[DOCS] Adds tutorial for getting started with TLS #87
Conversation
You can preview this content in https://doc-review-63bf6.firebaseapp.com/x2/security-getting-started.html
| when nodes are added to your cluster they just need to use a certificate signed | ||
| by the same CA and the node is automatically allowed to join the cluster. | ||
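Review bot: "the node is automatically allowed to join the cluster" needs a caveat in this paragraph: any certificate signed by that CA is sufficient to join, so this is the place to state that the CA keystore and its password must be kept out of reach of anyone who should not be able to add nodes, and that issuing a node certificate is a deliberate administrative step rather than something that happens on its own.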
| . Pick a verification mode for the certificates. By default, {es} verifies that |
I'd honestly be in favor of dropping this. Advising users on how to disable hostname verification before they even attempt TLS sets the wrong precedent
| certificates. | ||
| The `elasticsearch-certutil` command also prompts you for a password to protect | ||
| the file and key. If you plan to add more nodes to your cluster in the future, |
users should always retain this file and store it securely. It holds the key to their cluster
| See {ref}/starting-elasticsearch.html[Starting {es}]. | ||
| -- | ||
| When TLS is enabled on an {es} cluster, {kib}, {ls}, and Beats must communicate |
this is out of place since we haven't yet turned on HTTPS. Enabling Transport TLS does not require the other products to use TLS
| {ref}/configuring-tls.html#tls-http[Encrypting HTTP client communications]. | ||
| NOTE: Enabling TLS on the HTTP layer is strongly recommended but is not required. | ||
| If you enable TLS on the HTTP layer in {es}, you might need to make |
s/might/will
| create the `certs` folder on each node and copy the appropriate node certificate | ||
| to each node. | ||
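Review bot: "copy the appropriate node certificate" understates what is being copied: the PKCS#12 file produced earlier also holds the node's private key (the text above says `elasticsearch-certutil` prompts for a password to protect "the file and key"), so this step should say to transfer the file over a secure channel, make it readable only by the user that runs {es}, and not leave spare copies on the machine used to generate it.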
| . Create a certificate for use by {kib}. |
Maybe this should be Reformat CA certificate for use by {kib}
| . Create a certificate for use by {kib}. | ||
| + | ||
| -- | ||
| {kib} doesn't currently support PKCS#12 keystores, so we must create a PEM |
PEM formatted CA certificate
| ["source","sh",subs="attributes,callouts"] | ||
| ---------------------------------------------------------------------- | ||
| openssl pkcs12 -in elastic-certificates.p12 -cacerts -nokeys -out elastic-ca.pem |
s/elastic-certificates.p12/elastic-stack-ca.p12
| openssl pkcs12 -in elastic-certificates.p12 -cacerts -nokeys -out elastic-ca.pem | ||
| ---------------------------------------------------------------------- | ||
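Review bot: `-cacerts` outputs only the certificates stored as CA entries in the keystore, not the certificate that is paired with a private key. If the input file is changed to the CA keystore as the review comment above suggests, the CA certificate in that file is the entry paired with its key, so `-cacerts` can leave `elastic-ca.pem` empty; for that input use `-clcerts -nokeys`, and add a check that the output contains a `BEGIN CERTIFICATE` block before it is configured in {kib}. Because the keystore is password protected, the step should also say that `openssl` prompts for the import password.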
| In this example, `elastic-certificates.p12` is the PKCS#12 keystore that you |
In this example, elastic-stack-ca.p12 is the PKCS#12 keystore containing the Elasticsearch cluster's CA.
Replaced by #164
Related to #68
The Stack Overview contains a tutorial for installing Elasticsearch, Kibana, Logstash, and Metricbeat.
This PR creates a new tutorial that describes how to encrypt communications using TLS. When #68 is approved, it might be used as a prerequisite for this TLS tutorial.