Skip to content

[7.14] [DOCS] Add deprecation warnings for SSL settings #79282

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 1 commit into from
Oct 15, 2021
Merged

[7.14] [DOCS] Add deprecation warnings for SSL settings #79282

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
101 changes: 101 additions & 0 deletions docs/reference/migration/migrate_7_14.asciidoc
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -75,6 +75,107 @@ using any deprecated functionality, enable <<deprecation-logging, deprecation
logging>>.

// tag::notable-breaking-changes[]
[discrete]
[[breaking_714_tls_changes]]
==== Security changes

[[tls-ssl-transport-enabled-required]]
.The `xpack.security.transport.ssl.enabled` setting will be required to configure `xpack.security.transport.ssl` settings.
[%collapsible]
====
*Details* +
Configuring any SSL settings for
`xpack.security.transport.ssl` without also configuring
`xpack.security.transport.ssl.enabled` generates warnings in the deprecation
log. In 8.0, this configuration will result in errors.

*Impact* +
To avoid deprecation warnings, either:

* Explicitly set `xpack.security.transport.ssl.enabled` as `false`
* Discontinue use of other `xpack.security.transport.ssl` settings

If you want to enable SSL, follow the instructions to
{ref}/security-basic-setup.html#encrypt-internode-communication[encrypt internode communications with TLS]. As part of this configuration, explicitly set
`xpack.security.transport.ssl.enabled` as `true`.

For example:
[source,yaml]
--------------------------------------------------
xpack.security.transport.ssl.enabled: true <1>
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12
--------------------------------------------------
<1> or `false`.
====

[[tls-ssl-http-enabled-required]]
.The `xpack.security.http.ssl.enabled` setting will be required to configure `xpack.security.http.ssl` settings.
[%collapsible]
====
*Details* +
Configuring any SSL settings for `xpack.security.http.ssl` without also
configuring `xpack.security.http.ssl.enabled` generates warnings in the
deprecation log. In 8.0, this configuration will result in errors.

*Impact* +
To avoid deprecation warnings, either:

* Explicitly set `xpack.security.http.ssl.enabled` as `false`
* Discontinue use of other `xpack.security.http.ssl` settings

If you want to enable SSL, follow the instructions to
{ref}/security-basic-setup-https.html#encrypt-http-communication[encrypt HTTP client communications for {es}]. As part
of this configuration, explicitly set `xpack.security.http.ssl.enabled`
as `true`.

For example:
[source,yaml]
--------------------------------------------------
xpack.security.http.ssl.enabled: true <1>
xpack.security.http.ssl.certificate: elasticsearch.crt
xpack.security.http.ssl.key: elasticsearch.key
xpack.security.http.ssl.certificate_authorities: [ "corporate-ca.crt" ]
--------------------------------------------------
<1> or `false`.
====

[[tls-ssl-transport-cert-required]]
.A `xpack.security.transport.ssl` certificate and key will be required to enable SSL for the transport interface.
[%collapsible]
====
*Details* +
Enabling SSL for the transport interface without also configuring a certificate
and key through use of the `xpack.security.transport.ssl.keystore.path`
setting or the `xpack.security.transport.ssl.certificate` and
`xpack.security.transport.ssl.key` settings generates warnings in the
deprecation log. In 8.0, this configuration will result in errors.

*Impact* +
If `xpack.security.transport.ssl.enabled` is set to `true`, provide a
certificate and key using the `xpack.security.transport.ssl.keystore.path`
setting or the `xpack.security.transport.ssl.certificate` and
`xpack.security.transport.ssl.key` settings. If a certificate and key is not
provided, {es} will generate warnings in the deprecation log.
====

[[tls-ssl-http-cert-required]]
.A `xpack.security.http.ssl` certificate and key will be required to enable SSL for the HTTP layer.
[%collapsible]
====
*Details* +
Enabling SSL for the HTTP layer without also configuring a certificate and key
through use of the `xpack.security.http.ssl.keystore.path` setting or
the `xpack.security.http.ssl.certificate` and `xpack.security.http.ssl.key`
settings generates warnings in the deprecation log. In 8.0, this configuration
will result in errors.
*Impact* +
If `xpack.security.http.ssl.enabled` is set to `true`, provide a
certificate and key using the `xpack.security.http.ssl.keystore.path`
setting or the `xpack.security.http.ssl.certificate` and
`xpack.security.http.ssl.key` settings. If a certificate and key is not
provided, {es} will generate warnings in the deprecation log.
====

[discrete]
[[breaking_714_ccr_changes]]
Expand Down