forked from elastic/elasticsearch
-
Notifications
You must be signed in to change notification settings - Fork 1
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
[DOCS] Adds common definitions for security settings (elastic#51017)
Co-Authored-By: Tim Vernum <[email protected]>
- Loading branch information
Showing
6 changed files
with
361 additions
and
324 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,136 @@ | ||
| tag::ssl-certificate[] | ||
| Specifies the path for the PEM encoded certificate (or certificate chain) that is | ||
| associated with the key. | ||
| //TBD: This setting can be used only if `ssl.key` is set. | ||
| end::ssl-certificate[] | ||
|
|
||
| tag::ssl-certificate-authorities[] | ||
| List of paths to PEM encoded certificate files that should be trusted. | ||
| //TBD: You cannot use this setting and `ssl.truststore.path` at the same time. | ||
| end::ssl-certificate-authorities[] | ||
|
|
||
| tag::ssl-cipher-suites-values[] | ||
| include::{docdir}/settings/common-defs.asciidoc[tag=ssl-cipher-suites-values-java11] | ||
| end::ssl-cipher-suites-values[] | ||
|
|
||
| tag::ssl-cipher-suites-values-java11[] | ||
| Supported cipher suites vary depending on which version of Java you use. For | ||
| example, for version 11 the default value is `TLS_AES_256_GCM_SHA384`, | ||
| `TLS_AES_128_GCM_SHA256`, `TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384`, | ||
| `TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256`, `TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384`, | ||
| `TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256`, `TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384`, | ||
| `TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256`, `TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384`, | ||
| `TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256`, `TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA`, | ||
| `TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA`, `TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA`, | ||
| `TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA`, `TLS_RSA_WITH_AES_256_GCM_SHA384`, | ||
| `TLS_RSA_WITH_AES_128_GCM_SHA256`, `TLS_RSA_WITH_AES_256_CBC_SHA256`, | ||
| `TLS_RSA_WITH_AES_128_CBC_SHA256`, `TLS_RSA_WITH_AES_256_CBC_SHA`, | ||
| `TLS_RSA_WITH_AES_128_CBC_SHA`. For more information, see Oracle's | ||
| https://docs.oracle.com/en/java/javase/11/security/oracle-providers.html#GUID-7093246A-31A3-4304-AC5F-5FB6400405E2[Java Cryptography Architecture documentation]. | ||
| end::ssl-cipher-suites-values-java11[] | ||
|
|
||
| tag::ssl-key-pem[] | ||
| Path to a PEM encoded file containing the private key. | ||
| //TBD: You cannot use this setting and `ssl.keystore.path` at the same time. | ||
| end::ssl-key-pem[] | ||
|
|
||
| tag::ssl-key-passphrase[] | ||
| The passphrase that is used to decrypt the private key. Since the key might not | ||
| be encrypted, this value is optional. | ||
| //TBD: You cannot use this setting and `ssl.secure_key_passphrase` at the same time. | ||
| end::ssl-key-passphrase[] | ||
|
|
||
| tag::ssl-keystore-key-password[] | ||
| The password for the key in the keystore. The default is the keystore password. | ||
| //TBD: You cannot use this setting and `ssl.keystore.secure_key_password` at the same time. | ||
| end::ssl-keystore-key-password[] | ||
|
|
||
| tag::ssl-keystore-password[] | ||
| The password for the keystore. | ||
| //TBD: You cannot use this setting and `ssl.keystore.secure_password` at the same time. | ||
| end::ssl-keystore-password[] | ||
|
|
||
| tag::ssl-keystore-path[] | ||
| The path for the keystore file that contains a private key and certificate. | ||
| //TBD: It must be either a Java keystore (jks) or a PKCS#12 file. | ||
| //TBD: You cannot use this setting and `ssl.key` at the same time. | ||
| end::ssl-keystore-path[] | ||
|
|
||
| tag::ssl-keystore-secure-key-password[] | ||
| The password for the key in the keystore. The default is the keystore password. | ||
| //TBD: You cannot use this setting and `ssl.keystore.key_password` at the same time. | ||
| end::ssl-keystore-secure-key-password[] | ||
|
|
||
| tag::ssl-keystore-secure-password[] | ||
| The password for the keystore. | ||
| //TBD: You cannot use this setting and `ssl.keystore.password` at the same time. | ||
| end::ssl-keystore-secure-password[] | ||
|
|
||
| tag::ssl-keystore-type-pkcs12[] | ||
| The format of the keystore file. It must be either `jks` or `PKCS12`. If the | ||
| keystore path ends in ".p12", ".pfx", or ".pkcs12", this setting defaults | ||
| to `PKCS12`. Otherwise, it defaults to `jks`. | ||
| end::ssl-keystore-type-pkcs12[] | ||
|
|
||
| tag::ssl-secure-key-passphrase[] | ||
| The passphrase that is used to decrypt the private key. Since the key might not | ||
| be encrypted, this value is optional. | ||
| //TBD: You cannot use this setting and `ssl.key_passphrase` at the same time. | ||
| end::ssl-secure-key-passphrase[] | ||
|
|
||
| tag::ssl-supported-protocols[] | ||
| Supported protocols with versions. Valid protocols: `SSLv2Hello`, | ||
| `SSLv3`, `TLSv1`, `TLSv1.1`, `TLSv1.2`, `TLSv1.3`. If the JVM's SSL provider supports TLSv1.3, | ||
| the default is `TLSv1.3,TLSv1.2,TLSv1.1`. Otherwise, the default is | ||
| `TLSv1.2,TLSv1.1`. | ||
| + | ||
| -- | ||
| NOTE: If `xpack.security.fips_mode.enabled` is `true`, you cannot use `SSLv2Hello` | ||
| or `SSLv3`. See <<fips-140-compliance>>. | ||
|
|
||
| -- | ||
| end::ssl-supported-protocols[] | ||
|
|
||
| tag::ssl-truststore-password[] | ||
| The password for the truststore. | ||
| //TBD: You cannot use this setting and `ssl.truststore.secure_password` at the same time. | ||
| end::ssl-truststore-password[] | ||
|
|
||
| tag::ssl-truststore-path[] | ||
| The path for the keystore that contains the certificates to trust. It must be | ||
| either a Java keystore (jks) or a PKCS#12 file. | ||
| //TBD: You cannot use this setting and `ssl.certificate_authorities` at the same time. | ||
| end::ssl-truststore-path[] | ||
|
|
||
| tag::ssl-truststore-secure-password[] | ||
| Password for the truststore. | ||
| //TBD: You cannot use this setting and `ssl.truststore.password` at the same time. | ||
| end::ssl-truststore-secure-password[] | ||
|
|
||
| tag::ssl-truststore-type[] | ||
| The format of the truststore file. It must be either `jks` or `PKCS12`. If the | ||
| file name ends in ".p12", ".pfx" or "pkcs12", the default is `PKCS12`. | ||
| Otherwise, it defaults to `jks`. | ||
| end::ssl-truststore-type[] | ||
|
|
||
| tag::ssl-truststore-type-pkcs11[] | ||
| The format of the truststore file. For the Java keystore format, use `jks`. For | ||
| PKCS#12 files, use `PKCS12`. For a PKCS#11 token, use `PKCS11`. The default is | ||
| `jks`. | ||
| end::ssl-truststore-type-pkcs11[] | ||
|
|
||
| tag::ssl-verification-mode-values[] | ||
| Valid values are: | ||
| - `full`, which verifies that the provided certificate is signed by a trusted | ||
| authority (CA) and also verifies that the server's hostname (or IP address) | ||
| matches the names identified within the certificate. | ||
| - `certificate`, which verifies that the provided certificate is signed by a | ||
| trusted authority (CA), but does not perform any hostname verification. | ||
| - `none`, which performs _no verification_ of the server's certificate. This | ||
| mode disables many of the security benefits of SSL/TLS and should only be used | ||
| after very careful consideration. It is primarily intended as a temporary | ||
| diagnostic mechanism when attempting to resolve TLS errors; its use on | ||
| production clusters is strongly discouraged. | ||
| + | ||
| The default value is `full`. | ||
| end::ssl-verification-mode-values[] |
Oops, something went wrong.