesting a certificate
from client connections. Valid values are
required
,optional
, andnone
.required
forces a client to present a certificate, whileoptional
requests a client certificate but the client is not required to present one. Defaults tonone
. -
xpack.security.http.ssl.cipher_suites
-
Supported cipher suites can be found in Oracle’s
Java Cryptography Architecture documentation. Defaults to the value of
xpack.ssl.cipher_suites
.
The following settings are used to specify a private key, certificate, and the trusted certificates that should be used when communicating over an SSL/TLS connection. If none of the settings below are specified, the Default TLS/SSL Settings are used. A private key and certificate must be configured. If none of the settings below are specified, the Default TLS/SSL Settings are used.
When using PEM encoded files, use the following settings:
-
xpack.security.http.ssl.key
- Path to a PEM encoded file containing the private key.
-
xpack.security.http.ssl.key_passphrase
- The passphrase that is used to decrypt the private key. This value is optional as the key might not be encrypted.
-
xpack.security.http.ssl.secure_key_passphrase
(Secure) - The passphrase that is used to decrypt the private key. This value is optional as the key might not be encrypted.
-
xpack.security.http.ssl.certificate
- Path to a PEM encoded file containing the certificate (or certificate chain) that will be presented when requested.
-
xpack.security.http.ssl.certificate_authorities
- List of paths to the PEM encoded certificate files that should be trusted.
When using Java keystore files (JKS), which contain the private key, certificate and certificates that should be trusted, use the following settings:
-
xpack.security.http.ssl.keystore.path
- Path to the keystore that holds the private key and certificate.
-
xpack.security.http.ssl.keystore.password
- Password to the keystore.
- +xpack.security.http.ssl.keystore.secure_password` (Secure)
- Password to the keystore.
-
xpack.security.http.ssl.keystore.key_password
-
Password for the private key in the keystore. Defaults to the
same value as
xpack.security.http.ssl.keystore.password
. -
xpack.security.http.ssl.keystore.secure_key_password
(Secure) - Password for the private key in the keystore.
-
xpack.security.http.ssl.truststore.path
- Path to the truststore file.
-
xpack.security.http.ssl.truststore.password
- Password to the truststore.
-
xpack.security.http.ssl.truststore.secure_password
(Secure) - Password to the truststore.
X-Pack security can be configured to use PKCS#12 container files (.p12
or .pfx
files)
that contain the private key, certificate and certificates that should be trusted.
PKCS#12 files are configured in the same way as Java Keystore Files:
-
xpack.security.http.ssl.keystore.path
- Path to the PKCS#12 file that holds the private key and certificate.
-
xpack.security.http.ssl.keystore.type
-
Set this to
PKCS12
to indicate that the keystore is a PKCS#12 file. -
xpack.security.http.ssl.keystore.password
- Password to the PKCS#12 file.
-
xpack.security.http.ssl.keystore.secure_password
(Secure) - Password to the PKCS#12 file.
-
xpack.security.http.ssl.keystore.key_password
-
Password for the private key stored in the PKCS#12 file.
Defaults to the same value as
xpack.security.http.ssl.keystore.password
. -
xpack.security.http.ssl.keystore.secure_key_password
(Secure) - Password for the private key stored in the PKCS#12 file.
-
xpack.security.http.ssl.truststore.path
- Path to the PKCS#12 file that holds the certificates to be trusted.
-
xpack.security.http.ssl.truststore.type
-
Set this to
PKCS12
to indicate that the truststore is a PKCS#12 file. -
xpack.security.http.ssl.truststore.password
- Password to the PKCS#12 file.
-
xpack.security.http.ssl.truststore.secure_password
(Secure) - Password to the PKCS#12 file.
You can configure the following TLS/SSL settings. If the settings are not configured, the Default TLS/SSL Settings are used.
-
xpack.security.transport.ssl.enabled
-
Used to enable or disable TLS/SSL. The default is
false
. -
xpack.security.transport.ssl.supported_protocols
-
Supported protocols with versions. Valid protocols:
SSLv2Hello
,SSLv3
,TLSv1
,TLSv1.1
,TLSv1.2
. Defaults toTLSv1.2
,TLSv1.1
,TLSv1
. Defaults to the value ofxpack.ssl.supported_protocols
. -
xpack.security.transport.ssl.client_authentication
-
Controls the server’s behavior in regard to requesting a certificate
from client connections. Valid values are
required
,optional
, andnone
.required
forces a client to present a certificate, whileoptional
requests a client certificate but the client is not required to present one. Defaults to the value ofxpack.ssl.client_authentication
. -
xpack.security.transport.ssl.verification_mode
-
Controls the verification of certificates. Valid values are
none
,certificate
, andfull
. Defaults to the value ofxpack.ssl.verification_mode
. -
xpack.security.transport.ssl.cipher_suites
-
Supported cipher suites can be found in Oracle’s
Java Cryptography Architecture documentation. Defaults to the value of
xpack.ssl.cipher_suites
.
The following settings are used to specify a private key, certificate, and the trusted certificates that should be used when communicating over an SSL/TLS connection. If none of the settings below are specified, the Default TLS/SSL Settings are used. A private key and certificate must be configured. If none of the settings below are specified, the Default TLS/SSL Settings are used.
When using PEM encoded files, use the following settings:
-
xpack.security.transport.ssl.key
- Path to a PEM encoded file containing the private key.
-
xpack.security.transport.ssl.key_passphrase
- The passphrase that is used to decrypt the private key. This value is optional as the key might not be encrypted.
-
xpack.security.transport.ssl.secure_key_passphrase
(Secure) - The passphrase that is used to decrypt the private key. This value is optional as the key might not be encrypted.
-
xpack.security.transport.ssl.certificate
- Path to a PEM encoded file containing the certificate (or certificate chain) that will be presented when requested.
-
xpack.security.transport.ssl.certificate_authorities
- List of paths to the PEM encoded certificate files that should be trusted.
When using Java keystore files (JKS), which contain the private key, certificate and certificates that should be trusted, use the following settings:
-
xpack.security.transport.ssl.keystore.path
- Path to the keystore that holds the private key and certificate.
-
xpack.security.transport.ssl.keystore.password
- Password to the keystore.
- +xpack.security.transport.ssl.keystore.secure_password` (Secure)
- Password to the keystore.
-
xpack.security.transport.ssl.keystore.key_password
-
Password for the private key in the keystore. Defaults to the
same value as
xpack.security.transport.ssl.keystore.password
. -
xpack.security.transport.ssl.keystore.secure_key_password
(Secure) - Password for the private key in the keystore.
-
xpack.security.transport.ssl.truststore.path
- Path to the truststore file.
-
xpack.security.transport.ssl.truststore.password
- Password to the truststore.
-
xpack.security.transport.ssl.truststore.secure_password
(Secure) - Password to the truststore.
X-Pack security can be configured to use PKCS#12 container files (.p12
or .pfx
files)
that contain the private key, certificate and certificates that should be trusted.
PKCS#12 files are configured in the same way as Java Keystore Files:
-
xpack.security.transport.ssl.keystore.path
- Path to the PKCS#12 file that holds the private key and certificate.
-
xpack.security.transport.ssl.keystore.type
-
Set this to
PKCS12
to indicate that the keystore is a PKCS#12 file. -
xpack.security.transport.ssl.keystore.password
- Password to the PKCS#12 file.
-
xpack.security.transport.ssl.keystore.secure_password
(Secure) - Password to the PKCS#12 file.
-
xpack.security.transport.ssl.keystore.key_password
-
Password for the private key stored in the PKCS#12 file.
Defaults to the same value as
xpack.security.transport.ssl.keystore.password
. -
xpack.security.transport.ssl.keystore.secure_key_password
(Secure) - Password for the private key stored in the PKCS#12 file.
-
xpack.security.transport.ssl.truststore.path
- Path to the PKCS#12 file that holds the certificates to be trusted.
-
xpack.security.transport.ssl.truststore.type
-
Set this to
PKCS12
to indicate that the truststore is a PKCS#12 file. -
xpack.security.transport.ssl.truststore.password
- Password to the PKCS#12 file.
-
xpack.security.transport.ssl.truststore.secure_password
(Secure) - Password to the PKCS#12 file.
The same settings that are available for the default transport are also available for each transport profile. By default, the settings for a transport profile will be the same as the default transport unless they are specified.
As an example, lets look at the key setting. For the default transport
this is xpack.security.transport.ssl.key
. In order to use this setting in a
transport profile, use the prefix transport.profiles.$PROFILE.xpack.security.
and
append the portion of the setting after xpack.security.transport.
. For the key
setting, this would be transport.profiles.$PROFILE.xpack.security.ssl.key
.
You can configure the following settings for IP filtering:
-
xpack.security.transport.filter.allow
- List of IP addresses to allow.
-
xpack.security.transport.filter.deny
- List of IP addresses to deny.
-
xpack.security.http.filter.allow
- List of IP addresses to allow just for HTTP.
-
xpack.security.http.filter.deny
- List of IP addresses to deny just for HTTP.
-
transport.profiles.$PROFILE.xpack.security.filter.allow
- List of IP addresses to allow for this profile.
-
transport.profiles.$PROFILE.xpack.security.filter.deny
- List of IP addresses to deny for this profile.