From b3a417d713f6afec0e14f86230ee46050f9b7809 Mon Sep 17 00:00:00 2001 
From: jaymode Date: Thu, 26 Apr 2018 12:45:55 -0600 Subject: [PATCH 01/10] Security: remove SSL settings fallback This commit removes the fallback for SSL settings. While this may be seen as a non user friendly change, the intention behind this change is to simplify the reasoning needed to understand what is actually being used for a given SSL configuration. Each configuration now needs to be explicitly specified as there is no global configuration or fallback to some other configuration. Closes #29797 --- .../netty4/SecurityNetty4Transport.java | 20 ++- .../xpack/core/ssl/SSLConfiguration.java | 64 +------ .../xpack/core/ssl/SSLService.java | 95 ++-------- .../ssl/SSLConfigurationReloaderTests.java | 46 ++--- .../xpack/core/ssl/SSLConfigurationTests.java | 77 ++------ .../xpack/core/ssl/SSLServiceTests.java | 168 +++++++++--------- .../xpack/core/ssl/TestsSSLService.java | 16 +- .../security/PkiRealmBootstrapCheck.java | 7 +- .../esnative/ESNativeRealmMigrateTool.java | 13 +- .../esnative/tool/CommandLineHttpClient.java | 3 +- .../authc/ldap/support/SessionFactory.java | 3 +- .../xpack/security/authc/saml/SamlRealm.java | 2 +- .../SecurityServerTransportInterceptor.java | 2 +- .../SecurityNetty4HttpServerTransport.java | 2 +- .../transport/nio/SecurityNioTransport.java | 20 ++- .../test/SecuritySettingsSource.java | 51 +++--- .../security/PkiRealmBootstrapCheckTests.java | 9 +- .../audit/index/IndexAuditTrailTests.java | 2 +- .../RemoteIndexAuditTrailStartingTests.java | 2 +- .../esnative/ESNativeMigrateToolTests.java | 32 ++-- .../tool/CommandLineHttpClientTests.java | 37 ++-- .../authc/pki/PkiAuthenticationTests.java | 9 +- .../authc/pki/PkiOptionalClientAuthTests.java | 6 + .../security/authc/saml/SamlRealmTests.java | 7 +- ...ServerTransportFilterIntegrationTests.java | 35 ++-- .../DNSOnlyHostnameVerificationTests.java | 20 +-- .../netty4/IPHostnameVerificationTests.java | 27 +-- ...ecurityNetty4HttpServerTransportTests.java | 4 +- 
.../SecurityNetty4ServerTransportTests.java | 10 +- .../netty4/SslHostnameVerificationTests.java | 26 +-- .../nio/SimpleSecurityNioTransportTests.java | 25 ++- .../transport/ssl/EllipticCurveSSLTests.java | 24 +-- .../transport/ssl/SslIntegrationTests.java | 21 ++- .../transport/ssl/SslMultiPortTests.java | 24 ++- .../xpack/ssl/SSLClientAuthTests.java | 48 ++++- .../xpack/ssl/SSLReloadIntegTests.java | 21 +-- .../xpack/ssl/SSLTrustRestrictionsTests.java | 22 +-- .../xpack/watcher/common/http/HttpClient.java | 2 +- .../watcher/common/http/HttpClientTests.java | 70 +++----- x-pack/qa/full-cluster-restart/build.gradle | 8 +- .../org/elasticsearch/test/OpenLdapTests.java | 31 +--- ...OpenLdapUserSearchSessionFactoryTests.java | 4 +- x-pack/qa/rolling-upgrade/build.gradle | 12 +- x-pack/qa/sql/security/ssl/build.gradle | 6 +- .../ADLdapUserSearchSessionFactoryTests.java | 4 +- .../ldap/AbstractActiveDirectoryTestCase.java | 34 ++-- .../ldap/AbstractAdLdapRealmTestCase.java | 28 +-- .../ActiveDirectorySessionFactoryTests.java | 39 ++-- .../resources/packaging/tests/certgen.bash | 18 +- 49 files changed, 539 insertions(+), 717 deletions(-) diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/transport/netty4/SecurityNetty4Transport.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/transport/netty4/SecurityNetty4Transport.java index a7ef1f0c02f4f..85db9ba0da05e 100644 --- a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/transport/netty4/SecurityNetty4Transport.java +++ b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/transport/netty4/SecurityNetty4Transport.java 
@@ -59,19 +59,29 @@ public SecurityNetty4Transport( this.sslEnabled = XPackSettings.TRANSPORT_SSL_ENABLED.get(settings); final Settings transportSSLSettings = settings.getByPrefix(setting("transport.ssl.")); if (sslEnabled) { - this.sslConfiguration = sslService.sslConfiguration(transportSSLSettings, Settings.EMPTY); + this.sslConfiguration = sslService.sslConfiguration(transportSSLSettings); Map profileSettingsMap = settings.getGroups("transport.profiles.", true); Map profileConfiguration = new HashMap<>(profileSettingsMap.size() + 1); for (Map.Entry entry : profileSettingsMap.entrySet()) { Settings profileSettings = entry.getValue(); final Settings profileSslSettings = profileSslSettings(profileSettings); - SSLConfiguration configuration = sslService.sslConfiguration(profileSslSettings, transportSSLSettings); + if (entry.getKey().equals(TcpTransport.DEFAULT_PROFILE)) { + // don't attempt to parse ssl settings from the profile; + // profiles need to be killed with fire + if (profileSslSettings.isEmpty()) { + continue; + } else { + throw new IllegalArgumentException("SSL settings should not be configured for the default profile. " + + "Use the [xpack.security.transport.ssl] settings instead."); + } + } + + SSLConfiguration configuration = sslService.sslConfiguration(profileSslSettings); profileConfiguration.put(entry.getKey(), configuration); } - if (profileConfiguration.containsKey(TcpTransport.DEFAULT_PROFILE) == false) { - profileConfiguration.put(TcpTransport.DEFAULT_PROFILE, sslConfiguration); - } + assert profileConfiguration.containsKey(TcpTransport.DEFAULT_PROFILE) == false; + profileConfiguration.put(TcpTransport.DEFAULT_PROFILE, sslConfiguration); this.profileConfiguration = Collections.unmodifiableMap(profileConfiguration); } else { 
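Review bot: A non-default transport profile that has no `ssl.*` settings of its own now reaches `sslService.sslConfiguration(profileSslSettings)` with empty settings, and with the fallback constructor removed elsewhere in this patch that yields a configuration whose key is `KeyConfig.NONE`, whereas the removed `sslConfiguration(profileSslSettings, transportSSLSettings)` call inherited the transport key. Such a profile would presumably only fail once a client connects and the server has no key to present. If inheritance is still intended, `SSLConfiguration configuration = profileSslSettings.isEmpty() ? sslConfiguration : sslService.sslConfiguration(profileSslSettings);` restores it; if explicit configuration is now required, fail at startup with `if (sslService.isConfigurationValidForServerUsage(configuration) == false) { throw new IllegalArgumentException("profile [" + entry.getKey() + "] has no SSL key configured"); }` (that method's name suggests it checks server-side usability; confirm). The profile loop in `SSLService.loadSSLConfigurations` in this patch has the same gap and should be handled the same way. The constructor begins before this hunk and continues past it.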
diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/ssl/SSLConfiguration.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/ssl/SSLConfiguration.java index a9ba62998bd6f..1819e85e12909 100644 --- a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/ssl/SSLConfiguration.java +++ b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/ssl/SSLConfiguration.java @@ -13,15 +13,11 @@ import org.elasticsearch.xpack.core.XPackSettings; import org.elasticsearch.xpack.core.ssl.cert.CertificateInfo; -import javax.net.ssl.KeyManagerFactory; -import javax.net.ssl.TrustManagerFactory; - import java.io.IOException; import java.nio.file.Path; import java.security.GeneralSecurityException; import java.util.ArrayList; import java.util.List; -import java.util.Objects; import static org.elasticsearch.xpack.core.ssl.SSLConfigurationSettings.getKeyStoreType; 
@@ -50,32 +46,14 @@ public final class SSLConfiguration { * @param settings the SSL specific settings; only the settings under a *.ssl. prefix */ SSLConfiguration(Settings settings) { - this.keyConfig = createKeyConfig(settings, (SSLConfiguration) null); - this.trustConfig = createTrustConfig(settings, keyConfig, null); + this.keyConfig = createKeyConfig(settings); + this.trustConfig = createTrustConfig(settings, keyConfig); this.ciphers = getListOrDefault(SETTINGS_PARSER.ciphers, settings, XPackSettings.DEFAULT_CIPHERS); this.supportedProtocols = getListOrDefault(SETTINGS_PARSER.supportedProtocols, settings, XPackSettings.DEFAULT_SUPPORTED_PROTOCOLS); this.sslClientAuth = SETTINGS_PARSER.clientAuth.get(settings).orElse(XPackSettings.CLIENT_AUTH_DEFAULT); this.verificationMode = SETTINGS_PARSER.verificationMode.get(settings).orElse(XPackSettings.VERIFICATION_MODE_DEFAULT); } - /** - * Creates a new SSLConfiguration from the given settings and global/default SSLConfiguration. If the settings do not contain a value - * for a given aspect, the value from the global configuration will be used. - * - * @param settings the SSL specific settings; only the settings under a *.ssl. 
prefix - * @param globalSSLConfiguration the default configuration that is used as a fallback - */ - SSLConfiguration(Settings settings, SSLConfiguration globalSSLConfiguration) { - Objects.requireNonNull(globalSSLConfiguration); - this.keyConfig = createKeyConfig(settings, globalSSLConfiguration); - this.trustConfig = createTrustConfig(settings, keyConfig, globalSSLConfiguration); - this.ciphers = getListOrDefault(SETTINGS_PARSER.ciphers, settings, globalSSLConfiguration.cipherSuites()); - this.supportedProtocols = getListOrDefault(SETTINGS_PARSER.supportedProtocols, settings, - globalSSLConfiguration.supportedProtocols()); - this.sslClientAuth = SETTINGS_PARSER.clientAuth.get(settings).orElse(globalSSLConfiguration.sslClientAuth()); - this.verificationMode = SETTINGS_PARSER.verificationMode.get(settings).orElse(globalSSLConfiguration.verificationMode()); - } - /** * The configuration for the key, if any, that will be used as part of this ssl configuration */ 
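Review bot: The Javadoc above `SSLConfiguration(Settings settings)`, which begins before this hunk, should now say that the settings are the sole source and name what an absent aspect resolves to, since the constructor that filled gaps from a global configuration is deleted here. Something like `* Any aspect not present in {@code settings} takes the built-in default: {@link KeyConfig#NONE}, {@link XPackSettings#DEFAULT_CIPHERS}, {@link XPackSettings#DEFAULT_SUPPORTED_PROTOCOLS}, {@link XPackSettings#CLIENT_AUTH_DEFAULT} and {@link XPackSettings#VERIFICATION_MODE_DEFAULT}; there is no fallback to any other configuration.` would do. Callers that used to pass `Settings.EMPTY` to obtain the global configuration will now silently get a key-less one, which is worth spelling out at the constructor.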
@@ -182,34 +160,20 @@ public int hashCode() { return result; } - private static KeyConfig createKeyConfig(Settings settings, SSLConfiguration global) { + private static KeyConfig createKeyConfig(Settings settings) { final String trustStoreAlgorithm = SETTINGS_PARSER.truststoreAlgorithm.get(settings); final KeyConfig config = CertUtils.createKeyConfig(SETTINGS_PARSER.x509KeyPair, settings, trustStoreAlgorithm); - if (config != null) { - return config; - } - if (global != null) { - return global.keyConfig(); - } - if (System.getProperty("javax.net.ssl.keyStore") != null) { - // TODO: we should not support loading a keystore from sysprops... - try (SecureString keystorePassword = new SecureString(System.getProperty("javax.net.ssl.keyStorePassword", ""))) { - return new StoreKeyConfig(System.getProperty("javax.net.ssl.keyStore"), "jks", keystorePassword, keystorePassword, - System.getProperty("ssl.KeyManagerFactory.algorithm", KeyManagerFactory.getDefaultAlgorithm()), - System.getProperty("ssl.TrustManagerFactory.algorithm", TrustManagerFactory.getDefaultAlgorithm())); - } - } - return KeyConfig.NONE; + return config == null ? 
KeyConfig.NONE : config; } - private static TrustConfig createTrustConfig(Settings settings, KeyConfig keyConfig, SSLConfiguration global) { - final TrustConfig trustConfig = createCertChainTrustConfig(settings, keyConfig, global); + private static TrustConfig createTrustConfig(Settings settings, KeyConfig keyConfig) { + final TrustConfig trustConfig = createCertChainTrustConfig(settings, keyConfig); return SETTINGS_PARSER.trustRestrictionsPath.get(settings) .map(path -> (TrustConfig) new RestrictedTrustConfig(settings, path, trustConfig)) .orElse(trustConfig); } - private static TrustConfig createCertChainTrustConfig(Settings settings, KeyConfig keyConfig, SSLConfiguration global) { + private static TrustConfig createCertChainTrustConfig(Settings settings, KeyConfig keyConfig) { String trustStorePath = SETTINGS_PARSER.truststorePath.get(settings).orElse(null); List caPaths = getListOrNull(SETTINGS_PARSER.caPaths, settings); @@ -217,12 +181,7 @@ private static TrustConfig createCertChainTrustConfig(Settings settings, KeyConf throw new IllegalArgumentException("you cannot specify a truststore and ca files"); } - VerificationMode verificationMode = SETTINGS_PARSER.verificationMode.get(settings).orElseGet(() -> { - if (global != null) { - return global.verificationMode(); - } - return XPackSettings.VERIFICATION_MODE_DEFAULT; - }); + VerificationMode verificationMode = SETTINGS_PARSER.verificationMode.get(settings).orElse(XPackSettings.VERIFICATION_MODE_DEFAULT); if (verificationMode.isCertificateVerificationEnabled() == false) { return TrustAllConfig.INSTANCE; } else if (caPaths != null) { 
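Review bot: `createCertChainTrustConfig` now resolves `verificationMode` with exactly the expression the constructor uses for `this.verificationMode` (`SETTINGS_PARSER.verificationMode.get(settings).orElse(XPackSettings.VERIFICATION_MODE_DEFAULT)`), so the two can drift apart if either default is ever changed. Compute it once in the constructor ahead of the trust config and thread it through: move `this.verificationMode = SETTINGS_PARSER.verificationMode.get(settings).orElse(XPackSettings.VERIFICATION_MODE_DEFAULT);` before `this.trustConfig = createTrustConfig(settings, keyConfig, verificationMode);`, with `createTrustConfig` and `createCertChainTrustConfig` taking a `VerificationMode` parameter in place of the removed `global` one. `createCertChainTrustConfig` continues past the end of this hunk.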
@@ -232,13 +191,6 @@ private static TrustConfig createCertChainTrustConfig(Settings settings, KeyConf String trustStoreAlgorithm = SETTINGS_PARSER.truststoreAlgorithm.get(settings); String trustStoreType = getKeyStoreType(SETTINGS_PARSER.truststoreType, settings, trustStorePath); return new StoreTrustConfig(trustStorePath, trustStoreType, trustStorePassword, trustStoreAlgorithm); - } else if (global == null && System.getProperty("javax.net.ssl.trustStore") != null) { - try (SecureString truststorePassword = new SecureString(System.getProperty("javax.net.ssl.trustStorePassword", ""))) { - return new StoreTrustConfig(System.getProperty("javax.net.ssl.trustStore"), "jks", truststorePassword, - System.getProperty("ssl.TrustManagerFactory.algorithm", TrustManagerFactory.getDefaultAlgorithm())); - } - } else if (global != null && keyConfig == global.keyConfig()) { - return global.trustConfig(); } else if (keyConfig != KeyConfig.NONE) { return DefaultJDKTrustConfig.merge(keyConfig); } else { diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/ssl/SSLService.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/ssl/SSLService.java index c59a2889c28db..b09c45eb22215 100644 --- a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/ssl/SSLService.java +++ b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/ssl/SSLService.java @@ -8,7 +8,6 @@ import org.apache.http.conn.ssl.NoopHostnameVerifier; import org.apache.http.nio.conn.ssl.SSLIOSessionStrategy; import org.apache.lucene.util.SetOnce; -import org.bouncycastle.operator.OperatorCreationException; import org.elasticsearch.ElasticsearchException; import org.elasticsearch.common.CheckedSupplier; import org.elasticsearch.common.Strings; 
@@ -29,18 +28,15 @@ import javax.net.ssl.SSLSocketFactory; import javax.net.ssl.X509ExtendedKeyManager; import javax.net.ssl.X509ExtendedTrustManager; -import javax.security.auth.DestroyFailedException; import java.io.IOException; import java.net.InetAddress; import java.net.Socket; import java.security.GeneralSecurityException; import java.security.KeyManagementException; -import java.security.KeyStoreException; import java.security.NoSuchAlgorithmException; import java.security.Principal; import java.security.PrivateKey; -import java.security.UnrecoverableKeyException; import java.security.cert.CertificateException; import java.security.cert.X509Certificate; import java.util.ArrayList; @@ -63,7 +59,6 @@ public class SSLService extends AbstractComponent { private final Map sslContexts; - private final SSLConfiguration globalSSLConfiguration; private final SetOnce transportSSLConfiguration = new SetOnce<>(); private final Environment env; 
@@ -71,19 +66,15 @@ public class SSLService extends AbstractComponent { * Create a new SSLService that parses the settings for the ssl contexts that need to be created, creates them, and then caches them * for use later */ - public SSLService(Settings settings, Environment environment) throws CertificateException, UnrecoverableKeyException, - NoSuchAlgorithmException, IOException, DestroyFailedException, KeyStoreException, OperatorCreationException { + public SSLService(Settings settings, Environment environment) { super(settings); this.env = environment; - this.globalSSLConfiguration = new SSLConfiguration(settings.getByPrefix(XPackSettings.GLOBAL_SSL_PREFIX)); this.sslContexts = loadSSLConfigurations(); } - private SSLService(Settings settings, Environment environment, SSLConfiguration globalSSLConfiguration, - Map sslContexts) { + private SSLService(Settings settings, Environment environment, Map sslContexts) { super(settings); this.env = environment; - this.globalSSLConfiguration = globalSSLConfiguration; this.sslContexts = sslContexts; } @@ -93,7 +84,7 @@ private SSLService(Settings settings, Environment environment, SSLConfiguration * have been created during initialization */ public SSLService createDynamicSSLService() { - return new SSLService(settings, env, globalSSLConfiguration, sslContexts) { + return new SSLService(settings, env, sslContexts) { @Override Map loadSSLConfigurations() { 
@@ -189,12 +180,10 @@ public SSLSocketFactory sslSocketFactory(Settings settings) { * will not use hostname verification. * @param settings the settings used to identify the ssl configuration, typically under a *.ssl. prefix. An empty settings will return * a SSLEngine created from the default configuration - * @param fallbackSettings the settings that should be used for the fallback of the SSLConfiguration. Using {@link Settings#EMPTY} - * results in a fallback to the global configuration * @return {@link SSLEngine} */ - public SSLEngine createSSLEngine(Settings settings, Settings fallbackSettings) { - return createSSLEngine(settings, fallbackSettings, null, -1); + public SSLEngine createSSLEngine(Settings settings) { + return createSSLEngine(settings, null, -1); } /** @@ -203,15 +192,13 @@ public SSLEngine createSSLEngine(Settings settings, Settings fallbackSettings) { * host and port are correct. The SSLEngine created by this method is most useful for clients with hostname verification enabled * @param settings the settings used to identify the ssl configuration, typically under a *.ssl. prefix. An empty settings will return * a SSLEngine created from the default configuration - * @param fallbackSettings the settings that should be used for the fallback of the SSLConfiguration. Using {@link Settings#EMPTY} - * results in a fallback to the global configuration * @param host the host of the remote endpoint. If using hostname verification, this should match what is in the remote endpoint's * certificate * @param port the port of the remote endpoint * @return {@link SSLEngine} */ - public SSLEngine createSSLEngine(Settings settings, Settings fallbackSettings, String host, int port) { - SSLConfiguration configuration = sslConfiguration(settings, fallbackSettings); + public SSLEngine createSSLEngine(Settings settings, String host, int port) { + SSLConfiguration configuration = sslConfiguration(settings); return createSSLEngine(configuration, host, port); } 
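Review bot: The Javadoc on both `createSSLEngine(Settings)` and `createSSLEngine(Settings, String, int)` still says "An empty settings will return a SSLEngine created from the default configuration", but this patch removes the global/default configuration, so empty settings now produce a freshly built `SSLConfiguration` with no configured key. Only the `@param fallbackSettings` lines were dropped; the stale sentence survives in both hunks. Replace it with `@param settings the settings used to identify the ssl configuration, typically under a *.ssl. prefix; there is no fallback, so every aspect must be present here`. Both method bodies are fully within the hunks.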
@@ -224,7 +211,6 @@ public SSLEngine createSSLEngine(Settings settings, Settings fallbackSettings, S * certificate * @param port the port of the remote endpoint * @return {@link SSLEngine} - * @see #sslConfiguration(Settings, Settings) */ public SSLEngine createSSLEngine(SSLConfiguration configuration, String host, int port) { SSLContext sslContext = sslContext(configuration); @@ -259,22 +245,10 @@ public boolean isConfigurationValidForServerUsage(SSLConfiguration sslConfigurat /** * Indicates whether client authentication is enabled for a particular configuration - * @param settings the settings used to identify the ssl configuration, typically under a *.ssl. prefix. The global configuration - * will be used for fallback + * @param settings the settings used to identify the ssl configuration, typically under a *.ssl. prefix. */ public boolean isSSLClientAuthEnabled(Settings settings) { - return isSSLClientAuthEnabled(settings, Settings.EMPTY); - } - - /** - * Indicates whether client authentication is enabled for a particular configuration - * @param settings the settings used to identify the ssl configuration, typically under a *.ssl. prefix - * @param fallback the settings that should be used for the fallback of the SSLConfiguration. Using {@link Settings#EMPTY} - * results in a fallback to the global configuration - */ - public boolean isSSLClientAuthEnabled(Settings settings, Settings fallback) { - SSLConfiguration sslConfiguration = sslConfiguration(settings, fallback); - return isSSLClientAuthEnabled(sslConfiguration); + return isSSLClientAuthEnabled(sslConfiguration(settings)); } /** 
@@ -287,21 +261,12 @@ public boolean isSSLClientAuthEnabled(SSLConfiguration sslConfiguration) { /** * Returns the {@link VerificationMode} that is specified in the settings (or the default) * @param settings the settings used to identify the ssl configuration, typically under a *.ssl. prefix - * @param fallback the settings that should be used for the fallback of the SSLConfiguration. Using {@link Settings#EMPTY} - * results in a fallback to the global configuration */ - public VerificationMode getVerificationMode(Settings settings, Settings fallback) { - SSLConfiguration sslConfiguration = sslConfiguration(settings, fallback); + public VerificationMode getVerificationMode(Settings settings) { + SSLConfiguration sslConfiguration = sslConfiguration(settings); return sslConfiguration.verificationMode(); } - /** - * Returns the {@link SSLContext} for the global configuration. Mainly used for testing - */ - SSLContext sslContext() { - return sslContextHolder(globalSSLConfiguration).sslContext(); - } - /** * Returns the {@link SSLContext} for the configuration */ 
@@ -322,31 +287,12 @@ SSLContextHolder sslContextHolder(SSLConfiguration sslConfiguration) { } /** - * Returns the existing {@link SSLConfiguration} for the given settings + * Returns a {@link SSLConfiguration} for the given settings * @param settings the settings for the ssl configuration - * @return the ssl configuration for the provided settings. If the settings are empty, the global configuration is returned + * @return the ssl configuration for the provided settings */ - SSLConfiguration sslConfiguration(Settings settings) { - if (settings.isEmpty()) { - return globalSSLConfiguration; - } - return new SSLConfiguration(settings, globalSSLConfiguration); - } - - /** - * Returns the existing {@link SSLConfiguration} for the given settings and applies the provided fallback settings instead of the global - * configuration - * @param settings the settings for the ssl configuration - * @param fallbackSettings the settings that should be used for the fallback of the SSLConfiguration. Using {@link Settings#EMPTY} - * results in a fallback to the global configuration - * @return the ssl configuration for the provided settings. If the settings are empty, the global configuration is returned - */ - public SSLConfiguration sslConfiguration(Settings settings, Settings fallbackSettings) { - if (settings.isEmpty() && fallbackSettings.isEmpty()) { - return globalSSLConfiguration; - } - SSLConfiguration fallback = sslConfiguration(fallbackSettings); - return new SSLConfiguration(settings, fallback); + public SSLConfiguration sslConfiguration(Settings settings) { + return new SSLConfiguration(settings); } /** 
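Review bot: `sslConfiguration(Settings)` is now public and builds a fresh `SSLConfiguration` on every call, which the new Javadoc does not convey; a caller reading "Returns a SSLConfiguration" may assume it is the instance registered in `sslContexts`. Since `SSLConfiguration` defines `hashCode` (and presumably `equals`), a context lookup by the returned object should only succeed when value-equal settings were loaded at startup, so add `* A new instance is built on each call; only settings that match a configuration loaded by {@link #loadSSLConfigurations()} have a cached {@link SSLContext}.` and note that `Settings.EMPTY` now yields a configuration with no key rather than the former global one. Callers of the removed two-argument overload must now pass fully resolved settings themselves.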
@@ -436,11 +382,8 @@ private SSLContextHolder createSslContext(ReloadableX509KeyManager keyManager, R /** * Parses the settings to load all SSLConfiguration objects that will be used. */ - Map loadSSLConfigurations() throws CertificateException, - UnrecoverableKeyException, NoSuchAlgorithmException, IOException, DestroyFailedException, KeyStoreException, - OperatorCreationException { + Map loadSSLConfigurations() { Map sslConfigurations = new HashMap<>(); - sslConfigurations.put(globalSSLConfiguration, createSslContext(globalSSLConfiguration)); final Settings transportSSLSettings = settings.getByPrefix(XPackSettings.TRANSPORT_SSL_PREFIX); List sslSettingsList = new ArrayList<>(); @@ -450,15 +393,15 @@ Map loadSSLConfigurations() throws Certifica sslSettingsList.addAll(getMonitoringExporterSettings(settings)); sslSettingsList.forEach((sslSettings) -> - sslConfigurations.computeIfAbsent(new SSLConfiguration(sslSettings, globalSSLConfiguration), this::createSslContext)); + sslConfigurations.computeIfAbsent(new SSLConfiguration(sslSettings), this::createSslContext)); // transport is special because we want to use a auto-generated key when there isn't one - final SSLConfiguration transportSSLConfiguration = new SSLConfiguration(transportSSLSettings, globalSSLConfiguration); + final SSLConfiguration transportSSLConfiguration = new SSLConfiguration(transportSSLSettings); this.transportSSLConfiguration.set(transportSSLConfiguration); List profileSettings = getTransportProfileSSLSettings(settings); sslConfigurations.computeIfAbsent(transportSSLConfiguration, this::createSslContext); profileSettings.forEach((profileSetting) -> - sslConfigurations.computeIfAbsent(new SSLConfiguration(profileSetting, transportSSLConfiguration), this::createSslContext)); + sslConfigurations.computeIfAbsent(new SSLConfiguration(profileSetting), this::createSslContext)); return Collections.unmodifiableMap(sslConfigurations); } 
diff --git a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/ssl/SSLConfigurationReloaderTests.java b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/ssl/SSLConfigurationReloaderTests.java index f19f13d38b74a..7d55ff42b2cf7 100644 --- a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/ssl/SSLConfigurationReloaderTests.java +++ b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/ssl/SSLConfigurationReloaderTests.java @@ -79,10 +79,10 @@ public void testReloadingKeyStore() throws Exception { final Path keystorePath = tempDir.resolve("testnode.jks"); Files.copy(getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.jks"), keystorePath); MockSecureSettings secureSettings = new MockSecureSettings(); - secureSettings.setString("xpack.ssl.keystore.secure_password", "testnode"); + secureSettings.setString("xpack.security.transport.ssl.keystore.secure_password", "testnode"); final Settings settings = Settings.builder() .put("path.home", createTempDir()) - .put("xpack.ssl.keystore.path", keystorePath) + .put("xpack.security.transport.ssl.keystore.path", keystorePath) .setSecureSettings(secureSettings) .build(); final Environment env = randomBoolean() ? null : TestEnvironment.newEnvironment(settings); 
@@ -147,12 +147,12 @@ public void testPEMKeyConfigReloading() throws Exception { Files.copy(getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt"), certPath); Files.copy(getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testclient.crt"), clientCertPath); MockSecureSettings secureSettings = new MockSecureSettings(); - secureSettings.setString("xpack.ssl.secure_key_passphrase", "testnode"); + secureSettings.setString("xpack.security.transport.ssl.secure_key_passphrase", "testnode"); final Settings settings = Settings.builder() .put("path.home", createTempDir()) - .put("xpack.ssl.key", keyPath) - .put("xpack.ssl.certificate", certPath) - .putList("xpack.ssl.certificate_authorities", certPath.toString(), clientCertPath.toString()) + .put("xpack.security.transport.ssl.key", keyPath) + .put("xpack.security.transport.ssl.certificate", certPath) + .putList("xpack.security.transport.ssl.certificate_authorities", certPath.toString(), clientCertPath.toString()) .setSecureSettings(secureSettings) .build(); final Environment env = randomBoolean() ? null : @@ -213,9 +213,9 @@ public void testReloadingTrustStore() throws Exception { Path trustStorePath = tempDir.resolve("testnode.jks"); Files.copy(getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.jks"), trustStorePath); MockSecureSettings secureSettings = new MockSecureSettings(); - secureSettings.setString("xpack.ssl.truststore.secure_password", "testnode"); + secureSettings.setString("xpack.security.transport.ssl.truststore.secure_password", "testnode"); Settings settings = Settings.builder() - .put("xpack.ssl.truststore.path", trustStorePath) + .put("xpack.security.transport.ssl.truststore.path", trustStorePath) .put("path.home", createTempDir()) .setSecureSettings(secureSettings) .build(); 
@@ -259,7 +259,7 @@ public void testReloadingPEMTrustConfig() throws Exception { Path clientCertPath = tempDir.resolve("testclient.crt"); Files.copy(getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testclient.crt"), clientCertPath); Settings settings = Settings.builder() - .putList("xpack.ssl.certificate_authorities", clientCertPath.toString()) + .putList("xpack.security.transport.ssl.certificate_authorities", clientCertPath.toString()) .put("path.home", createTempDir()) .build(); Environment env = randomBoolean() ? null : TestEnvironment.newEnvironment(settings); @@ -300,15 +300,15 @@ public void testReloadingKeyStoreException() throws Exception { Path keystorePath = tempDir.resolve("testnode.jks"); Files.copy(getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.jks"), keystorePath); MockSecureSettings secureSettings = new MockSecureSettings(); - secureSettings.setString("xpack.ssl.keystore.secure_password", "testnode"); + secureSettings.setString("xpack.security.transport.ssl.keystore.secure_password", "testnode"); Settings settings = Settings.builder() - .put("xpack.ssl.keystore.path", keystorePath) + .put("xpack.security.transport.ssl.keystore.path", keystorePath) .setSecureSettings(secureSettings) .put("path.home", createTempDir()) .build(); Environment env = randomBoolean() ? null : TestEnvironment.newEnvironment(settings); final SSLService sslService = new SSLService(settings, env); - final SSLConfiguration config = sslService.sslConfiguration(Settings.EMPTY); + final SSLConfiguration config = sslService.sslConfiguration(settings.getByPrefix("xpack.security.transport.ssl.")); new SSLConfigurationReloader(settings, env, sslService, resourceWatcherService) { @Override void reloadSSLContext(SSLConfiguration configuration) { 
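Review bot: The literal `"xpack.security.transport.ssl."` passed to `settings.getByPrefix(...)` in `testReloadingKeyStoreException` is repeated in the following hunks of this file (`testReloadingPEMKeyConfigException`, `testTrustStoreReloadException`, `testPEMTrustReloadException`, `validateSSLConfigurationIsReloaded`), while `SSLService.loadSSLConfigurations` in this patch spells the same prefix as `XPackSettings.TRANSPORT_SSL_PREFIX`. Using the constant keeps the tests from drifting if the prefix is ever renamed: `final SSLConfiguration config = sslService.sslConfiguration(settings.getByPrefix(XPackSettings.TRANSPORT_SSL_PREFIX));`, assuming the constant is importable here and its value matches (the main-side usage suggests it does). The anonymous `SSLConfigurationReloader` at the end of the hunk continues past it.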
@@ -340,17 +340,17 @@ public void testReloadingPEMKeyConfigException() throws Exception { Files.copy(getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt"), certPath); Files.copy(getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testclient.crt"), clientCertPath); MockSecureSettings secureSettings = new MockSecureSettings(); - secureSettings.setString("xpack.ssl.secure_key_passphrase", "testnode"); + secureSettings.setString("xpack.security.transport.ssl.secure_key_passphrase", "testnode"); Settings settings = Settings.builder() - .put("xpack.ssl.key", keyPath) - .put("xpack.ssl.certificate", certPath) - .putList("xpack.ssl.certificate_authorities", certPath.toString(), clientCertPath.toString()) + .put("xpack.security.transport.ssl.key", keyPath) + .put("xpack.security.transport.ssl.certificate", certPath) + .putList("xpack.security.transport.ssl.certificate_authorities", certPath.toString(), clientCertPath.toString()) .put("path.home", createTempDir()) .setSecureSettings(secureSettings) .build(); Environment env = randomBoolean() ? null : TestEnvironment.newEnvironment(settings); final SSLService sslService = new SSLService(settings, env); - final SSLConfiguration config = sslService.sslConfiguration(Settings.EMPTY); + final SSLConfiguration config = sslService.sslConfiguration(settings.getByPrefix("xpack.security.transport.ssl.")); new SSLConfigurationReloader(settings, env, sslService, resourceWatcherService) { @Override void reloadSSLContext(SSLConfiguration configuration) { 
@@ -377,15 +377,15 @@ public void testTrustStoreReloadException() throws Exception { Path trustStorePath = tempDir.resolve("testnode.jks"); Files.copy(getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.jks"), trustStorePath); MockSecureSettings secureSettings = new MockSecureSettings(); - secureSettings.setString("xpack.ssl.truststore.secure_password", "testnode"); + secureSettings.setString("xpack.security.transport.ssl.truststore.secure_password", "testnode"); Settings settings = Settings.builder() - .put("xpack.ssl.truststore.path", trustStorePath) + .put("xpack.security.transport.ssl.truststore.path", trustStorePath) .put("path.home", createTempDir()) .setSecureSettings(secureSettings) .build(); Environment env = randomBoolean() ? null : TestEnvironment.newEnvironment(settings); final SSLService sslService = new SSLService(settings, env); - final SSLConfiguration config = sslService.sslConfiguration(Settings.EMPTY); + final SSLConfiguration config = sslService.sslConfiguration(settings.getByPrefix("xpack.security.transport.ssl.")); new SSLConfigurationReloader(settings, env, sslService, resourceWatcherService) { @Override void reloadSSLContext(SSLConfiguration configuration) { 
@@ -412,12 +412,12 @@ public void testPEMTrustReloadException() throws Exception { Path clientCertPath = tempDir.resolve("testclient.crt"); Files.copy(getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testclient.crt"), clientCertPath); Settings settings = Settings.builder() - .putList("xpack.ssl.certificate_authorities", clientCertPath.toString()) + .putList("xpack.security.transport.ssl.certificate_authorities", clientCertPath.toString()) .put("path.home", createTempDir()) .build(); Environment env = randomBoolean() ? null : TestEnvironment.newEnvironment(settings); final SSLService sslService = new SSLService(settings, env); - final SSLConfiguration config = sslService.sslConfiguration(Settings.EMPTY); + final SSLConfiguration config = sslService.sslConfiguration(settings.getByPrefix("xpack.security.transport.ssl.")); new SSLConfigurationReloader(settings, env, sslService, resourceWatcherService) { @Override void reloadSSLContext(SSLConfiguration configuration) { @@ -486,7 +486,7 @@ private void validateSSLConfigurationIsReloaded(Settings settings, Environment e final CountDownLatch reloadLatch = new CountDownLatch(1); final SSLService sslService = new SSLService(settings, env); - final SSLConfiguration config = sslService.sslConfiguration(Settings.EMPTY); + final SSLConfiguration config = sslService.sslConfiguration(settings.getByPrefix("xpack.security.transport.ssl.")); new SSLConfigurationReloader(settings, env, sslService, resourceWatcherService) { @Override void reloadSSLContext(SSLConfiguration configuration) { diff --git a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/ssl/SSLConfigurationTests.java b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/ssl/SSLConfigurationTests.java index bb6fd279eec72..697690028c60c 100644 --- a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/ssl/SSLConfigurationTests.java 
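Review bot: validateSSLConfigurationIsReloaded (second hunk on this line) now hardcodes the `xpack.security.transport.ssl.` prefix while still accepting arbitrary `settings`, so a caller that places its SSL settings under any other prefix would have the default configuration watched for reload instead of its own, and the reload assertions would be about the wrong configuration without any failure pointing at the cause. A Javadoc line on the helper, `/** Expects the SSL settings under test to live under {@code xpack.security.transport.ssl.}; settings under any other prefix are not what this helper reloads. */`, or an assertion that `settings.getByPrefix("xpack.security.transport.ssl.")` is non-empty, would make the contract explicit. The helper's signature and the rest of its body lie outside this hunk.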
+++ b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/ssl/SSLConfigurationTests.java @@ -35,10 +35,6 @@ public void testThatSSLConfigurationHasCorrectDefaults() { assertThat(globalConfig.keyConfig(), sameInstance(KeyConfig.NONE)); assertThat(globalConfig.trustConfig(), is(not((globalConfig.keyConfig())))); assertThat(globalConfig.trustConfig(), instanceOf(DefaultJDKTrustConfig.class)); - - SSLConfiguration scopedConfig = new SSLConfiguration(Settings.EMPTY, globalConfig); - assertThat(scopedConfig.keyConfig(), sameInstance(globalConfig.keyConfig())); - assertThat(scopedConfig.trustConfig(), sameInstance(globalConfig.trustConfig())); } public void testThatOnlyKeystoreInSettingsSetsTruststoreSettings() { 
@@ -50,22 +46,17 @@ public void testThatOnlyKeystoreInSettingsSetsTruststoreSettings() { .setSecureSettings(secureSettings) .build(); // Pass settings in as component settings - SSLConfiguration globalSettings = new SSLConfiguration(settings); - SSLConfiguration scopedSettings = new SSLConfiguration(settings, globalSettings); - SSLConfiguration scopedEmptyGlobalSettings = - new SSLConfiguration(settings, new SSLConfiguration(Settings.EMPTY)); - for (SSLConfiguration sslConfiguration : Arrays.asList(globalSettings, scopedSettings, scopedEmptyGlobalSettings)) { - assertThat(sslConfiguration.keyConfig(), instanceOf(StoreKeyConfig.class)); - StoreKeyConfig ksKeyInfo = (StoreKeyConfig) sslConfiguration.keyConfig(); + SSLConfiguration sslConfiguration = new SSLConfiguration(settings); + assertThat(sslConfiguration.keyConfig(), instanceOf(StoreKeyConfig.class)); + StoreKeyConfig ksKeyInfo = (StoreKeyConfig) sslConfiguration.keyConfig(); - assertThat(ksKeyInfo.keyStorePath, is(equalTo(path))); - assertThat(ksKeyInfo.keyStorePassword, is(equalTo("testnode"))); - assertThat(ksKeyInfo.keyStoreType, is(equalTo("jks"))); - assertThat(ksKeyInfo.keyPassword, is(equalTo(ksKeyInfo.keyStorePassword))); - assertThat(ksKeyInfo.keyStoreAlgorithm, is(KeyManagerFactory.getDefaultAlgorithm())); - assertThat(sslConfiguration.trustConfig(), is(instanceOf(CombiningTrustConfig.class))); - assertCombiningTrustConfigContainsCorrectIssuers(sslConfiguration); - } + assertThat(ksKeyInfo.keyStorePath, is(equalTo(path))); + assertThat(ksKeyInfo.keyStorePassword, is(equalTo("testnode"))); + assertThat(ksKeyInfo.keyStoreType, is(equalTo("jks"))); + assertThat(ksKeyInfo.keyPassword, is(equalTo(ksKeyInfo.keyStorePassword))); + assertThat(ksKeyInfo.keyStoreAlgorithm, is(KeyManagerFactory.getDefaultAlgorithm())); + assertThat(sslConfiguration.trustConfig(), is(instanceOf(CombiningTrustConfig.class))); + assertCombiningTrustConfigContainsCorrectIssuers(sslConfiguration); } public void 
testKeystorePassword() { 
@@ -188,46 +179,6 @@ public void testExplicitKeystoreType() { assertThat(ksKeyInfo.keyStoreType, is(equalTo(type))); } - public void testThatProfileSettingsOverrideServiceSettings() { - MockSecureSettings profileSecureSettings = new MockSecureSettings(); - profileSecureSettings.setString("keystore.secure_password", "password"); - profileSecureSettings.setString("keystore.secure_key_password", "key"); - profileSecureSettings.setString("truststore.secure_password", "password for trust"); - Settings profileSettings = Settings.builder() - .put("keystore.path", "path") - .put("keystore.algorithm", "algo") - .put("truststore.path", "trust path") - .put("truststore.algorithm", "trusted") - .setSecureSettings(profileSecureSettings) - .build(); - - MockSecureSettings serviceSecureSettings = new MockSecureSettings(); - serviceSecureSettings.setString("xpack.ssl.keystore.secure_password", "comp password"); - serviceSecureSettings.setString("xpack.ssl.keystore.secure_key_password", "comp key"); - serviceSecureSettings.setString("xpack.ssl.truststore.secure_password", "comp password for trust"); - Settings serviceSettings = Settings.builder() - .put("xpack.ssl.keystore.path", "comp path") - .put("xpack.ssl.keystore.algorithm", "comp algo") - .put("xpack.ssl.truststore.path", "comp trust path") - .put("xpack.ssl.truststore.algorithm", "comp trusted") - .setSecureSettings(serviceSecureSettings) - .build(); - - SSLConfiguration globalSettings = new SSLConfiguration(serviceSettings); - SSLConfiguration sslConfiguration = new SSLConfiguration(profileSettings, globalSettings); - assertThat(sslConfiguration.keyConfig(), instanceOf(StoreKeyConfig.class)); - StoreKeyConfig ksKeyInfo = (StoreKeyConfig) sslConfiguration.keyConfig(); - assertThat(ksKeyInfo.keyStorePath, is(equalTo("path"))); - assertThat(ksKeyInfo.keyStorePassword, is(equalTo("password"))); - assertThat(ksKeyInfo.keyPassword, is(equalTo("key"))); - assertThat(ksKeyInfo.keyStoreAlgorithm, is(equalTo("algo"))); - 
assertThat(sslConfiguration.trustConfig(), instanceOf(StoreTrustConfig.class)); - StoreTrustConfig ksTrustInfo = (StoreTrustConfig) sslConfiguration.trustConfig(); - assertThat(ksTrustInfo.trustStorePath, is(equalTo("trust path"))); - assertThat(ksTrustInfo.trustStorePassword, is(equalTo("password for trust"))); - assertThat(ksTrustInfo.trustStoreAlgorithm, is(equalTo("trusted"))); - } - public void testThatEmptySettingsAreEqual() { SSLConfiguration sslConfiguration = new SSLConfiguration(Settings.EMPTY); SSLConfiguration sslConfiguration1 = new SSLConfiguration(Settings.EMPTY); @@ -235,11 +186,6 @@ public void testThatEmptySettingsAreEqual() { assertThat(sslConfiguration1.equals(sslConfiguration), is(equalTo(true))); assertThat(sslConfiguration.equals(sslConfiguration), is(equalTo(true))); assertThat(sslConfiguration1.equals(sslConfiguration1), is(equalTo(true))); - - SSLConfiguration profileSSLConfiguration = new SSLConfiguration(Settings.EMPTY, sslConfiguration); - assertThat(sslConfiguration.equals(profileSSLConfiguration), is(equalTo(true))); - assertThat(profileSSLConfiguration.equals(sslConfiguration), is(equalTo(true))); - assertThat(profileSSLConfiguration.equals(profileSSLConfiguration), is(equalTo(true))); } public void testThatSettingsWithDifferentKeystoresAreNotEqual() { @@ -272,9 +218,6 @@ public void testThatEmptySettingsHaveSameHashCode() { SSLConfiguration sslConfiguration = new SSLConfiguration(Settings.EMPTY); SSLConfiguration sslConfiguration1 = new SSLConfiguration(Settings.EMPTY); assertThat(sslConfiguration.hashCode(), is(equalTo(sslConfiguration1.hashCode()))); - - SSLConfiguration profileSettings = new SSLConfiguration(Settings.EMPTY, sslConfiguration); - assertThat(profileSettings.hashCode(), is(equalTo(sslConfiguration.hashCode()))); } public void testThatSettingsWithDifferentKeystoresHaveDifferentHashCode() { 
diff --git a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/ssl/SSLServiceTests.java b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/ssl/SSLServiceTests.java
index 598a0f8a77ada..c7b969e8f54af 100644
--- a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/ssl/SSLServiceTests.java
+++ b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/ssl/SSLServiceTests.java
@@ -96,11 +96,11 @@ public void setup() throws Exception {
 public void testThatCustomTruststoreCanBeSpecified() throws Exception {
 Path testClientStore = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testclient.jks");
 MockSecureSettings secureSettings = new MockSecureSettings();
- secureSettings.setString("xpack.ssl.truststore.secure_password", "testnode");
+ secureSettings.setString("xpack.security.transport.ssl.truststore.secure_password", "testnode");
 secureSettings.setString("transport.profiles.foo.xpack.security.ssl.truststore.secure_password", "testclient");
 Settings settings = Settings.builder()
- .put("xpack.ssl.truststore.path", testnodeStore)
- .put("xpack.ssl.truststore.type", testnodeStoreType)
+ .put("xpack.security.transport.ssl.truststore.path", testnodeStore)
+ .put("xpack.security.transport.ssl.truststore.type", testnodeStoreType)
 .setSecureSettings(secureSettings)
 .put("transport.profiles.foo.xpack.security.ssl.truststore.path", testClientStore)
 .build();
@@ -113,25 +113,25 @@ public void testThatCustomTruststoreCanBeSpecified() throws Exception { .setSecureSettings(secureCustomSettings) .build(); - SSLEngine sslEngineWithTruststore = sslService.createSSLEngine(customTruststoreSettings, Settings.EMPTY); + SSLEngine sslEngineWithTruststore = sslService.createSSLEngine(customTruststoreSettings); assertThat(sslEngineWithTruststore, is(not(nullValue()))); - SSLEngine sslEngine = sslService.createSSLEngine(Settings.EMPTY, Settings.EMPTY); + SSLEngine sslEngine = sslService.createSSLEngine(Settings.EMPTY); assertThat(sslEngineWithTruststore, is(not(sameInstance(sslEngine)))); } public void testThatSslContextCachingWorks() throws Exception { MockSecureSettings secureSettings = new MockSecureSettings(); - secureSettings.setString("xpack.ssl.keystore.secure_password", "testnode"); + secureSettings.setString("xpack.security.transport.ssl.keystore.secure_password", "testnode"); Settings settings = Settings.builder() - .put("xpack.ssl.keystore.path", testnodeStore) - .put("xpack.ssl.keystore.type", testnodeStoreType) + .put("xpack.security.transport.ssl.keystore.path", testnodeStore) + .put("xpack.security.transport.ssl.keystore.type", testnodeStoreType) .setSecureSettings(secureSettings) .build(); SSLService sslService = new SSLService(settings, env); - SSLContext sslContext = sslService.sslContext(); - SSLContext cachedSslContext = sslService.sslContext(); + SSLContext sslContext = sslService.sslContext(sslService.sslConfiguration(Settings.EMPTY)); + SSLContext cachedSslContext = sslService.sslContext(sslService.sslConfiguration(Settings.EMPTY)); assertThat(sslContext, is(sameInstance(cachedSslContext))); } 
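Review bot: In testThatSslContextCachingWorks the keystore is configured under `xpack.security.transport.ssl.`, yet both `sslContext(...)` calls resolve `sslService.sslConfiguration(Settings.EMPTY)`, so with the fallback removed the assertion checks caching of the default configuration rather than of the keystore-backed one. Using `sslService.sslConfiguration(settings.getByPrefix("xpack.security.transport.ssl."))` on both lines, as the later hunks of this file already do, keeps the test about the configuration it sets up. The `createSSLEngine(Settings.EMPTY)` at the top of the hunk in testThatCustomTruststoreCanBeSpecified is affected the same way: the "not same instance" comparison is now against the default engine rather than the transport-truststore engine, which is still valid but weaker than before.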
@@ -140,13 +140,13 @@ public void testThatKeyStoreAndKeyCanHaveDifferentPasswords() throws Exception { Path differentPasswordsStore = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode-different-passwords.jks"); MockSecureSettings secureSettings = new MockSecureSettings(); - secureSettings.setString("xpack.ssl.keystore.secure_password", "testnode"); - secureSettings.setString("xpack.ssl.keystore.secure_key_password", "testnode1"); + secureSettings.setString("xpack.security.transport.ssl.keystore.secure_password", "testnode"); + secureSettings.setString("xpack.security.transport.ssl.keystore.secure_key_password", "testnode1"); Settings settings = Settings.builder() - .put("xpack.ssl.keystore.path", differentPasswordsStore) + .put("xpack.security.transport.ssl.keystore.path", differentPasswordsStore) .setSecureSettings(secureSettings) .build(); - new SSLService(settings, env).createSSLEngine(Settings.EMPTY, Settings.EMPTY); + new SSLService(settings, env).createSSLEngine(Settings.EMPTY); } public void testIncorrectKeyPasswordThrowsException() throws Exception { 
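Review bot: `createSSLEngine(Settings.EMPTY)` no longer resolves the keystore placed under `xpack.security.transport.ssl.`, so testThatKeyStoreAndKeyCanHaveDifferentPasswords only exercises the differing key password if SSLService loads that configuration eagerly in its constructor, which this diff does not show. Passing `settings.getByPrefix("xpack.security.transport.ssl.")` to `createSSLEngine` makes the test independent of that. The same `Settings.EMPTY` lookup appears in the next hunk (testIncorrectKeyPasswordThrowsException, where the expected exception may now be raised by the constructor rather than by `createSSLEngine`, and the surrounding try/catch does not distinguish the two), and further down in testThatSSLv3IsNotEnabled, testThatSSLEngineHasCipherSuitesOrderSet and testThatSSLEngineHasProperCiphersAndProtocols.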
@@ -154,12 +154,12 @@ public void testIncorrectKeyPasswordThrowsException() throws Exception { getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode-different-passwords.jks"); try { MockSecureSettings secureSettings = new MockSecureSettings(); - secureSettings.setString("xpack.ssl.keystore.secure_password", "testnode"); + secureSettings.setString("xpack.security.transport.ssl.keystore.secure_password", "testnode"); Settings settings = Settings.builder() - .put("xpack.ssl.keystore.path", differentPasswordsStore) + .put("xpack.security.transport.ssl.keystore.path", differentPasswordsStore) .setSecureSettings(secureSettings) .build(); - new SSLService(settings, env).createSSLEngine(Settings.EMPTY, Settings.EMPTY); + new SSLService(settings, env).createSSLEngine(Settings.EMPTY); fail("expected an exception"); } catch (ElasticsearchException e) { assertThat(e.getMessage(), containsString("failed to initialize a KeyManagerFactory")); 
@@ -168,55 +168,56 @@ public void testIncorrectKeyPasswordThrowsException() throws Exception { public void testThatSSLv3IsNotEnabled() throws Exception { MockSecureSettings secureSettings = new MockSecureSettings(); - secureSettings.setString("xpack.ssl.keystore.secure_password", "testnode"); + secureSettings.setString("xpack.security.transport.ssl.keystore.secure_password", "testnode"); Settings settings = Settings.builder() - .put("xpack.ssl.keystore.path", testnodeStore) - .put("xpack.ssl.keystore.type", testnodeStoreType) + .put("xpack.security.transport.ssl.keystore.path", testnodeStore) + .put("xpack.security.transport.ssl.keystore.type", testnodeStoreType) .setSecureSettings(secureSettings) .build(); SSLService sslService = new SSLService(settings, env); - SSLEngine engine = sslService.createSSLEngine(Settings.EMPTY, Settings.EMPTY); + SSLEngine engine = sslService.createSSLEngine(Settings.EMPTY); assertThat(Arrays.asList(engine.getEnabledProtocols()), not(hasItem("SSLv3"))); } public void testThatCreateClientSSLEngineWithoutAnySettingsWorks() throws Exception { SSLService sslService = new SSLService(Settings.EMPTY, env); - SSLEngine sslEngine = sslService.createSSLEngine(Settings.EMPTY, Settings.EMPTY); + SSLEngine sslEngine = sslService.createSSLEngine(Settings.EMPTY); assertThat(sslEngine, notNullValue()); } public void testThatCreateSSLEngineWithOnlyTruststoreWorks() throws Exception { MockSecureSettings secureSettings = new MockSecureSettings(); - secureSettings.setString("xpack.ssl.truststore.secure_password", "testclient"); + secureSettings.setString("xpack.security.transport.ssl.truststore.secure_password", "testclient"); Settings settings = Settings.builder() - .put("xpack.ssl.truststore.path", testclientStore) + .put("xpack.security.transport.ssl.truststore.path", testclientStore) .setSecureSettings(secureSettings) .build(); SSLService sslService = new SSLService(settings, env); - SSLEngine sslEngine = sslService.createSSLEngine(Settings.EMPTY, 
Settings.EMPTY); + SSLEngine sslEngine = sslService.createSSLEngine(Settings.EMPTY); assertThat(sslEngine, notNullValue()); } public void testCreateWithKeystoreIsValidForServer() throws Exception { MockSecureSettings secureSettings = new MockSecureSettings(); - secureSettings.setString("xpack.ssl.keystore.secure_password", "testnode"); + secureSettings.setString("xpack.security.transport.ssl.keystore.secure_password", "testnode"); Settings settings = Settings.builder() - .put("xpack.ssl.keystore.path", testnodeStore) - .put("xpack.ssl.keystore.type", testnodeStoreType) + .put("xpack.security.transport.ssl.keystore.path", testnodeStore) + .put("xpack.security.transport.ssl.keystore.type", testnodeStoreType) .setSecureSettings(secureSettings) .build(); SSLService sslService = new SSLService(settings, env); - assertTrue(sslService.isConfigurationValidForServerUsage(sslService.sslConfiguration(Settings.EMPTY))); + assertTrue(sslService.isConfigurationValidForServerUsage( + sslService.sslConfiguration(settings.getByPrefix("xpack.security.transport.ssl.")))); } public void testValidForServerWithFallback() throws Exception { MockSecureSettings secureSettings = new MockSecureSettings(); - secureSettings.setString("xpack.ssl.truststore.secure_password", "testnode"); + secureSettings.setString("xpack.security.transport.ssl.truststore.secure_password", "testnode"); Settings settings = Settings.builder() - .put("xpack.ssl.truststore.path", testnodeStore) - .put("xpack.ssl.truststore.type", testnodeStoreType) + .put("xpack.security.transport.ssl.truststore.path", testnodeStore) + .put("xpack.security.transport.ssl.truststore.type", testnodeStoreType) .setSecureSettings(secureSettings) .build(); SSLService sslService = new SSLService(settings, env); 
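Review bot: testValidForServerWithFallback keeps a name describing the behaviour this commit removes; from the settings it builds it appears to check that a truststore-only transport configuration is not valid for server use and that adding a keystore under the same prefix makes it valid, so a name such as `public void testValidForServerRequiresKeystoreUnderTransportPrefix() throws Exception {` would say what is asserted. The method continues into the next hunk, and its assertions are outside this one.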
@@ -224,8 +225,8 @@ public void testValidForServerWithFallback() throws Exception { secureSettings.setString("xpack.security.transport.ssl.keystore.secure_password", "testnode"); settings = Settings.builder() - .put("xpack.ssl.truststore.path", testnodeStore) - .put("xpack.ssl.truststore.type", testnodeStoreType) + .put("xpack.security.transport.ssl.truststore.path", testnodeStore) + .put("xpack.security.transport.ssl.truststore.type", testnodeStoreType) .setSecureSettings(secureSettings) .put("xpack.security.transport.ssl.keystore.path", testnodeStore) .put("xpack.security.transport.ssl.keystore.type", testnodeStoreType) 
@@ -239,49 +240,39 @@ public void testValidForServerWithFallback() throws Exception { public void testGetVerificationMode() throws Exception { SSLService sslService = new SSLService(Settings.EMPTY, env); - assertThat(sslService.getVerificationMode(Settings.EMPTY, Settings.EMPTY), is(XPackSettings.VERIFICATION_MODE_DEFAULT)); + assertThat(sslService.getVerificationMode(Settings.EMPTY), is(XPackSettings.VERIFICATION_MODE_DEFAULT)); Settings settings = Settings.builder() - .put("xpack.ssl.verification_mode", "none") .put("xpack.security.transport.ssl.verification_mode", "certificate") .put("transport.profiles.foo.xpack.security.ssl.verification_mode", "full") .build(); sslService = new SSLService(settings, env); - assertThat(sslService.getVerificationMode(Settings.EMPTY, Settings.EMPTY), is(VerificationMode.NONE)); - assertThat(sslService.getVerificationMode(settings.getByPrefix("xpack.security.transport.ssl."), Settings.EMPTY), - is(VerificationMode.CERTIFICATE)); - assertThat(sslService.getVerificationMode(settings.getByPrefix("transport.profiles.foo.xpack.security.ssl."), - settings.getByPrefix("xpack.security.transport.ssl.")), is(VerificationMode.FULL)); - assertThat(sslService.getVerificationMode(Settings.EMPTY, settings.getByPrefix("xpack.security.transport.ssl.")), + assertThat(sslService.getVerificationMode(settings.getByPrefix("xpack.security.transport.ssl.")), is(VerificationMode.CERTIFICATE)); + assertThat(sslService.getVerificationMode(settings.getByPrefix("transport.profiles.foo.xpack.security.ssl.")), + is(VerificationMode.FULL)); } public void testIsSSLClientAuthEnabled() throws Exception { SSLService sslService = new SSLService(Settings.EMPTY, env); assertTrue(sslService.isSSLClientAuthEnabled(Settings.EMPTY)); - assertTrue(sslService.isSSLClientAuthEnabled(Settings.EMPTY, Settings.EMPTY)); Settings settings = Settings.builder() - .put("xpack.ssl.client_authentication", "none") .put("xpack.security.transport.ssl.client_authentication", "optional") 
.build(); sslService = new SSLService(settings, env); - assertFalse(sslService.isSSLClientAuthEnabled(Settings.EMPTY)); - assertFalse(sslService.isSSLClientAuthEnabled(Settings.EMPTY, Settings.EMPTY)); assertTrue(sslService.isSSLClientAuthEnabled(settings.getByPrefix("xpack.security.transport.ssl."))); - assertTrue(sslService.isSSLClientAuthEnabled(settings.getByPrefix("xpack.security.transport.ssl."), Settings.EMPTY)); - assertTrue(sslService.isSSLClientAuthEnabled(settings.getByPrefix("transport.profiles.foo.xpack.security.ssl."), - settings.getByPrefix("xpack.security.transport.ssl."))); + assertTrue(sslService.isSSLClientAuthEnabled(settings.getByPrefix("transport.profiles.foo.xpack.security.ssl."))); } public void testThatHttpClientAuthDefaultsToNone() throws Exception { final Settings globalSettings = Settings.builder() .put("xpack.security.http.ssl.enabled", true) - .put("xpack.ssl.client_authentication", SSLClientAuth.OPTIONAL.name()) + .put("xpack.security.transport.ssl.client_authentication", SSLClientAuth.OPTIONAL.name()) .build(); final SSLService sslService = new SSLService(globalSettings, env); - final SSLConfiguration globalConfig = sslService.sslConfiguration(Settings.EMPTY); + final SSLConfiguration globalConfig = sslService.sslConfiguration(globalSettings.getByPrefix("xpack.security.transport.ssl.")); assertThat(globalConfig.sslClientAuth(), is(SSLClientAuth.OPTIONAL)); final Settings httpSettings = SSLService.getHttpTransportSSLSettings(globalSettings); 
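Review bot: In testThatHttpClientAuthDefaultsToNone the locals `globalSettings` and `globalConfig` now hold transport-scoped settings (`xpack.security.transport.ssl.client_authentication`), since the global `xpack.ssl.*` scope no longer exists; renaming them to `transportSettings`/`transportConfig` would stop a reader from assuming a global scope the commit removed. The assertion that the HTTP configuration does not inherit OPTIONAL from the transport setting is exactly the isolation property this commit introduces, so it is worth keeping as is. The method's remaining assertions are outside this hunk.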
@@ -291,13 +282,13 @@ public void testThatHttpClientAuthDefaultsToNone() throws Exception { public void testThatTruststorePasswordIsRequired() throws Exception { MockSecureSettings secureSettings = new MockSecureSettings(); - secureSettings.setString("xpack.ssl.keystore.secure_password", "testnode"); + secureSettings.setString("xpack.security.transport.ssl.keystore.secure_password", "testnode"); Settings settings = Settings.builder() - .put("xpack.ssl.keystore.path", testnodeStore) - .put("xpack.ssl.keystore.type", testnodeStoreType) + .put("xpack.security.transport.ssl.keystore.path", testnodeStore) + .put("xpack.security.transport.ssl.keystore.type", testnodeStoreType) .setSecureSettings(secureSettings) - .put("xpack.ssl.truststore.path", testnodeStore) - .put("xpack.ssl.truststore.type", testnodeStoreType) + .put("xpack.security.transport.ssl.truststore.path", testnodeStore) + .put("xpack.security.transport.ssl.truststore.type", testnodeStoreType) .build(); ElasticsearchException e = expectThrows(ElasticsearchException.class, () -> new SSLService(settings, env)); @@ -306,8 +297,8 @@ public void testThatTruststorePasswordIsRequired() throws Exception { public void testThatKeystorePasswordIsRequired() throws Exception { Settings settings = Settings.builder() - .put("xpack.ssl.keystore.path", testnodeStore) - .put("xpack.ssl.keystore.type", testnodeStoreType) + .put("xpack.security.transport.ssl.keystore.path", testnodeStore) + .put("xpack.security.transport.ssl.keystore.type", testnodeStoreType) .build(); ElasticsearchException e = expectThrows(ElasticsearchException.class, () -> new SSLService(settings, env)); 
@@ -319,15 +310,15 @@ public void testCiphersAndInvalidCiphersWork() throws Exception {
 ciphers.add("foo");
 ciphers.add("bar");
 MockSecureSettings secureSettings = new MockSecureSettings();
- secureSettings.setString("xpack.ssl.keystore.secure_password", "testnode");
+ secureSettings.setString("xpack.security.transport.ssl.keystore.secure_password", "testnode");
 Settings settings = Settings.builder()
- .put("xpack.ssl.keystore.path", testnodeStore)
- .put("xpack.ssl.keystore.type", testnodeStoreType)
+ .put("xpack.security.transport.ssl.keystore.path", testnodeStore)
+ .put("xpack.security.transport.ssl.keystore.type", testnodeStoreType)
 .setSecureSettings(secureSettings)
- .putList("xpack.ssl.ciphers", ciphers.toArray(new String[ciphers.size()]))
+ .putList("xpack.security.transport.ssl.ciphers", ciphers.toArray(new String[ciphers.size()]))
 .build();
 SSLService sslService = new SSLService(settings, env);
- SSLEngine engine = sslService.createSSLEngine(Settings.EMPTY, Settings.EMPTY);
+ SSLEngine engine = sslService.createSSLEngine(Settings.EMPTY);
 assertThat(engine, is(notNullValue()));
 String[] enabledCiphers = engine.getEnabledCipherSuites();
 assertThat(Arrays.asList(enabledCiphers), not(contains("foo", "bar")));
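Review bot: The `not(contains("foo", "bar"))` assertion in testCiphersAndInvalidCiphersWork no longer exercises cipher filtering: the list is put under `xpack.security.transport.ssl.ciphers`, but the engine is created with `createSSLEngine(Settings.EMPTY)`, whose default configuration never contained "foo" or "bar" in the first place. Creating the engine with `SSLEngine engine = sslService.createSSLEngine(settings.getByPrefix("xpack.security.transport.ssl."));` restores the check that unknown names are dropped while the valid ones survive. Separately, Hamcrest `contains` matches only an exact full list, so `not(contains(...))` holds for almost any input; `not(hasItems("foo", "bar"))` is the tighter form, though that weakness predates this commit.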
@@ -335,13 +326,13 @@ public void testCiphersAndInvalidCiphersWork() throws Exception { public void testInvalidCiphersOnlyThrowsException() throws Exception { MockSecureSettings secureSettings = new MockSecureSettings(); - secureSettings.setString("xpack.ssl.keystore.secure_password", "testnode"); + secureSettings.setString("xpack.security.transport.ssl.keystore.secure_password", "testnode"); Settings settings = Settings.builder() - .put("xpack.ssl.keystore.path", testnodeStore) - .put("xpack.ssl.keystore.type", testnodeStoreType) + .put("xpack.security.transport.ssl.keystore.path", testnodeStore) + .put("xpack.security.transport.ssl.keystore.type", testnodeStoreType) .setSecureSettings(secureSettings) - .putList("xpack.ssl.cipher_suites", new String[] { "foo", "bar" }) + .putList("xpack.security.transport.ssl.cipher_suites", new String[] { "foo", "bar" }) .build(); IllegalArgumentException e = expectThrows(IllegalArgumentException.class, () -> new SSLService(settings, env)); 
@@ -350,24 +341,24 @@ public void testInvalidCiphersOnlyThrowsException() throws Exception { public void testThatSSLEngineHasCipherSuitesOrderSet() throws Exception { MockSecureSettings secureSettings = new MockSecureSettings(); - secureSettings.setString("xpack.ssl.keystore.secure_password", "testnode"); + secureSettings.setString("xpack.security.transport.ssl.keystore.secure_password", "testnode"); Settings settings = Settings.builder() - .put("xpack.ssl.keystore.path", testnodeStore) - .put("xpack.ssl.keystore.type", testnodeStoreType) + .put("xpack.security.transport.ssl.keystore.path", testnodeStore) + .put("xpack.security.transport.ssl.keystore.type", testnodeStoreType) .setSecureSettings(secureSettings) .build(); SSLService sslService = new SSLService(settings, env); - SSLEngine engine = sslService.createSSLEngine(Settings.EMPTY, Settings.EMPTY); + SSLEngine engine = sslService.createSSLEngine(Settings.EMPTY); assertThat(engine, is(notNullValue())); assertTrue(engine.getSSLParameters().getUseCipherSuitesOrder()); } public void testThatSSLSocketFactoryHasProperCiphersAndProtocols() throws Exception { MockSecureSettings secureSettings = new MockSecureSettings(); - secureSettings.setString("xpack.ssl.keystore.secure_password", "testnode"); + secureSettings.setString("xpack.security.transport.ssl.keystore.secure_password", "testnode"); Settings settings = Settings.builder() - .put("xpack.ssl.keystore.path", testnodeStore) - .put("xpack.ssl.keystore.type", testnodeStoreType) + .put("xpack.security.transport.ssl.keystore.path", testnodeStore) + .put("xpack.security.transport.ssl.keystore.type", testnodeStoreType) .setSecureSettings(secureSettings) .build(); SSLService sslService = new SSLService(settings, env); 
@@ -389,14 +380,14 @@ public void testThatSSLSocketFactoryHasProperCiphersAndProtocols() throws Except public void testThatSSLEngineHasProperCiphersAndProtocols() throws Exception { MockSecureSettings secureSettings = new MockSecureSettings(); - secureSettings.setString("xpack.ssl.keystore.secure_password", "testnode"); + secureSettings.setString("xpack.security.transport.ssl.keystore.secure_password", "testnode"); Settings settings = Settings.builder() - .put("xpack.ssl.keystore.path", testnodeStore) - .put("xpack.ssl.keystore.type", testnodeStoreType) + .put("xpack.security.transport.ssl.keystore.path", testnodeStore) + .put("xpack.security.transport.ssl.keystore.type", testnodeStoreType) .setSecureSettings(secureSettings) .build(); SSLService sslService = new SSLService(settings, env); - SSLEngine engine = sslService.createSSLEngine(Settings.EMPTY, Settings.EMPTY); + SSLEngine engine = sslService.createSSLEngine(Settings.EMPTY); SSLConfiguration config = sslService.sslConfiguration(Settings.EMPTY); final String[] ciphers = sslService.supportedCiphers(engine.getSupportedCipherSuites(), config.cipherSuites(), false); final String[] supportedProtocols = config.supportedProtocols().toArray(Strings.EMPTY_ARRAY); 
@@ -470,13 +461,13 @@ public void testReadCertificateInformation() throws Exception { final Path pemPath = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/active-directory-ca.crt"); final MockSecureSettings secureSettings = new MockSecureSettings(); - secureSettings.setString("xpack.ssl.keystore.secure_password", "testnode"); - secureSettings.setString("xpack.ssl.truststore.secure_password", "testnode"); + secureSettings.setString("xpack.security.transport.ssl.keystore.secure_password", "testnode"); + secureSettings.setString("xpack.security.transport.ssl.truststore.secure_password", "testnode"); secureSettings.setString("xpack.http.ssl.keystore.secure_password", "testnode"); final Settings settings = Settings.builder() - .put("xpack.ssl.keystore.path", jksPath) - .put("xpack.ssl.truststore.path", jksPath) + .put("xpack.security.transport.ssl.keystore.path", jksPath) + .put("xpack.security.transport.ssl.truststore.path", jksPath) .put("xpack.http.ssl.keystore.path", p12Path) .put("xpack.security.authc.realms.ad.type", "ad") .put("xpack.security.authc.realms.ad.ssl.certificate_authorities", pemPath) @@ -568,7 +559,7 @@ public void testReadCertificateInformation() throws Exception { @Network public void testThatSSLContextWithoutSettingsWorks() throws Exception { SSLService sslService = new SSLService(Settings.EMPTY, env); - SSLContext sslContext = sslService.sslContext(); + SSLContext sslContext = sslService.sslContext(sslService.sslConfiguration(Settings.EMPTY)); try (CloseableHttpClient client = HttpClients.custom().setSSLContext(sslContext).build()) { // Execute a GET on a site known to have a valid certificate signed by a trusted public CA // This will result in a SSLHandshakeException if the SSLContext does not trust the CA, but the default 
@@ -580,12 +571,13 @@ public void testThatSSLContextWithoutSettingsWorks() throws Exception { @Network public void testThatSSLContextTrustsJDKTrustedCAs() throws Exception { MockSecureSettings secureSettings = new MockSecureSettings(); - secureSettings.setString("xpack.ssl.keystore.secure_password", "testclient"); + secureSettings.setString("xpack.security.transport.ssl.keystore.secure_password", "testclient"); Settings settings = Settings.builder() - .put("xpack.ssl.keystore.path", testclientStore) + .put("xpack.security.transport.ssl.keystore.path", testclientStore) .setSecureSettings(secureSettings) .build(); - SSLContext sslContext = new SSLService(settings, env).sslContext(); + SSLService sslService = new SSLService(settings, env); + SSLContext sslContext = sslService.sslContext(sslService.sslConfiguration(settings.getByPrefix("xpack.security.transport.ssl."))); try (CloseableHttpClient client = HttpClients.custom().setSSLContext(sslContext).build()) { // Execute a GET on a site known to have a valid certificate signed by a trusted public CA which will succeed because the JDK // certs are trusted by default @@ -610,9 +602,9 @@ public void testThatSSLIOSessionStrategyWithoutSettingsWorks() throws Exception @Network public void testThatSSLIOSessionStrategytTrustsJDKTrustedCAs() throws Exception { MockSecureSettings secureSettings = new MockSecureSettings(); - secureSettings.setString("xpack.ssl.keystore.secure_password", "testclient"); + secureSettings.setString("xpack.security.transport.ssl.keystore.secure_password", "testclient"); Settings settings = Settings.builder() - .put("xpack.ssl.keystore.path", testclientStore) + .put("xpack.security.transport.ssl.keystore.path", testclientStore) .setSecureSettings(secureSettings) .build(); SSLIOSessionStrategy sslStrategy = new SSLService(settings, env).sslIOSessionStrategy(Settings.EMPTY); 
diff --git a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/ssl/TestsSSLService.java b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/ssl/TestsSSLService.java index 675e115e4cbfa..20ba15d0baf38 100644 --- a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/ssl/TestsSSLService.java +++ b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/ssl/TestsSSLService.java @@ -5,34 +5,20 @@ */ package org.elasticsearch.xpack.core.ssl; -import org.bouncycastle.operator.OperatorCreationException; import org.elasticsearch.common.settings.Settings; import org.elasticsearch.env.Environment; import javax.net.ssl.SSLContext; -import javax.security.auth.DestroyFailedException; - -import java.io.IOException; -import java.security.KeyStoreException; -import java.security.NoSuchAlgorithmException; -import java.security.UnrecoverableKeyException; -import java.security.cert.CertificateException; /** * Extending SSLService to make helper methods public to access in tests */ public class TestsSSLService extends SSLService { - public TestsSSLService(Settings settings, Environment environment) throws CertificateException, UnrecoverableKeyException, - NoSuchAlgorithmException, IOException, DestroyFailedException, KeyStoreException, OperatorCreationException { + public TestsSSLService(Settings settings, Environment environment) { super(settings, environment); } - @Override - public SSLContext sslContext() { - return super.sslContext(); - } - /** * Allows to get alternative ssl context, like for the http client */ diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/PkiRealmBootstrapCheck.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/PkiRealmBootstrapCheck.java index dcc2308f9f0c1..e53b84ef0c6bd 100644 --- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/PkiRealmBootstrapCheck.java 
+++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/PkiRealmBootstrapCheck.java
@@ -17,7 +17,6 @@
 import java.util.ArrayList;
 import java.util.List;
-import java.util.Map;
 import static org.elasticsearch.xpack.core.XPackSettings.HTTP_SSL_ENABLED;
 import static org.elasticsearch.xpack.core.security.SecurityField.setting;
@@ -39,16 +38,16 @@ class PkiRealmBootstrapCheck implements BootstrapCheck {
     private List loadSslConfigurations(Settings settings) {
         final List list = new ArrayList<>();
         if (HTTP_SSL_ENABLED.get(settings)) {
-            list.add(sslService.sslConfiguration(SSLService.getHttpTransportSSLSettings(settings), Settings.EMPTY));
+            list.add(sslService.sslConfiguration(SSLService.getHttpTransportSSLSettings(settings)));
         }
         if (XPackSettings.TRANSPORT_SSL_ENABLED.get(settings)) {
             final Settings transportSslSettings = settings.getByPrefix(setting("transport.ssl."));
-            list.add(sslService.sslConfiguration(transportSslSettings, Settings.EMPTY));
+            list.add(sslService.sslConfiguration(transportSslSettings));
             settings.getGroups("transport.profiles.").values().stream()
                 .map(SecurityNetty4Transport::profileSslSettings)
-                .map(s -> sslService.sslConfiguration(s, transportSslSettings))
+                .map(sslService::sslConfiguration)
                 .forEach(list::add);
         }
diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/esnative/ESNativeRealmMigrateTool.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/esnative/ESNativeRealmMigrateTool.java
index b149fec3d3db8..a1cc140a1f8aa 100644
--- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/esnative/ESNativeRealmMigrateTool.java
+++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/esnative/ESNativeRealmMigrateTool.java
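Review bot: The profile stream in loadSslConfigurations still maps every `transport.profiles.*` group through `sslService::sslConfiguration`, including the `default` profile, which after this commit takes its configuration from `xpack.security.transport.ssl.*` rather than from its own group (the SecurityNioTransport hunk rejects SSL keys there). A default profile group without SSL keys would therefore be checked as `sslConfiguration(Settings.EMPTY)` instead of as `transportSslSettings`; whether that still reflects what the transport actually uses for the default profile is not visible here. Consider skipping it explicitly: `settings.getGroups("transport.profiles.").entrySet().stream()` / `.filter(e -> TcpTransport.DEFAULT_PROFILE.equals(e.getKey()) == false)` / `.map(e -> SecurityNetty4Transport.profileSslSettings(e.getValue()))`, importing TcpTransport if this class does not already. The rest of loadSslConfigurations continues outside the hunk.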
@@ -41,6 +41,7 @@
 import org.elasticsearch.xpack.core.common.socket.SocketAccess;
 import org.elasticsearch.xpack.core.security.authc.support.UsernamePasswordToken;
 import org.elasticsearch.xpack.core.security.authz.RoleDescriptor;
+import org.elasticsearch.xpack.core.ssl.SSLClientAuth;
 import org.elasticsearch.xpack.security.authz.store.FileRolesStore;
 import org.elasticsearch.xpack.core.ssl.SSLService;
 import org.elasticsearch.xpack.security.authc.file.FileUserPasswdStore;
@@ -67,7 +68,6 @@
 import java.util.Set;
 
 import static org.elasticsearch.common.xcontent.XContentFactory.jsonBuilder;
-import static org.elasticsearch.xpack.core.security.SecurityField.setting;
 
 /**
  * This is the command-line tool used for migrating users and roles from the file-based realm into the new native realm using the API for
@@ -148,12 +148,19 @@ private String postURL(Settings settings, Environment env, String method, String
         HttpURLConnection conn;
         // If using SSL, need a custom service because it's likely a self-signed certificate
         if ("https".equalsIgnoreCase(uri.getScheme())) {
-            Settings sslSettings = settings.getByPrefix(setting("http.ssl."));
+            final Settings sslSettings;
+            if (settings.hasValue("xpack.security.http.ssl.client_authentication") == false) {
+                sslSettings = Settings.builder().put(settings)
+                    .put("xpack.security.http.ssl.client_authenticatiopn", SSLClientAuth.NONE)
+                    .build();
+            } else {
+                sslSettings = settings;
+            }
             final SSLService sslService = new SSLService(settings, env);
             final HttpsURLConnection httpsConn = (HttpsURLConnection) url.openConnection();
             AccessController.doPrivileged((PrivilegedAction) () -> {
                 // Requires permission java.lang.RuntimePermission "setFactory";
-                httpsConn.setSSLSocketFactory(sslService.sslSocketFactory(sslSettings));
+                httpsConn.setSSLSocketFactory(sslService.sslSocketFactory(sslSettings.getByPrefix("xpack.security.http.ssl.")));
                 return null;
             });
             conn = httpsConn;
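Review bot: The default added in postURL is written under the misspelled key `xpack.security.http.ssl.client_authenticatiopn`, so when `xpack.security.http.ssl.client_authentication` is absent the intended `SSLClientAuth.NONE` default never takes effect and an unknown `client_authenticatiopn` key is passed on through `sslSettings.getByPrefix("xpack.security.http.ssl.")` instead. The line should read `.put("xpack.security.http.ssl.client_authentication", SSLClientAuth.NONE)`. Note also that the `SSLService` on the following line is still constructed from the original `settings` rather than from `sslSettings`; whether the service needs the default at construction time is not visible here, so it is worth confirming that the socket-factory path honours it. postURL continues outside the hunk.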
diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/esnative/tool/CommandLineHttpClient.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/esnative/tool/CommandLineHttpClient.java index f14911402d60f..9a53ef635f869 100644 --- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/esnative/tool/CommandLineHttpClient.java +++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/esnative/tool/CommandLineHttpClient.java @@ -89,8 +89,7 @@ public HttpResponse execute(String method, URL url, String user, SecureString pa final Settings sslSettings = SSLService.getHttpTransportSSLSettings(settings); // Requires permission java.lang.RuntimePermission "setFactory"; httpsConn.setSSLSocketFactory(sslService.sslSocketFactory(sslSettings)); - final boolean isHostnameVerificationEnabled = - sslService.getVerificationMode(sslSettings, Settings.EMPTY).isHostnameVerificationEnabled(); + final boolean isHostnameVerificationEnabled = sslService.getVerificationMode(sslSettings).isHostnameVerificationEnabled(); if (isHostnameVerificationEnabled == false) { httpsConn.setHostnameVerifier((hostname, session) -> true); } diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/ldap/support/SessionFactory.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/ldap/support/SessionFactory.java index aabea2eb854e7..df30129c35cb4 100644 --- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/ldap/support/SessionFactory.java +++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/ldap/support/SessionFactory.java 
@@ -141,8 +141,7 @@ protected static LDAPConnectionOptions connectionOptions(RealmConfig config, sslConfigurationSettings.verificationMode.getKey() + "] may not be used at the same time"); } else if (verificationModeExists) { - VerificationMode verificationMode = sslService.getVerificationMode(realmSSLSettings, - Settings.EMPTY); + VerificationMode verificationMode = sslService.getVerificationMode(realmSSLSettings); if (verificationMode == VerificationMode.FULL) { options.setSSLSocketVerifier(new HostNameSSLSocketVerifier(true)); } diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/saml/SamlRealm.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/saml/SamlRealm.java index d7d231af68002..1afa6805dda2c 100644 --- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/saml/SamlRealm.java +++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/saml/SamlRealm.java @@ -496,7 +496,7 @@ private static Tuple initializeProfileFilters(Destructiv Settings profileSettings = entry.getValue(); final Settings profileSslSettings = SecurityNetty4Transport.profileSslSettings(profileSettings); final boolean extractClientCert = transportSSLEnabled && - sslService.isSSLClientAuthEnabled(profileSslSettings, transportSSLSettings); + sslService.isSSLClientAuthEnabled(profileSslSettings); String type = TRANSPORT_TYPE_SETTING_TEMPLATE.apply(TRANSPORT_TYPE_SETTING_KEY).get(entry.getValue()); switch (type) { case "client": diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/transport/netty4/SecurityNetty4HttpServerTransport.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/transport/netty4/SecurityNetty4HttpServerTransport.java index 5b4543ccaf275..42dd7769a7e27 100644 --- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/transport/netty4/SecurityNetty4HttpServerTransport.java 
+++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/transport/netty4/SecurityNetty4HttpServerTransport.java @@ -45,7 +45,7 @@ public SecurityNetty4HttpServerTransport(Settings settings, NetworkService netwo this.sslSettings = SSLService.getHttpTransportSSLSettings(settings); this.sslService = sslService; if (ssl) { - this.sslConfiguration = sslService.sslConfiguration(sslSettings, Settings.EMPTY); + this.sslConfiguration = sslService.sslConfiguration(sslSettings); if (sslService.isConfigurationValidForServerUsage(sslConfiguration) == false) { throw new IllegalArgumentException("a key must be provided to run as a server. the key should be configured using the " + "[xpack.security.http.ssl.key] or [xpack.security.http.ssl.keystore.path] setting"); diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/transport/nio/SecurityNioTransport.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/transport/nio/SecurityNioTransport.java index 7773404762eb1..2ec57ceb51b89 100644 --- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/transport/nio/SecurityNioTransport.java +++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/transport/nio/SecurityNioTransport.java 
@@ -67,19 +67,29 @@ public class SecurityNioTransport extends NioTransport {
         this.sslEnabled = XPackSettings.TRANSPORT_SSL_ENABLED.get(settings);
         final Settings transportSSLSettings = settings.getByPrefix(setting("transport.ssl."));
         if (sslEnabled) {
-            this.sslConfiguration = sslService.sslConfiguration(transportSSLSettings, Settings.EMPTY);
+            this.sslConfiguration = sslService.sslConfiguration(transportSSLSettings);
             Map profileSettingsMap = settings.getGroups("transport.profiles.", true);
             Map profileConfiguration = new HashMap<>(profileSettingsMap.size() + 1);
             for (Map.Entry entry : profileSettingsMap.entrySet()) {
                 Settings profileSettings = entry.getValue();
                 final Settings profileSslSettings = SecurityNetty4Transport.profileSslSettings(profileSettings);
-                SSLConfiguration configuration = sslService.sslConfiguration(profileSslSettings, transportSSLSettings);
+                if (entry.getKey().equals(TcpTransport.DEFAULT_PROFILE)) {
+                    // don't attempt to parse ssl settings from the profile;
+                    // profiles need to be killed with fire
+                    if (profileSslSettings.isEmpty()) {
+                        continue;
+                    } else {
+                        throw new IllegalArgumentException("SSL settings should not be configured for the default profile. " +
+                            "Use the [xpack.security.transport.ssl] settings instead.");
+                    }
+                }
+
+                SSLConfiguration configuration = sslService.sslConfiguration(profileSslSettings);
                 profileConfiguration.put(entry.getKey(), configuration);
             }
-            if (profileConfiguration.containsKey(TcpTransport.DEFAULT_PROFILE) == false) {
-                profileConfiguration.put(TcpTransport.DEFAULT_PROFILE, sslConfiguration);
-            }
+            assert profileConfiguration.containsKey(TcpTransport.DEFAULT_PROFILE) == false;
+            profileConfiguration.put(TcpTransport.DEFAULT_PROFILE, sslConfiguration);
             this.profileConfiguration = Collections.unmodifiableMap(profileConfiguration);
         } else {
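Review bot: The new comment `// profiles need to be killed with fire` in the profile loop does not tell the next reader why SSL settings on the default profile are rejected; a why-comment would, e.g. `// the default profile takes its SSL configuration from xpack.security.transport.ssl.*; settings under transport.profiles.default.* would silently diverge from it, so reject them`. The `assert profileConfiguration.containsKey(TcpTransport.DEFAULT_PROFILE) == false` that follows is already guaranteed by the `continue`/throw above and is fine as a cheap invariant. The diffstat shows a change of the same size in SecurityNetty4Transport; if that class carries the same default-profile check, a shared static helper would keep the two transports from drifting apart. The enclosing constructor starts and ends outside the hunk.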
diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/test/SecuritySettingsSource.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/test/SecuritySettingsSource.java index 2f1123a9461de..3e1d601efffb0 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/test/SecuritySettingsSource.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/test/SecuritySettingsSource.java @@ -148,7 +148,7 @@ public Path nodeConfigPath(int nodeOrdinal) { public Settings transportClientSettings() { Settings superSettings = super.transportClientSettings(); Settings.Builder builder = Settings.builder().put(superSettings); - addClientSSLSettings(builder, ""); + addClientSSLSettings(builder, "xpack.security.transport."); addDefaultSecurityTransportType(builder, superSettings); if (randomBoolean()) { @@ -209,7 +209,7 @@ protected SecureString transportClientPassword() { private void addNodeSSLSettings(Settings.Builder builder) { if (sslEnabled) { if (usePEM) { - addSSLSettingsForPEMFiles(builder, "", + addSSLSettingsForPEMFiles(builder, "xpack.security.transport.", "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.pem", "testnode", "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt", Arrays.asList("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode-client-profile.crt", 
@@ -217,11 +217,12 @@ private void addNodeSSLSettings(Settings.Builder builder) {
                         "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testclient.crt",
                         "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/openldap.crt",
                         "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt"),
-                    sslEnabled, hostnameVerificationEnabled, false);
+                    true, hostnameVerificationEnabled, false);
             } else {
-                addSSLSettingsForStore(builder, "", "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.jks",
-                    "testnode", sslEnabled, hostnameVerificationEnabled, false);
+                addSSLSettingsForStore(builder, "xpack.security.transport.",
+                    "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.jks", "testnode",
+                    true, hostnameVerificationEnabled, false);
             }
         } else if (randomBoolean()) {
             builder.put(XPackSettings.TRANSPORT_SSL_ENABLED.getKey(), false);
@@ -248,8 +249,8 @@ public void addClientSSLSettings(Settings.Builder builder, String prefix) {
      * @param resourcePathToStore the location of the keystore or truststore
      * @param password the password
      */
-    public static void addSSLSettingsForStore(Settings.Builder builder, String resourcePathToStore, String password) {
-        addSSLSettingsForStore(builder, "", resourcePathToStore, password, true, true, true);
+    public static void addSSLSettingsForStore(Settings.Builder builder, String resourcePathToStore, String password, String prefix) {
+        addSSLSettingsForStore(builder, prefix, resourcePathToStore, password, true, true, true);
     }
 
     private static void addSSLSettingsForStore(Settings.Builder builder, String prefix, String resourcePathToStore, String password,
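Review bot: The public addSSLSettingsForStore overload gains `prefix` as its last parameter while the private overload it delegates to takes `prefix` second, and the Javadoc above it (`@param resourcePathToStore`, `@param password`) is not updated for the new parameter. Add `@param prefix the settings prefix under which the {@code ssl.*} keys are written, e.g. {@code "xpack.security.transport."}` and consider giving `prefix` the same position in both signatures, since `password` and `prefix` are both plain Strings and are easy to swap at a call site. The Javadoc block starts outside the hunk.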
@@ -258,28 +259,30 @@ private static void addSSLSettingsForStore(Settings.Builder builder, String pref
         Path store = resolveResourcePath(resourcePathToStore);
         if (transportClient == false) {
-            builder.put(prefix + "xpack.security.http.ssl.enabled", false);
+            builder.put("xpack.security.http.ssl.enabled", false);
         }
         builder.put(XPackSettings.TRANSPORT_SSL_ENABLED.getKey(), sslEnabled);
-        builder.put(prefix + "xpack.ssl.verification_mode", hostnameVerificationEnabled ? "full" : "certificate");
-        builder.put(prefix + "xpack.ssl.keystore.path", store);
+        builder.put(prefix + "ssl.verification_mode", hostnameVerificationEnabled ? "full" : "certificate");
+        builder.put(prefix + "ssl.keystore.path", store);
         if (transportClient) {
             // continue using insecure settings for clients until we figure out what to do there...
-            builder.put(prefix + "xpack.ssl.keystore.password", password);
+            builder.put(prefix + "ssl.keystore.password", password);
         } else {
+            final String finalPrefix = prefix;
             addSecureSettings(builder, secureSettings ->
-                secureSettings.setString(prefix + "xpack.ssl.keystore.secure_password", password));
+                secureSettings.setString(finalPrefix + "ssl.keystore.secure_password", password));
         }
         if (randomBoolean()) {
-            builder.put(prefix + "xpack.ssl.truststore.path", store);
+            builder.put(prefix + "ssl.truststore.path", store);
             if (transportClient) {
                 // continue using insecure settings for clients until we figure out what to do there...
-                builder.put(prefix + "xpack.ssl.truststore.password", password);
+                builder.put(prefix + "ssl.truststore.password", password);
             } else {
+                final String finalPrefix = prefix;
                 addSecureSettings(builder, secureSettings ->
-                    secureSettings.setString(prefix + "xpack.ssl.truststore.secure_password", password));
+                    secureSettings.setString(finalPrefix + "ssl.truststore.secure_password", password));
             }
         }
     }
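Review bot: The two `final String finalPrefix = prefix;` copies added in the private addSSLSettingsForStore are only needed if `prefix` is reassigned somewhere in the method; nothing in the hunk reassigns it, and the hunk begins just after the signature, so unless the few lines between signature and hunk do, `prefix` is already effectively final and the lambdas can use it directly, e.g. `secureSettings.setString(prefix + "ssl.keystore.secure_password", password)`. If a reassignment does exist, one copy at the top of the method would serve both lambdas. The method's signature lies outside the hunk.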
@@ -289,23 +292,27 @@ private static void addSSLSettingsForPEMFiles(Settings.Builder builder, String p
                                                   boolean hostnameVerificationEnabled, boolean transportClient) {
         if (transportClient == false) {
-            builder.put(prefix + "xpack.security.http.ssl.enabled", false);
+            builder.put("xpack.security.http.ssl.enabled", false);
         }
         builder.put(XPackSettings.TRANSPORT_SSL_ENABLED.getKey(), sslEnabled);
-        builder.put(prefix + "xpack.ssl.verification_mode", hostnameVerificationEnabled ? "full" : "certificate");
-        builder.put(prefix + "xpack.ssl.key", resolveResourcePath(keyPath))
-            .put(prefix + "xpack.ssl.certificate", resolveResourcePath(certificatePath));
+        if (prefix.equals("")) {
+            prefix = "xpack.";
+        }
+        builder.put(prefix + "ssl.verification_mode", hostnameVerificationEnabled ? "full" : "certificate");
+        builder.put(prefix + "ssl.key", resolveResourcePath(keyPath))
+            .put(prefix + "ssl.certificate", resolveResourcePath(certificatePath));
         if (transportClient) {
             // continue using insecure settings for clients until we figure out what to do there...
-            builder.put(prefix + "xpack.ssl.key_passphrase", password);
+            builder.put(prefix + "ssl.key_passphrase", password);
         } else {
+            final String finalPrefix = prefix;
             addSecureSettings(builder, secureSettings ->
-                secureSettings.setString(prefix + "xpack.ssl.secure_key_passphrase", password));
+                secureSettings.setString(finalPrefix + "ssl.secure_key_passphrase", password));
         }
         if (trustedCertificates.isEmpty() == false) {
-            builder.put(prefix + "xpack.ssl.certificate_authorities",
+            builder.put(prefix + "ssl.certificate_authorities",
                 Strings.arrayToCommaDelimitedString(resolvePathsToString(trustedCertificates)));
         }
     }
diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/PkiRealmBootstrapCheckTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/PkiRealmBootstrapCheckTests.java
index 5610da6f75c6b..278c079fcbc64 100644
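Review bot: `if (prefix.equals("")) { prefix = "xpack."; }` in addSSLSettingsForPEMFiles quietly reinstates the global `xpack.ssl.*` prefix this commit removes, so a caller that still passes `""` ends up with key/certificate settings that no longer configure anything, and the store variant in the previous hunk has no such fallback. Replace it with an explicit failure, e.g. `if (prefix.isEmpty()) { throw new IllegalArgumentException("an SSL settings prefix such as \"xpack.security.transport.\" is required"); }`, or drop the branch if every caller has been migrated (not all callers are visible here). Removing the reassignment also makes the `finalPrefix` copy unnecessary, since `prefix` then stays effectively final. The method's signature starts outside the hunk.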
--- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/PkiRealmBootstrapCheckTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/PkiRealmBootstrapCheckTests.java @@ -38,15 +38,9 @@ public void testBootstrapCheckWithPkiRealm() throws Exception { .build(); assertFalse(runCheck(settings, env).isFailure()); - // disable client auth default - settings = Settings.builder().put(settings) - .put("xpack.ssl.client_authentication", "none") - .build(); - env = TestEnvironment.newEnvironment(settings); - assertTrue(runCheck(settings, env).isFailure()); - // enable ssl for http settings = Settings.builder().put(settings) + .put("xpack.security.transport.ssl.enabled", false) .put("xpack.security.http.ssl.enabled", true) .build(); env = TestEnvironment.newEnvironment(settings); @@ -75,6 +69,7 @@ public void testBootstrapCheckWithPkiRealm() throws Exception { // test with transport profile settings = Settings.builder().put(settings) + .put("xpack.security.transport.ssl.enabled", true) .put("xpack.security.transport.client_authentication", "none") .put("transport.profiles.foo.xpack.security.ssl.client_authentication", randomFrom("required", "optional")) .build(); diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/audit/index/IndexAuditTrailTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/audit/index/IndexAuditTrailTests.java index a1e8cc3c4e993..d057f519ca923 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/audit/index/IndexAuditTrailTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/audit/index/IndexAuditTrailTests.java 
@@ -229,7 +229,7 @@ protected void addDefaultSecurityTransportType(Settings.Builder builder, Setting SecuritySettingsSourceField.TEST_PASSWORD); if (remoteUseSSL) { - cluster2SettingsSource.addClientSSLSettings(builder, "xpack.security.audit.index.client."); + cluster2SettingsSource.addClientSSLSettings(builder, "xpack.security.audit.index.client.xpack.security.transport."); builder.put("xpack.security.audit.index.client.xpack.security.transport.ssl.enabled", true); } if (useSecurity == false && builder.get(NetworkModule.TRANSPORT_TYPE_KEY) == null) { diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/audit/index/RemoteIndexAuditTrailStartingTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/audit/index/RemoteIndexAuditTrailStartingTests.java index 5b90b2e1e4609..a0985f18847a8 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/audit/index/RemoteIndexAuditTrailStartingTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/audit/index/RemoteIndexAuditTrailStartingTests.java @@ -111,7 +111,7 @@ public Settings nodeSettings(int nodeOrdinal) { .put("xpack.security.audit.index.settings.index.number_of_shards", 1) .put("xpack.security.audit.index.settings.index.number_of_replicas", 0); - addClientSSLSettings(builder, "xpack.security.audit.index.client."); + addClientSSLSettings(builder, "xpack.security.audit.index.client.xpack.security.transport."); builder.put("xpack.security.audit.index.client.xpack.security.transport.ssl.enabled", sslEnabled); return builder.build(); } diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/esnative/ESNativeMigrateToolTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/esnative/ESNativeMigrateToolTests.java index ebe6b6abf1860..2e12a6423078a 100644 
--- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/esnative/ESNativeMigrateToolTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/esnative/ESNativeMigrateToolTests.java @@ -13,7 +13,6 @@ import org.elasticsearch.common.settings.Settings; import org.elasticsearch.env.Environment; import org.elasticsearch.test.NativeRealmIntegTestCase; -import org.elasticsearch.test.SecuritySettingsSource; import org.elasticsearch.xpack.core.security.authc.support.CharArrays; import org.elasticsearch.xpack.core.security.client.SecurityClient; import org.elasticsearch.xpack.security.SecurityLifecycleService; @@ -24,6 +23,7 @@ import java.util.HashSet; import java.util.Set; +import static org.elasticsearch.test.SecuritySettingsSource.addSSLSettingsForStore; import static org.hamcrest.Matchers.is; /** @@ -42,12 +42,15 @@ public static void setSSL() { @Override public Settings nodeSettings(int nodeOrdinal) { logger.info("--> use SSL? {}", useSSL); - Settings s = Settings.builder() + Settings.Builder builder = Settings.builder() .put(super.nodeSettings(nodeOrdinal)) - .put(NetworkModule.HTTP_ENABLED.getKey(), true) - .put("xpack.security.http.ssl.enabled", useSSL) - .build(); - return s; + .put(NetworkModule.HTTP_ENABLED.getKey(), true); + addSSLSettingsForStore(builder, "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.jks", "testnode", + "xpack.security.http."); + builder.put("xpack.security.http.ssl.enabled", useSSL); + builder.put("xpack.security.http.ssl.client_authentication", "none"); + builder.put("xpack.security.transport.ssl.enabled", useSSL); + return builder.build(); } @Override 
@@ -71,7 +74,7 @@ public void testRetrieveUsers() throws Exception { SecurityClient c = new SecurityClient(client()); logger.error("--> creating users"); int numToAdd = randomIntBetween(1,10); - Set addedUsers = new HashSet(numToAdd); + Set addedUsers = new HashSet<>(numToAdd); for (int i = 0; i < numToAdd; i++) { String uname = randomAlphaOfLength(5); c.preparePutUser(uname, "s3kirt".toCharArray(), "role1", "user").get(); @@ -88,9 +91,10 @@ public void testRetrieveUsers() throws Exception { Settings.Builder builder = Settings.builder() .put("path.home", home) - .put("path.conf", conf.toString()); - SecuritySettingsSource.addSSLSettingsForStore(builder, - "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.jks", "testnode"); + .put("path.conf", conf.toString()) + .put("xpack.security.http.ssl.client_authentication", "none"); + addSSLSettingsForStore(builder, + "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.jks", "testnode", "xpack.security.http."); Settings settings = builder.build(); logger.error("--> retrieving users using URL: {}, home: {}", url, home); 
@@ -130,9 +134,11 @@ public void testRetrieveRoles() throws Exception { String password = new String(CharArrays.toUtf8Bytes(nodeClientPassword().getChars()), StandardCharsets.UTF_8); String url = getHttpURL(); ESNativeRealmMigrateTool.MigrateUserOrRoles muor = new ESNativeRealmMigrateTool.MigrateUserOrRoles(); - Settings.Builder builder = Settings.builder().put("path.home", home); - SecuritySettingsSource.addSSLSettingsForStore(builder, - "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testclient.jks", "testclient"); + Settings.Builder builder = Settings.builder() + .put("path.home", home) + .put("xpack.security.http.ssl.client_authentication", "none"); + addSSLSettingsForStore(builder, + "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testclient.jks", "testclient", "xpack.security.http."); Settings settings = builder.build(); logger.error("--> retrieving roles using URL: {}, home: {}", url, home); diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/esnative/tool/CommandLineHttpClientTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/esnative/tool/CommandLineHttpClientTests.java index d127a45d53249..5d011335b83f2 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/esnative/tool/CommandLineHttpClientTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/esnative/tool/CommandLineHttpClientTests.java @@ -5,7 +5,6 @@ */ package org.elasticsearch.xpack.security.authc.esnative.tool; -import org.bouncycastle.operator.OperatorCreationException; import org.bouncycastle.util.io.Streams; import org.elasticsearch.common.settings.MockSecureSettings; import org.elasticsearch.common.settings.SecureString; 
@@ -27,12 +26,6 @@ import java.net.URL; import java.nio.charset.StandardCharsets; import java.nio.file.Path; -import java.security.KeyStoreException; -import java.security.NoSuchAlgorithmException; -import java.security.UnrecoverableKeyException; -import java.security.cert.CertificateException; - -import javax.security.auth.DestroyFailedException; /** * This class tests {@link CommandLineHttpClient} For extensive tests related to 
@@ -58,19 +51,10 @@ public void shutdown() throws Exception { public void testCommandLineHttpClientCanExecuteAndReturnCorrectResultUsingSSLSettings() throws Exception { Path resource = getDataPath("/org/elasticsearch/xpack/security/keystore/testnode.jks"); MockSecureSettings secureSettings = new MockSecureSettings(); - Settings settings; - if (randomBoolean()) { - // with http ssl settings - secureSettings.setString("xpack.security.http.ssl.truststore.secure_password", "testnode"); - settings = Settings.builder().put("xpack.security.http.ssl.truststore.path", resource.toString()) - .put("xpack.security.http.ssl.verification_mode", VerificationMode.CERTIFICATE).setSecureSettings(secureSettings) - .build(); - } else { - // with global settings - secureSettings.setString("xpack.ssl.truststore.secure_password", "testnode"); - settings = Settings.builder().put("xpack.ssl.truststore.path", resource.toString()) - .put("xpack.ssl.verification_mode", VerificationMode.CERTIFICATE).setSecureSettings(secureSettings).build(); - } + secureSettings.setString("xpack.security.http.ssl.truststore.secure_password", "testnode"); + Settings settings = Settings.builder().put("xpack.security.http.ssl.truststore.path", resource.toString()) + .put("xpack.security.http.ssl.verification_mode", VerificationMode.CERTIFICATE).setSecureSettings(secureSettings) + .build(); CommandLineHttpClient client = new CommandLineHttpClient(settings, environment); HttpResponse httpResponse = client.execute("GET", new URL("https://localhost:" + webServer.getPort() + "/test"), "u1", new SecureString(new char[] { 'p' }), () -> null, is -> responseBuilder(is)); 
@@ -80,15 +64,16 @@ public void testCommandLineHttpClientCanExecuteAndReturnCorrectResultUsingSSLSet assertEquals("Http response body does not match", "complete", httpResponse.getResponseBody().get("test")); } - private MockWebServer createMockWebServer() throws IOException, UnrecoverableKeyException, CertificateException, - NoSuchAlgorithmException, KeyStoreException, OperatorCreationException, DestroyFailedException { + private MockWebServer createMockWebServer() { Path resource = getDataPath("/org/elasticsearch/xpack/security/keystore/testnode.jks"); MockSecureSettings secureSettings = new MockSecureSettings(); - secureSettings.setString("xpack.ssl.keystore.secure_password", "testnode"); - Settings settings = - Settings.builder().put("xpack.ssl.keystore.path", resource.toString()).setSecureSettings(secureSettings).build(); + secureSettings.setString("xpack.security.http.ssl.keystore.secure_password", "testnode"); + Settings settings = Settings.builder().put("xpack.security.http.ssl.keystore.path", resource.toString()) + .put("xpack.security.http.ssl.client_authentication", "none") + .setSecureSettings(secureSettings) + .build(); TestsSSLService sslService = new TestsSSLService(settings, environment); - return new MockWebServer(sslService.sslContext(), false); + return new MockWebServer(sslService.sslContext(settings.getByPrefix("xpack.security.http.ssl.")), false); } private HttpResponseBuilder responseBuilder(final InputStream is) throws IOException { diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/pki/PkiAuthenticationTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/pki/PkiAuthenticationTests.java index e64a06d435fc1..b0031468300ac 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/pki/PkiAuthenticationTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/pki/PkiAuthenticationTests.java 
@@ -70,6 +70,8 @@ protected Settings nodeSettings() { SecuritySettingsSource.addSecureSettings(builder, secureSettings -> secureSettings.setString("xpack.security.authc.realms.pki1.truststore.secure_password", "truststore-testnode-only")); + addSSLSettingsForStore(builder, "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.jks", "testnode", + "xpack.security.http."); return builder.build(); } @@ -87,7 +89,8 @@ protected boolean enableWarningsCheck() { public void testTransportClientCanAuthenticateViaPki() { Settings.Builder builder = Settings.builder(); - addSSLSettingsForStore(builder, "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.jks", "testnode"); + addSSLSettingsForStore(builder, "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.jks", "testnode", + "xpack.security.transport."); try (TransportClient client = createTransportClient(builder.build())) { client.addTransportAddress(randomFrom(node().injector().getInstance(Transport.class).boundAddress().boundAddresses())); IndexResponse response = client.prepareIndex("foo", "bar").setSource("pki", "auth").get(); @@ -152,8 +155,8 @@ private SSLContext getRestSSLContext(String keystoreResourcePath, String passwor private TransportClient createTransportClient(Settings additionalSettings) { Settings clientSettings = transportClientSettings(); - if (additionalSettings.getByPrefix("xpack.ssl.").isEmpty() == false) { - clientSettings = clientSettings.filter(k -> k.startsWith("xpack.ssl.") == false); + if (additionalSettings.getByPrefix("xpack.security.transport.ssl.").isEmpty() == false) { + clientSettings = clientSettings.filter(k -> k.startsWith("xpack.security.transport.ssl.") == false); } Settings.Builder builder = Settings.builder().put(clientSettings, false) 
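Review bot: The filter in createTransportClient hard-codes the literal `"xpack.security.transport.ssl."` twice (once for `getByPrefix`, once for `startsWith`), and the same literal is repeated as a filter predicate in the DNSOnlyHostnameVerificationTests, IPHostnameVerificationTests and SslHostnameVerificationTests sections of this patch. A shared constant on the test base, e.g. `static final String TRANSPORT_SSL_PREFIX = "xpack.security.transport.ssl.";`, would make any future prefix change a one-line edit and keep the `getByPrefix`/`startsWith` pairs from drifting apart. createTransportClient's body continues outside the hunk.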
diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/pki/PkiOptionalClientAuthTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/pki/PkiOptionalClientAuthTests.java index 720ab17aedb45..0ce873b6d86f6 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/pki/PkiOptionalClientAuthTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/pki/PkiOptionalClientAuthTests.java @@ -49,6 +49,9 @@ protected Settings nodeSettings() { .put(NetworkModule.HTTP_ENABLED.getKey(), true) .put("xpack.security.http.ssl.enabled", true) .put("xpack.security.http.ssl.client_authentication", SSLClientAuth.OPTIONAL) + .put("xpack.security.http.ssl.keystore.path", + getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.jks")) + .put("xpack.security.http.ssl.keystore.password", "testnode") .put("xpack.security.authc.realms.file.type", "file") .put("xpack.security.authc.realms.file.order", "0") .put("xpack.security.authc.realms.pki1.type", "pki") @@ -58,6 +61,9 @@ protected Settings nodeSettings() { .put("xpack.security.authc.realms.pki1.files.role_mapping", getDataPath("role_mapping.yml")) .put("transport.profiles.want_client_auth.port", randomClientPortRange) .put("transport.profiles.want_client_auth.bind_host", "localhost") + .put("transport.profiles.want_client_auth.xpack.security.ssl.keystore.path", + getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.jks")) + .put("transport.profiles.want_client_auth.xpack.security.ssl.keystore.password", "testnode") .put("transport.profiles.want_client_auth.xpack.security.ssl.client_authentication", SSLClientAuth.OPTIONAL); SecuritySettingsSource.addSecureSettings(builder, secureSettings -> 
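Review bot: Both added keystore passwords in nodeSettings are plain settings (`xpack.security.http.ssl.keystore.password` and `transport.profiles.want_client_auth.xpack.security.ssl.keystore.password`) even though a `SecuritySettingsSource.addSecureSettings(builder, secureSettings ->` block sits immediately below, and the other test files in this patch (e.g. SecurityNetty4HttpServerTransportTests) put the same store password through `keystore.secure_password`. Moving them into that lambda, e.g. `secureSettings.setString("xpack.security.http.ssl.keystore.secure_password", "testnode")`, keeps the tests consistent and avoids exercising the non-secure password path here. The lambda body is outside the hunk, so I cannot tell whether it already sets these; worth checking before adding.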
diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/saml/SamlRealmTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/saml/SamlRealmTests.java index fdcf720bf2606..da7e6e61dc056 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/saml/SamlRealmTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/saml/SamlRealmTests.java @@ -111,15 +111,16 @@ public void testReadIdpMetadataFromHttps() throws Exception { final Path path = getDataPath("idp1.xml"); final String body = new String(Files.readAllBytes(path), StandardCharsets.UTF_8); final MockSecureSettings mockSecureSettings = new MockSecureSettings(); - mockSecureSettings.setString("xpack.ssl.keystore.secure_password", "testnode"); + mockSecureSettings.setString("xpack.security.transport.ssl.keystore.secure_password", "testnode"); final Settings settings = Settings.builder() - .put("xpack.ssl.keystore.path", + .put("xpack.security.transport.ssl.keystore.path", getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.jks")) .put("path.home", createTempDir()) .setSecureSettings(mockSecureSettings) .build(); TestsSSLService sslService = new TestsSSLService(settings, TestEnvironment.newEnvironment(settings)); - try (MockWebServer proxyServer = new MockWebServer(sslService.sslContext(Settings.EMPTY), false)) { + try (MockWebServer proxyServer = + new MockWebServer(sslService.sslContext(settings.getByPrefix("xpack.security.transport.ssl.")), false)) { proxyServer.start(); proxyServer.enqueue(new MockResponse().setResponseCode(200).setBody(body).addHeader("Content-Type", "application/xml")); proxyServer.enqueue(new MockResponse().setResponseCode(200).setBody(body).addHeader("Content-Type", "application/xml")); 
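Review bot: The mock IdP metadata server in testReadIdpMetadataFromHttps now builds its SSLContext from the `xpack.security.transport.ssl.` slice, although nothing in this test is transport-layer; with the fallback gone any prefix works as long as the same one is handed to `sslContext(...)` via `getByPrefix`, but a reader will likely assume the prefix is meaningful. A one-line comment above the `final Settings settings = Settings.builder()` line, such as `// the prefix is arbitrary here: these keys only feed the mock server's SSLContext via getByPrefix below`, would prevent someone "correcting" it to a realm prefix and breaking the `getByPrefix` call.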
diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/ServerTransportFilterIntegrationTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/ServerTransportFilterIntegrationTests.java index 0964bc5a45df7..2deae8b54e0c8 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/ServerTransportFilterIntegrationTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/ServerTransportFilterIntegrationTests.java @@ -32,7 +32,6 @@ import org.elasticsearch.xpack.core.XPackSettings; import org.elasticsearch.xpack.core.security.SecurityField; import org.elasticsearch.xpack.core.security.authc.file.FileRealmSettings; -import org.elasticsearch.xpack.core.ssl.SSLClientAuth; import org.elasticsearch.xpack.security.LocalStateSecurity; import org.junit.BeforeClass; 
@@ -66,30 +65,24 @@ protected Settings nodeSettings(int nodeOrdinal) { Settings.Builder settingsBuilder = Settings.builder(); String randomClientPortRange = randomClientPort + "-" + (randomClientPort+100); - Path store; - try { - store = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.jks"); - assertThat(Files.exists(store), is(true)); - } catch (Exception e) { - throw new RuntimeException(e); - } + Path store = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.jks"); + assertThat(Files.exists(store), is(true)); settingsBuilder.put(super.nodeSettings(nodeOrdinal)) - .put("transport.profiles.client.xpack.security.ssl.truststore.path", store) // settings for client truststore - .put("xpack.ssl.client_authentication", SSLClientAuth.REQUIRED) - .put("transport.profiles.client.xpack.security.type", "client") - .put("transport.profiles.client.port", randomClientPortRange) - // make sure this is "localhost", no matter if ipv4 or ipv6, but be consistent - .put("transport.profiles.client.bind_host", "localhost") - .put("xpack.security.audit.enabled", false) - .put(XPackSettings.WATCHER_ENABLED.getKey(), false) - .put(TestZenDiscovery.USE_MOCK_PINGS.getKey(), false); + .put("transport.profiles.client.xpack.security.ssl.keystore.path", store) // settings for client keystore + .put("transport.profiles.client.xpack.security.type", "client") + .put("transport.profiles.client.port", randomClientPortRange) + // make sure this is "localhost", no matter if ipv4 or ipv6, but be consistent + .put("transport.profiles.client.bind_host", "localhost") + .put("xpack.security.audit.enabled", false) + .put(XPackSettings.WATCHER_ENABLED.getKey(), false) + .put(TestZenDiscovery.USE_MOCK_PINGS.getKey(), false); if (randomBoolean()) { settingsBuilder.put("transport.profiles.default.xpack.security.type", "node"); // this is default lets set it randomly } SecuritySettingsSource.addSecureSettings(settingsBuilder, secureSettings -> 
- secureSettings.setString("transport.profiles.client.xpack.security.ssl.truststore.secure_password", "testnode")); + secureSettings.setString("transport.profiles.client.xpack.security.ssl.keystore.secure_password", "testnode")); return settingsBuilder.build(); } @@ -118,7 +111,8 @@ public void testThatConnectionToServerTypeConnectionWorks() throws IOException, .put(Node.NODE_MASTER_SETTING.getKey(), false) .put(TestZenDiscovery.USE_MOCK_PINGS.getKey(), false); //.put("xpack.ml.autodetect_process", false); - addSSLSettingsForStore(nodeSettings, "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.jks", "testnode"); + addSSLSettingsForStore(nodeSettings, "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.jks", "testnode", + "xpack.security.transport."); try (Node node = new MockNode(nodeSettings.build(), Arrays.asList(LocalStateSecurity.class, TestZenDiscovery.TestPlugin.class))) { node.start(); ensureStableCluster(cluster().size() + 1); @@ -156,7 +150,8 @@ public void testThatConnectionToClientTypeConnectionIsRejected() throws IOExcept .put(Node.NODE_MASTER_SETTING.getKey(), false) .put(TestZenDiscovery.USE_MOCK_PINGS.getKey(), false); //.put("xpack.ml.autodetect_process", false); - addSSLSettingsForStore(nodeSettings, "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.jks", "testnode"); + addSSLSettingsForStore(nodeSettings, "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.jks", "testnode", + "xpack.security.transport."); try (Node node = new MockNode(nodeSettings.build(), Arrays.asList(LocalStateSecurity.class, TestZenDiscovery.TestPlugin.class))) { node.start(); TransportService instance = node.injector().getInstance(TransportService.class); 
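Review bot: The nodeSettings hunk (starting in the previous physical line) drops `xpack.ssl.client_authentication` = `SSLClientAuth.REQUIRED` without adding a per-profile replacement, so whether the `client` profile still demands a client certificate now depends on the default applied to `transport.profiles.client.xpack.security.ssl.*`. If the default is `required` this is behavior-preserving; if not, the profile silently becomes more permissive than before. Either way an explicit `.put("transport.profiles.client.xpack.security.ssl.client_authentication", "required")` (the `SSLClientAuth` import was removed in this file's first hunk) or a comment stating that the default is relied upon would make the intent visible. The switch from `truststore.path` to `keystore.path` for the profile looks deliberate given the secure_password rename in this line, but the trailing comment `// settings for client keystore` is the only hint; worth a word on why the profile now needs a key rather than only trust material.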
diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/netty4/DNSOnlyHostnameVerificationTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/netty4/DNSOnlyHostnameVerificationTests.java index 54e313a9e4797..e0486f7e0b4ad 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/netty4/DNSOnlyHostnameVerificationTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/netty4/DNSOnlyHostnameVerificationTests.java @@ -97,7 +97,7 @@ public boolean transportSSLEnabled() { public Settings nodeSettings(int nodeOrdinal) { Settings defaultSettings = super.nodeSettings(nodeOrdinal); Settings.Builder builder = Settings.builder() - .put(defaultSettings.filter((s) -> s.startsWith("xpack.ssl.") == false), false) + .put(defaultSettings.filter((s) -> s.startsWith("xpack.security.transport.ssl.") == false), false) .put("transport.host", hostName); Path keystorePath = nodeConfigPath(nodeOrdinal).resolve("keystore.jks"); try (OutputStream os = Files.newOutputStream(keystorePath)) { 
@@ -108,11 +108,11 @@ public Settings nodeSettings(int nodeOrdinal) { throw new ElasticsearchException("unable to write keystore for node", e); } SecuritySettingsSource.addSecureSettings(builder, secureSettings -> { - secureSettings.setString("xpack.ssl.keystore.secure_password", SecuritySettingsSourceField.TEST_PASSWORD); - secureSettings.setString("xpack.ssl.truststore.secure_password", SecuritySettingsSourceField.TEST_PASSWORD); + secureSettings.setString("xpack.security.transport.ssl.keystore.secure_password", SecuritySettingsSourceField.TEST_PASSWORD); + secureSettings.setString("xpack.security.transport.ssl.truststore.secure_password", SecuritySettingsSourceField.TEST_PASSWORD); }); - builder.put("xpack.ssl.keystore.path", keystorePath.toAbsolutePath()) - .put("xpack.ssl.truststore.path", keystorePath.toAbsolutePath()); + builder.put("xpack.security.transport.ssl.keystore.path", keystorePath.toAbsolutePath()) + .put("xpack.security.transport.ssl.truststore.path", keystorePath.toAbsolutePath()); List unicastHosts = defaultSettings.getAsList("discovery.zen.ping.unicast.hosts").stream() .map((s) -> { String port = s.substring(s.lastIndexOf(':'), s.length()); @@ -127,7 +127,7 @@ public Settings nodeSettings(int nodeOrdinal) { public Settings transportClientSettings() { Settings defaultSettings = super.transportClientSettings(); Settings.Builder builder = Settings.builder() - .put(defaultSettings.filter((s) -> s.startsWith("xpack.ssl.") == false)); + .put(defaultSettings.filter((s) -> s.startsWith("xpack.security.transport.ssl.") == false)); Path path = createTempDir().resolve("keystore.jks"); try (OutputStream os = Files.newOutputStream(path)) { keystore.store(os, SecuritySettingsSourceField.TEST_PASSWORD.toCharArray()); 
@@ -137,11 +137,11 @@ public Settings transportClientSettings() {
 throw new ElasticsearchException("unable to write keystore for node", e);
 }
 SecuritySettingsSource.addSecureSettings(builder, secureSettings -> {
- secureSettings.setString("xpack.ssl.keystore.secure_password", SecuritySettingsSourceField.TEST_PASSWORD);
- secureSettings.setString("xpack.ssl.truststore.secure_password", SecuritySettingsSourceField.TEST_PASSWORD);
+ secureSettings.setString("xpack.security.transport.ssl.keystore.secure_password", SecuritySettingsSourceField.TEST_PASSWORD);
+ secureSettings.setString("xpack.security.transport.ssl.truststore.secure_password", SecuritySettingsSourceField.TEST_PASSWORD);
 });
- builder.put("xpack.ssl.keystore.path", path.toAbsolutePath())
- .put("xpack.ssl.truststore.path", path.toAbsolutePath());
+ builder.put("xpack.security.transport.ssl.keystore.path", path.toAbsolutePath())
+ .put("xpack.security.transport.ssl.truststore.path", path.toAbsolutePath());
 return builder.build();
 }
diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/netty4/IPHostnameVerificationTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/netty4/IPHostnameVerificationTests.java
index f03a4255b7fe7..4c3b8636e1487 100644
--- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/netty4/IPHostnameVerificationTests.java
+++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/netty4/IPHostnameVerificationTests.java
@@ -32,7 +32,7 @@ protected boolean transportSSLEnabled() { protected Settings nodeSettings(int nodeOrdinal) { Settings settings = super.nodeSettings(nodeOrdinal); Settings.Builder builder = Settings.builder() - .put(settings.filter((s) -> s.startsWith("xpack.ssl.") == false), false); + .put(settings.filter((s) -> s.startsWith("xpack.security.transport.ssl.") == false), false); settings = builder.build(); // The default Unicast test behavior is to use 'localhost' with the port number. For this test we need to use IP 
@@ -54,27 +54,28 @@ protected Settings nodeSettings(int nodeOrdinal) { } SecuritySettingsSource.addSecureSettings(settingsBuilder, secureSettings -> { - secureSettings.setString("xpack.ssl.keystore.secure_password", "testnode-ip-only"); - secureSettings.setString("xpack.ssl.truststore.secure_password", "testnode-ip-only"); + secureSettings.setString("xpack.security.transport.ssl.keystore.secure_password", "testnode-ip-only"); + secureSettings.setString("xpack.security.transport.ssl.truststore.secure_password", "testnode-ip-only"); }); - return settingsBuilder.put("xpack.ssl.keystore.path", keystore.toAbsolutePath()) // settings for client truststore - .put("xpack.ssl.truststore.path", keystore.toAbsolutePath()) // settings for client truststore + return settingsBuilder + .put("xpack.security.transport.ssl.keystore.path", keystore.toAbsolutePath()) // settings for client truststore + .put("xpack.security.transport.ssl.truststore.path", keystore.toAbsolutePath()) // settings for client truststore .put(TcpTransport.BIND_HOST.getKey(), "127.0.0.1") .put("network.host", "127.0.0.1") - .put("xpack.ssl.client_authentication", SSLClientAuth.NONE) - .put("xpack.ssl.verification_mode", "full") + .put("xpack.security.transport.ssl.client_authentication", SSLClientAuth.NONE) + .put("xpack.security.transport.ssl.verification_mode", "full") .build(); } @Override protected Settings transportClientSettings() { Settings clientSettings = super.transportClientSettings(); - return Settings.builder().put(clientSettings.filter(k -> k.startsWith("xpack.ssl.") == false)) - .put("xpack.ssl.verification_mode", "certificate") - .put("xpack.ssl.keystore.path", keystore.toAbsolutePath()) - .put("xpack.ssl.keystore.password", "testnode-ip-only") - .put("xpack.ssl.truststore.path", keystore.toAbsolutePath()) - .put("xpack.ssl.truststore.password", "testnode-ip-only") + return Settings.builder().put(clientSettings.filter(k -> k.startsWith("xpack.security.transport.ssl.") == false)) + 
.put("xpack.security.transport.ssl.verification_mode", "certificate") + .put("xpack.security.transport.ssl.keystore.path", keystore.toAbsolutePath()) + .put("xpack.security.transport.ssl.keystore.password", "testnode-ip-only") + .put("xpack.security.transport.ssl.truststore.path", keystore.toAbsolutePath()) + .put("xpack.security.transport.ssl.truststore.password", "testnode-ip-only") .build(); } diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/netty4/SecurityNetty4HttpServerTransportTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/netty4/SecurityNetty4HttpServerTransportTests.java index 3ef298f3f232d..15203d4dbc3f5 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/netty4/SecurityNetty4HttpServerTransportTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/netty4/SecurityNetty4HttpServerTransportTests.java @@ -47,9 +47,9 @@ public class SecurityNetty4HttpServerTransportTests extends ESTestCase { public void createSSLService() throws Exception { Path testNodeStore = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.jks"); MockSecureSettings secureSettings = new MockSecureSettings(); - secureSettings.setString("xpack.ssl.keystore.secure_password", "testnode"); + secureSettings.setString("xpack.security.http.ssl.keystore.secure_password", "testnode"); Settings settings = Settings.builder() - .put("xpack.ssl.keystore.path", testNodeStore) + .put("xpack.security.http.ssl.keystore.path", testNodeStore) .put("path.home", createTempDir()) .setSecureSettings(secureSettings) .build(); 
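Review bot: The rewritten nodeSettings line `.put("xpack.security.transport.ssl.keystore.path", keystore.toAbsolutePath()) // settings for client truststore` (previous physical line) keeps a comment that contradicts the key it annotates; the keystore line should say `// node keystore` or the comment should be dropped, leaving `// settings for client truststore` only on the truststore line. In transportClientSettings the passwords are supplied as plain `keystore.password`/`truststore.password` settings while nodeSettings above uses `secure_password` through `addSecureSettings`; unless the plain-password path is what this test is meant to cover, routing both through secure settings would be consistent with the rest of this patch. The nodeSettings method starts outside the hunk.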
diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/netty4/SecurityNetty4ServerTransportTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/netty4/SecurityNetty4ServerTransportTests.java index 3d9227319a870..d1e1e2ae083f4 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/netty4/SecurityNetty4ServerTransportTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/netty4/SecurityNetty4ServerTransportTests.java @@ -42,10 +42,10 @@ public class SecurityNetty4ServerTransportTests extends ESTestCase { public void createSSLService() throws Exception { Path testnodeStore = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.jks"); MockSecureSettings secureSettings = new MockSecureSettings(); - secureSettings.setString("xpack.ssl.keystore.secure_password", "testnode"); + secureSettings.setString("xpack.security.transport.ssl.keystore.secure_password", "testnode"); Settings settings = Settings.builder() .put("xpack.security.transport.ssl.enabled", true) - .put("xpack.ssl.keystore.path", testnodeStore) + .put("xpack.security.transport.ssl.keystore.path", testnodeStore) .setSecureSettings(secureSettings) .put("path.home", createTempDir()) .build(); @@ -107,7 +107,7 @@ public void testNoClientAuth() throws Exception { String value = randomFrom(SSLClientAuth.NONE.name(), SSLClientAuth.NONE.name().toLowerCase(Locale.ROOT)); Settings settings = Settings.builder() .put(env.settings()) - .put("xpack.ssl.client_authentication", value) + .put("xpack.security.transport.ssl.client_authentication", value) .build(); sslService = new SSLService(settings, env); SecurityNetty4Transport transport = createTransport(settings); 
@@ -121,7 +121,7 @@ public void testOptionalClientAuth() throws Exception { String value = randomFrom(SSLClientAuth.OPTIONAL.name(), SSLClientAuth.OPTIONAL.name().toLowerCase(Locale.ROOT)); Settings settings = Settings.builder() .put(env.settings()) - .put("xpack.ssl.client_authentication", value) + .put("xpack.security.transport.ssl.client_authentication", value) .build(); sslService = new SSLService(settings, env); SecurityNetty4Transport transport = createTransport(settings); @@ -200,7 +200,7 @@ public void testTransportSSLOverridesGlobalSSL() throws Exception { assertFalse(engine.getWantClientAuth()); // get the global and verify that it is different in that it requires client auth - final SSLEngine globalEngine = sslService.createSSLEngine(Settings.EMPTY, Settings.EMPTY); + final SSLEngine globalEngine = sslService.createSSLEngine(Settings.EMPTY); assertTrue(globalEngine.getNeedClientAuth()); assertFalse(globalEngine.getWantClientAuth()); } diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/netty4/SslHostnameVerificationTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/netty4/SslHostnameVerificationTests.java index 148453b5f84b0..a0a1ca08e613a 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/netty4/SslHostnameVerificationTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/netty4/SslHostnameVerificationTests.java @@ -34,7 +34,7 @@ protected boolean transportSSLEnabled() { protected Settings nodeSettings(int nodeOrdinal) { Settings settings = super.nodeSettings(nodeOrdinal); Settings.Builder settingsBuilder = Settings.builder(); - settingsBuilder.put(settings.filter(k -> k.startsWith("xpack.ssl.") == false), false); + settingsBuilder.put(settings.filter(k -> k.startsWith("xpack.security.transport.ssl.") == false), false); Path keystore; try { /* 
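Review bot: In the `@@ -200,7` hunk of SecurityNetty4ServerTransportTests the comment `// get the global and verify that it is different in that it requires client auth` and the method name testTransportSSLOverridesGlobalSSL still describe the global `xpack.ssl` configuration that this commit removes; `sslService.createSSLEngine(Settings.EMPTY)` now presumably yields whatever the default (empty) configuration is, not a "global" one. The comment should say what is actually being compared, e.g. `// an engine built from empty settings uses the defaults, which require client auth; the transport config above must differ`, and the test name could follow. The assertion `assertTrue(globalEngine.getNeedClientAuth())` therefore now encodes the default's client-auth setting rather than an explicit one; worth a sentence confirming that is intended. The test method starts outside the hunk.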
@@ -49,13 +49,13 @@ protected Settings nodeSettings(int nodeOrdinal) {
 }
 SecuritySettingsSource.addSecureSettings(settingsBuilder, secureSettings -> {
- secureSettings.setString("xpack.ssl.keystore.secure_password", "testnode-no-subjaltname");
- secureSettings.setString("xpack.ssl.truststore.secure_password", "testnode-no-subjaltname");
+ secureSettings.setString("xpack.security.transport.ssl.keystore.secure_password", "testnode-no-subjaltname");
+ secureSettings.setString("xpack.security.transport.ssl.truststore.secure_password", "testnode-no-subjaltname");
 });
- return settingsBuilder.put("xpack.ssl.keystore.path", keystore.toAbsolutePath())
- .put("xpack.ssl.truststore.path", keystore.toAbsolutePath())
+ return settingsBuilder.put("xpack.security.transport.ssl.keystore.path", keystore.toAbsolutePath())
+ .put("xpack.security.transport.ssl.truststore.path", keystore.toAbsolutePath())
 // disable hostname verification as this test uses certs without a valid SAN or DNS in the CN
- .put("xpack.ssl.verification_mode", "certificate")
+ .put("xpack.security.transport.ssl.verification_mode", "certificate")
 .build();
 }
@@ -66,16 +66,16 @@ protected Settings transportClientSettings() { Settings settings = super.transportClientSettings(); // remove all ssl settings Settings.Builder builder = Settings.builder(); - builder.put(settings.filter( k -> k.startsWith("xpack.ssl.") == false), false); + builder.put(settings.filter( k -> k.startsWith("xpack.security.transport.ssl.") == false), false); - builder.put("xpack.ssl.verification_mode", "certificate") - .put("xpack.ssl.keystore.path", keystore.toAbsolutePath()) // settings for client keystore - .put("xpack.ssl.keystore.password", "testnode-no-subjaltname"); + builder.put("xpack.security.transport.ssl.verification_mode", "certificate") + .put("xpack.security.transport.ssl.keystore.path", keystore.toAbsolutePath()) // settings for client keystore + .put("xpack.security.transport.ssl.keystore.password", "testnode-no-subjaltname"); if (randomBoolean()) { // randomly set the truststore, if not set the keystore should be used - builder.put("xpack.ssl.truststore.path", keystore.toAbsolutePath()) - .put("xpack.ssl.truststore.password", "testnode-no-subjaltname"); + builder.put("xpack.security.transport.ssl.truststore.path", keystore.toAbsolutePath()) + .put("xpack.security.transport.ssl.truststore.password", "testnode-no-subjaltname"); } return builder.build(); } @@ -86,7 +86,7 @@ public void testThatHostnameMismatchDeniesTransportClientConnection() throws Exc InetSocketAddress inetSocketAddress = transportAddress.address(); Settings settings = Settings.builder().put(transportClientSettings()) - .put("xpack.ssl.verification_mode", "full") + .put("xpack.security.transport.ssl.verification_mode", "full") .build(); try (TransportClient client = new TestXPackTransportClient(settings, LocalStateSecurity.class)) { 
diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/nio/SimpleSecurityNioTransportTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/nio/SimpleSecurityNioTransportTests.java index 0a7ee13b9e296..dd589064f6969 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/nio/SimpleSecurityNioTransportTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/nio/SimpleSecurityNioTransportTests.java @@ -54,13 +54,8 @@ public class SimpleSecurityNioTransportTests extends AbstractSimpleTransportTestCase { private SSLService createSSLService() { - Path testnodeStore = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.jks"); - MockSecureSettings secureSettings = new MockSecureSettings(); - secureSettings.setString("xpack.ssl.keystore.secure_password", "testnode"); Settings settings = Settings.builder() - .put("xpack.security.transport.ssl.enabled", true) - .put("xpack.ssl.keystore.path", testnodeStore) - .setSecureSettings(secureSettings) + .put(getSSLSettings()) .put("path.home", createTempDir()) .build(); try { 
@@ -70,13 +65,25 @@ private SSLService createSSLService() { } } + private Settings getSSLSettings() { + Path testnodeStore = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.jks"); + MockSecureSettings secureSettings = new MockSecureSettings(); + secureSettings.setString("xpack.security.transport.ssl.keystore.secure_password", "testnode"); + return Settings.builder() + .put("xpack.security.transport.ssl.enabled", true) + .put("xpack.security.transport.ssl.keystore.path", testnodeStore) + .setSecureSettings(secureSettings) + .build(); + } + public MockTransportService nioFromThreadPool(Settings settings, ThreadPool threadPool, final Version version, ClusterSettings clusterSettings, boolean doHandshake) { NamedWriteableRegistry namedWriteableRegistry = new NamedWriteableRegistry(Collections.emptyList()); NetworkService networkService = new NetworkService(Collections.emptyList()); Settings settings1 = Settings.builder() .put(settings) - .put("xpack.security.transport.ssl.enabled", true).build(); + .put(getSSLSettings()) + .build(); Transport transport = new SecurityNioTransport(settings1, threadPool, networkService, BigArrays.NON_RECYCLING_INSTANCE, new MockPageCacheRecycler(settings), namedWriteableRegistry, new NoneCircuitBreakerService(), createSSLService()) { @@ -159,7 +166,7 @@ public void testBindUnavailableAddress() { @SuppressForbidden(reason = "Need to open socket connection") public void testRenegotiation() throws Exception { SSLService sslService = createSSLService(); - SocketFactory factory = sslService.sslSocketFactory(Settings.EMPTY); + SocketFactory factory = sslService.sslSocketFactory(getSSLSettings().getByPrefix("xpack.security.transport.ssl.")); try (SSLSocket socket = (SSLSocket) factory.createSocket()) { SocketAccess.doPrivileged(() -> socket.connect(serviceA.boundAddress().publishAddress().address())); 
@@ -176,10 +183,10 @@ public void testRenegotiation() throws Exception {
 stream.writeInt(-1);
 stream.flush();
- socket.startHandshake();
 CountDownLatch renegotiationLatch = new CountDownLatch(1);
 HandshakeCompletedListener secondListener = event -> renegotiationLatch.countDown();
 socket.addHandshakeCompletedListener(secondListener);
+ socket.startHandshake();
 AtomicReference error = new AtomicReference<>();
 CountDownLatch catchReadErrorsLatch = new CountDownLatch(1);
diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/ssl/EllipticCurveSSLTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/ssl/EllipticCurveSSLTests.java
index 2fa376ec85408..a30eeb5b8bad9 100644
--- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/ssl/EllipticCurveSSLTests.java
+++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/ssl/EllipticCurveSSLTests.java
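Review bot: Moving `socket.startHandshake();` below `socket.addHandshakeCompletedListener(secondListener);` in testRenegotiation is an ordering fix (a listener registered after the handshake has been kicked off can miss the completion event and leave `renegotiationLatch` waiting), but it is unrelated to the SSL-settings rename this commit is about and nothing marks it as intentional. A comment on the moved line, `// register the listener before starting the renegotiation so its completion cannot be missed`, would keep a future tidy-up from moving it back. The test method starts and ends outside the hunk.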
@@ -44,11 +44,13 @@ protected Settings nodeSettings(int nodeOrdinal) {
 final Path keyPath = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/prime256v1-key.pem");
 final Path certPath = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/prime256v1-cert.pem");
 return Settings.builder()
- .put(super.nodeSettings(nodeOrdinal).filter(s -> s.startsWith("xpack.ssl") == false))
- .put("xpack.ssl.key", keyPath)
- .put("xpack.ssl.certificate", certPath)
- .put("xpack.ssl.certificate_authorities", certPath)
- .put("xpack.ssl.verification_mode", "certificate") // disable hostname verificate since these certs aren't setup for that
+ .put(super.nodeSettings(nodeOrdinal).filter(s -> s.startsWith("xpack.security.transport.ssl") == false))
+ .put("xpack.security.transport.ssl.enabled", true)
+ .put("xpack.security.transport.ssl.key", keyPath)
+ .put("xpack.security.transport.ssl.certificate", certPath)
+ .put("xpack.security.transport.ssl.certificate_authorities", certPath)
+ // disable hostname verificate since these certs aren't setup for that
+ .put("xpack.security.transport.ssl.verification_mode", "certificate")
 .build();
 }
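Review bot: The added comment line reads `// disable hostname verificate since these certs aren't setup for that`; "verificate" is a typo for "verification", and the next hunk (transportClientSettings) copies the same typo onto a line whose previous version was spelled correctly. Suggested wording for both: `// disable hostname verification since these certs aren't set up for that`. Worth noting in the same comment that `certificate` mode still validates the chain against `certificate_authorities`, so the test is not running without trust checks.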
@@ -57,11 +59,13 @@ protected Settings transportClientSettings() {
 final Path keyPath = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/prime256v1-key.pem");
 final Path certPath = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/prime256v1-cert.pem");
 return Settings.builder()
- .put(super.transportClientSettings().filter(s -> s.startsWith("xpack.ssl") == false))
- .put("xpack.ssl.key", keyPath)
- .put("xpack.ssl.certificate", certPath)
- .put("xpack.ssl.certificate_authorities", certPath)
- .put("xpack.ssl.verification_mode", "certificate") // disable hostname verification since these certs aren't setup for that
+ .put(super.transportClientSettings().filter(s -> s.startsWith("xpack.security.transport.ssl") == false))
+ .put("xpack.security.transport.ssl.enabled", true)
+ .put("xpack.security.transport.ssl.key", keyPath)
+ .put("xpack.security.transport.ssl.certificate", certPath)
+ .put("xpack.security.transport.ssl.certificate_authorities", certPath)
+ // disable hostname verificate since these certs aren't setup for that
+ .put("xpack.security.transport.ssl.verification_mode", "certificate")
 .build();
 }
diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/ssl/SslIntegrationTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/ssl/SslIntegrationTests.java
index 37f13806c2388..946f229ec9277 100644
--- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/ssl/SslIntegrationTests.java
+++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/ssl/SslIntegrationTests.java
@@ -49,9 +49,12 @@ public class SslIntegrationTests extends SecurityIntegTestCase { @Override protected Settings nodeSettings(int nodeOrdinal) { - return Settings.builder().put(super.nodeSettings(nodeOrdinal)) - .put(NetworkModule.HTTP_ENABLED.getKey(), true) - .put("xpack.security.http.ssl.enabled", true).build(); + final Settings.Builder builder = Settings.builder().put(super.nodeSettings(nodeOrdinal)); + addSSLSettingsForStore(builder, "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.jks", + "testnode", "xpack.security.http."); + return builder.put(NetworkModule.HTTP_ENABLED.getKey(), true) + .put("xpack.security.http.ssl.enabled", true) + .build(); } @Override @@ -65,7 +68,7 @@ public void testThatUnconfiguredCiphersAreRejected() { .put(transportClientSettings()) .put("node.name", "programmatic_transport_client") .put("cluster.name", internalCluster().getClusterName()) - .putList("xpack.ssl.cipher_suites", "TLS_ECDH_anon_WITH_RC4_128_SHA", "SSL_RSA_WITH_3DES_EDE_CBC_SHA") + .putList("xpack.security.transport.ssl.cipher_suites", "TLS_ECDH_anon_WITH_RC4_128_SHA", "SSL_RSA_WITH_3DES_EDE_CBC_SHA") .build(), LocalStateSecurity.class)) { TransportAddress transportAddress = randomFrom(internalCluster().getInstance(Transport.class).boundAddress().boundAddresses()); @@ -84,7 +87,7 @@ public void testThatTransportClientUsingSSLv3ProtocolIsRejected() { .put(transportClientSettings()) .put("node.name", "programmatic_transport_client") .put("cluster.name", internalCluster().getClusterName()) - .putList("xpack.ssl.supported_protocols", new String[]{"SSLv3"}) + .putList("xpack.security.transport.ssl.supported_protocols", new String[]{"SSLv3"}) .build(), LocalStateSecurity.class)) { TransportAddress transportAddress = randomFrom(internalCluster().getInstance(Transport.class).boundAddress().boundAddresses()); 
@@ -99,14 +102,16 @@ public void testThatTransportClientUsingSSLv3ProtocolIsRejected() { public void testThatConnectionToHTTPWorks() throws Exception { Settings.Builder builder = Settings.builder(); - addSSLSettingsForStore(builder, "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testclient.jks", "testclient"); - SSLService service = new SSLService(builder.build(), null); + addSSLSettingsForStore(builder, "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testclient.jks", "testclient", + "xpack.http."); + final Settings settings = builder.build(); + SSLService service = new SSLService(settings, null); CredentialsProvider provider = new BasicCredentialsProvider(); provider.setCredentials(AuthScope.ANY, new UsernamePasswordCredentials(nodeClientUsername(), new String(nodeClientPassword().getChars()))); try (CloseableHttpClient client = HttpClients.custom() - .setSSLSocketFactory(new SSLConnectionSocketFactory(service.sslSocketFactory(Settings.EMPTY), + .setSSLSocketFactory(new SSLConnectionSocketFactory(service.sslSocketFactory(settings.getByPrefix("xpack.http.ssl.")), SSLConnectionSocketFactory.getDefaultHostnameVerifier())) .setDefaultCredentialsProvider(provider).build(); CloseableHttpResponse response = SocketAccess.doPrivileged(() -> client.execute(new HttpGet(getNodeUrl())))) { diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/ssl/SslMultiPortTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/ssl/SslMultiPortTests.java index 1d7ec67762ba0..24aa46e5e9a4a 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/ssl/SslMultiPortTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/ssl/SslMultiPortTests.java 
@@ -52,10 +52,14 @@ protected Settings nodeSettings(int nodeOrdinal) { String randomClientPortRange = randomClientPort + "-" + (randomClientPort+100); String randomNoClientAuthPortRange = randomNoClientAuthPort + "-" + (randomNoClientAuthPort+100); - Path store; + Path testnodeClientProfileStore; + Path testnodeStore; try { - store = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode-client-profile.jks"); - assertThat(Files.exists(store), is(true)); + testnodeClientProfileStore = + getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode-client-profile.jks"); + assertThat(Files.exists(testnodeClientProfileStore), is(true)); + testnodeStore = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.jks"); + assertThat(Files.exists(testnodeStore), is(true)); } catch (Exception e) { throw new RuntimeException(e); } 
@@ -66,11 +70,15 @@ protected Settings nodeSettings(int nodeOrdinal) { .put("transport.profiles.client.port", randomClientPortRange) // make sure this is "localhost", no matter if ipv4 or ipv6, but be consistent .put("transport.profiles.client.bind_host", "localhost") - .put("transport.profiles.client.xpack.security.ssl.truststore.path", store.toAbsolutePath()) + .put("transport.profiles.client.xpack.security.ssl.keystore.path", testnodeStore.toAbsolutePath()) + .put("transport.profiles.client.xpack.security.ssl.keystore.password", "testnode") + .put("transport.profiles.client.xpack.security.ssl.truststore.path", testnodeClientProfileStore.toAbsolutePath()) .put("transport.profiles.client.xpack.security.ssl.truststore.password", "testnode-client-profile") .put("transport.profiles.no_client_auth.port", randomNoClientAuthPortRange) .put("transport.profiles.no_client_auth.bind_host", "localhost") .put("transport.profiles.no_client_auth.xpack.security.ssl.client_authentication", SSLClientAuth.NONE) + .put("transport.profiles.no_client_auth.xpack.security.ssl.keystore.path", testnodeStore.toAbsolutePath()) + .put("transport.profiles.no_client_auth.xpack.security.ssl.keystore.password", "testnode") .build(); logger.info("node {} settings:\n{}", nodeOrdinal, settings); return settings; @@ -83,7 +91,7 @@ protected boolean transportSSLEnabled() { private TransportClient createTransportClient(Settings additionalSettings) { Settings settings = Settings.builder() - .put(transportClientSettings().filter(s -> s.startsWith("xpack.ssl") == false)) + .put(transportClientSettings().filter(s -> s.startsWith("xpack.security.transport.ssl") == false)) .put("node.name", "programmatic_transport_client") .put("cluster.name", internalCluster().getClusterName()) .put("xpack.security.transport.ssl.enabled", true) 
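Review bot: The keystores added for the `client` and `no_client_auth` profiles carry their password in the plaintext `transport.profiles.*.xpack.security.ssl.keystore.password` setting, while the other tests touched by this commit (SSLClientAuthTests, SSLReloadIntegTests) keep passwords in `MockSecureSettings` under `keystore.secure_password`. If profile-level SSL settings are read through secure settings as well, these two puts should follow the same pattern; if they are not, a one-line comment such as `// profile SSL settings are read from plain settings, so the legacy password key is used here` would stop the next reader from "fixing" it. The `truststore.password` line that already existed has the same question. nodeSettings starts outside this hunk.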
@@ -148,7 +156,7 @@ public void testThatProfileTransportClientCanConnectToClientProfile() throws Exc Settings.Builder builder = Settings.builder(); addSSLSettingsForStore(builder, "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testclient-client-profile.jks", - "testclient-client-profile"); + "testclient-client-profile", "xpack.security.transport."); try (TransportClient transportClient = createTransportClient(builder.build())) { transportClient.addTransportAddress(new TransportAddress(InetAddress.getLoopbackAddress(), getProfilePort("client"))); assertGreenClusterState(transportClient); @@ -165,7 +173,7 @@ public void testThatProfileTransportClientCanConnectToNoClientAuthProfile() thro Settings.Builder builder = Settings.builder(); addSSLSettingsForStore(builder, "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testclient-client-profile.jks", - "testclient-client-profile"); + "testclient-client-profile", "xpack.security.transport."); try (TransportClient transportClient = createTransportClient(builder.build())) { transportClient.addTransportAddress(new TransportAddress(InetAddress.getLoopbackAddress(), getProfilePort("no_client_auth"))); @@ -183,7 +191,7 @@ public void testThatProfileTransportClientCannotConnectToDefaultProfile() throws Settings.Builder builder = Settings.builder(); addSSLSettingsForStore(builder, "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testclient-client-profile.jks", - "testclient-client-profile"); + "testclient-client-profile", "xpack.security.transport."); try (TransportClient transportClient = createTransportClient(builder.build())) { TransportAddress transportAddress = randomFrom(internalCluster().getInstance(Transport.class).boundAddress().boundAddresses()); transportClient.addTransportAddress(transportAddress); 
diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/ssl/SSLClientAuthTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/ssl/SSLClientAuthTests.java index 0c885840a1734..b94111093879a 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/ssl/SSLClientAuthTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/ssl/SSLClientAuthTests.java @@ -10,6 +10,7 @@ import org.apache.http.nio.conn.ssl.SSLIOSessionStrategy; import org.apache.http.ssl.SSLContexts; import org.apache.http.util.EntityUtils; +import org.bouncycastle.util.io.Streams; import org.elasticsearch.ElasticsearchException; import org.elasticsearch.ExceptionsHelper; import org.elasticsearch.client.Response; @@ -17,6 +18,7 @@ import org.elasticsearch.client.transport.TransportClient; import org.elasticsearch.common.network.NetworkModule; import org.elasticsearch.common.settings.MockSecureSettings; +import org.elasticsearch.common.settings.SecureString; import org.elasticsearch.common.settings.Settings; import org.elasticsearch.common.transport.TransportAddress; import org.elasticsearch.test.SecurityIntegTestCase; @@ -28,16 +30,18 @@ import javax.net.ssl.KeyManagerFactory; import javax.net.ssl.SSLContext; -import javax.net.ssl.SSLHandshakeException; import javax.net.ssl.TrustManagerFactory; import java.io.IOException; import java.io.InputStream; +import java.io.UncheckedIOException; import java.nio.file.Files; import java.nio.file.Path; +import java.security.GeneralSecurityException; import java.security.KeyStore; import java.security.SecureRandom; import java.security.cert.CertPathBuilderException; +import java.util.HashSet; import static org.elasticsearch.xpack.core.security.authc.support.UsernamePasswordToken.basicAuthHeaderValue; import static org.hamcrest.Matchers.containsString; 
@@ -47,13 +51,41 @@ public class SSLClientAuthTests extends SecurityIntegTestCase { @Override protected Settings nodeSettings(int nodeOrdinal) { - return Settings.builder() - .put(super.nodeSettings(nodeOrdinal)) + Settings baseSettings = super.nodeSettings(nodeOrdinal); + + Settings.Builder builder = Settings.builder().put(baseSettings); + baseSettings.getByPrefix("xpack.security.transport.ssl.") + .keySet() + .forEach(k -> { + String httpKey = "xpack.security.http.ssl." + k; + String value = baseSettings.get("xpack.security.transport.ssl." + k); + if (value != null) { + builder.put(httpKey, baseSettings.get("xpack.security.transport.ssl." + k)); + } + }); + + MockSecureSettings secureSettings = (MockSecureSettings) builder.getSecureSettings(); + for (String key : new HashSet<>(secureSettings.getSettingNames())) { + SecureString value = secureSettings.getString(key); + if (value == null) { + try { + if (key.startsWith("xpack.security.transport.ssl.")) { + byte[] file = Streams.readAll(secureSettings.getFile(key)); + secureSettings.setFile(key.replace("xpack.security.transport.ssl.", "xpack.security.http.ssl."), file); + } + } catch (IOException e) { + throw new UncheckedIOException(e); + } + } else if (key.startsWith("xpack.security.transport.ssl.")) { + secureSettings.setString(key.replace("xpack.security.transport.ssl.", "xpack.security.http.ssl."), value.toString()); + } + } + + return builder // invert the require auth settings - .put("xpack.ssl.client_authentication", SSLClientAuth.REQUIRED) + .put("xpack.security.transport.ssl.client_authentication", SSLClientAuth.NONE) .put("xpack.security.http.ssl.enabled", true) .put("xpack.security.http.ssl.client_authentication", SSLClientAuth.REQUIRED) - .put("transport.profiles.default.xpack.security.ssl.client_authentication", SSLClientAuth.NONE) .put(NetworkModule.HTTP_ENABLED.getKey(), true) .build(); } 
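Review bot: Inside the `forEach`, the value written to the builder is looked up a second time with `baseSettings.get("xpack.security.transport.ssl." + k)` although `value` already holds it; the intended line is `builder.put(httpKey, value);`. The file branch below reads `secureSettings.getFile(key)` without closing the stream, so it should be wrapped in try-with-resources, and draining it through `org.bouncycastle.util.io.Streams.readAll` (imported in the hunk above) pulls BouncyCastle into this test solely for an InputStream copy where a JDK or Elasticsearch stream utility would do. The string-versus-file decision relies on `getString` returning null for file-backed entries, which the hunk does not show; a short comment stating that MockSecureSettings contract would make the loop self-explanatory. Copying values via `get`/`put` presumably does not round-trip list settings, which is worth confirming since `certificate_authorities` is a list elsewhere in this commit.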
@@ -94,11 +126,11 @@ public void testThatTransportWorksWithoutSslClientAuth() throws IOException { } MockSecureSettings secureSettings = new MockSecureSettings(); - secureSettings.setString("xpack.ssl.keystore.secure_password", "testclient-client-profile"); + secureSettings.setString("xpack.security.transport.ssl.keystore.secure_password", "testclient-client-profile"); Settings settings = Settings.builder() .put("xpack.security.transport.ssl.enabled", true) - .put("xpack.ssl.client_authentication", SSLClientAuth.NONE) - .put("xpack.ssl.keystore.path", store) + .put("xpack.security.transport.ssl.client_authentication", SSLClientAuth.NONE) + .put("xpack.security.transport.ssl.keystore.path", store) .setSecureSettings(secureSettings) .put("cluster.name", internalCluster().getClusterName()) .put(SecurityField.USER_SETTING.getKey(), diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/ssl/SSLReloadIntegTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/ssl/SSLReloadIntegTests.java index 3e05c88953aed..297318e670157 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/ssl/SSLReloadIntegTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/ssl/SSLReloadIntegTests.java 
@@ -73,18 +73,19 @@ public Settings nodeSettings(int nodeOrdinal) { } Settings settings = super.nodeSettings(nodeOrdinal); Settings.Builder builder = Settings.builder() - .put(settings.filter((s) -> s.startsWith("xpack.ssl.") == false)); + .put(settings.filter((s) -> s.startsWith("xpack.security.transport.ssl.") == false)); SecuritySettingsSource.addSSLSettingsForStore(builder, - "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.jks", "testnode"); + "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.jks", "testnode", "xpack.security.transport."); builder.put("resource.reload.interval.high", "1s") - .put("xpack.ssl.keystore.path", nodeStorePath); + .put("xpack.security.transport.ssl.keystore.path", nodeStorePath); - if (builder.get("xpack.ssl.truststore.path") != null) { - builder.put("xpack.ssl.truststore.path", nodeStorePath); + if (builder.get("xpack.security.transport.ssl.truststore.path") != null) { + builder.put("xpack.security.transport.ssl.truststore.path", nodeStorePath); } + builder.put("xpack.security.transport.ssl.enabled", true); return builder.build(); } 
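Review bot: Right after `addSSLSettingsForStore` populates the transport keystore settings from the bundled testnode.jks, `keystore.path` (and `truststore.path` when present) are overwritten with `nodeStorePath`, so the resource path handed to the helper effectively contributes only the password entries; a comment would make that deliberate, e.g. `// the helper supplies the keystore password; the path is redirected to the per-node copy this test rewrites` (the per-node copy is my inference from the name, please confirm). The new `builder.put("xpack.security.transport.ssl.enabled", true)` sits after the truststore conditional; grouping it with the other `xpack.security.transport.ssl.` puts reads more naturally. nodeSettings starts outside this hunk.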
@@ -105,17 +106,17 @@ public void testThatSSLConfigurationReloadsOnModification() throws Exception { keyStore.store(out, SecuritySettingsSourceField.TEST_PASSWORD.toCharArray()); } MockSecureSettings secureSettings = new MockSecureSettings(); - secureSettings.setString("xpack.ssl.keystore.secure_password", SecuritySettingsSourceField.TEST_PASSWORD); - secureSettings.setString("xpack.ssl.truststore.secure_password", "testnode"); + secureSettings.setString("xpack.security.transport.ssl.keystore.secure_password", SecuritySettingsSourceField.TEST_PASSWORD); + secureSettings.setString("xpack.security.transport.ssl.truststore.secure_password", "testnode"); Settings settings = Settings.builder() .put("path.home", createTempDir()) - .put("xpack.ssl.keystore.path", keystorePath) - .put("xpack.ssl.truststore.path", nodeStorePath) + .put("xpack.security.transport.ssl.keystore.path", keystorePath) + .put("xpack.security.transport.ssl.truststore.path", nodeStorePath) .setSecureSettings(secureSettings) .build(); String node = randomFrom(internalCluster().getNodeNames()); SSLService sslService = new SSLService(settings, TestEnvironment.newEnvironment(settings)); - SSLSocketFactory sslSocketFactory = sslService.sslSocketFactory(settings); + SSLSocketFactory sslSocketFactory = sslService.sslSocketFactory(settings.getByPrefix("xpack.security.transport.ssl.")); TransportAddress address = internalCluster() .getInstance(Transport.class, node).boundAddress().publishAddress(); try (SSLSocket socket = (SSLSocket) sslSocketFactory.createSocket(address.getAddress(), address.getPort())) { diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/ssl/SSLTrustRestrictionsTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/ssl/SSLTrustRestrictionsTests.java index 4e76e59e5962f..2e5f2dffd377e 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/ssl/SSLTrustRestrictionsTests.java 
+++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/ssl/SSLTrustRestrictionsTests.java @@ -89,9 +89,9 @@ public static void setupCertificates() throws Exception { nodeSSL = Settings.builder() .put("xpack.security.transport.ssl.enabled", true) .put("xpack.security.transport.ssl.verification_mode", "certificate") - .putList("xpack.ssl.certificate_authorities", ca.getCertPath().toString()) - .put("xpack.ssl.key", trustedCert.getKeyPath()) - .put("xpack.ssl.certificate", trustedCert.getCertPath()) + .putList("xpack.security.transport.ssl.certificate_authorities", ca.getCertPath().toString()) + .put("xpack.security.transport.ssl.key", trustedCert.getKeyPath()) + .put("xpack.security.transport.ssl.certificate", trustedCert.getCertPath()) .build(); } @@ -109,12 +109,12 @@ public Settings nodeSettings(int nodeOrdinal) { Settings parentSettings = super.nodeSettings(nodeOrdinal); Settings.Builder builder = Settings.builder() - .put(parentSettings.filter((s) -> s.startsWith("xpack.ssl.") == false)) + .put(parentSettings.filter((s) -> s.startsWith("xpack.security.transport.ssl.") == false)) .put(nodeSSL); restrictionsPath = configPath.resolve("trust_restrictions.yml"); writeRestrictions("*.trusted"); - builder.put("xpack.ssl.trust_restrictions.path", restrictionsPath); + builder.put("xpack.security.transport.ssl.trust_restrictions.path", restrictionsPath); builder.put("resource.reload.interval.high", RESOURCE_RELOAD_MILLIS + "ms"); return builder.build(); @@ -132,7 +132,7 @@ private void writeRestrictions(String trustedPattern) { protected Settings transportClientSettings() { Settings parentSettings = super.transportClientSettings(); Settings.Builder builder = Settings.builder() - .put(parentSettings.filter((s) -> s.startsWith("xpack.ssl.") == false)) + .put(parentSettings.filter((s) -> s.startsWith("xpack.security.transport.ssl.") == false)) .put(nodeSSL); return builder.build(); } 
@@ -187,15 +187,15 @@ public void testRestrictionsAreReloaded() throws Exception { private void tryConnect(CertificateInfo certificate) throws Exception { Settings settings = Settings.builder() .put("path.home", createTempDir()) - .put("xpack.ssl.key", certificate.getKeyPath()) - .put("xpack.ssl.certificate", certificate.getCertPath()) - .putList("xpack.ssl.certificate_authorities", ca.getCertPath().toString()) - .put("xpack.ssl.verification_mode", "certificate") + .put("xpack.security.transport.ssl.key", certificate.getKeyPath()) + .put("xpack.security.transport.ssl.certificate", certificate.getCertPath()) + .putList("xpack.security.transport.ssl.certificate_authorities", ca.getCertPath().toString()) + .put("xpack.security.transport.ssl.verification_mode", "certificate") .build(); String node = randomFrom(internalCluster().getNodeNames()); SSLService sslService = new SSLService(settings, TestEnvironment.newEnvironment(settings)); - SSLSocketFactory sslSocketFactory = sslService.sslSocketFactory(settings); + SSLSocketFactory sslSocketFactory = sslService.sslSocketFactory(settings.getByPrefix("xpack.security.transport.ssl.")); TransportAddress address = internalCluster().getInstance(Transport.class, node).boundAddress().publishAddress(); try (SSLSocket socket = (SSLSocket) sslSocketFactory.createSocket(address.getAddress(), address.getPort())) { assertThat(socket.isConnected(), is(true)); diff --git a/x-pack/plugin/watcher/src/main/java/org/elasticsearch/xpack/watcher/common/http/HttpClient.java b/x-pack/plugin/watcher/src/main/java/org/elasticsearch/xpack/watcher/common/http/HttpClient.java index 729696ffa3518..da032fc464a73 100644 --- a/x-pack/plugin/watcher/src/main/java/org/elasticsearch/xpack/watcher/common/http/HttpClient.java +++ b/x-pack/plugin/watcher/src/main/java/org/elasticsearch/xpack/watcher/common/http/HttpClient.java 
@@ -79,7 +79,7 @@ public HttpClient(Settings settings, HttpAuthRegistry httpAuthRegistry, SSLServi
 // ssl setup
 Settings sslSettings = settings.getByPrefix(SETTINGS_SSL_PREFIX);
- boolean isHostnameVerificationEnabled = sslService.getVerificationMode(sslSettings, Settings.EMPTY).isHostnameVerificationEnabled();
+ boolean isHostnameVerificationEnabled = sslService.getVerificationMode(sslSettings).isHostnameVerificationEnabled();
 HostnameVerifier verifier = isHostnameVerificationEnabled ? new DefaultHostnameVerifier() : NoopHostnameVerifier.INSTANCE;
 SSLConnectionSocketFactory factory = new SSLConnectionSocketFactory(sslService.sslSocketFactory(sslSettings), verifier);
 clientBuilder.setSSLSocketFactory(factory);
diff --git a/x-pack/plugin/watcher/src/test/java/org/elasticsearch/xpack/watcher/common/http/HttpClientTests.java b/x-pack/plugin/watcher/src/test/java/org/elasticsearch/xpack/watcher/common/http/HttpClientTests.java
index 2a02c5300bded..a4b37dc44cc2f 100644
--- a/x-pack/plugin/watcher/src/test/java/org/elasticsearch/xpack/watcher/common/http/HttpClientTests.java
+++ b/x-pack/plugin/watcher/src/test/java/org/elasticsearch/xpack/watcher/common/http/HttpClientTests.java
@@ -75,7 +75,7 @@ public void init() throws Exception {
 }
 @After
- public void shutdown() throws Exception {
+ public void shutdown() {
 webServer.close();
 }
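Review bot: With the two-argument `getVerificationMode(sslSettings, Settings.EMPTY)` gone, the verification mode for watcher's HTTP client is now resolved from the `SETTINGS_SSL_PREFIX` block alone, which is the production-visible effect of this commit in this file and deserves a comment so nobody goes looking for the removed fallback: `// resolved from the xpack.http.ssl.* settings only; there is no fallback to a global SSL configuration`. The `sslSocketFactory(sslSettings)` call on the next line was already prefix-scoped, so the two lookups are now consistent. The `HttpClient` constructor starts and ends outside this hunk.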
@@ -170,79 +170,59 @@ public void testNoPathSpecified() throws Exception { public void testHttps() throws Exception { Path resource = getDataPath("/org/elasticsearch/xpack/security/keystore/truststore-testnode-only.jks"); MockSecureSettings secureSettings = new MockSecureSettings(); - Settings settings; - if (randomBoolean()) { - secureSettings.setString("xpack.http.ssl.truststore.secure_password", "truststore-testnode-only"); - settings = Settings.builder() - .put("xpack.http.ssl.truststore.path", resource.toString()) - .setSecureSettings(secureSettings) - .build(); - } else { - secureSettings.setString("xpack.ssl.truststore.secure_password", "truststore-testnode-only"); - settings = Settings.builder() - .put("xpack.ssl.truststore.path", resource.toString()) - .setSecureSettings(secureSettings) - .build(); - } + secureSettings.setString("xpack.http.ssl.truststore.secure_password", "truststore-testnode-only"); + Settings settings = Settings.builder() + .put("xpack.http.ssl.truststore.path", resource.toString()) + .setSecureSettings(secureSettings) + .build(); httpClient = new HttpClient(settings, authRegistry, new SSLService(settings, environment)); secureSettings = new MockSecureSettings(); // We can't use the client created above for the server since it is only a truststore - secureSettings.setString("xpack.ssl.keystore.secure_password", "testnode"); + secureSettings.setString("xpack.http.ssl.keystore.secure_password", "testnode"); Settings settings2 = Settings.builder() - .put("xpack.ssl.keystore.path", getDataPath("/org/elasticsearch/xpack/security/keystore/testnode.jks")) + .put("xpack.http.ssl.keystore.path", getDataPath("/org/elasticsearch/xpack/security/keystore/testnode.jks")) .setSecureSettings(secureSettings) .build(); TestsSSLService sslService = new TestsSSLService(settings2, environment); - testSslMockWebserver(sslService.sslContext(), false); + testSslMockWebserver(sslService.sslContext(settings2.getByPrefix("xpack.http.ssl.")), false); } public void 
testHttpsDisableHostnameVerification() throws Exception { Path resource = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode-no-subjaltname.jks"); - Settings settings; - if (randomBoolean()) { - MockSecureSettings secureSettings = new MockSecureSettings(); - secureSettings.setString("xpack.http.ssl.truststore.secure_password", "testnode-no-subjaltname"); - settings = Settings.builder() - .put("xpack.http.ssl.truststore.path", resource.toString()) - .put("xpack.http.ssl.verification_mode", randomFrom(VerificationMode.NONE, VerificationMode.CERTIFICATE)) - .setSecureSettings(secureSettings) - .build(); - } else { - MockSecureSettings secureSettings = new MockSecureSettings(); - secureSettings.setString("xpack.ssl.truststore.secure_password", "testnode-no-subjaltname"); - settings = Settings.builder() - .put("xpack.ssl.truststore.path", resource.toString()) - .put("xpack.ssl.verification_mode", randomFrom(VerificationMode.NONE, VerificationMode.CERTIFICATE)) - .setSecureSettings(secureSettings) - .build(); - } + MockSecureSettings serverSecureSettings = new MockSecureSettings(); + serverSecureSettings.setString("xpack.http.ssl.truststore.secure_password", "testnode-no-subjaltname"); + final Settings settings = Settings.builder() + .put("xpack.http.ssl.truststore.path", resource.toString()) + .put("xpack.http.ssl.verification_mode", randomFrom(VerificationMode.NONE, VerificationMode.CERTIFICATE)) + .setSecureSettings(serverSecureSettings) + .build(); httpClient = new HttpClient(settings, authRegistry, new SSLService(settings, environment)); MockSecureSettings secureSettings = new MockSecureSettings(); // We can't use the client created above for the server since it only defines a truststore - secureSettings.setString("xpack.ssl.keystore.secure_password", "testnode-no-subjaltname"); + secureSettings.setString("xpack.http.ssl.keystore.secure_password", "testnode-no-subjaltname"); Settings settings2 = Settings.builder() - 
.put("xpack.ssl.keystore.path", + .put("xpack.http.ssl.keystore.path", getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode-no-subjaltname.jks")) .setSecureSettings(secureSettings) .build(); TestsSSLService sslService = new TestsSSLService(settings2, environment); - testSslMockWebserver(sslService.sslContext(), false); + testSslMockWebserver(sslService.sslContext(settings2.getByPrefix("xpack.http.ssl.")), false); } public void testHttpsClientAuth() throws Exception { Path resource = getDataPath("/org/elasticsearch/xpack/security/keystore/testnode.jks"); MockSecureSettings secureSettings = new MockSecureSettings(); - secureSettings.setString("xpack.ssl.keystore.secure_password", "testnode"); + secureSettings.setString("xpack.http.ssl.keystore.secure_password", "testnode"); Settings settings = Settings.builder() - .put("xpack.ssl.keystore.path", resource.toString()) + .put("xpack.http.ssl.keystore.path", resource.toString()) .setSecureSettings(secureSettings) .build(); TestsSSLService sslService = new TestsSSLService(settings, environment); httpClient = new HttpClient(settings, authRegistry, sslService); - testSslMockWebserver(sslService.sslContext(), true); + testSslMockWebserver(sslService.sslContext(settings.getByPrefix("xpack.http.ssl.")), true); } private void testSslMockWebserver(SSLContext sslContext, boolean needClientAuth) throws IOException { 
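Review bot: In testHttpsDisableHostnameVerification the `MockSecureSettings` holding the truststore password for the `HttpClient` under test is named `serverSecureSettings`, while the server keystore settings that follow are in `secureSettings`; the names are swapped relative to what they configure, and the comment right below ("We can't use the client created above for the server") makes the mix-up more confusing. Renaming them to `clientSecureSettings` and `serverSecureSettings` would also line up with testProxyCanHaveDifferentSchemeThanRequest, which already uses `serverSecureSettings` for the server side. In testHttps the single `secureSettings` variable is reassigned for the server; the same two-name pattern would read better there too.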
@@ -364,14 +344,14 @@ public void testProxyCanHaveDifferentSchemeThanRequest() throws Exception { // on top of that the proxy request is HTTPS but the real request is HTTP only MockSecureSettings serverSecureSettings = new MockSecureSettings(); // We can't use the client created above for the server since it is only a truststore - serverSecureSettings.setString("xpack.ssl.keystore.secure_password", "testnode"); + serverSecureSettings.setString("xpack.http.ssl.keystore.secure_password", "testnode"); Settings serverSettings = Settings.builder() - .put("xpack.ssl.keystore.path", getDataPath("/org/elasticsearch/xpack/security/keystore/testnode.jks")) + .put("xpack.http.ssl.keystore.path", getDataPath("/org/elasticsearch/xpack/security/keystore/testnode.jks")) .setSecureSettings(serverSecureSettings) .build(); TestsSSLService sslService = new TestsSSLService(serverSettings, environment); - try (MockWebServer proxyServer = new MockWebServer(sslService.sslContext(), false)) { + try (MockWebServer proxyServer = new MockWebServer(sslService.sslContext(serverSettings.getByPrefix("xpack.http.ssl.")), false)) { proxyServer.enqueue(new MockResponse().setResponseCode(200).setBody("fullProxiedContent")); proxyServer.start(); diff --git a/x-pack/qa/full-cluster-restart/build.gradle b/x-pack/qa/full-cluster-restart/build.gradle index a51f764308072..4668b90fc9b6b 100644 --- a/x-pack/qa/full-cluster-restart/build.gradle +++ b/x-pack/qa/full-cluster-restart/build.gradle 
@@ -159,8 +159,8 @@ subprojects { setting 'xpack.security.enabled', 'true' setting 'xpack.security.transport.ssl.enabled', 'true' - setting 'xpack.ssl.keystore.path', 'testnode.jks' - setting 'xpack.ssl.keystore.password', 'testnode' + setting 'xpack.security.transport.ssl.keystore.path', 'testnode.jks' + setting 'xpack.security.transport.ssl.keystore.password', 'testnode' setting 'xpack.license.self_generated.type', 'trial' dependsOn copyTestNodeKeystore extraConfigFile 'testnode.jks', new File(outputDir + '/testnode.jks') @@ -205,8 +205,8 @@ subprojects { // some tests rely on the translog not being flushed setting 'indices.memory.shard_inactive_time', '20m' setting 'xpack.security.enabled', 'true' - setting 'xpack.ssl.keystore.path', 'testnode.jks' - keystoreSetting 'xpack.ssl.keystore.secure_password', 'testnode' + setting 'xpack.security.transport.ssl.keystore.path', 'testnode.jks' + keystoreSetting 'xpack.security.transport.ssl.keystore.secure_password', 'testnode' setting 'xpack.license.self_generated.type', 'trial' dependsOn copyTestNodeKeystore extraConfigFile 'testnode.jks', new File(outputDir + '/testnode.jks') diff --git a/x-pack/qa/openldap-tests/src/test/java/org/elasticsearch/test/OpenLdapTests.java b/x-pack/qa/openldap-tests/src/test/java/org/elasticsearch/test/OpenLdapTests.java index c6e10130db7c2..83c4772eeabe2 100644 --- a/x-pack/qa/openldap-tests/src/test/java/org/elasticsearch/test/OpenLdapTests.java +++ b/x-pack/qa/openldap-tests/src/test/java/org/elasticsearch/test/OpenLdapTests.java 
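Review bot: The old-cluster block keeps the keystore password in the plaintext `xpack.security.transport.ssl.keystore.password` setting, whereas the upgraded-cluster block moves it to `keystoreSetting 'xpack.security.transport.ssl.keystore.secure_password'`. If the old cluster stays on the plaintext key because the version under test predates the secure variant, a comment such as `// plaintext password: the old-cluster version may not support the secure keystore setting` would make the asymmetry intentional rather than an oversight. The surrounding `subprojects` closure starts and ends outside both hunks.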
@@ -56,13 +56,12 @@ public class OpenLdapTests extends ESTestCase { public static final String LDAPTRUST_PATH = "/idptrust.jks"; private static final SecureString PASSWORD_SECURE_STRING = new SecureString(PASSWORD.toCharArray()); - private boolean useGlobalSSL; private SSLService sslService; private ThreadPool threadPool; private Settings globalSettings; @Before - public void init() throws Exception { + public void init() { threadPool = new TestThreadPool("OpenLdapTests thread pool"); } 
@@ -84,26 +83,15 @@ public void initializeSslSocketFactory() throws Exception { * If we re-use a SSLContext, previously connected sessions can get re-established which breaks hostname * verification tests since a re-established connection does not perform hostname verification. */ - useGlobalSSL = randomBoolean(); MockSecureSettings mockSecureSettings = new MockSecureSettings(); Settings.Builder builder = Settings.builder().put("path.home", createTempDir()); - if (useGlobalSSL) { - builder.put("xpack.ssl.truststore.path", truststore); - mockSecureSettings.setString("xpack.ssl.truststore.secure_password", "changeit"); - - // fake realm to load config with certificate verification mode - builder.put("xpack.security.authc.realms.bar.ssl.truststore.path", truststore); - mockSecureSettings.setString("xpack.security.authc.realms.bar.ssl.truststore.secure_password", "changeit"); - builder.put("xpack.security.authc.realms.bar.ssl.verification_mode", VerificationMode.CERTIFICATE); - } else { - // fake realms so ssl will get loaded - builder.put("xpack.security.authc.realms.foo.ssl.truststore.path", truststore); - mockSecureSettings.setString("xpack.security.authc.realms.foo.ssl.truststore.secure_password", "changeit"); - builder.put("xpack.security.authc.realms.foo.ssl.verification_mode", VerificationMode.FULL); - builder.put("xpack.security.authc.realms.bar.ssl.truststore.path", truststore); - mockSecureSettings.setString("xpack.security.authc.realms.bar.ssl.truststore.secure_password", "changeit"); - builder.put("xpack.security.authc.realms.bar.ssl.verification_mode", VerificationMode.CERTIFICATE); - } + // fake realms so ssl will get loaded + builder.put("xpack.security.authc.realms.foo.ssl.truststore.path", truststore); + mockSecureSettings.setString("xpack.security.authc.realms.foo.ssl.truststore.secure_password", "changeit"); + builder.put("xpack.security.authc.realms.foo.ssl.verification_mode", VerificationMode.FULL); + 
builder.put("xpack.security.authc.realms.bar.ssl.truststore.path", truststore); + mockSecureSettings.setString("xpack.security.authc.realms.bar.ssl.truststore.secure_password", "changeit"); + builder.put("xpack.security.authc.realms.bar.ssl.verification_mode", VerificationMode.CERTIFICATE); globalSettings = builder.setSecureSettings(mockSecureSettings).build(); Environment environment = TestEnvironment.newEnvironment(globalSettings); sslService = new SSLService(globalSettings, environment); @@ -256,9 +244,6 @@ private Settings buildLdapSettings(String ldapUrl, String userTemplate, String g Settings.Builder builder = Settings.builder() .put(LdapTestCase.buildLdapSettings(ldapUrl, userTemplate, groupSearchBase, scope)); builder.put("group_search.user_attribute", "uid"); - if (useGlobalSSL) { - return builder.build(); - } return builder .put("ssl.truststore.path", getDataPath(LDAPTRUST_PATH)) .put("ssl.truststore.password", "changeit") diff --git a/x-pack/qa/openldap-tests/src/test/java/org/elasticsearch/xpack/security/authc/ldap/OpenLdapUserSearchSessionFactoryTests.java b/x-pack/qa/openldap-tests/src/test/java/org/elasticsearch/xpack/security/authc/ldap/OpenLdapUserSearchSessionFactoryTests.java index c008b5260f82b..aee09b59a1502 100644 --- a/x-pack/qa/openldap-tests/src/test/java/org/elasticsearch/xpack/security/authc/ldap/OpenLdapUserSearchSessionFactoryTests.java +++ b/x-pack/qa/openldap-tests/src/test/java/org/elasticsearch/xpack/security/authc/ldap/OpenLdapUserSearchSessionFactoryTests.java 
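Review bot: The comment `// fake realms so ssl will get loaded` above the now-unconditional `foo`/`bar` realm settings no longer explains why two realms with different `verification_mode` values are needed, and a reader who does not remember the removed `useGlobalSSL` branch will wonder whether one of them can go. I would replace it with `// Placeholder realms, not used by any test directly: with the xpack.ssl.* fallback gone, SSLService only has the ssl.* groups it is given, so foo (FULL) and bar (CERTIFICATE) keep one context per verification mode available to the session factories under test — TODO confirm both are still required`. In the second hunk the realm settings now always carry a plain `ssl.truststore.password`, which is fine for a fixture but differs from the `secure_password` form used for the global settings a few lines up; a one-line comment saying the plain form is intentional would stop the next reader from "fixing" it. `initializeSslSocketFactory` starts above the first hunk and `buildLdapSettings` above the second.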
@@ -53,10 +53,10 @@ public void init() throws Exception {
* If we re-use a SSLContext, previously connected sessions can get re-established which breaks hostname
* verification tests since a re-established connection does not perform hostname verification.
*/
- globalSecureSettings = newSecureSettings("xpack.ssl.truststore.secure_password", "changeit");
+ globalSecureSettings = newSecureSettings("xpack.security.authc.realms.ldap.ssl.truststore.secure_password", "changeit");
globalSettings = Settings.builder()
.put("path.home", createTempDir())
- .put("xpack.ssl.truststore.path", keystore)
+ .put("xpack.security.authc.realms.ldap.ssl.truststore.path", keystore)
.setSecureSettings(globalSecureSettings)
.build();
threadPool = new TestThreadPool("LdapUserSearchSessionFactoryTests");
diff --git a/x-pack/qa/rolling-upgrade/build.gradle b/x-pack/qa/rolling-upgrade/build.gradle
index bc49f33549a37..88a96cf288c32 100644
--- a/x-pack/qa/rolling-upgrade/build.gradle
+++ b/x-pack/qa/rolling-upgrade/build.gradle
@@ -143,8 +143,8 @@ subprojects {
setting 'xpack.security.authc.token.enabled', 'true'
setting 'xpack.security.audit.enabled', 'true'
setting 'xpack.security.audit.outputs', 'index'
- setting 'xpack.ssl.keystore.path', 'testnode.jks'
- setting 'xpack.ssl.keystore.password', 'testnode'
+ setting 'xpack.security.transport.ssl.keystore.path', 'testnode.jks'
+ setting 'xpack.security.transport.ssl.keystore.password', 'testnode'
dependsOn copyTestNodeKeystore
extraConfigFile 'testnode.jks', new File(outputDir + '/testnode.jks')
if (withSystemKey) {
@@ -184,8 +184,8 @@ subprojects {
setting 'xpack.license.self_generated.type', 'trial'
setting 'xpack.security.enabled', 'true'
setting 'xpack.security.transport.ssl.enabled', 'true'
- setting 'xpack.ssl.keystore.path', 'testnode.jks'
- keystoreSetting 'xpack.ssl.keystore.secure_password', 'testnode'
+ setting 'xpack.security.transport.ssl.keystore.path', 'testnode.jks'
+ keystoreSetting 'xpack.security.transport.ssl.keystore.secure_password', 'testnode'
setting 'node.attr.upgraded', 'first'
setting 'xpack.security.authc.token.enabled', 'true'
setting 'xpack.security.audit.enabled', 'true'
@@ -222,8 +222,8 @@ subprojects {
setting 'xpack.license.self_generated.type', 'trial'
setting 'xpack.security.enabled', 'true'
setting 'xpack.security.transport.ssl.enabled', 'true'
- setting 'xpack.ssl.keystore.path', 'testnode.jks'
- keystoreSetting 'xpack.ssl.keystore.secure_password', 'testnode'
+ setting 'xpack.security.transport.ssl.keystore.path', 'testnode.jks'
+ keystoreSetting 'xpack.security.transport.ssl.keystore.secure_password', 'testnode'
setting 'xpack.security.authc.token.enabled', 'true'
setting 'xpack.security.audit.enabled', 'true'
setting 'xpack.security.audit.outputs', 'index'
diff --git a/x-pack/qa/sql/security/ssl/build.gradle b/x-pack/qa/sql/security/ssl/build.gradle
index 8c19ba0303f78..7de74ae403655 100644
--- a/x-pack/qa/sql/security/ssl/build.gradle
+++ b/x-pack/qa/sql/security/ssl/build.gradle
@@ -153,8 +153,10 @@ integTestCluster { setting 'xpack.security.transport.ssl.enabled', 'true' // ceremony to set up ssl - setting 'xpack.ssl.keystore.path', 'test-node.jks' - keystoreSetting 'xpack.ssl.keystore.secure_password', 'keypass' + setting 'xpack.security.transport.ssl.keystore.path', 'test-node.jks' + keystoreSetting 'xpack.security.transport.ssl.keystore.secure_password', 'keypass' + setting 'xpack.security.http.ssl.keystore.path', 'test-node.jks' + keystoreSetting 'xpack.security.http.ssl.keystore.secure_password', 'keypass' setting 'xpack.license.self_generated.type', 'trial' diff --git a/x-pack/qa/third-party/active-directory/src/test/java/org/elasticsearch/xpack/security/authc/ldap/ADLdapUserSearchSessionFactoryTests.java b/x-pack/qa/third-party/active-directory/src/test/java/org/elasticsearch/xpack/security/authc/ldap/ADLdapUserSearchSessionFactoryTests.java index 98594917129f2..b577453a25256 100644 --- a/x-pack/qa/third-party/active-directory/src/test/java/org/elasticsearch/xpack/security/authc/ldap/ADLdapUserSearchSessionFactoryTests.java +++ b/x-pack/qa/third-party/active-directory/src/test/java/org/elasticsearch/xpack/security/authc/ldap/ADLdapUserSearchSessionFactoryTests.java @@ -50,8 +50,8 @@ public void init() throws Exception { globalSettings = Settings.builder() .put("path.home", createTempDir()) - .put("xpack.ssl.truststore.path", keystore) - .setSecureSettings(newSecureSettings("xpack.ssl.truststore.secure_password", "changeit")) + .put("xpack.security.authc.realms.ldap.ssl.truststore.path", keystore) + .setSecureSettings(newSecureSettings("xpack.security.authc.realms.ldap.ssl.truststore.secure_password", "changeit")) .build(); sslService = new SSLService(globalSettings, env); threadPool = new TestThreadPool("ADLdapUserSearchSessionFactoryTests"); 
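Review bot: The comment `// ceremony to set up ssl` now heads two keystore pairs and no longer says why the same `test-node.jks` must be listed twice. I would make it `// transport and http each need their own keystore now; there is no shared xpack.ssl.* fallback`. The hunk shows `xpack.security.transport.ssl.enabled` but no `xpack.security.http.ssl.enabled`; if that flag is set elsewhere in this file the http keystore is required, otherwise the two new http lines are inert, and the comment should say which it is. The `integTestCluster` block continues outside the hunk.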
diff --git a/x-pack/qa/third-party/active-directory/src/test/java/org/elasticsearch/xpack/security/authc/ldap/AbstractActiveDirectoryTestCase.java b/x-pack/qa/third-party/active-directory/src/test/java/org/elasticsearch/xpack/security/authc/ldap/AbstractActiveDirectoryTestCase.java index 7ef1bd674a32b..d406ff3bd2869 100644 --- a/x-pack/qa/third-party/active-directory/src/test/java/org/elasticsearch/xpack/security/authc/ldap/AbstractActiveDirectoryTestCase.java +++ b/x-pack/qa/third-party/active-directory/src/test/java/org/elasticsearch/xpack/security/authc/ldap/AbstractActiveDirectoryTestCase.java @@ -47,11 +47,9 @@ public abstract class AbstractActiveDirectoryTestCase extends ESTestCase { protected SSLService sslService; protected Settings globalSettings; - protected boolean useGlobalSSL; @Before public void initializeSslSocketFactory() throws Exception { - useGlobalSSL = randomBoolean(); Path truststore = getDataPath("../ldap/support/ADtrust.jks"); /* * Prior to each test we reinitialize the socket factory with a new SSLService so that we get a new SSLContext. 
@@ -59,23 +57,13 @@ public void initializeSslSocketFactory() throws Exception { * verification tests since a re-established connection does not perform hostname verification. */ Settings.Builder builder = Settings.builder().put("path.home", createTempDir()); - if (useGlobalSSL) { - builder.put("xpack.ssl.truststore.path", truststore) - .put("xpack.ssl.truststore.password", "changeit"); - - // fake realm to load config with certificate verification mode - builder.put("xpack.security.authc.realms.bar.ssl.truststore.path", truststore); - builder.put("xpack.security.authc.realms.bar.ssl.truststore.password", "changeit"); - builder.put("xpack.security.authc.realms.bar.ssl.verification_mode", VerificationMode.CERTIFICATE); - } else { - // fake realms so ssl will get loaded - builder.put("xpack.security.authc.realms.foo.ssl.truststore.path", truststore); - builder.put("xpack.security.authc.realms.foo.ssl.truststore.password", "changeit"); - builder.put("xpack.security.authc.realms.foo.ssl.verification_mode", VerificationMode.FULL); - builder.put("xpack.security.authc.realms.bar.ssl.truststore.path", truststore); - builder.put("xpack.security.authc.realms.bar.ssl.truststore.password", "changeit"); - builder.put("xpack.security.authc.realms.bar.ssl.verification_mode", VerificationMode.CERTIFICATE); - } + // fake realms so ssl will get loaded + builder.put("xpack.security.authc.realms.foo.ssl.truststore.path", truststore); + builder.put("xpack.security.authc.realms.foo.ssl.truststore.password", "changeit"); + builder.put("xpack.security.authc.realms.foo.ssl.verification_mode", VerificationMode.FULL); + builder.put("xpack.security.authc.realms.bar.ssl.truststore.path", truststore); + builder.put("xpack.security.authc.realms.bar.ssl.truststore.password", "changeit"); + builder.put("xpack.security.authc.realms.bar.ssl.verification_mode", VerificationMode.CERTIFICATE); globalSettings = builder.build(); Environment environment = TestEnvironment.newEnvironment(globalSettings); 
sslService = new SSLService(globalSettings, environment); @@ -92,16 +80,14 @@ Settings buildAdSettings(String ldapUrl, String adDomainName, String userSearchD .put(ActiveDirectorySessionFactorySettings.AD_LDAPS_PORT_SETTING.getKey(), AD_LDAPS_PORT) .put(ActiveDirectorySessionFactorySettings.AD_GC_LDAP_PORT_SETTING.getKey(), AD_GC_LDAP_PORT) .put(ActiveDirectorySessionFactorySettings.AD_GC_LDAPS_PORT_SETTING.getKey(), AD_GC_LDAPS_PORT) - .put("follow_referrals", FOLLOW_REFERRALS); + .put("follow_referrals", FOLLOW_REFERRALS) + .put("ssl.truststore.path", getDataPath("../ldap/support/ADtrust.jks")) + .put("ssl.truststore.password", "changeit"); if (randomBoolean()) { builder.put("ssl.verification_mode", hostnameVerification ? VerificationMode.FULL : VerificationMode.CERTIFICATE); } else { builder.put(SessionFactorySettings.HOSTNAME_VERIFICATION_SETTING, hostnameVerification); } - if (useGlobalSSL == false) { - builder.put("ssl.truststore.path", getDataPath("../ldap/support/ADtrust.jks")) - .put("ssl.truststore.password", "changeit"); - } return builder.build(); } diff --git a/x-pack/qa/third-party/active-directory/src/test/java/org/elasticsearch/xpack/security/authc/ldap/AbstractAdLdapRealmTestCase.java b/x-pack/qa/third-party/active-directory/src/test/java/org/elasticsearch/xpack/security/authc/ldap/AbstractAdLdapRealmTestCase.java index 1d73d1f0d2979..c51084dde820b 100644 --- a/x-pack/qa/third-party/active-directory/src/test/java/org/elasticsearch/xpack/security/authc/ldap/AbstractAdLdapRealmTestCase.java +++ b/x-pack/qa/third-party/active-directory/src/test/java/org/elasticsearch/xpack/security/authc/ldap/AbstractAdLdapRealmTestCase.java 
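Review bot: `buildAdSettings` now resolves `getDataPath("../ldap/support/ADtrust.jks")` and repeats the `"changeit"` literal on every call even though `initializeSslSocketFactory` already resolved the same file into its local `truststore`; with the `useGlobalSSL` branch gone there is no reason for two copies. I would promote the path to `protected static final String AD_TRUSTSTORE_RESOURCE = "../ldap/support/ADtrust.jks";`, keep the resolved file in a `protected Path adTruststore;` assigned once in `initializeSslSocketFactory`, and have `buildAdSettings` use `.put("ssl.truststore.path", adTruststore)`. Both hunks also pass the truststore password through the plain `ssl.truststore.password` setting, whereas the OpenLDAP tests in this same series feed the global password via `secure_password` on `MockSecureSettings`; if the plain form is deliberate here a comment saying so would help. `initializeSslSocketFactory` starts above the first hunk and `buildAdSettings` above the second.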
@@ -103,13 +103,11 @@ public abstract class AbstractAdLdapRealmTestCase extends SecurityIntegTestCase protected static final String TESTNODE_KEYSTORE = "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.jks"; protected static RealmConfig realmConfig; protected static List roleMappings; - protected static boolean useGlobalSSL; @BeforeClass public static void setupRealm() { realmConfig = randomFrom(RealmConfig.values()); roleMappings = realmConfig.selectRoleMappings(ESTestCase::randomBoolean); - useGlobalSSL = randomBoolean(); ESLoggerFactory.getLogger("test").info("running test with realm configuration [{}], with direct group to role mapping [{}]. " + "Settings [{}]", realmConfig, realmConfig.mapGroupsAsRoles, realmConfig.settings); } @@ -213,24 +211,6 @@ private List getRoleMappingContent(Function co .collect(Collectors.toList()); } - @Override - protected Settings transportClientSettings() { - if (useGlobalSSL) { - Path store = getDataPath(TESTNODE_KEYSTORE); - Settings.Builder builder = Settings.builder() - .put(super.transportClientSettings().filter((s) -> s.startsWith("xpack.ssl.") == false)); - addSslSettingsForStore(builder, store, "testnode"); - return builder.build(); - } else { - return super.transportClientSettings(); - } - } - - @Override - protected boolean transportSSLEnabled() { - return useGlobalSSL; - } - protected final void configureFileRoleMappings(Settings.Builder builder, List mappings) { String content = getRoleMappingContent(RoleMappingEntry::getFileContent, mappings).stream().collect(Collectors.joining("\n")); Path nodeFiles = createTempDir(); 
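Review bot: With the `transportClientSettings()` override deleted in the second hunk, the only visible consumer of `TESTNODE_KEYSTORE` (still present as context in the first hunk) and of `addSslSettingsForStore` is gone; unless something outside this diff still references them, the constant, the helper and the now-unused `Path` import should go with the override rather than linger as dead code. Removing `transportSSLEnabled()` also means these AD/LDAP integration tests no longer randomise transport SSL themselves but take whatever `SecurityIntegTestCase` decides; if that default is itself randomised the coverage is unchanged, but if it is fixed the tests lost a dimension, and a class-level comment such as `// transport SSL is inherited from SecurityIntegTestCase; realm SSL is always configured explicitly below` would make the choice deliberate. The enclosing class body continues outside both hunks.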
@@ -438,11 +418,9 @@ protected Settings buildSettings(Path store, String password, int order) { .put(XPACK_SECURITY_AUTHC_REALMS_EXTERNAL + ".order", order) .put(XPACK_SECURITY_AUTHC_REALMS_EXTERNAL + ".hostname_verification", false) .put(XPACK_SECURITY_AUTHC_REALMS_EXTERNAL + ".unmapped_groups_as_roles", mapGroupsAsRoles) - .put(this.settings); - if (useGlobalSSL == false) { - builder.put(XPACK_SECURITY_AUTHC_REALMS_EXTERNAL + ".ssl.truststore.path", store) - .put(XPACK_SECURITY_AUTHC_REALMS_EXTERNAL + ".ssl.truststore.password", password); - } + .put(this.settings) + .put(XPACK_SECURITY_AUTHC_REALMS_EXTERNAL + ".ssl.truststore.path", store) + .put(XPACK_SECURITY_AUTHC_REALMS_EXTERNAL + ".ssl.truststore.password", password); return builder.build(); } diff --git a/x-pack/qa/third-party/active-directory/src/test/java/org/elasticsearch/xpack/security/authc/ldap/ActiveDirectorySessionFactoryTests.java b/x-pack/qa/third-party/active-directory/src/test/java/org/elasticsearch/xpack/security/authc/ldap/ActiveDirectorySessionFactoryTests.java index 2f1aa0f5eb573..00a3a392e757b 100644 --- a/x-pack/qa/third-party/active-directory/src/test/java/org/elasticsearch/xpack/security/authc/ldap/ActiveDirectorySessionFactoryTests.java +++ b/x-pack/qa/third-party/active-directory/src/test/java/org/elasticsearch/xpack/security/authc/ldap/ActiveDirectorySessionFactoryTests.java 
@@ -278,14 +278,9 @@ public void testStandardLdapConnection() throws Exception { null, true)) .put("follow_referrals", FOLLOW_REFERRALS) + .put("ssl.truststore.path", getDataPath("../ldap/support/ADtrust.jks")) + .put("ssl.truststore.password", "changeit") .build(); - if (useGlobalSSL == false) { - settings = Settings.builder() - .put(settings) - .put("ssl.truststore.path", getDataPath("../ldap/support/ADtrust.jks")) - .put("ssl.truststore.password", "changeit") - .build(); - } RealmConfig config = new RealmConfig("ad-as-ldap-test", settings, globalSettings, TestEnvironment.newEnvironment(globalSettings), new ThreadContext(globalSettings)); LdapSessionFactory sessionFactory = new LdapSessionFactory(config, sslService, threadPool); @@ -316,13 +311,11 @@ public void testHandlingLdapReferralErrors() throws Exception { LdapSearchScope.SUB_TREE, null, ignoreReferralErrors); - if (useGlobalSSL == false) { - settings = Settings.builder() - .put(settings) - .put("ssl.truststore.path", getDataPath("../ldap/support/ADtrust.jks")) - .put("ssl.truststore.password", "changeit") - .build(); - } + settings = Settings.builder() + .put(settings) + .put("ssl.truststore.path", getDataPath("../ldap/support/ADtrust.jks")) + .put("ssl.truststore.password", "changeit") + .build(); RealmConfig config = new RealmConfig("ad-as-ldap-test", settings, globalSettings, TestEnvironment.newEnvironment(globalSettings), new ThreadContext(globalSettings)); LdapSessionFactory sessionFactory = new LdapSessionFactory(config, sslService, threadPool); 
@@ -345,13 +338,11 @@ public void testHandlingLdapReferralErrors() throws Exception { public void testStandardLdapWithAttributeGroups() throws Exception { String userTemplate = "CN={0},CN=Users,DC=ad,DC=test,DC=elasticsearch,DC=com"; Settings settings = LdapTestCase.buildLdapSettings(new String[] { AD_LDAP_URL }, userTemplate, false); - if (useGlobalSSL == false) { - settings = Settings.builder() - .put(settings) - .put("ssl.truststore.path", getDataPath("../ldap/support/ADtrust.jks")) - .put("ssl.truststore.password", "changeit") - .build(); - } + settings = Settings.builder() + .put(settings) + .put("ssl.truststore.path", getDataPath("../ldap/support/ADtrust.jks")) + .put("ssl.truststore.password", "changeit") + .build(); RealmConfig config = new RealmConfig("ad-as-ldap-test", settings, globalSettings, TestEnvironment.newEnvironment(globalSettings), new ThreadContext(globalSettings)); LdapSessionFactory sessionFactory = new LdapSessionFactory(config, sslService, threadPool); @@ -408,10 +399,8 @@ private Settings buildAdSettings(String ldapUrl, String adDomainName, boolean ho builder.put(SessionFactorySettings.HOSTNAME_VERIFICATION_SETTING, hostnameVerification); } - if (useGlobalSSL == false) { - builder.put("ssl.truststore.path", getDataPath("../ldap/support/ADtrust.jks")) - .put("ssl.truststore.password", "changeit"); - } + builder.put("ssl.truststore.path", getDataPath("../ldap/support/ADtrust.jks")) + .put("ssl.truststore.password", "changeit"); if (useBindUser) { final String user = randomFrom("cap", "hawkeye", "hulk", "ironman", "thor", "blackwidow", "cap@ad.test.elasticsearch.com", diff --git a/x-pack/qa/vagrant/src/test/resources/packaging/tests/certgen.bash b/x-pack/qa/vagrant/src/test/resources/packaging/tests/certgen.bash index d75f75b383ada..4053320a3e57e 100644 --- a/x-pack/qa/vagrant/src/test/resources/packaging/tests/certgen.bash +++ b/x-pack/qa/vagrant/src/test/resources/packaging/tests/certgen.bash 
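Review bot: The same pair of lines, `.put("ssl.truststore.path", getDataPath("../ldap/support/ADtrust.jks"))` and `.put("ssl.truststore.password", "changeit")`, is now pasted unconditionally into `testStandardLdapConnection`, `testHandlingLdapReferralErrors` (the hunks on the previous line), `testStandardLdapWithAttributeGroups` and `buildAdSettings`; the removed `useGlobalSSL` guard was the only thing that distinguished the four sites. I would fold them into one private helper so the truststore location and password live in a single place and the test bodies read as "realm settings plus trust"; each `settings = Settings.builder().put(settings)...build()` block becomes `settings = withAdTruststore(settings);` and the builder in `buildAdSettings` calls `addAdTruststore(builder)`. The helper below is additive and keeps every setting key byte-identical. `buildAdSettings` starts above the last hunk.
```java
private static final String AD_TRUSTSTORE_RESOURCE = "../ldap/support/ADtrust.jks";
private static final String AD_TRUSTSTORE_PASSWORD = "changeit";

/** Adds the AD test truststore to {@code builder}; realm-level trust is the only source now that xpack.ssl.* is gone. */
private Settings.Builder addAdTruststore(Settings.Builder builder) {
    return builder
        .put("ssl.truststore.path", getDataPath(AD_TRUSTSTORE_RESOURCE))
        .put("ssl.truststore.password", AD_TRUSTSTORE_PASSWORD);
}

/** Returns a copy of {@code settings} with the AD test truststore appended. */
private Settings withAdTruststore(Settings settings) {
    return addAdTruststore(Settings.builder().put(settings)).build();
}
```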
@@ -248,9 +248,12 @@ node.master: true node.data: false discovery.zen.ping.unicast.hosts: ["127.0.0.1:9301"] -xpack.ssl.key: $ESCONFIG/certs/node-master/node-master.key -xpack.ssl.certificate: $ESCONFIG/certs/node-master/node-master.crt -xpack.ssl.certificate_authorities: ["$ESCONFIG/certs/ca/ca.crt"] +xpack.security.transport.ssl.key: $ESCONFIG/certs/node-master/node-master.key +xpack.security.transport.ssl.certificate: $ESCONFIG/certs/node-master/node-master.crt +xpack.security.transport.ssl.certificate_authorities: ["$ESCONFIG/certs/ca/ca.crt"] +xpack.security.http.ssl.key: $ESCONFIG/certs/node-master/node-master.key +xpack.security.http.ssl.certificate: $ESCONFIG/certs/node-master/node-master.crt +xpack.security.http.ssl.certificate_authorities: ["$ESCONFIG/certs/ca/ca.crt"] xpack.security.transport.ssl.enabled: true transport.tcp.port: 9300 @@ -331,9 +334,12 @@ node.master: false node.data: true discovery.zen.ping.unicast.hosts: ["127.0.0.1:9300"] -xpack.ssl.key: $ESCONFIG/certs/node-data/node-data.key -xpack.ssl.certificate: $ESCONFIG/certs/node-data/node-data.crt -xpack.ssl.certificate_authorities: ["$ESCONFIG/certs/ca/ca.crt"] +xpack.security.transport.ssl.key: $ESCONFIG/certs/node-data/node-data.key +xpack.security.transport.ssl.certificate: $ESCONFIG/certs/node-data/node-data.crt +xpack.security.transport.ssl.certificate_authorities: ["$ESCONFIG/certs/ca/ca.crt"] +xpack.security.http.ssl.key: $ESCONFIG/certs/node-data/node-data.key +xpack.security.http.ssl.certificate: $ESCONFIG/certs//node-data/node-data.crt +xpack.security.http.ssl.certificate_authorities: ["$ESCONFIG/certs/ca/ca.crt"] xpack.security.transport.ssl.enabled: true transport.tcp.port: 9301 From 51b7660a4d9530d748c26e7b58ff079948d4538b Mon Sep 17 00:00:00 2001 
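Review bot: The node-data block in the second hunk writes `xpack.security.http.ssl.certificate: $ESCONFIG/certs//node-data/node-data.crt` with a doubled slash while the matching key, CA and node-master lines use a single one; the path still resolves on POSIX, but it is a copy-paste slip that will confuse anyone diffing generated configs, so it should read `xpack.security.http.ssl.certificate: $ESCONFIG/certs/node-data/node-data.crt`. Both hunks add `xpack.security.http.ssl.key/certificate/certificate_authorities` without a visible `xpack.security.http.ssl.enabled: true`; if HTTP TLS is meant to be exercised by this packaging test it needs that flag now that nothing falls back to `xpack.ssl.*`, and if it is not, a comment noting that the http lines only provide material for a later `enabled: true` would save the question. The heredocs these lines sit in start above each hunk.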
From: jaymode Date: Thu, 13 Dec 2018 09:20:36 -0700 Subject: [PATCH 02/10] dont enable ssl unless we really need to --- .../elasticsearch/test/SecuritySettingsSource.java | 13 +------------ 1 file changed, 1 insertion(+), 12 deletions(-) diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/test/SecuritySettingsSource.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/test/SecuritySettingsSource.java index 1d218212be10a..d041c482c9a55 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/test/SecuritySettingsSource.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/test/SecuritySettingsSource.java @@ -222,6 +222,7 @@ public static void addSSLSettingsForNodePEMFiles(Settings.Builder builder, Strin private void addNodeSSLSettings(Settings.Builder builder) { if (sslEnabled) { + builder.put("xpack.security.transport.ssl.enabled", true); if (usePEM) { addSSLSettingsForNodePEMFiles(builder, "xpack.security.transport.", hostnameVerificationEnabled); } else { @@ -262,12 +263,6 @@ private static void addSSLSettingsForStore(Settings.Builder builder, String pref boolean sslEnabled, boolean hostnameVerificationEnabled, boolean transportClient) { Path store = resolveResourcePath(resourcePathToStore); - - if (transportClient == false) { - builder.put("xpack.security.http.ssl.enabled", false); - } - builder.put(XPackSettings.TRANSPORT_SSL_ENABLED.getKey(), sslEnabled); - builder.put(prefix + "ssl.verification_mode", hostnameVerificationEnabled ? "full" : "certificate"); builder.put(prefix + "ssl.keystore.path", store); if (transportClient) { 
@@ -328,12 +323,6 @@ public static void addSSLSettingsForPEMFiles(Settings.Builder builder, String ke private static void addSSLSettingsForPEMFiles(Settings.Builder builder, String prefix, String keyPath, String password, String certificatePath, List trustedCertificates, boolean sslEnabled, boolean hostnameVerificationEnabled, boolean transportClient) { - - if (transportClient == false) { - builder.put("xpack.security.http.ssl.enabled", false); - } - builder.put(XPackSettings.TRANSPORT_SSL_ENABLED.getKey(), sslEnabled); - if (prefix.equals("")) { prefix = "xpack.security.transport."; } From 5e31047d053ae276202945ed2d05278179221d47 Mon Sep 17 00:00:00 2001 From: jaymode Date: Thu, 13 Dec 2018 09:23:29 -0700 Subject: [PATCH 03/10] cleanup --- .../test/SecuritySettingsSource.java | 22 +++++++++---------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/test/SecuritySettingsSource.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/test/SecuritySettingsSource.java index d041c482c9a55..adeb4a7f86569 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/test/SecuritySettingsSource.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/test/SecuritySettingsSource.java @@ -217,7 +217,7 @@ public static void addSSLSettingsForNodePEMFiles(Settings.Builder builder, Strin "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testclient.crt", "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/openldap.crt", "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt"), - true, hostnameVerificationEnabled, false); + hostnameVerificationEnabled, false); } private void addNodeSSLSettings(Settings.Builder builder) { 
@@ -227,8 +227,8 @@ private void addNodeSSLSettings(Settings.Builder builder) { addSSLSettingsForNodePEMFiles(builder, "xpack.security.transport.", hostnameVerificationEnabled); } else { addSSLSettingsForStore(builder, "xpack.security.transport.", - "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.jks", "testnode", - true, hostnameVerificationEnabled, false); + "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.jks", "testnode", + hostnameVerificationEnabled, false); } } else if (randomBoolean()) { builder.put(XPackSettings.TRANSPORT_SSL_ENABLED.getKey(), false); @@ -236,16 +236,17 @@ private void addNodeSSLSettings(Settings.Builder builder) { } public void addClientSSLSettings(Settings.Builder builder, String prefix) { + builder.put("xpack.security.transport.ssl.enabled", sslEnabled); if (usePEM) { addSSLSettingsForPEMFiles(builder, prefix, "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testclient.pem", "testclient", "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testclient.crt", Arrays.asList("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt", "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testclient.crt"), - sslEnabled, hostnameVerificationEnabled, true); + hostnameVerificationEnabled, true); } else { addSSLSettingsForStore(builder, prefix, "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testclient.jks", - "testclient", sslEnabled, hostnameVerificationEnabled, true); + "testclient", hostnameVerificationEnabled, true); } } 
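Review bot: `addClientSSLSettings` now writes the literal key `"xpack.security.transport.ssl.enabled"` while the `else if` branch at the end of the first hunk uses `XPackSettings.TRANSPORT_SSL_ENABLED.getKey()` for the same setting (patch 02 introduced the same literal in `addNodeSSLSettings`); the constant is already in scope, so both places should use `builder.put(XPackSettings.TRANSPORT_SSL_ENABLED.getKey(), sslEnabled);`. Independently, the enabled flag is written to the default transport key regardless of the `prefix` argument while every other setting the method emits is prefixed; if any caller passes a profile-specific prefix the flag lands on a different configuration than the key material, which deserves either a prefix-aware key or a comment stating that callers always pass the default transport prefix. `addNodeSSLSettings` starts above the first hunk.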
@@ -256,12 +257,11 @@ public void addClientSSLSettings(Settings.Builder builder, String prefix) { * @param password the password */ public static void addSSLSettingsForStore(Settings.Builder builder, String resourcePathToStore, String password, String prefix) { - addSSLSettingsForStore(builder, prefix, resourcePathToStore, password, true, true, true); + addSSLSettingsForStore(builder, prefix, resourcePathToStore, password, true, true); } private static void addSSLSettingsForStore(Settings.Builder builder, String prefix, String resourcePathToStore, String password, - boolean sslEnabled, boolean hostnameVerificationEnabled, - boolean transportClient) { + boolean hostnameVerificationEnabled, boolean transportClient) { Path store = resolveResourcePath(resourcePathToStore); builder.put(prefix + "ssl.verification_mode", hostnameVerificationEnabled ? "full" : "certificate"); builder.put(prefix + "ssl.keystore.path", store); @@ -300,7 +300,7 @@ private static void addSSLSettingsForStore(Settings.Builder builder, String pref */ public static void addSSLSettingsForPEMFiles(Settings.Builder builder, String keyPath, String password, String certificatePath, List trustedCertificates) { - addSSLSettingsForPEMFiles(builder, "", keyPath, password, certificatePath, trustedCertificates, true, true, true); + addSSLSettingsForPEMFiles(builder, "", keyPath, password, certificatePath, trustedCertificates, true, true); } /** 
@@ -317,11 +317,11 @@ public static void addSSLSettingsForPEMFiles(Settings.Builder builder, String ke */ public static void addSSLSettingsForPEMFiles(Settings.Builder builder, String keyPath, String password, String certificatePath, String prefix, List trustedCertificates) { - addSSLSettingsForPEMFiles(builder, prefix, keyPath, password, certificatePath, trustedCertificates, true, true, true); + addSSLSettingsForPEMFiles(builder, prefix, keyPath, password, certificatePath, trustedCertificates, true, true); } private static void addSSLSettingsForPEMFiles(Settings.Builder builder, String prefix, String keyPath, String password, - String certificatePath, List trustedCertificates, boolean sslEnabled, + String certificatePath, List trustedCertificates, boolean hostnameVerificationEnabled, boolean transportClient) { if (prefix.equals("")) { prefix = "xpack.security.transport."; From b7f0f46afb888cb2e30d224e895a0816c85e2670 Mon Sep 17 00:00:00 2001 From: jaymode Date: Thu, 13 Dec 2018 09:43:45 -0700 Subject: [PATCH 04/10] fix pkiauthtests --- .../authc/pki/PkiAuthenticationTests.java | 8 ++- ...ServerTransportFilterIntegrationTests.java | 65 ++++++++++--------- 2 files changed, 38 insertions(+), 35 deletions(-) diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/pki/PkiAuthenticationTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/pki/PkiAuthenticationTests.java index cc4b91fe66488..52c87c75a13a7 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/pki/PkiAuthenticationTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/pki/PkiAuthenticationTests.java 
@@ -160,9 +160,11 @@ private TransportClient createTransportClient(Settings additionalSettings) { clientSettings = clientSettings.filter(k -> k.startsWith("xpack.security.transport.ssl.") == false); } - Settings.Builder builder = Settings.builder().put(clientSettings, false) - .put(additionalSettings) - .put("cluster.name", node().settings().get("cluster.name")); + Settings.Builder builder = Settings.builder() + .put("xpack.security.transport.ssl.enabled", true) + .put(clientSettings, false) + .put(additionalSettings) + .put("cluster.name", node().settings().get("cluster.name")); builder.remove(SecurityField.USER_SETTING.getKey()); builder.remove("request.headers.Authorization"); return new TestXPackTransportClient(builder.build(), LocalStateSecurity.class); diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/ServerTransportFilterIntegrationTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/ServerTransportFilterIntegrationTests.java index acccee3a26a00..2383f3b3ac739 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/ServerTransportFilterIntegrationTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/ServerTransportFilterIntegrationTests.java @@ -40,6 +40,7 @@ import java.nio.file.Path; import java.util.Arrays; import java.util.Collection; +import java.util.Collections; import java.util.concurrent.CountDownLatch; import static org.elasticsearch.test.SecuritySettingsSource.addSSLSettingsForNodePEMFiles; 
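Review bot: The new `.put("xpack.security.transport.ssl.enabled", true)` is placed before `.put(clientSettings, false)`, and just above the hunk `clientSettings` may have had every `xpack.security.transport.ssl.*` key filtered out, so the reason the flag is re-added first is not obvious from the code. A comment such as `// the filter above may have stripped ssl.enabled along with the key material; keep TLS on (PKI auth presumably needs it) and let additionalSettings supply the material` would record the intent, and `XPackSettings.TRANSPORT_SSL_ENABLED.getKey()` should replace the literal as elsewhere in this series. Because `additionalSettings` is applied after the flag it can still switch SSL off; if no caller relies on that, putting the flag last makes the guarantee unconditional. `createTransportClient` starts above the hunk.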
@@ -68,7 +69,7 @@ protected Settings nodeSettings(int nodeOrdinal) { addSSLSettingsForNodePEMFiles(settingsBuilder, "transport.profiles.client.xpack.security.", true); Path certPath = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt"); settingsBuilder.putList("transport.profiles.client.xpack.security.ssl.certificate_authorities", - Arrays.asList(certPath.toString())) // settings for client truststore + Collections.singletonList(certPath.toString())) // settings for client truststore .put("transport.profiles.client.xpack.security.type", "client") .put("transport.profiles.client.port", randomClientPortRange) // make sure this is "localhost", no matter if ipv4 or ipv6, but be consistent 
@@ -96,20 +97,20 @@ public void testThatConnectionToServerTypeConnectionWorks() throws IOException, // test that starting up a node works Settings.Builder nodeSettings = Settings.builder() - .put("node.name", "my-test-node") - .put("network.host", "localhost") - .put("cluster.name", internalCluster().getClusterName()) - .put("discovery.zen.ping.unicast.hosts", unicastHost) - .put("discovery.zen.minimum_master_nodes", - internalCluster().getInstance(Settings.class).get("discovery.zen.minimum_master_nodes")) - .put("xpack.security.enabled", true) - .put("xpack.security.audit.enabled", false) - .put(XPackSettings.WATCHER_ENABLED.getKey(), false) - .put("path.home", home) - .put(Node.NODE_MASTER_SETTING.getKey(), false) - .put(TestZenDiscovery.USE_ZEN2.getKey(), getUseZen2()) - .put(TestZenDiscovery.USE_MOCK_PINGS.getKey(), false); - //.put("xpack.ml.autodetect_process", false); + .put("node.name", "my-test-node") + .put("network.host", "localhost") + .put("cluster.name", internalCluster().getClusterName()) + .put("discovery.zen.ping.unicast.hosts", unicastHost) + .put("discovery.zen.minimum_master_nodes", + internalCluster().getInstance(Settings.class).get("discovery.zen.minimum_master_nodes")) + .put("xpack.security.enabled", true) + .put("xpack.security.audit.enabled", false) + .put("xpack.security.transport.ssl.enabled", true) + .put(XPackSettings.WATCHER_ENABLED.getKey(), false) + .put("path.home", home) + .put(Node.NODE_MASTER_SETTING.getKey(), false) + .put(TestZenDiscovery.USE_ZEN2.getKey(), getUseZen2()) + .put(TestZenDiscovery.USE_MOCK_PINGS.getKey(), false); Collection> mockPlugins = Arrays.asList( LocalStateSecurity.class, TestZenDiscovery.TestPlugin.class, MockHttpTransport.TestPlugin.class); addSSLSettingsForPEMFiles( 
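Review bot: The one functional change in this hunk, `.put("xpack.security.transport.ssl.enabled", true)`, is buried inside a re-indentation of fourteen otherwise untouched `.put` lines, which makes it easy to miss in review and in `git blame`; the same holds for the next hunk in `testThatConnectionToClientTypeConnectionIsRejected`. The neighbouring line already uses `XPackSettings.WATCHER_ENABLED.getKey()`, so the flag should follow suit: `.put(XPackSettings.TRANSPORT_SSL_ENABLED.getKey(), true)`. Dropping the commented-out `//.put("xpack.ml.autodetect_process", false)` is welcome; the reindent itself would have been cleaner as a separate whitespace-only commit. `testThatConnectionToServerTypeConnectionWorks` starts above the hunk.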
@@ -138,22 +139,22 @@ public void testThatConnectionToClientTypeConnectionIsRejected() throws IOExcept // test that starting up a node works Settings.Builder nodeSettings = Settings.builder() - .put("xpack.security.authc.realms.file.file.order", 0) - .put("node.name", "my-test-node") - .put(SecurityField.USER_SETTING.getKey(), "test_user:" + SecuritySettingsSourceField.TEST_PASSWORD) - .put("cluster.name", internalCluster().getClusterName()) - .put("discovery.zen.ping.unicast.hosts", unicastHost) - .put("discovery.zen.minimum_master_nodes", - internalCluster().getInstance(Settings.class).get("discovery.zen.minimum_master_nodes")) - .put("xpack.security.enabled", true) - .put("xpack.security.audit.enabled", false) - .put(XPackSettings.WATCHER_ENABLED.getKey(), false) - .put("discovery.initial_state_timeout", "0s") - .put("path.home", home) - .put(Node.NODE_MASTER_SETTING.getKey(), false) - .put(TestZenDiscovery.USE_ZEN2.getKey(), getUseZen2()) - .put(TestZenDiscovery.USE_MOCK_PINGS.getKey(), false); - //.put("xpack.ml.autodetect_process", false); + .put("xpack.security.authc.realms.file.file.order", 0) + .put("node.name", "my-test-node") + .put(SecurityField.USER_SETTING.getKey(), "test_user:" + SecuritySettingsSourceField.TEST_PASSWORD) + .put("cluster.name", internalCluster().getClusterName()) + .put("discovery.zen.ping.unicast.hosts", unicastHost) + .put("discovery.zen.minimum_master_nodes", + internalCluster().getInstance(Settings.class).get("discovery.zen.minimum_master_nodes")) + .put("xpack.security.enabled", true) + .put("xpack.security.audit.enabled", false) + .put("xpack.security.transport.ssl.enabled", true) + .put(XPackSettings.WATCHER_ENABLED.getKey(), false) + .put("discovery.initial_state_timeout", "0s") + .put("path.home", home) + .put(Node.NODE_MASTER_SETTING.getKey(), false) + .put(TestZenDiscovery.USE_ZEN2.getKey(), getUseZen2()) + .put(TestZenDiscovery.USE_MOCK_PINGS.getKey(), false); Collection> mockPlugins = Arrays.asList( 
LocalStateSecurity.class, TestZenDiscovery.TestPlugin.class, MockHttpTransport.TestPlugin.class); addSSLSettingsForPEMFiles( @@ -161,7 +162,7 @@ public void testThatConnectionToClientTypeConnectionIsRejected() throws IOExcept "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.pem", "testnode", "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt", - Arrays.asList("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt")); + Collections.singletonList("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt")); try (Node node = new MockNode(nodeSettings.build(), mockPlugins)) { node.start(); TransportService instance = node.injector().getInstance(TransportService.class); From 48b1adf9c6d41440b5f1c1cdb22957523ada1f2c Mon Sep 17 00:00:00 2001 From: jaymode Date: Thu, 13 Dec 2018 10:41:35 -0700 Subject: [PATCH 05/10] rollback pem -> jks changes --- .../xpack/core/ssl/SSLServiceTests.java | 154 +++++++++--------- .../esnative/ESNativeMigrateToolTests.java | 24 ++- .../tool/CommandLineHttpClientTests.java | 9 +- 3 files changed, 100 insertions(+), 87 deletions(-) diff --git a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/ssl/SSLServiceTests.java b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/ssl/SSLServiceTests.java index 5615f25339320..9b697e9f08f01 100644 --- a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/ssl/SSLServiceTests.java +++ b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/ssl/SSLServiceTests.java @@ -83,6 +83,8 @@ public class SSLServiceTests extends ESTestCase { private Path testnodeStore; private String testnodeStoreType; private Path testclientStore; + private Path testnodeCert; + private Path testnodeKey; private Environment env; @Before 
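Review bot: The node settings builder in `testThatConnectionToClientTypeConnectionIsRejected` now differs from the one in `testThatConnectionToServerTypeConnectionWorks` only by the `file` realm order, the `USER_SETTING` line and `discovery.initial_state_timeout`, and both had to receive the same `xpack.security.transport.ssl.enabled` line in this commit. A private helper such as `private Settings.Builder baseNodeSettings(Path home, String unicastHost)` would keep the next mandatory SSL setting from being added twice and drifting. The `SecurityField.USER_SETTING` entry embeds `TEST_PASSWORD` directly in node settings; that is acceptable for a fixture, but a one-line `// test-only credential for the integration node` comment would make the intent explicit. `mockPlugins` and the following `addSSLSettingsForPEMFiles(` call are context shared with the next hunk.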
@@ -97,6 +99,8 @@ public void setup() throws Exception { testnodeStoreType = randomBoolean() ? "PKCS12" : null; } logger.info("Using [{}] key/truststore [{}]", testnodeStoreType, testnodeStore); + testnodeCert = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt"); + testnodeKey = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.pem"); testclientStore = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testclient.jks"); env = TestEnvironment.newEnvironment(Settings.builder().put("path.home", createTempDir()).build()); } @@ -138,10 +142,10 @@ public void testThatCustomTruststoreCanBeSpecified() throws Exception { public void testThatSslContextCachingWorks() throws Exception { MockSecureSettings secureSettings = new MockSecureSettings(); - secureSettings.setString("xpack.security.transport.ssl.keystore.secure_password", "testnode"); + secureSettings.setString("xpack.security.transport.ssl.secure_key_passphrase", "testnode"); Settings settings = Settings.builder() - .put("xpack.security.transport.ssl.keystore.path", testnodeStore) - .put("xpack.security.transport.ssl.keystore.type", testnodeStoreType) + .put("xpack.security.transport.ssl.certificate", testnodeCert) + .put("xpack.security.transport.ssl.key", testnodeKey) .setSecureSettings(secureSettings) .build(); SSLService sslService = new SSLService(settings, env); 
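Review bot: The PEM wiring introduced in `testThatSslContextCachingWorks` — `secure_key_passphrase`, `ssl.certificate` pointing at `testnodeCert` and `ssl.key` pointing at `testnodeKey` — is repeated verbatim in at least six later tests of this file in the same commit. A small helper, e.g. `private Settings.Builder pemNodeSettings(MockSecureSettings secureSettings)` that sets the passphrase and returns the builder with `certificate`, `key` and `setSecureSettings` applied, would keep the file readable and confine a future fixture rename to one place. The new `testnodeCert`/`testnodeKey` fields in `setup()` are a good start for that; a brief comment on them noting that they are the PEM counterparts of `testnodeStore` would help readers who see both forms used side by side.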
@@ -165,9 +169,9 @@ public void testThatKeyStoreAndKeyCanHaveDifferentPasswords() throws Exception { secureSettings.setString("xpack.security.transport.ssl.keystore.secure_password", "testnode"); secureSettings.setString("xpack.security.transport.ssl.keystore.secure_key_password", "testnode1"); Settings settings = Settings.builder() - .put("xpack.security.transport.ssl.keystore.path", differentPasswordsStore) - .setSecureSettings(secureSettings) - .build(); + .put("xpack.security.transport.ssl.keystore.path", differentPasswordsStore) + .setSecureSettings(secureSettings) + .build(); final SSLService sslService = new SSLService(settings, env); SSLConfiguration configuration = sslService.getSSLConfiguration("xpack.security.transport.ssl"); @@ -182,9 +186,9 @@ public void testIncorrectKeyPasswordThrowsException() throws Exception { MockSecureSettings secureSettings = new MockSecureSettings(); secureSettings.setString("xpack.security.transport.ssl.keystore.secure_password", "testnode"); Settings settings = Settings.builder() - .put("xpack.security.transport.ssl.keystore.path", differentPasswordsStore) - .setSecureSettings(secureSettings) - .build(); + .put("xpack.security.transport.ssl.keystore.path", differentPasswordsStore) + .setSecureSettings(secureSettings) + .build(); final SSLService sslService = new SSLService(settings, env); SSLConfiguration configuration = sslService.getSSLConfiguration("xpack.security.transport.ssl"); sslService.createSSLEngine(configuration, null, -1); 
@@ -196,12 +200,12 @@ public void testIncorrectKeyPasswordThrowsException() throws Exception { public void testThatSSLv3IsNotEnabled() throws Exception { MockSecureSettings secureSettings = new MockSecureSettings(); - secureSettings.setString("xpack.security.transport.ssl.keystore.secure_password", "testnode"); + secureSettings.setString("xpack.security.transport.ssl.secure_key_passphrase", "testnode"); Settings settings = Settings.builder() - .put("xpack.security.transport.ssl.keystore.path", testnodeStore) - .put("xpack.security.transport.ssl.keystore.type", testnodeStoreType) - .setSecureSettings(secureSettings) - .build(); + .put("xpack.security.transport.ssl.certificate", testnodeCert) + .put("xpack.security.transport.ssl.key", testnodeKey) + .setSecureSettings(secureSettings) + .build(); SSLService sslService = new SSLService(settings, env); SSLConfiguration configuration = sslService.getSSLConfiguration("xpack.security.transport.ssl"); SSLEngine engine = sslService.createSSLEngine(configuration, null, -1); @@ -219,9 +223,9 @@ public void testThatCreateSSLEngineWithOnlyTruststoreWorks() throws Exception { MockSecureSettings secureSettings = new MockSecureSettings(); secureSettings.setString("xpack.security.transport.ssl.truststore.secure_password", "testclient"); Settings settings = Settings.builder() - .put("xpack.security.transport.ssl.truststore.path", testclientStore) - .setSecureSettings(secureSettings) - .build(); + .put("xpack.security.transport.ssl.truststore.path", testclientStore) + .setSecureSettings(secureSettings) + .build(); SSLService sslService = new SSLService(settings, env); SSLConfiguration configuration = sslService.getSSLConfiguration("xpack.security.transport.ssl"); SSLEngine sslEngine = sslService.createSSLEngine(configuration, null, -1); 
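Review bot: The assertions that give `testThatSSLv3IsNotEnabled` its name sit outside this hunk, so the visible change only swaps the keystore fixture for the PEM one and the test still exercises the default protocol list alone. The docs hunk in this same series still lists `SSLv3` and `SSLv2Hello` as valid `ssl.supported_protocols` values, so a sibling case that sets `xpack.security.transport.ssl.supported_protocols` to `SSLv3` and asserts what `engine.getEnabledProtocols()` then contains would document whether an operator can re-enable it, and would catch a regression in the FIPS restriction the docs mention. I could not tell from the hunk whether such coverage already exists elsewhere in the file.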
@@ -234,10 +238,10 @@ public void testCreateWithKeystoreIsValidForServer() throws Exception { MockSecureSettings secureSettings = new MockSecureSettings(); secureSettings.setString("xpack.security.transport.ssl.keystore.secure_password", "testnode"); Settings settings = Settings.builder() - .put("xpack.security.transport.ssl.keystore.path", testnodeStore) - .put("xpack.security.transport.ssl.keystore.type", testnodeStoreType) - .setSecureSettings(secureSettings) - .build(); + .put("xpack.security.transport.ssl.keystore.path", testnodeStore) + .put("xpack.security.transport.ssl.keystore.type", testnodeStoreType) + .setSecureSettings(secureSettings) + .build(); SSLService sslService = new SSLService(settings, env); assertTrue(sslService.isConfigurationValidForServerUsage(sslService.getSSLConfiguration("xpack.security.transport.ssl"))); 
@@ -248,21 +252,21 @@ public void testValidForServer() throws Exception { MockSecureSettings secureSettings = new MockSecureSettings(); secureSettings.setString("xpack.security.transport.ssl.truststore.secure_password", "testnode"); Settings settings = Settings.builder() - .put("xpack.security.transport.ssl.truststore.path", testnodeStore) - .put("xpack.security.transport.ssl.truststore.type", testnodeStoreType) - .setSecureSettings(secureSettings) - .build(); + .put("xpack.security.transport.ssl.truststore.path", testnodeStore) + .put("xpack.security.transport.ssl.truststore.type", testnodeStoreType) + .setSecureSettings(secureSettings) + .build(); SSLService sslService = new SSLService(settings, env); assertFalse(sslService.isConfigurationValidForServerUsage(sslService.getSSLConfiguration("xpack.security.transport.ssl"))); secureSettings.setString("xpack.security.transport.ssl.keystore.secure_password", "testnode"); settings = Settings.builder() - .put("xpack.security.transport.ssl.truststore.path", testnodeStore) - .put("xpack.security.transport.ssl.truststore.type", testnodeStoreType) - .setSecureSettings(secureSettings) - .put("xpack.security.transport.ssl.keystore.path", testnodeStore) - .put("xpack.security.transport.ssl.keystore.type", testnodeStoreType) - .build(); + .put("xpack.security.transport.ssl.truststore.path", testnodeStore) + .put("xpack.security.transport.ssl.truststore.type", testnodeStoreType) + .setSecureSettings(secureSettings) + .put("xpack.security.transport.ssl.keystore.path", testnodeStore) + .put("xpack.security.transport.ssl.keystore.type", testnodeStoreType) + .build(); sslService = new SSLService(settings, env); assertTrue(sslService.isConfigurationValidForServerUsage(sslService.getSSLConfiguration("xpack.security.transport.ssl"))); } 
@@ -274,9 +278,9 @@ public void testGetVerificationMode() throws Exception { is(XPackSettings.VERIFICATION_MODE_DEFAULT)); Settings settings = Settings.builder() - .put("xpack.security.transport.ssl.verification_mode", "certificate") - .put("transport.profiles.foo.xpack.security.ssl.verification_mode", "full") - .build(); + .put("xpack.security.transport.ssl.verification_mode", "certificate") + .put("transport.profiles.foo.xpack.security.ssl.verification_mode", "full") + .build(); sslService = new SSLService(settings, env); assertThat(sslService.getSSLConfiguration("xpack.security.transport.ssl.").verificationMode(), is(VerificationMode.CERTIFICATE)); assertThat(sslService.getSSLConfiguration("transport.profiles.foo.xpack.security.ssl.").verificationMode(), @@ -288,9 +292,9 @@ public void testIsSSLClientAuthEnabled() throws Exception { assertTrue(sslService.getSSLConfiguration("xpack.security.transport.ssl").sslClientAuth().enabled()); Settings settings = Settings.builder() - .put("xpack.security.transport.ssl.client_authentication", "optional") + .put("xpack.security.transport.ssl.client_authentication", "optional") .put("transport.profiles.foo.port", "9400-9410") - .build(); + .build(); sslService = new SSLService(settings, env); assertTrue(sslService.isSSLClientAuthEnabled(sslService.getSSLConfiguration("xpack.security.transport.ssl"))); assertTrue(sslService.isSSLClientAuthEnabled(sslService.getSSLConfiguration("transport.profiles.foo.xpack.security.ssl"))); 
@@ -298,9 +302,9 @@ public void testIsSSLClientAuthEnabled() throws Exception { public void testThatHttpClientAuthDefaultsToNone() throws Exception { final Settings globalSettings = Settings.builder() - .put("xpack.security.http.ssl.enabled", true) - .put("xpack.security.transport.ssl.client_authentication", SSLClientAuth.OPTIONAL.name()) - .build(); + .put("xpack.security.http.ssl.enabled", true) + .put("xpack.security.transport.ssl.client_authentication", SSLClientAuth.OPTIONAL.name()) + .build(); final SSLService sslService = new SSLService(globalSettings, env); final SSLConfiguration globalConfig = sslService.getSSLConfiguration("xpack.security.transport.ssl"); @@ -314,12 +318,12 @@ public void testThatTruststorePasswordIsRequired() throws Exception { MockSecureSettings secureSettings = new MockSecureSettings(); secureSettings.setString("xpack.security.transport.ssl.keystore.secure_password", "testnode"); Settings settings = Settings.builder() - .put("xpack.security.transport.ssl.keystore.path", testnodeStore) - .put("xpack.security.transport.ssl.keystore.type", testnodeStoreType) - .setSecureSettings(secureSettings) - .put("xpack.security.transport.ssl.truststore.path", testnodeStore) - .put("xpack.security.transport.ssl.truststore.type", testnodeStoreType) - .build(); + .put("xpack.security.transport.ssl.keystore.path", testnodeStore) + .put("xpack.security.transport.ssl.keystore.type", testnodeStoreType) + .setSecureSettings(secureSettings) + .put("xpack.security.transport.ssl.truststore.path", testnodeStore) + .put("xpack.security.transport.ssl.truststore.type", testnodeStoreType) + .build(); ElasticsearchException e = expectThrows(ElasticsearchException.class, () -> new SSLService(settings, env)); assertThat(e.getMessage(), is("failed to initialize a TrustManagerFactory")); 
@@ -327,9 +331,9 @@ public void testThatTruststorePasswordIsRequired() throws Exception { public void testThatKeystorePasswordIsRequired() throws Exception { Settings settings = Settings.builder() - .put("xpack.security.transport.ssl.keystore.path", testnodeStore) - .put("xpack.security.transport.ssl.keystore.type", testnodeStoreType) - .build(); + .put("xpack.security.transport.ssl.keystore.path", testnodeStore) + .put("xpack.security.transport.ssl.keystore.type", testnodeStoreType) + .build(); ElasticsearchException e = expectThrows(ElasticsearchException.class, () -> new SSLService(settings, env)); assertThat(e.getMessage(), is("failed to create trust manager")); @@ -340,13 +344,13 @@ public void testCiphersAndInvalidCiphersWork() throws Exception { ciphers.add("foo"); ciphers.add("bar"); MockSecureSettings secureSettings = new MockSecureSettings(); - secureSettings.setString("xpack.security.transport.ssl.keystore.secure_password", "testnode"); + secureSettings.setString("xpack.security.transport.ssl.secure_key_passphrase", "testnode"); Settings settings = Settings.builder() - .put("xpack.security.transport.ssl.keystore.path", testnodeStore) - .put("xpack.security.transport.ssl.keystore.type", testnodeStoreType) - .setSecureSettings(secureSettings) - .putList("xpack.security.transport.ssl.ciphers", ciphers.toArray(new String[ciphers.size()])) - .build(); + .put("xpack.security.transport.ssl.certificate", testnodeCert) + .put("xpack.security.transport.ssl.key", testnodeKey) + .setSecureSettings(secureSettings) + .putList("xpack.security.transport.ssl.ciphers", ciphers.toArray(new String[ciphers.size()])) + .build(); SSLService sslService = new SSLService(settings, env); SSLConfiguration configuration = sslService.getSSLConfiguration("xpack.security.transport.ssl"); SSLEngine engine = sslService.createSSLEngine(configuration, null, -1); 
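Review bot: In `testCiphersAndInvalidCiphersWork` the cipher list is stored under `xpack.security.transport.ssl.ciphers`, whereas the neighbouring `testInvalidCiphersOnlyThrowsException` and the docs updated in this series use `ssl.cipher_suites`. If `ciphers` is not a recognised key the list (including the deliberately bogus `foo` and `bar`) is silently ignored and the test only proves that the defaults work; the line should read `.putList("xpack.security.transport.ssl.cipher_suites", ciphers.toArray(new String[0]))`. If `ciphers` is in fact an accepted alias, a comment saying so next to the line would stop the next reader from raising the same question. The `new String[ciphers.size()]` presize is also unnecessary; `new String[0]` is the idiomatic form.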
@@ -357,14 +361,14 @@ public void testCiphersAndInvalidCiphersWork() throws Exception { public void testInvalidCiphersOnlyThrowsException() throws Exception { MockSecureSettings secureSettings = new MockSecureSettings(); - secureSettings.setString("xpack.security.transport.ssl.keystore.secure_password", "testnode"); + secureSettings.setString("xpack.security.transport.ssl.secure_key_passphrase", "testnode"); Settings settings = Settings.builder() - .put("xpack.security.transport.ssl.keystore.path", testnodeStore) - .put("xpack.security.transport.ssl.keystore.type", testnodeStoreType) - .setSecureSettings(secureSettings) - .putList("xpack.security.transport.ssl.cipher_suites", new String[] { "foo", "bar" }) - .build(); + .put("xpack.security.transport.ssl.certificate", testnodeCert) + .put("xpack.security.transport.ssl.key", testnodeKey) + .setSecureSettings(secureSettings) + .putList("xpack.security.transport.ssl.cipher_suites", new String[] { "foo", "bar" }) + .build(); IllegalArgumentException e = expectThrows(IllegalArgumentException.class, () -> new SSLService(settings, env)); assertThat(e.getMessage(), is("none of the ciphers [foo, bar] are supported by this JVM")); 
@@ -372,12 +376,12 @@ public void testInvalidCiphersOnlyThrowsException() throws Exception { public void testThatSSLEngineHasCipherSuitesOrderSet() throws Exception { MockSecureSettings secureSettings = new MockSecureSettings(); - secureSettings.setString("xpack.security.transport.ssl.keystore.secure_password", "testnode"); + secureSettings.setString("xpack.security.transport.ssl.secure_key_passphrase", "testnode"); Settings settings = Settings.builder() - .put("xpack.security.transport.ssl.keystore.path", testnodeStore) - .put("xpack.security.transport.ssl.keystore.type", testnodeStoreType) - .setSecureSettings(secureSettings) - .build(); + .put("xpack.security.transport.ssl.certificate", testnodeCert) + .put("xpack.security.transport.ssl.key", testnodeKey) + .setSecureSettings(secureSettings) + .build(); SSLService sslService = new SSLService(settings, env); SSLConfiguration configuration = sslService.getSSLConfiguration("xpack.security.transport.ssl"); SSLEngine engine = sslService.createSSLEngine(configuration, null, -1); 
@@ -387,12 +391,12 @@ public void testThatSSLEngineHasCipherSuitesOrderSet() throws Exception { public void testThatSSLSocketFactoryHasProperCiphersAndProtocols() throws Exception { MockSecureSettings secureSettings = new MockSecureSettings(); - secureSettings.setString("xpack.security.transport.ssl.keystore.secure_password", "testnode"); + secureSettings.setString("xpack.security.transport.ssl.secure_key_passphrase", "testnode"); Settings settings = Settings.builder() - .put("xpack.security.transport.ssl.keystore.path", testnodeStore) - .put("xpack.security.transport.ssl.keystore.type", testnodeStoreType) - .setSecureSettings(secureSettings) - .build(); + .put("xpack.security.transport.ssl.certificate", testnodeCert) + .put("xpack.security.transport.ssl.key", testnodeKey) + .setSecureSettings(secureSettings) + .build(); SSLService sslService = new SSLService(settings, env); SSLConfiguration config = sslService.getSSLConfiguration("xpack.security.transport.ssl"); final SSLSocketFactory factory = sslService.sslSocketFactory(config); 
@@ -412,12 +416,12 @@ public void testThatSSLSocketFactoryHasProperCiphersAndProtocols() throws Except public void testThatSSLEngineHasProperCiphersAndProtocols() throws Exception { MockSecureSettings secureSettings = new MockSecureSettings(); - secureSettings.setString("xpack.security.transport.ssl.keystore.secure_password", "testnode"); + secureSettings.setString("xpack.security.transport.ssl.secure_key_passphrase", "testnode"); Settings settings = Settings.builder() - .put("xpack.security.transport.ssl.keystore.path", testnodeStore) - .put("xpack.security.transport.ssl.keystore.type", testnodeStoreType) - .setSecureSettings(secureSettings) - .build(); + .put("xpack.security.transport.ssl.certificate", testnodeCert) + .put("xpack.security.transport.ssl.key", testnodeKey) + .setSecureSettings(secureSettings) + .build(); SSLService sslService = new SSLService(settings, env); SSLConfiguration configuration = sslService.getSSLConfiguration("xpack.security.transport.ssl"); SSLEngine engine = sslService.createSSLEngine(configuration, null, -1); diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/esnative/ESNativeMigrateToolTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/esnative/ESNativeMigrateToolTests.java index 42e8cd9095a14..66bff81e5dd56 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/esnative/ESNativeMigrateToolTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/esnative/ESNativeMigrateToolTests.java 
@@ -20,10 +20,12 @@ import java.nio.charset.StandardCharsets; import java.nio.file.Path; +import java.util.Collections; import java.util.HashSet; import java.util.Set; -import static org.elasticsearch.test.SecuritySettingsSource.addSSLSettingsForStore; +import static org.elasticsearch.test.SecuritySettingsSource.addSSLSettingsForNodePEMFiles; +import static org.elasticsearch.test.SecuritySettingsSource.addSSLSettingsForPEMFiles; import static org.hamcrest.Matchers.containsString; import static org.hamcrest.Matchers.is; @@ -50,8 +52,7 @@ public Settings nodeSettings(int nodeOrdinal) { logger.info("--> use SSL? {}", useSSL); Settings.Builder builder = Settings.builder() .put(super.nodeSettings(nodeOrdinal)); - addSSLSettingsForStore(builder, "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.jks", "testnode", - "xpack.security.http."); + addSSLSettingsForNodePEMFiles(builder, "xpack.security.http.", true); builder.put("xpack.security.http.ssl.enabled", useSSL); return builder.build(); } @@ -96,8 +97,13 @@ public void testRetrieveUsers() throws Exception { .put("path.home", home) .put("path.conf", conf.toString()) .put("xpack.security.http.ssl.client_authentication", "none"); - addSSLSettingsForStore(builder, - "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.jks", "testnode", "xpack.security.http."); + addSSLSettingsForPEMFiles( + builder, + "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.pem", + "testnode", + "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt", + "xpack.security.http.", + Collections.singletonList("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt")); Settings settings = builder.build(); logger.error("--> retrieving users using URL: {}, home: {}", url, home); 
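Review bot: `testRetrieveUsers` now configures the migrate tool's client with the node's own private key, `testnode.pem`, as its identity, while the next hunk's `testRetrieveRoles` uses `testclient.pem` for the same role. With `xpack.security.http.ssl.client_authentication` set to `none` the client never presents a certificate, so only the `certificate_authorities` entry is exercised; the client-side key is dead configuration and reusing the server key for it blurs the server/client trust boundary the test is meant to cover. Passing `testclient.pem`/`testclient.crt` here as well, with `testnode.crt` kept as the CA, would make the two tests consistent and self-explanatory. I cannot see whether `addSSLSettingsForPEMFiles` requires a key, so if it does, a comment noting the key is unused under `client_authentication: none` would suffice.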
@@ -140,8 +146,12 @@ public void testRetrieveRoles() throws Exception { Settings.Builder builder = Settings.builder() .put("path.home", home) .put("xpack.security.http.ssl.client_authentication", "none"); - addSSLSettingsForStore(builder, - "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testclient.jks", "testclient", "xpack.security.http."); + addSSLSettingsForPEMFiles(builder, + "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testclient.pem", + "testclient", + "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testclient.crt", + "xpack.security.http.", + Collections.singletonList("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt")); Settings settings = builder.build(); logger.error("--> retrieving roles using URL: {}, home: {}", url, home); diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/esnative/tool/CommandLineHttpClientTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/esnative/tool/CommandLineHttpClientTests.java index 4fca790a5c3bb..dd4b747c5b19b 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/esnative/tool/CommandLineHttpClientTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/esnative/tool/CommandLineHttpClientTests.java 
@@ -44,16 +44,15 @@ public void setup() throws Exception { } @After - public void shutdown() throws Exception { + public void shutdown() { webServer.close(); } public void testCommandLineHttpClientCanExecuteAndReturnCorrectResultUsingSSLSettings() throws Exception { Path certPath = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt"); - MockSecureSettings secureSettings = new MockSecureSettings(); - secureSettings.setString("xpack.security.http.ssl.truststore.secure_password", "testnode"); - Settings settings = Settings.builder().put("xpack.security.http.ssl.certificate_authorities", certPath.toString()) - .put("xpack.security.http.ssl.verification_mode", VerificationMode.CERTIFICATE).setSecureSettings(secureSettings) + Settings settings = Settings.builder() + .put("xpack.security.http.ssl.certificate_authorities", certPath.toString()) + .put("xpack.security.http.ssl.verification_mode", VerificationMode.CERTIFICATE) .build(); CommandLineHttpClient client = new CommandLineHttpClient(settings, environment); HttpResponse httpResponse = client.execute("GET", new URL("https://localhost:" + webServer.getPort() + "/test"), "u1", From df1819aac1fc04a2b8ee2899fc87a321599e77b3 Mon Sep 17 00:00:00 2001 From: jaymode Date: Thu, 13 Dec 2018 11:18:33 -0700 Subject: [PATCH 06/10] update docs --- .../configuring-tls-docker.asciidoc | 26 +-- .../tls-transport.asciidoc | 4 +- .../settings/security-settings.asciidoc | 167 ++++-------------- docs/reference/settings/ssl-settings.asciidoc | 11 +- x-pack/docs/en/rest-api/security/ssl.asciidoc | 10 +- .../auditing/forwarding-logs.asciidoc | 16 +- .../configuring-pki-realm.asciidoc | 2 +- .../ccs-clients-integrations/java.asciidoc | 18 +- .../en/security/fips-140-compliance.asciidoc | 6 +- 9 files changed, 79 insertions(+), 181 deletions(-) 
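Review bot: Dropping the unused `truststore.secure_password` is correct — the trust anchor is now only `certificate_authorities` — but the client test still pins `verification_mode` to `VerificationMode.CERTIFICATE`, so hostname verification, which the docs in this series make the default (`full`), is never exercised by `CommandLineHttpClient`. A second case that uses `VerificationMode.FULL` against `https://localhost:…` (valid only if `testnode.crt` carries a `localhost` SAN, which I cannot confirm from the hunk) or that asserts a hostname mismatch is rejected would cover the check operators rely on. The `shutdown()` signature change is fine; `webServer.close()` evidently declares no checked exception.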
diff --git a/docs/reference/security/securing-communications/configuring-tls-docker.asciidoc b/docs/reference/security/securing-communications/configuring-tls-docker.asciidoc index e7e1a00208adc..6de8157a3ad88 100644 --- a/docs/reference/security/securing-communications/configuring-tls-docker.asciidoc +++ b/docs/reference/security/securing-communications/configuring-tls-docker.asciidoc @@ -112,11 +112,14 @@ services: - xpack.license.self_generated.type=trial <2> - xpack.security.enabled=true - xpack.security.http.ssl.enabled=true + - xpack.security.http.ssl.key=$CERTS_DIR/es01/es01.key + - xpack.security.http.ssl.certificate_authorities=$CERTS_DIR/ca/ca.crt + - xpack.security.http.ssl.certificate=$CERTS_DIR/es01/es01.crt - xpack.security.transport.ssl.enabled=true - xpack.security.transport.ssl.verification_mode=certificate <3> - - xpack.ssl.certificate_authorities=$CERTS_DIR/ca/ca.crt - - xpack.ssl.certificate=$CERTS_DIR/es01/es01.crt - - xpack.ssl.key=$CERTS_DIR/es01/es01.key + - xpack.security.transport.ssl.certificate_authorities=$CERTS_DIR/ca/ca.crt + - xpack.security.transport.ssl.certificate=$CERTS_DIR/es01/es01.crt + - xpack.security.transport.ssl.key=$CERTS_DIR/es01/es01.key volumes: ['esdata_01:/usr/share/elasticsearch/data', './certs:$CERTS_DIR'] ports: - 9200:9200 
@@ -138,11 +141,14 @@ services: - xpack.license.self_generated.type=trial - xpack.security.enabled=true - xpack.security.http.ssl.enabled=true + - xpack.security.http.ssl.key=$CERTS_DIR/es02/es02.key + - xpack.security.http.ssl.certificate_authorities=$CERTS_DIR/ca/ca.crt + - xpack.security.http.ssl.certificate=$CERTS_DIR/es02/es02.crt - xpack.security.transport.ssl.enabled=true - - xpack.security.transport.ssl.verification_mode=certificate - - xpack.ssl.certificate_authorities=$CERTS_DIR/ca/ca.crt - - xpack.ssl.certificate=$CERTS_DIR/es02/es02.crt - - xpack.ssl.key=$CERTS_DIR/es02/es02.key + - xpack.security.transport.ssl.verification_mode=certificate <3> + - xpack.security.transport.ssl.certificate_authorities=$CERTS_DIR/ca/ca.crt + - xpack.security.transport.ssl.certificate=$CERTS_DIR/es02/es02.crt + - xpack.security.transport.ssl.key=$CERTS_DIR/es02/es02.key volumes: ['esdata_02:/usr/share/elasticsearch/data', './certs:$CERTS_DIR'] wait_until_ready: @@ -197,9 +203,9 @@ WARNING: Windows users not running PowerShell will need to remove `\` and join l ---- docker exec es01 /bin/bash -c "bin/elasticsearch-setup-passwords \ auto --batch \ --Expack.ssl.certificate=certificates/es01/es01.crt \ --Expack.ssl.certificate_authorities=certificates/ca/ca.crt \ --Expack.ssl.key=certificates/es01/es01.key \ +-Expack.security.http.ssl.certificate=certificates/es01/es01.crt \ +-Expack.security.http.ssl.certificate_authorities=certificates/ca/ca.crt \ +-Expack.security.http.ssl.key=certificates/es01/es01.key \ --url https://localhost:9200" ---- -- diff --git a/docs/reference/security/securing-communications/tls-transport.asciidoc b/docs/reference/security/securing-communications/tls-transport.asciidoc index c2306545536aa..efcfdf1fa4a99 100644 --- a/docs/reference/security/securing-communications/tls-transport.asciidoc +++ b/docs/reference/security/securing-communications/tls-transport.asciidoc 
@@ -25,7 +25,7 @@ xpack.security.transport.ssl.truststore.path: certs/elastic-certificates.p12 <3> <1> If you used the `--dns` or `--ip` options with the `elasticsearch-certutil cert` command and you want to enable strict hostname checking, set the verification mode to `full`. -See <> for a description of these values. +See <> for a description of these values. <2> If you created a separate certificate for each node, then you might need to customize this path on each node. If the filename matches the node name, you can @@ -54,7 +54,7 @@ xpack.security.transport.ssl.certificate_authorities: [ "/home/es/config/ca.crt" <1> If you used the `--dns` or `--ip` options with the `elasticsearch-certutil cert` command and you want to enable strict hostname checking, set the verification mode to `full`. -See <> for a description of these values. +See <> for a description of these values. <2> The full path to the node key file. This must be a location within the {es} configuration directory. <3> The full path to the node certificate. This must be a location within the diff --git a/docs/reference/settings/security-settings.asciidoc b/docs/reference/settings/security-settings.asciidoc index e97ad2edc77c5..19d2430cbed00 100644 --- a/docs/reference/settings/security-settings.asciidoc +++ b/docs/reference/settings/security-settings.asciidoc 
@@ -474,20 +474,18 @@ The default is `jks`. `ssl.verification_mode`:: Indicates the type of verification when using `ldaps` to protect against man in the middle attacks and certificate forgery. Values are `none`, `certificate`, -and `full`. Defaults to the value of `xpack.ssl.verification_mode`. +and `full`. Defaults to `full`. + -See <> for an explanation of -these values. +See <> for an explanation of these values. `ssl.supported_protocols`:: -Supported protocols for TLS/SSL (with versions). Defaults to the value of -`xpack.ssl.supported_protocols`. +Supported protocols for TLS/SSL (with versions). Defaults to `TLSv1.2,TLSv1.1,TLSv1`. `ssl.cipher_suites`:: Specifies the cipher suites that should be supported when communicating with the LDAP server. Supported cipher suites can be found in Oracle's http://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html[ -Java Cryptography Architecture documentation]. Defaults to the value of -`xpack.ssl.cipher_suites`. +Java Cryptography Architecture documentation]. See <> +for the default value. `cache.ttl`:: Specifies the time-to-live for cached user entries. A user and a hash of its 
@@ -720,20 +718,18 @@ The default is `jks`. `ssl.verification_mode`:: Indicates the type of verification when using `ldaps` to protect against man in the middle attacks and certificate forgery. Values are `none`, `certificate`, -and `full`. Defaults to the value of `xpack.ssl.verification_mode`. +and `full`. Defaults to `full`. + -See <> for an explanation of -these values. +See <> for an explanation of these values. `ssl.supported_protocols`:: -Supported protocols for TLS/SSL (with versions). Defaults to the value of -`xpack.ssl.supported_protocols`. +Supported protocols for TLS/SSL (with versions). Defaults to `TLSv1.2, TLSv1.1, TLSv1`. `ssl.cipher_suites`:: Specifies the cipher suites that should be supported when communicating with the Active Directory server. Supported cipher suites can be found in Oracle's http://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html[ -Java Cryptography Architecture documentation]. Defaults to the value of -`xpack.ssl.cipher_suites`. +Java Cryptography Architecture documentation]. See <> for +the default values. `cache.ttl`:: Specifies the time-to-live for cached user entries. A user and a hash of its @@ -1136,8 +1132,7 @@ One of `full` certificate path, but not the hostname) or `none` (perform no verification). Defaults to `full`. + -See <> for a more detailed -explanation of these values. +See <> for a more detailed explanation of these values. `ssl.supported_protocols`:: Specifies the supported protocols for TLS/SSL. 
@@ -1208,13 +1203,10 @@ through the list of URLs will continue until a successful connection is made. [float] [[ssl-tls-settings]] ==== Default TLS/SSL settings -You can configure the following TLS/SSL settings in -`elasticsearch.yml`. For more information, see -{stack-ov}/encrypting-communications.html[Encrypting communications]. These settings will be used -for all of {xpack} unless they have been overridden by more specific -settings such as those for HTTP or Transport. +In general, the values below represent the default values for the various TLS +settings. For more information, see {stack-ov}/encrypting-communications.html[Encrypting communications]. -`xpack.ssl.supported_protocols`:: +`ssl.supported_protocols`:: Supported protocols with versions. Valid protocols: `SSLv2Hello`, `SSLv3`, `TLSv1`, `TLSv1.1`, `TLSv1.2`. Defaults to `TLSv1.2`, `TLSv1.1`, `TLSv1`. @@ -1224,15 +1216,15 @@ NOTE: If `xpack.security.fips_mode.enabled` is `true`, you cannot use `SSLv2Hell or `SSLv3`. See <>. -- -`xpack.ssl.client_authentication`:: +`ssl.client_authentication`:: Controls the server's behavior in regard to requesting a certificate from client connections. Valid values are `required`, `optional`, and `none`. `required` forces a client to present a certificate, while `optional` requests a client certificate but the client is not required to present one. -Defaults to `required`. This global setting is not applicable for HTTP, see +Defaults to `required`, except for HTTP, which defaults to `none`. See <>. -`xpack.ssl.verification_mode`:: +`ssl.verification_mode`:: Controls the verification of certificates. Valid values are: - `full`, which verifies that the provided certificate is signed by a trusted authority (CA) and also verifies that the server's hostname (or IP 
@@ -1247,7 +1239,7 @@ Controls the verification of certificates. Valid values are: + The default value is `full`. -`xpack.ssl.cipher_suites`:: +`ssl.cipher_suites`:: Supported cipher suites can be found in Oracle's http://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html[ Java Cryptography Architecture documentation]. Defaults to `TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256`, `TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256`, `TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA`, `TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA`, 
@@ -1261,109 +1253,12 @@ Jurisdiction Policy Files_ has been installed, the default value also includes ` ===== Default TLS/SSL key and trusted certificate settings The following settings are used to specify a private key, certificate, and the -trusted certificates that should be used when communicating over an SSL/TLS connection. -If none of the settings below are specified, this will default to the <>. If no trusted certificates are configured, the default certificates that are trusted by the JVM will be -trusted along with the certificate(s) from the <>. The key and certificate must be in place -for connections that require client authentication or when acting as a SSL enabled server. - -[float] -===== PEM encoded files - -When using PEM encoded files, use the following settings: - -`xpack.ssl.key`:: -Path to the PEM encoded file containing the private key. - -`xpack.ssl.key_passphrase`:: -The passphrase that is used to decrypt the private key. This value is -optional as the key might not be encrypted. - -`xpack.ssl.secure_key_passphrase` (<>):: -The passphrase that is used to decrypt the private key. This value is -optional as the key might not be encrypted. - -`xpack.ssl.certificate`:: -Path to a PEM encoded file containing the certificate (or certificate chain) -that will be presented to clients when they connect. - -`xpack.ssl.certificate_authorities`:: -List of paths to the PEM encoded certificate files that should be trusted. - -[float] -===== Java keystore files - -When using Java keystore files (JKS), which contain the private key, certificate -and certificates that should be trusted, use the following settings: - -`xpack.ssl.keystore.path`:: -Path to the keystore that holds the private key and certificate. - -`xpack.ssl.keystore.password`:: -Password to the keystore. - -`xpack.ssl.keystore.secure_password` (<>):: -Password to the keystore. - -`xpack.ssl.keystore.key_password`:: -Password for the private key in the keystore. 
Defaults to the -same value as `xpack.ssl.keystore.password`. - -`xpack.ssl.keystore.secure_key_password` (<>):: -Password for the private key in the keystore. - -`xpack.ssl.truststore.path`:: -Path to the truststore file. - -`xpack.ssl.truststore.password`:: -Password to the truststore. - -`xpack.ssl.truststore.secure_password` (<>):: -Password to the truststore. - -WARNING: If `xpack.security.fips_mode.enabled` is `true`, you cannot use Java -keystore files. See <>. - -[float] -===== PKCS#12 files - -When using PKCS#12 container files (`.p12` or `.pfx`), which contain the -private key, certificate, and certificates that should be trusted, use -the following settings: - -`xpack.ssl.keystore.path`:: -Path to the PKCS#12 file that holds the private key and certificate. - -`xpack.ssl.keystore.type`:: -Set this to `PKCS12`. - -`xpack.ssl.keystore.password`:: -Password to the PKCS#12 file. - -`xpack.ssl.keystore.secure_password` (<>):: -Password to the PKCS#12 file. - -`xpack.ssl.keystore.key_password`:: -Password for the private key in the PKCS12 file. -Defaults to the same value as `xpack.ssl.keystore.password`. - -`xpack.ssl.keystore.secure_key_password` (<>):: -Password for the private key in the PKCS12 file. - -`xpack.ssl.truststore.path`:: -Path to the truststore file. - -`xpack.ssl.truststore.type`:: -Set this to `PKCS12`. - -`xpack.ssl.truststore.password`:: -Password to the truststore. - -`xpack.ssl.truststore.secure_password` (<>):: -Password to the truststore. - -WARNING: If `xpack.security.fips_mode.enabled` is `true`, you cannot use PKCS#12 -keystore files. See <>. +trusted certificates that should be used when communicating over an SSL/TLS +connection. If no trusted certificates are configured, the default certificates +that are trusted by the JVM will be trusted along with the certificate(s) +associated with a key in the same context. 
The key and certificate must be in +place for connections that require client authentication or when acting as a +SSL enabled server. [[pkcs12-truststore-note]] [NOTE] @@ -1383,12 +1278,12 @@ a PKCS#12 container includes trusted certificate ("anchor") entries look for When using a PKCS#11 cryptographic token, which contains the private key, certificate, and certificates that should be trusted, use -the following settings: +the following in each configured SSL context: -`xpack.ssl.keystore.type`:: +`ssl.keystore.type`:: Set this to `PKCS11`. -`xpack.ssl.truststore.type`:: +`ssl.truststore.type`:: Set this to `PKCS11`. @@ -1396,10 +1291,8 @@ Set this to `PKCS11`. [NOTE] When configuring the PKCS#11 token that your JVM is configured to use as a keystore or a truststore for Elasticsearch, the PIN for the token can be -configured by setting the appropriate value to `xpack.ssl.truststore.password` -or `xpack.ssl.truststore.secure_password`. In the absence of the above, {es} will -fallback to use he appropriate JVM setting (`-Djavax.net.ssl.trustStorePassword`) -if that is set. +configured by setting the appropriate value to `ssl.truststore.password` +or `ssl.truststore.secure_password` in the context that you are configuring. Since there can only be one PKCS#11 token configured, only one keystore and truststore will be usable for configuration in {es}. This in turn means that only one certificate can be used for TLS both in the transport and the @@ -1438,7 +1331,7 @@ append the portion of the setting after `xpack.security.transport.`. For the key setting, this would be `transport.profiles.$PROFILE.xpack.security.ssl.key`. [[auditing-tls-ssl-settings]] -:ssl-prefix: xpack.security.audit.index.client.xpack +:ssl-prefix: xpack.security.audit.index.client.xpack.security.transport :component: Auditing :client-auth-default!: :server!: 
diff --git a/docs/reference/settings/ssl-settings.asciidoc b/docs/reference/settings/ssl-settings.asciidoc index 2d513c7423745..955de7a62f4ca 100644 --- a/docs/reference/settings/ssl-settings.asciidoc +++ b/docs/reference/settings/ssl-settings.asciidoc @@ -12,7 +12,7 @@ endif::server[] +{ssl-prefix}.ssl.supported_protocols+:: Supported protocols with versions. Valid protocols: `SSLv2Hello`, `SSLv3`, `TLSv1`, `TLSv1.1`, `TLSv1.2`. Defaults to `TLSv1.2`, `TLSv1.1`, -`TLSv1`. Defaults to the value of `xpack.ssl.supported_protocols`. +`TLSv1`. ifdef::server[] +{ssl-prefix}.ssl.client_authentication+:: @@ -21,7 +21,7 @@ from client connections. Valid values are `required`, `optional`, and `none`. `required` forces a client to present a certificate, while `optional` requests a client certificate but the client is not required to present one. ifndef::client-auth-default[] -Defaults to the value of `xpack.ssl.client_authentication`. +Defaults to `none``. endif::client-auth-default[] ifdef::client-auth-default[] Defaults to +{client-auth-default}+. @@ -31,15 +31,12 @@ endif::server[] ifdef::verifies[] +{ssl-prefix}.ssl.verification_mode+:: Controls the verification of certificates. Valid values are `none`, -`certificate`, and `full`. -See <> for a description of these values. -Defaults to the value of `xpack.ssl.verification_mode`. +`certificate`, and `full`. Defaults to `full`. endif::verifies[] +{ssl-prefix}.ssl.cipher_suites+:: Supported cipher suites can be found in Oracle's http://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html[ -Java Cryptography Architecture documentation]. Defaults to the value of -`xpack.ssl.cipher_suites`. +Java Cryptography Architecture documentation]. Defaults to ``. ===== {component} TLS/SSL Key and Trusted Certificate Settings diff --git a/x-pack/docs/en/rest-api/security/ssl.asciidoc b/x-pack/docs/en/rest-api/security/ssl.asciidoc index 69541af52b8b5..6600a66d9e63d 100644 
--- a/x-pack/docs/en/rest-api/security/ssl.asciidoc +++ b/x-pack/docs/en/rest-api/security/ssl.asciidoc @@ -19,16 +19,16 @@ Transport Layer Security (TLS), see The API returns a list that includes certificates from all TLS contexts including: -* {xpack} default TLS settings * Settings for transport and HTTP interfaces * TLS settings that are used within authentication realms * TLS settings for remote monitoring exporters The list includes certificates that are used for configuring trust, such as -those configured in the `xpack.ssl.truststore` and -`xpack.ssl.certificate_authorities` settings. It also includes certificates that -that are used for configuring server identity, such as `xpack.ssl.keystore` and -`xpack.ssl.certificate` settings. +those configured in the `xpack.security.transport.ssl.truststore` and +`xpack.security.transport.ssl.certificate_authorities` settings. It also +includes certificates that are used for configuring server identity, such as +`xpack.security.transport.ssl.keystore` and +`xpack.security.transport.ssl.certificate` settings. The list does not include certificates that are sourced from the default SSL context of the Java Runtime Environment (JRE), even if those certificates are in diff --git a/x-pack/docs/en/security/auditing/forwarding-logs.asciidoc b/x-pack/docs/en/security/auditing/forwarding-logs.asciidoc index 0b79af593b6ea..3b494f337383a 100644 --- a/x-pack/docs/en/security/auditing/forwarding-logs.asciidoc +++ b/x-pack/docs/en/security/auditing/forwarding-logs.asciidoc 
@@ -46,8 +46,8 @@ to the `elasticsearch.yml` file:
 [source,yaml]
 -----------------------------------------------------------
 xpack.security.audit.index.client.xpack.security.transport.ssl.enabled: true
-xpack.security.audit.index.client.xpack.ssl.keystore.path: certs/remote-elastic-certificates.p12
-xpack.security.audit.index.client.xpack.ssl.truststore.path: certs/remote-elastic-certificates.p12
+xpack.security.audit.index.client.xpack.security.transport.ssl.keystore.path: certs/remote-elastic-certificates.p12
+xpack.security.audit.index.client.xpack.security.transport.ssl.truststore.path: certs/remote-elastic-certificates.p12
 -----------------------------------------------------------
 For more information about these settings, see
@@ -61,9 +61,9 @@ For more information about these settings, see
 [source, yaml]
 --------------------------------------------------
 xpack.security.audit.index.client.xpack.security.transport.ssl.enabled: true
-xpack.security.audit.index.client.xpack.ssl.key: /home/es/config/audit-client.key
-xpack.security.audit.index.client.xpack.ssl.certificate: /home/es/config/audit-client.crt
-xpack.security.audit.index.client.xpack.ssl.certificate_authorities: [ "/home/es/config/remote-ca.crt" ]
+xpack.security.audit.index.client.xpack.security.transport.ssl.key: /home/es/config/audit-client.key
+xpack.security.audit.index.client.xpack.security.transport.ssl.certificate: /home/es/config/audit-client.crt
+xpack.security.audit.index.client.xpack.security.transport.ssl.certificate_authorities: [ "/home/es/config/remote-ca.crt" ]
 --------------------------------------------------
 For more information about these settings, see
@@ -78,9 +78,9 @@ your {es} keystore: -- [source,shell] ----------------------------------------------------------- -bin/elasticsearch-keystore add xpack.security.audit.index.client.xpack.ssl.keystore.secure_password +bin/elasticsearch-keystore add xpack.security.audit.index.client.xpack.security.transport.ssl.keystore.secure_password -bin/elasticsearch-keystore add xpack.security.audit.index.client.xpack.ssl.truststore.secure_password +bin/elasticsearch-keystore add xpack.security.audit.index.client.xpack.security.transport.ssl.truststore.secure_password ----------------------------------------------------------- -- @@ -89,7 +89,7 @@ bin/elasticsearch-keystore add xpack.security.audit.index.client.xpack.ssl.trust -- [source,shell] ----------------------------------------------------------- -bin/elasticsearch-keystore add xpack.security.audit.index.client.xpack.ssl.secure_key_passphrase +bin/elasticsearch-keystore add xpack.security.audit.index.client.xpack.security.transport.ssl.secure_key_passphrase ----------------------------------------------------------- -- diff --git a/x-pack/docs/en/security/authentication/configuring-pki-realm.asciidoc b/x-pack/docs/en/security/authentication/configuring-pki-realm.asciidoc index 4f050cf937f7f..10e108da3c0f1 100644 --- a/x-pack/docs/en/security/authentication/configuring-pki-realm.asciidoc +++ b/x-pack/docs/en/security/authentication/configuring-pki-realm.asciidoc @@ -92,7 +92,7 @@ In particular this means: * The interface must _trust_ the certificate that is presented by the client by configuring either the `truststore` or `certificate_authorities` paths, or by setting `verification_mode` to `none`. See - <> for an explanation of this + <> for an explanation of this setting. * The _protocols_ supported by the interface must be compatible with those used by the client. 
diff --git a/x-pack/docs/en/security/ccs-clients-integrations/java.asciidoc b/x-pack/docs/en/security/ccs-clients-integrations/java.asciidoc
index 3c537ef5ee2eb..c8f85ed343f07 100644
--- a/x-pack/docs/en/security/ccs-clients-integrations/java.asciidoc
+++ b/x-pack/docs/en/security/ccs-clients-integrations/java.asciidoc
@@ -104,9 +104,10 @@ import org.elasticsearch.xpack.client.PreBuiltXPackTransportClient;
 TransportClient client = new PreBuiltXPackTransportClient(Settings.builder()
 .put("cluster.name", "myClusterName")
 .put("xpack.security.user", "transport_client_user:x-pack-test-password")
- .put("xpack.ssl.key", "/path/to/client.key")
- .put("xpack.ssl.certificate", "/path/to/client.crt")
- .put("xpack.ssl.certificate_authorities", "/path/to/ca.crt")
+ .put("xpack.security.transport.ssl.enabled", true)
+ .put("xpack.security.transport.ssl.key", "/path/to/client.key")
+ .put("xpack.security.transport.ssl.certificate", "/path/to/client.crt")
+ .put("xpack.security.transport.ssl.certificate_authorities", "/path/to/ca.crt")
 ...
 .build());
 --------------------------------------------------------------------------------------------------
@@ -124,9 +125,10 @@ import org.elasticsearch.xpack.client.PreBuiltXPackTransportClient;
 TransportClient client = new PreBuiltXPackTransportClient(Settings.builder()
 .put("cluster.name", "myClusterName")
 .put("xpack.security.user", "transport_client_user:x-pack-test-password")
- .put("xpack.ssl.key", "/path/to/client.key")
- .put("xpack.ssl.certificate", "/path/to/client.crt")
- .put("xpack.ssl.certificate_authorities", "/path/to/ca.crt")
+ .put("xpack.security.transport.ssl.enabled", true)
+ .put("xpack.security.transport.ssl.key", "/path/to/client.key")
+ .put("xpack.security.transport.ssl.certificate", "/path/to/client.crt")
+ .put("xpack.security.transport.ssl.certificate_authorities", "/path/to/ca.crt")
 .put("xpack.security.transport.ssl.enabled", "true")
 ...
 .build())
@@ -154,7 +156,7 @@ import org.elasticsearch.xpack.client.PreBuiltXPackTransportClient;
 TransportClient client = new PreBuiltXPackTransportClient(Settings.builder()
 .put("cluster.name", "myClusterName")
 .put("xpack.security.user", "test_user:x-pack-test-password")
- .put("xpack.ssl.certificate_authorities", "/path/to/ca.crt")
+ .put("xpack.security.transport.ssl.certificate_authorities", "/path/to/ca.crt")
 .put("xpack.security.transport.ssl.enabled", "true")
 ...
 .build())
@@ -163,7 +165,7 @@ TransportClient client = new PreBuiltXPackTransportClient(Settings.builder()
 ------------------------------------------------------------------------------------------------------
 NOTE: If you are using a public CA that is already trusted by the Java runtime,
- you do not need to set the `xpack.ssl.certificate_authorities`.
+ you do not need to set the `xpack.security.transport.ssl.certificate_authorities`.
 [float]
 [[connecting-anonymously]]
diff --git a/x-pack/docs/en/security/fips-140-compliance.asciidoc b/x-pack/docs/en/security/fips-140-compliance.asciidoc
index 0216e61784cdb..6bc9be512db4e 100644
--- a/x-pack/docs/en/security/fips-140-compliance.asciidoc
+++ b/x-pack/docs/en/security/fips-140-compliance.asciidoc
@@ -50,12 +50,12 @@ and able to run {es} successfully in a FIPS 140-2 enabled JVM.
 ==== TLS
 SSLv2 and SSLv3 are not allowed by FIPS 140-2, so `SSLv2Hello` and `SSLv3` cannot
-be used for <>
+be used for <>
 NOTE: The use of TLS ciphers is mainly governed by the relevant crypto module (the FIPS Approved Security Provider that your JVM uses). All the ciphers that are configured by default in {es} are FIPS 140-2 compliant and as such can be
-used in a FIPS 140-2 JVM. (see <>)
+used in a FIPS 140-2 JVM. (see <>)
 [float]
 ==== TLS Keystores and keys
@@ -71,7 +71,7 @@ options, and for trust material you can use `*.certificate_authorities`. FIPS 140-2 compliance dictates that the length of the public keys used for TLS must correspond to the strength of the symmetric key algorithm in use in TLS.
-Depending on the value of <> that
+Depending on the value of <> that
 you select to use, the TLS keys must have corresponding length according to the following table:
From f7db3012b4741ecf077104ab0c0f690ed39ba6cf Mon Sep 17 00:00:00 2001
From: jaymode
Date: Mon, 7 Jan 2019 13:15:51 -0700
Subject: [PATCH 07/10] docs
---
 docs/reference/migration/migrate_7_0/settings.asciidoc | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/docs/reference/migration/migrate_7_0/settings.asciidoc b/docs/reference/migration/migrate_7_0/settings.asciidoc
index 6144888fb545d..9a271c65271a3 100644
--- a/docs/reference/migration/migrate_7_0/settings.asciidoc
+++ b/docs/reference/migration/migrate_7_0/settings.asciidoc
@@ -121,3 +121,13 @@ xpack.security.authc.realms: Any realm specific secure settings that have been stored in the elasticsearch keystore (such as ldap bind passwords, or passwords for ssl keys) must be updated in a similar way.
+
+[float]
+[[tls-setting-fallback]]
+==== TLS/SSL settings
+
+The default TLS/SSL settings, which were prefixed by `xpack.ssl`, have been removed.
+The removal of these default settings also removes the ability for a component to
+fallback to a default configuration when using TLS. Each component (realm, transport, http,
+http client, etc) must now be configured with their own settings for TLS if it is being
+used.
From 0861087cf5eea8a1381dee23555a01f5a3977f91 Mon Sep 17 00:00:00 2001
From: jaymode
Date: Thu, 10 Jan 2019 13:25:28 -0700
Subject: [PATCH 08/10] address feedback
---
 .../settings/security-settings.asciidoc | 2 +-
 x-pack/docs/en/rest-api/security/ssl.asciidoc | 4 ++--
 .../security/authc/saml/SamlRealmTests.java | 10 +++++-----
 .../xpack/ssl/SSLClientAuthTests.java | 17 ++++++++++++++---
 .../watcher/common/http/HttpClientTests.java | 16 ++++++++--------
 5 files changed, 30 insertions(+), 19 deletions(-)
diff --git a/docs/reference/settings/security-settings.asciidoc b/docs/reference/settings/security-settings.asciidoc
index d7591b893fe20..bc2455e1eb71d 100644
--- a/docs/reference/settings/security-settings.asciidoc
+++ b/docs/reference/settings/security-settings.asciidoc
@@ -1199,7 +1199,7 @@ through the list of URLs will continue until a successful connection is made.
 [float]
 [[ssl-tls-settings]]
-==== Default TLS/SSL settings
+==== Default values for TLS/SSL settings
 In general, the values below represent the default values for the various TLS
 settings. For more information, see {stack-ov}/encrypting-communications.html[Encrypting communications].
diff --git a/x-pack/docs/en/rest-api/security/ssl.asciidoc b/x-pack/docs/en/rest-api/security/ssl.asciidoc
index 25f9a1472c013..d3480ac8bc006 100644
--- a/x-pack/docs/en/rest-api/security/ssl.asciidoc
+++ b/x-pack/docs/en/rest-api/security/ssl.asciidoc
@@ -30,8 +30,8 @@ The list includes certificates that are used for configuring trust, such as
 those configured in the `xpack.security.transport.ssl.truststore` and
 `xpack.security.transport.ssl.certificate_authorities` settings. It also
 includes certificates that are used for configuring server identity, such as
-`xpack.security.transport.ssl.keystore` and
-`xpack.security.transport.ssl.certificate` settings.
+`xpack.security.http.ssl.keystore` and
+`xpack.security.http.ssl.certificate` settings.
 The list does not include certificates that are sourced from the default SSL context of the Java Runtime Environment (JRE), even if those certificates are in
diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/saml/SamlRealmTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/saml/SamlRealmTests.java
index 36f0b17f7cc8f..a749084de6e4e 100644
--- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/saml/SamlRealmTests.java
+++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/saml/SamlRealmTests.java
@@ -123,20 +123,20 @@ public void testReadIdpMetadataFromHttps() throws Exception {
 final Path path = getDataPath("idp1.xml");
 final String body = new String(Files.readAllBytes(path), StandardCharsets.UTF_8);
 final MockSecureSettings mockSecureSettings = new MockSecureSettings();
- mockSecureSettings.setString("xpack.security.transport.ssl.secure_key_passphrase", "testnode");
+ mockSecureSettings.setString("xpack.security.http.ssl.secure_key_passphrase", "testnode");
 final Settings settings = Settings.builder()
- .put("xpack.security.transport.ssl.key",
+ .put("xpack.security.http.ssl.key",
 getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.pem"))
- .put("xpack.security.transport.ssl.certificate",
+ .put("xpack.security.http.ssl.certificate",
 getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt"))
- .put("xpack.security.transport.ssl.certificate_authorities",
+ .put("xpack.security.http.ssl.certificate_authorities",
 getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt"))
 .put("path.home", createTempDir())
 .setSecureSettings(mockSecureSettings)
 .build();
 TestsSSLService sslService = new TestsSSLService(settings, TestEnvironment.newEnvironment(settings));
 try (MockWebServer proxyServer =
- new MockWebServer(sslService.sslContext(settings.getByPrefix("xpack.security.transport.ssl.")), false)) {
+ new MockWebServer(sslService.sslContext(settings.getByPrefix("xpack.security.http.ssl.")), false)) {
 proxyServer.start();
 proxyServer.enqueue(new MockResponse().setResponseCode(200).setBody(body).addHeader("Content-Type", "application/xml"));
 proxyServer.enqueue(new MockResponse().setResponseCode(200).setBody(body).addHeader("Content-Type", "application/xml"));
diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/ssl/SSLClientAuthTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/ssl/SSLClientAuthTests.java
index 1356795a248da..7075a677a26ce 100644
--- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/ssl/SSLClientAuthTests.java
+++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/ssl/SSLClientAuthTests.java
@@ -9,7 +9,6 @@
 import org.apache.http.nio.conn.ssl.SSLIOSessionStrategy;
 import org.apache.http.ssl.SSLContexts;
 import org.apache.http.util.EntityUtils;
-import org.bouncycastle.util.io.Streams;
 import org.elasticsearch.ElasticsearchException;
 import org.elasticsearch.ExceptionsHelper;
 import org.elasticsearch.client.Request;
@@ -33,8 +32,9 @@
 import javax.net.ssl.KeyManager;
 import javax.net.ssl.SSLContext;
 import javax.net.ssl.TrustManager;
-
+import java.io.ByteArrayOutputStream;
 import java.io.IOException;
+import java.io.InputStream;
 import java.io.UncheckedIOException;
 import java.nio.file.Files;
 import java.nio.file.Path;
@@ -77,7 +77,7 @@ protected Settings nodeSettings(int nodeOrdinal) {
 if (value == null) {
 try {
 if (key.startsWith("xpack.security.transport.ssl.")) {
- byte[] file = Streams.readAll(secureSettings.getFile(key));
+ byte[] file = toByteArray(secureSettings.getFile(key));
 secureSettings.setFile(key.replace("xpack.security.transport.ssl.", "xpack.security.http.ssl."), file);
 }
 } catch (IOException e) {
@@ -177,4 +177,15 @@ private SSLContext getSSLContext() {
 throw new ElasticsearchException("failed to initialize SSLContext", e);
 }
 }
+
+ private byte[] toByteArray(InputStream is) throws IOException {
+ ByteArrayOutputStream baos = new ByteArrayOutputStream();
+ byte[] internalBuffer = new byte[1024];
+ int read = is.read(internalBuffer);
+ while (read != -1) {
+ baos.write(internalBuffer, 0, read);
+ read = is.read(internalBuffer);
+ }
+ return baos.toByteArray();
+ }
 }
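Review bot: The `toByteArray` helper added in the last hunk (@@ -177) hand-rolls what `InputStream.readAllBytes()` already provides, and the call site in the @@ -77 hunk never closes the stream returned by `secureSettings.getFile(key)`. Both are covered by doing the copy in try-with-resources at the call site, `try (InputStream in = secureSettings.getFile(key)) { secureSettings.setFile(key.replace("xpack.security.transport.ssl.", "xpack.security.http.ssl."), in.readAllBytes()); }`, which already sits inside the surrounding `try { … } catch (IOException e)` so no new handling is needed, after which the helper and the `ByteArrayOutputStream` import can go. `readAllBytes()` requires a Java 9+ source level for the test tree, which I would expect here but cannot confirm from the patch. If `secureSettings` is the in-memory mock used elsewhere in this series the unclosed stream is a tidiness point rather than a real leak. `nodeSettings` starts and ends outside the hunk.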
diff --git a/x-pack/plugin/watcher/src/test/java/org/elasticsearch/xpack/watcher/common/http/HttpClientTests.java b/x-pack/plugin/watcher/src/test/java/org/elasticsearch/xpack/watcher/common/http/HttpClientTests.java index 4afc804ecb6bf..24695b371fc1d 100644 --- a/x-pack/plugin/watcher/src/test/java/org/elasticsearch/xpack/watcher/common/http/HttpClientTests.java +++ b/x-pack/plugin/watcher/src/test/java/org/elasticsearch/xpack/watcher/common/http/HttpClientTests.java @@ -174,15 +174,15 @@ public void testHttps() throws Exception { try (HttpClient client = new HttpClient(settings, new SSLService(settings, environment), null)) { secureSettings = new MockSecureSettings(); // We can't use the client created above for the server since it is only a truststore - secureSettings.setString("xpack.security.transport.ssl.secure_key_passphrase", "testnode"); + secureSettings.setString("xpack.security.http.ssl.secure_key_passphrase", "testnode"); Settings settings2 = Settings.builder() - .put("xpack.security.transport.ssl.key", keyPath) - .put("xpack.security.transport.ssl.certificate", certPath) + .put("xpack.security.http.ssl.key", keyPath) + .put("xpack.security.http.ssl.certificate", certPath) .setSecureSettings(secureSettings) .build(); TestsSSLService sslService = new TestsSSLService(settings2, environment); - testSslMockWebserver(client, sslService.sslContext("xpack.security.transport.ssl"), false); + testSslMockWebserver(client, sslService.sslContext("xpack.security.http.ssl"), false); } } 
@@ -202,15 +202,15 @@ public void testHttpsDisableHostnameVerification() throws Exception { try (HttpClient client = new HttpClient(settings, new SSLService(settings, environment), null)) { MockSecureSettings secureSettings = new MockSecureSettings(); // We can't use the client created above for the server since it only defines a truststore - secureSettings.setString("xpack.security.transport.ssl.secure_key_passphrase", "testnode-no-subjaltname"); + secureSettings.setString("xpack.security.http.ssl.secure_key_passphrase", "testnode-no-subjaltname"); Settings settings2 = Settings.builder() - .put("xpack.security.transport.ssl.key", keyPath) - .put("xpack.security.transport.ssl.certificate", certPath) + .put("xpack.security.http.ssl.key", keyPath) + .put("xpack.security.http.ssl.certificate", certPath) .setSecureSettings(secureSettings) .build(); TestsSSLService sslService = new TestsSSLService(settings2, environment); - testSslMockWebserver(client, sslService.sslContext("xpack.security.transport.ssl"), false); + testSslMockWebserver(client, sslService.sslContext("xpack.security.http.ssl"), false); } }
From c641adef7853769139146dad185638d373d378df Mon Sep 17 00:00:00 2001
From: jaymode
Date: Thu, 10 Jan 2019 14:05:42 -0700
Subject: [PATCH 09/10] fix test
---
 .../elasticsearch/xpack/security/authc/saml/SamlRealmTests.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/saml/SamlRealmTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/saml/SamlRealmTests.java
index a749084de6e4e..d139d99bf9ce2 100644
--- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/saml/SamlRealmTests.java
+++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/saml/SamlRealmTests.java
@@ -136,7 +136,7 @@ public void testReadIdpMetadataFromHttps() throws Exception {
 .build();
 TestsSSLService sslService = new TestsSSLService(settings, TestEnvironment.newEnvironment(settings));
 try (MockWebServer proxyServer =
- new MockWebServer(sslService.sslContext(settings.getByPrefix("xpack.security.http.ssl.")), false)) {
+ new MockWebServer(sslService.sslContext("xpack.security.http.ssl"), false)) {
 proxyServer.start();
 proxyServer.enqueue(new MockResponse().setResponseCode(200).setBody(body).addHeader("Content-Type", "application/xml"));
 proxyServer.enqueue(new MockResponse().setResponseCode(200).setBody(body).addHeader("Content-Type", "application/xml"));
From 337d694bb7b6bd393c6ed82962709f5cece6baa3 Mon Sep 17 00:00:00 2001
From: jaymode
Date: Fri, 11 Jan 2019 13:14:08 -0700
Subject: [PATCH 10/10] pkcs11 docs
---
 .../settings/security-settings.asciidoc | 25 -------------------------
 docs/reference/settings/ssl-settings.asciidoc | 12 ++++++++-
 2 files changed, 11 insertions(+), 26 deletions(-)
diff --git a/docs/reference/settings/security-settings.asciidoc b/docs/reference/settings/security-settings.asciidoc
index bc2455e1eb71d..0a88a19f6f050 100644
--- a/docs/reference/settings/security-settings.asciidoc
+++ b/docs/reference/settings/security-settings.asciidoc
@@ -1271,31 +1271,6 @@ a PKCS#12 container includes trusted certificate ("anchor") entries look for `openssl pkcs12 -info` output, or `trustedCertEntry` in the `keytool -list` output. -[float] -===== PKCS#11 tokens - -When using a PKCS#11 cryptographic token, which contains the -private key, certificate, and certificates that should be trusted, use -the following in each configured SSL context: - -`ssl.keystore.type`:: -Set this to `PKCS11`. - -`ssl.truststore.type`:: -Set this to `PKCS11`. - - -[[pkcs11-truststore-note]] -[NOTE] -When configuring the PKCS#11 token that your JVM is configured to use as -a keystore or a truststore for Elasticsearch, the PIN for the token can be -configured by setting the appropriate value to `ssl.truststore.password` -or `ssl.truststore.secure_password` in the context that you are configuring. -Since there can only be one PKCS#11 token configured, only one keystore and -truststore will be usable for configuration in {es}. This in turn means -that only one certificate can be used for TLS both in the transport and the -http layer. - [[http-tls-ssl-settings]] :ssl-prefix: xpack.security.http :component: HTTP diff --git a/docs/reference/settings/ssl-settings.asciidoc b/docs/reference/settings/ssl-settings.asciidoc index 104d7763ec13a..1ff9ebc03ae8d 100644 --- a/docs/reference/settings/ssl-settings.asciidoc +++ b/docs/reference/settings/ssl-settings.asciidoc 
@@ -155,4 +155,14 @@ via the following settings: Set this to `PKCS11` to indicate that the PKCS#11 token should be used as a keystore. +{ssl-prefix}.truststore.type+:: -Set this to `PKCS11` to indicate that the PKCS#11 token should be used as a truststore. \ No newline at end of file +Set this to `PKCS11` to indicate that the PKCS#11 token should be used as a truststore. + +[NOTE] +When configuring the PKCS#11 token that your JVM is configured to use as +a keystore or a truststore for Elasticsearch, the PIN for the token can be +configured by setting the appropriate value to `ssl.truststore.password` +or `ssl.truststore.secure_password` in the context that you are configuring. +Since there can only be one PKCS#11 token configured, only one keystore and +truststore will be usable for configuration in {es}. This in turn means +that only one certificate can be used for TLS both in the transport and the +http layer.