diff --git a/docs/reference/index.asciidoc b/docs/reference/index.asciidoc index 179cec517c188..7f82553f0c561 100644 --- a/docs/reference/index.asciidoc +++ b/docs/reference/index.asciidoc @@ -66,7 +66,7 @@ include::data-rollup-transform.asciidoc[] include::rest-api/index.asciidoc[] -include::security/index.asciidoc[] +include::{xes-repo-dir}/security/index.asciidoc[] include::{xes-repo-dir}/watcher/index.asciidoc[] diff --git a/docs/reference/security/index.asciidoc b/docs/reference/security/index.asciidoc deleted file mode 100644 index ed11b5916cb2c..0000000000000 --- a/docs/reference/security/index.asciidoc +++ /dev/null @@ -1,18 +0,0 @@ -[[secure-cluster]] -= Secure a cluster - -[partintro] --- -The {stack-security-features} enable you to easily secure a cluster. You can -password-protect your data as well as implement more advanced security -measures such as encrypting communications, role-based access control, -IP filtering, and auditing. - -* <> -* <> - --- - -include::overview.asciidoc[] - -include::{xes-repo-dir}/security/configuring-es.asciidoc[] diff --git a/x-pack/docs/en/security/auditing/event-types.asciidoc b/x-pack/docs/en/security/auditing/event-types.asciidoc index 19947e40b5553..dfa0c72b5e2d9 100644 --- a/x-pack/docs/en/security/auditing/event-types.asciidoc +++ b/x-pack/docs/en/security/auditing/event-types.asciidoc @@ -18,7 +18,7 @@ The following is a list of the events that can be generated: realm type. | `access_denied` | | | Logged when an authenticated user attempts to execute an action they do not have the necessary - <> to perform. + <> to perform. | `access_granted` | | | Logged when an authenticated user attempts to execute an action they have the necessary privilege to perform. When the `system_access_granted` event is included, all system 
@@ -28,7 +28,7 @@ The following is a list of the events that can be generated: another user that they have the necessary privileges to do. | `run_as_denied` | | | Logged when an authenticated user attempts to <> another user action they do not have the necessary - <> to do so. + <> to do so. | `tampered_request` | | | Logged when the {security-features} detect that the request has been tampered with. Typically relates to `search/scroll` requests when the scroll ID is believed to have been diff --git a/x-pack/docs/en/security/authentication/index.asciidoc b/x-pack/docs/en/security/authentication/index.asciidoc index 8ef1685df70fe..39221efb26f44 100644 --- a/x-pack/docs/en/security/authentication/index.asciidoc +++ b/x-pack/docs/en/security/authentication/index.asciidoc @@ -11,13 +11,8 @@ include::native-realm.asciidoc[] include::pki-realm.asciidoc[] include::saml-realm.asciidoc[] include::kerberos-realm.asciidoc[] - -include::{xes-repo-dir}/security/authentication/custom-realm.asciidoc[] - -include::{xes-repo-dir}/security/authentication/anonymous-access.asciidoc[] - -include::{xes-repo-dir}/security/authentication/user-cache.asciidoc[] - -include::{xes-repo-dir}/security/authentication/saml-guide.asciidoc[] - -include::{xes-repo-dir}/security/authentication/oidc-guide.asciidoc[] +include::custom-realm.asciidoc[] +include::anonymous-access.asciidoc[] +include::user-cache.asciidoc[] +include::saml-guide.asciidoc[] +include::oidc-guide.asciidoc[] diff --git a/x-pack/docs/en/security/authorization/index.asciidoc b/x-pack/docs/en/security/authorization/index.asciidoc index d6df16e41e04d..df8210c4dd5ad 100644 --- a/x-pack/docs/en/security/authorization/index.asciidoc +++ b/x-pack/docs/en/security/authorization/index.asciidoc @@ -3,7 +3,7 @@ include::overview.asciidoc[] include::built-in-roles.asciidoc[] -include::{xes-repo-dir}/security/authorization/managing-roles.asciidoc[] +include::managing-roles.asciidoc[] include::privileges.asciidoc[] 
@@ -11,12 +11,12 @@ include::document-level-security.asciidoc[] include::field-level-security.asciidoc[] -include::{xes-repo-dir}/security/authorization/alias-privileges.asciidoc[] +include::alias-privileges.asciidoc[] -include::{xes-repo-dir}/security/authorization/mapping-roles.asciidoc[] +include::mapping-roles.asciidoc[] -include::{xes-repo-dir}/security/authorization/field-and-document-access-control.asciidoc[] +include::field-and-document-access-control.asciidoc[] -include::{xes-repo-dir}/security/authorization/run-as-privilege.asciidoc[] +include::run-as-privilege.asciidoc[] -include::{xes-repo-dir}/security/authorization/custom-authorization.asciidoc[] +include::custom-authorization.asciidoc[] diff --git a/x-pack/docs/en/security/ccs-clients-integrations.asciidoc b/x-pack/docs/en/security/ccs-clients-integrations/index.asciidoc similarity index 67% rename from x-pack/docs/en/security/ccs-clients-integrations.asciidoc rename to x-pack/docs/en/security/ccs-clients-integrations/index.asciidoc index e5a477e3c153c..566731edbbb56 100644 --- a/x-pack/docs/en/security/ccs-clients-integrations.asciidoc +++ b/x-pack/docs/en/security/ccs-clients-integrations/index.asciidoc @@ -2,17 +2,17 @@ [[ccs-clients-integrations]] == Cross cluster search, clients, and integrations -When using {ref}/modules-cross-cluster-search.html[Cross Cluster Search] +When using <> you need to take extra steps to secure communications with the connected clusters. -* <> +* <> You will need to update the configuration for several clients to work with a secured cluster: -* <> -* <> +* <> +* <> The {es} {security-features} enable you to secure your {es} cluster. But 
@@ -32,14 +32,9 @@ be secured as well, or at least communicate with the cluster in a secured way: * {kibana-ref}/secure-reporting.html[Reporting] * {winlogbeat-ref}/securing-beats.html[Winlogbeat] -include::ccs-clients-integrations/cross-cluster.asciidoc[] - -include::ccs-clients-integrations/java.asciidoc[] - -include::ccs-clients-integrations/http.asciidoc[] - -include::ccs-clients-integrations/hadoop.asciidoc[] - -include::ccs-clients-integrations/beats.asciidoc[] - -include::ccs-clients-integrations/monitoring.asciidoc[] +include::cross-cluster.asciidoc[] +include::java.asciidoc[] +include::http.asciidoc[] +include::hadoop.asciidoc[] +include::beats.asciidoc[] +include::monitoring.asciidoc[] diff --git a/x-pack/docs/en/security/ccs-clients-integrations/monitoring.asciidoc b/x-pack/docs/en/security/ccs-clients-integrations/monitoring.asciidoc index 37c7e38f651bd..a46767629a003 100644 --- a/x-pack/docs/en/security/ccs-clients-integrations/monitoring.asciidoc +++ b/x-pack/docs/en/security/ccs-clients-integrations/monitoring.asciidoc @@ -1,7 +1,7 @@ [[secure-monitoring]] === Monitoring and security -The <> consist of two components: +The {stack} {monitor-features} consist of two components: an agent that you install on on each {es} and Logstash node, and a Monitoring UI in {kib}. The monitoring agent collects and indexes metrics from the nodes and you visualize the data through the Monitoring dashboards in {kib}. The agent @@ -17,7 +17,7 @@ with the monitoring cluster. For more information, see: -* {ref}/configuring-monitoring.html[Configuring monitoring in {es}] +* <> * {kibana-ref}/monitoring-xpack-kibana.html[Configuring monitoring in {kib}] * {logstash-ref}/configuring-logstash.html[Configuring monitoring for Logstash nodes] diff --git a/x-pack/docs/en/security/configuring-es.asciidoc b/x-pack/docs/en/security/configuring-es.asciidoc index ea42b971a7688..266ecf1d248d8 100644 --- a/x-pack/docs/en/security/configuring-es.asciidoc 
+++ b/x-pack/docs/en/security/configuring-es.asciidoc @@ -8,8 +8,7 @@ The {es} {security-features} enable you to easily secure a cluster. You can password-protect your data as well as implement more advanced security measures such as encrypting communications, role-based access control, IP filtering, and -auditing. For more information, see -{stack-ov}/elasticsearch-security.html[Securing the {stack}]. +auditing. . Verify that you are using a license that includes the specific {security-features} you want. @@ -21,7 +20,7 @@ For more information, see https://www.elastic.co/subscriptions and . Verify that the `xpack.security.enabled` setting is `true` on each node in your cluster. If you are using basic or trial licenses, the default value is `false`. -For more information, see {ref}/security-settings.html[Security settings in {es}]. +For more information, see <>. . If you plan to run {es} in a Federal Information Processing Standard (FIPS) 140-2 enabled JVM, see <>. @@ -32,8 +31,7 @@ For more information, see {ref}/security-settings.html[Security settings in {es} NOTE: This requirement applies to clusters with more than one node and to clusters with a single node that listens on an external interface. Single-node clusters that use a loopback interface do not have this requirement. For more -information, see -{stack-ov}/encrypting-communications.html[Encrypting communications]. +information, see <>. -- @@ -43,7 +41,7 @@ information, see + -- The {es} {security-features} provide -{stack-ov}/built-in-users.html[built-in users] to +<> to help you get up and running. The +elasticsearch-setup-passwords+ command is the simplest method to set the built-in users' passwords for the first time. 
@@ -137,25 +135,19 @@ Events are logged to a dedicated `_audit.json` file in -- To walk through the configuration of {security-features} in {es}, {kib}, {ls}, and {metricbeat}, see -{stack-ov}/security-getting-started.html[Getting started with security]. - -include::{es-repo-dir}/security/securing-communications/securing-elasticsearch.asciidoc[] - -include::{es-repo-dir}/security/securing-communications/configuring-tls-docker.asciidoc[] - -include::{es-repo-dir}/security/securing-communications/enabling-cipher-suites.asciidoc[] - -include::{es-repo-dir}/security/securing-communications/separating-node-client-traffic.asciidoc[] +<>. +include::securing-communications/securing-elasticsearch.asciidoc[] +include::securing-communications/configuring-tls-docker.asciidoc[] +include::securing-communications/enabling-cipher-suites.asciidoc[] +include::securing-communications/separating-node-client-traffic.asciidoc[] include::authentication/configuring-active-directory-realm.asciidoc[] include::authentication/configuring-file-realm.asciidoc[] include::authentication/configuring-ldap-realm.asciidoc[] include::authentication/configuring-native-realm.asciidoc[] include::authentication/configuring-pki-realm.asciidoc[] include::authentication/configuring-saml-realm.asciidoc[] - include::authentication/configuring-kerberos-realm.asciidoc[] - -include::{es-repo-dir}/security/reference/files.asciidoc[] +include::reference/files.asciidoc[] include::fips-140-compliance.asciidoc[] diff --git a/x-pack/docs/en/security/get-started-security.asciidoc b/x-pack/docs/en/security/get-started-security.asciidoc index d2ad7349b6c67..0c08a2acf1e85 100644 --- a/x-pack/docs/en/security/get-started-security.asciidoc +++ b/x-pack/docs/en/security/get-started-security.asciidoc 
@@ -18,7 +18,7 @@ IMPORTANT: To complete this tutorial, you must install the default {es} and authentication {security-features}. When you install these products, they apply basic licenses with no expiration dates. All of the subsequent steps in this tutorial assume that you are using a basic license. For more information, see -{subscriptions} and <>. +{subscriptions} and {stack-ov}/license-management.html[License management]. -- diff --git a/x-pack/docs/en/security/index.asciidoc b/x-pack/docs/en/security/index.asciidoc index 41227d7c67cbd..8fdc75d4c61e8 100644 --- a/x-pack/docs/en/security/index.asciidoc +++ b/x-pack/docs/en/security/index.asciidoc 
@@ -1,109 +1,42 @@ [role="xpack"] -[[elasticsearch-security]] -= Securing the {stack} +[[secure-cluster]] += Secure a cluster [partintro] -- The {stack-security-features} enable you to easily secure a cluster. You can password-protect your data as well as implement more advanced security measures such as encrypting communications, role-based access control, -IP filtering, and auditing. This guide describes how to configure the security -features you need, and interact with your secured cluster. - -Security protects Elasticsearch clusters by: - -* <> - with password protection, role-based access control, and IP filtering. -* <> - with message authentication and SSL/TLS encryption. -* <> - so you know who's doing what to your cluster and the data it stores. - -[float] -[[preventing-unauthorized-access]] -=== Preventing unauthorized access - -To prevent unauthorized access to your Elasticsearch cluster, you must have a -way to _authenticate_ users. This simply means that you need a way to validate -that a user is who they claim to be. For example, you have to make sure only -the person named _Kelsey Andorra_ can sign in as the user `kandorra`. The -{es-security-features} provide a standalone authentication mechanism that enables -you to quickly password-protect your cluster. If you're already using -<>, <>, or -<> to manage users in your organization, the {security-features} -are able to integrate with those systems to perform user authentication. - -In many cases, simply authenticating users isn't enough. You also need a way to -control what data users have access to and what tasks they can perform. The -{es-security-features} enable you to _authorize_ users by assigning access -_privileges_ to _roles_ and assigning those roles to users. For example, this -<> mechanism (a.k.a RBAC) enables -you to specify that the user `kandorra` can only perform read operations on the -`events` index and can't do anything at all with other indices. 
- -The {security-features} also support <>. -You can whitelist and blacklist specific IP addresses or subnets to control -network-level access to a server. - -[float] -[[preserving-data-integrity]] -=== Preserving data integrity - -A critical part of security is keeping confidential data confidential. -Elasticsearch has built-in protections against accidental data loss and -corruption. However, there's nothing to stop deliberate tampering or data -interception. The {stack-security-features} preserve the integrity of your -data by <> to and from nodes. For even -greater protection, you can increase the <> and -<>. - - -[float] -[[maintaining-audit-trail]] -=== Maintaining an audit trail - -Keeping a system secure takes vigilance. By using {stack-security-features} to -maintain an audit trail, you can easily see who is accessing your cluster and -what they're doing. By analyzing access patterns and failed attempts to access -your cluster, you can gain insights into attempted attacks and data breaches. -Keeping an auditable log of the activity in your cluster can also help diagnose -operational issues. - -[float] -=== Where to Go Next - -* <> - steps through how to install and start using Security for basic authentication. - -* <> - provides more information about how Security supports user authentication, - authorization, and encryption. - +IP filtering, and auditing. + +* <> +* <> +* <> +* <> +* <> +* <> +* <> +* <> +* <> * <> - shows you how to interact with an Elasticsearch cluster protected by the - {stack-security-features}. - -[float] -=== Have Comments, Questions, or Feedback? +* <> +* <> +* <> +* <> -Head over to our {security-forum}[Security Discussion Forum] -to share your experience, questions, and suggestions. 
-- +include::overview.asciidoc[] +include::configuring-es.asciidoc[] include::how-security-works.asciidoc[] - include::authentication/index.asciidoc[] - include::authorization/index.asciidoc[] - -include::{xes-repo-dir}/security/auditing/index.asciidoc[] - -include::{xes-repo-dir}/security/securing-communications.asciidoc[] - -include::{xes-repo-dir}/security/using-ip-filtering.asciidoc[] - -include::{xes-repo-dir}/security/ccs-clients-integrations.asciidoc[] - +include::auditing/index.asciidoc[] +include::securing-communications/index.asciidoc[] +include::using-ip-filtering.asciidoc[] +include::ccs-clients-integrations/index.asciidoc[] include::get-started-security.asciidoc[] - include::securing-communications/tutorial-tls-intro.asciidoc[] +include::troubleshooting.asciidoc[] +include::limitations.asciidoc[] + diff --git a/x-pack/docs/en/security/limitations.asciidoc b/x-pack/docs/en/security/limitations.asciidoc index 1c7c39809f53b..8a0561254b475 100644 --- a/x-pack/docs/en/security/limitations.asciidoc +++ b/x-pack/docs/en/security/limitations.asciidoc @@ -1,6 +1,9 @@ [role="xpack"] [[security-limitations]] == Security limitations +++++ +Limitations +++++ [float] === Plugins diff --git a/docs/reference/security/overview.asciidoc b/x-pack/docs/en/security/overview.asciidoc similarity index 100% rename from docs/reference/security/overview.asciidoc rename to x-pack/docs/en/security/overview.asciidoc diff --git a/docs/reference/security/reference/files.asciidoc b/x-pack/docs/en/security/reference/files.asciidoc similarity index 100% rename from docs/reference/security/reference/files.asciidoc rename to x-pack/docs/en/security/reference/files.asciidoc 
diff --git a/docs/reference/security/securing-communications/configuring-tls-docker.asciidoc b/x-pack/docs/en/security/securing-communications/configuring-tls-docker.asciidoc similarity index 100% rename from docs/reference/security/securing-communications/configuring-tls-docker.asciidoc rename to x-pack/docs/en/security/securing-communications/configuring-tls-docker.asciidoc diff --git a/docs/reference/security/securing-communications/enabling-cipher-suites.asciidoc b/x-pack/docs/en/security/securing-communications/enabling-cipher-suites.asciidoc similarity index 96% rename from docs/reference/security/securing-communications/enabling-cipher-suites.asciidoc rename to x-pack/docs/en/security/securing-communications/enabling-cipher-suites.asciidoc index 51d5e5f6de650..4e51f5e43ff24 100644 --- a/docs/reference/security/securing-communications/enabling-cipher-suites.asciidoc +++ b/x-pack/docs/en/security/securing-communications/enabling-cipher-suites.asciidoc @@ -1,6 +1,6 @@ [role="xpack"] [[ciphers]] -=== Enabling Cipher Suites for Stronger Encryption +=== Enabling cipher suites for stronger encryption The TLS and SSL protocols use a cipher suite that determines the strength of encryption used to protect the data. You may want to increase the strength of diff --git a/x-pack/docs/en/security/securing-communications.asciidoc b/x-pack/docs/en/security/securing-communications/index.asciidoc similarity index 67% rename from x-pack/docs/en/security/securing-communications.asciidoc rename to x-pack/docs/en/security/securing-communications/index.asciidoc index 2ccea2c53659f..e4e9d1b47883a 100644 --- a/x-pack/docs/en/security/securing-communications.asciidoc +++ b/x-pack/docs/en/security/securing-communications/index.asciidoc 
@@ -17,14 +17,4 @@ This section shows how to: The authentication of new nodes helps prevent a rogue node from joining the cluster and receiving data through replication. -include::{es-repo-dir}/security/securing-communications/setting-up-ssl.asciidoc[] - -[[ciphers]] -=== Enabling cipher suites for stronger encryption - -See {ref}/ciphers.html[Enabling Cipher Suites for Stronger Encryption]. - -[[separating-node-client-traffic]] -=== Separating node-to-node and client traffic - -See {ref}/separating-node-client-traffic.html[Separating node-to-node and client traffic]. +include::setting-up-ssl.asciidoc[] diff --git a/docs/reference/security/securing-communications/node-certificates.asciidoc b/x-pack/docs/en/security/securing-communications/node-certificates.asciidoc similarity index 100% rename from docs/reference/security/securing-communications/node-certificates.asciidoc rename to x-pack/docs/en/security/securing-communications/node-certificates.asciidoc diff --git a/docs/reference/security/securing-communications/securing-elasticsearch.asciidoc b/x-pack/docs/en/security/securing-communications/securing-elasticsearch.asciidoc similarity index 100% rename from docs/reference/security/securing-communications/securing-elasticsearch.asciidoc rename to x-pack/docs/en/security/securing-communications/securing-elasticsearch.asciidoc diff --git a/docs/reference/security/securing-communications/separating-node-client-traffic.asciidoc b/x-pack/docs/en/security/securing-communications/separating-node-client-traffic.asciidoc similarity index 100% rename from docs/reference/security/securing-communications/separating-node-client-traffic.asciidoc rename to x-pack/docs/en/security/securing-communications/separating-node-client-traffic.asciidoc 
diff --git a/docs/reference/security/securing-communications/setting-up-ssl.asciidoc b/x-pack/docs/en/security/securing-communications/setting-up-ssl.asciidoc similarity index 100% rename from docs/reference/security/securing-communications/setting-up-ssl.asciidoc rename to x-pack/docs/en/security/securing-communications/setting-up-ssl.asciidoc diff --git a/docs/reference/security/securing-communications/tls-ad.asciidoc b/x-pack/docs/en/security/securing-communications/tls-ad.asciidoc similarity index 100% rename from docs/reference/security/securing-communications/tls-ad.asciidoc rename to x-pack/docs/en/security/securing-communications/tls-ad.asciidoc diff --git a/docs/reference/security/securing-communications/tls-http.asciidoc b/x-pack/docs/en/security/securing-communications/tls-http.asciidoc similarity index 100% rename from docs/reference/security/securing-communications/tls-http.asciidoc rename to x-pack/docs/en/security/securing-communications/tls-http.asciidoc diff --git a/docs/reference/security/securing-communications/tls-ldap.asciidoc b/x-pack/docs/en/security/securing-communications/tls-ldap.asciidoc similarity index 100% rename from docs/reference/security/securing-communications/tls-ldap.asciidoc rename to x-pack/docs/en/security/securing-communications/tls-ldap.asciidoc diff --git a/docs/reference/security/securing-communications/tls-transport.asciidoc b/x-pack/docs/en/security/securing-communications/tls-transport.asciidoc similarity index 100% rename from docs/reference/security/securing-communications/tls-transport.asciidoc rename to x-pack/docs/en/security/securing-communications/tls-transport.asciidoc diff --git a/x-pack/docs/en/security/securing-communications/tutorial-tls-addnodes.asciidoc b/x-pack/docs/en/security/securing-communications/tutorial-tls-addnodes.asciidoc index bf070cb76bce3..8eac7a5addc43 100644 --- a/x-pack/docs/en/security/securing-communications/tutorial-tls-addnodes.asciidoc 
+++ b/x-pack/docs/en/security/securing-communications/tutorial-tls-addnodes.asciidoc @@ -5,7 +5,7 @@ You can add more nodes to your cluster and optionally designate specific purposes for each node. For example, you can allocate master nodes, data nodes, ingest nodes, machine learning nodes, and dedicated coordinating nodes. For -details about each node type, see {ref}/modules-node.html[Nodes]. +details about each node type, see <>. Let's add two nodes to our cluster! @@ -110,7 +110,7 @@ The default value for this setting is `127.0.0.1, [::1]`, therefore it isn't actually required in this tutorial. When you want to form a cluster with nodes on other hosts, however, you must use this setting to provide a list of master-eligible nodes to seed the discovery process. For more information, see -{ref}/modules-discovery-hosts-providers.html[Discovery]. +<>. -- . On each node, enable TLS for transport communications. You must also configure @@ -139,7 +139,7 @@ package, run the following command from each {es} directory: ./bin/elasticsearch ---------------------------------------------------------------------- -See {ref}/starting-elasticsearch.html[Starting {es}]. +See <>. If you encounter errors, you can see some common problems and solutions in <>. @@ -149,7 +149,7 @@ If you encounter errors, you can see some common problems and solutions in + -- For example, log into {kib} with the `elastic` built-in user. Go to -*Dev Tools > Console* and run the {ref}/cluster-health.html[cluster health API]: +*Dev Tools > Console* and run the <>: [source,js] ---------------------------------- @@ -159,7 +159,7 @@ GET _cluster/health Confirm the `number_of_nodes` in the response from this API. -You can also use the {ref}/cat-nodes.html[cat nodes API] to identify the master +You can also use the <> to identify the master node: [source,js] 
@@ -175,7 +175,7 @@ node. Now that you have multiple nodes, your data can be distributed across the cluster in multiple primary and replica shards. For more information about the concepts of clusters, nodes, and shards, see -{ref}/getting-started.html[Getting started with {es}]. +<>. [float] [[encrypting-internode-nextsteps]] @@ -183,7 +183,7 @@ concepts of clusters, nodes, and shards, see Congratulations! You've encrypted communications between the nodes in your cluster and can pass the -{ref}/bootstrap-checks-xpack.html#bootstrap-checks-tls[TLS bootstrap check]. +<>. If you want to encrypt communications between other products in the {stack}, see <>. diff --git a/x-pack/docs/en/security/securing-communications/tutorial-tls-certificates.asciidoc b/x-pack/docs/en/security/securing-communications/tutorial-tls-certificates.asciidoc index ba6b030455b59..4c4436c2ec633 100644 --- a/x-pack/docs/en/security/securing-communications/tutorial-tls-certificates.asciidoc +++ b/x-pack/docs/en/security/securing-communications/tutorial-tls-certificates.asciidoc @@ -68,7 +68,7 @@ The output file is a PKCS#12 keystore that includes a node certificate, node key and CA certificate. -- -TIP: The {ref}/certutil.html[elasticsearch-certutil] command has a lot more +TIP: The <> command has a lot more options. For example, it can generate Privacy Enhanced Mail (PEM) formatted certificates and keys. It can also generate certificate signing requests (CSRs) that you can use to obtain signed certificates from a commercial or diff --git a/x-pack/docs/en/security/securing-communications/tutorial-tls-internode.asciidoc b/x-pack/docs/en/security/securing-communications/tutorial-tls-internode.asciidoc index 48863c9e32660..155d7db0da908 100644 --- a/x-pack/docs/en/security/securing-communications/tutorial-tls-internode.asciidoc +++ b/x-pack/docs/en/security/securing-communications/tutorial-tls-internode.asciidoc 
@@ -9,12 +9,12 @@ IMPORTANT: When you enable {es} {security-features}, unless you have a trial license, you must use Transport Layer Security (TLS) to encrypt internode communication. By following the steps in this tutorial tutorial, you learn how to meet the minimum requirements to pass the -{ref}/bootstrap-checks-xpack.html#bootstrap-checks-tls[TLS bootstrap check]. +<>. . (Optional) Name the cluster. + -- -For example, add the {ref}/cluster.name.html[cluster.name] setting in the +For example, add the <> setting in the `ES_PATH_CONF/elasticsearch.yml` file: [source,yaml] @@ -26,7 +26,7 @@ TIP: The `ES_PATH_CONF` environment variable contains the path for the {es} configuration files. If you installed {es} using archive distributions (`zip` or `tar.gz`), it defaults to `ES_HOME/config`. If you used package distributions (Debian or RPM), it defaults to `/etc/elasticsearch`. For more information, see -{ref}/settings.html[Configuring {es}]. +<>. The default cluster name is `elasticsearch`. You should choose a unique name, however, to ensure that your nodes join the right cluster. @@ -35,7 +35,7 @@ however, to ensure that your nodes join the right cluster. . (Optional) Name the {es} node. + -- -For example, add the {ref}/node.name.html[node.name] setting in the +For example, add the <> setting in the `ES_PATH_CONF/elasticsearch.yml` file: [source,yaml] @@ -79,8 +79,8 @@ TIP: If you are starting a cluster with multiple master-eligible nodes for the first time, add all of those node names to the `cluster.initial_master_nodes` setting. -See {ref}/modules-discovery-bootstrap-cluster.html[Bootstrapping a cluster] and -{ref}/discovery-settings.html[Important discovery and cluster formation settings]. +See <> and +<>. -- . Enable Transport Layer Security (TLS/SSL) for transport (internode) 
@@ -108,7 +108,7 @@ generate your certificates, you might have different values for these settings, but that scenario is not covered in this tutorial. For more information, see <> and -{ref}/security-settings.html#transport-tls-ssl-settings[Transport TLS settings]. +<>. -- . Store the password for the PKCS#12 file in the {es} keystore. @@ -151,7 +151,7 @@ command from the {es} directory: NOTE: If you already configured passwords for these users in other tutorials, you can skip this step. -include::{stack-repo-dir}/security/get-started-builtin-users.asciidoc[tag=create-users] +include::{xes-repo-dir}/security/get-started-builtin-users.asciidoc[tag=create-users] After you setup the password for the `kibana` built-in user, <>. @@ -159,7 +159,7 @@ After you setup the password for the `kibana` built-in user, For example, run the following commands to create the {kib} keystore and add the `kibana` built-in user and its password in secure settings: -include::{stack-repo-dir}/security/get-started-kibana-users.asciidoc[tag=store-kibana-user] +include::{xes-repo-dir}/security/get-started-kibana-users.asciidoc[tag=store-kibana-user] -- . Start {kib}. diff --git a/x-pack/docs/en/security/securing-communications/tutorial-tls-intro.asciidoc b/x-pack/docs/en/security/securing-communications/tutorial-tls-intro.asciidoc index 49cf5ffdd0aa2..bab7f4385b452 100644 --- a/x-pack/docs/en/security/securing-communications/tutorial-tls-intro.asciidoc +++ b/x-pack/docs/en/security/securing-communications/tutorial-tls-intro.asciidoc 
@@ -8,7 +8,7 @@ used a cluster with a single {es} node to get up and running with the {stack}. You can add as many nodes as you want in a cluster but they must be able to communicate with each other. The communication between nodes in a cluster is -handled by the {ref}/modules-transport.html[transport module]. To secure your +handled by the <>. To secure your cluster, you must ensure that the internode communications are encrypted. NOTE: In this tutorial, we add more nodes by installing more copies of {es} on @@ -19,8 +19,8 @@ When you are deploying a production environment, however, you are generally adding nodes on different machines so that your cluster is resilient to outages and avoids data loss. In a production scenario, there are additional requirements that are not covered in this tutorial. See -{ref}/bootstrap-checks.html#dev-vs-prod-mode[Development vs production mode] and -{ref}/add-elasticsearch-nodes.html[Adding nodes to your cluster]. +<> and +<>. [float] [[encrypting-internode-prerequisites]] @@ -39,7 +39,7 @@ IMPORTANT: To complete this tutorial, you must install the default {es} and When you install these products, they apply basic licenses with no expiration dates. All of the subsequent steps in this tutorial assume that you are using a basic license. For more information, see {subscriptions} and -<>. +{stack-ov}/license-management.html[License management]. include::tutorial-tls-certificates.asciidoc[] include::tutorial-tls-internode.asciidoc[] diff --git a/x-pack/docs/en/security/troubleshooting.asciidoc b/x-pack/docs/en/security/troubleshooting.asciidoc index 34344b8a38c8e..3e7d7ba30b73f 100644 --- a/x-pack/docs/en/security/troubleshooting.asciidoc +++ b/x-pack/docs/en/security/troubleshooting.asciidoc @@ -2,7 +2,7 @@ [[security-troubleshooting]] == Troubleshooting security ++++ -Security +Troubleshooting ++++ Use the information in this section to troubleshoot common problems and find 
@@ -22,14 +22,18 @@ answers for frequently asked questions. * <> -To get help, see <>. +For issues that you cannot fix yourself … we’re here to help. +If you are an existing Elastic customer with a support contract, please create +a ticket in the +https://support.elastic.co/customers/s/login/[Elastic Support portal]. +Or post in the https://discuss.elastic.co/[Elastic forum]. [[security-trb-settings]] === Some settings are not returned via the nodes settings API *Symptoms:* -* When you use the {ref}/cluster-nodes-info.html[nodes info API] to retrieve +* When you use the <> to retrieve settings for a node, some information is missing. *Resolution:* @@ -76,7 +80,7 @@ jacknich : monitoring,unknown_role* <1> <1> `unknown_role` was not found in `roles.yml` For more information about this command, see the -{ref}/users-command.html[`elasticsearch-users` command]. +<>. -- . If you are authenticating to LDAP, a number of configuration options can cause @@ -95,7 +99,7 @@ scenarios. | _group to role mapping_| Either the `role_mapping.yml` file or the location for this file could be -misconfigured. For more information, see {ref}/security-files.html[Security files]. +misconfigured. For more information, see <>. |_role definition_| @@ -135,7 +139,7 @@ recognizes `role1` as an expected parameter. The solution here is to quote the parameter: `-r "role1,role2"`. For more information about this command, see -{ref}/users-command.html[`elasticsearch-users` command]. +<>. [[trouble-shoot-active-directory]] === Users are frequently locked out of Active Directory @@ -275,7 +279,7 @@ verify that all nodes are using the same setting for `xpack.security.transport.ssl.enabled`. For more information about this setting, see -{ref}/security-settings.html[Security Settings in {es}]. +<>. -- `java.io.StreamCorruptedException: invalid internal transport message format, got`:: 
@@ -287,7 +291,7 @@ connects to a node that has encrypted communication disabled. Please verify that all nodes are using the same setting for `xpack.security.transport.ssl.enabled`. For more information about this setting, see -{ref}/security-settings.html[Security Settings in {es}]. +<>. -- `java.lang.IllegalArgumentException: empty text`:: @@ -303,7 +307,7 @@ xpack.security.http.ssl.enabled: true ---------------- For more information about this setting, see -{ref}/security-settings.html[Security Settings in {es}]. +<>. -- `ERROR: unsupported ciphers [...] were requested but cannot be used in this JVM`:: @@ -406,7 +410,7 @@ module use following Kerberos realm setting: xpack.security.authc.realms..krb.debug: true ---------------- -For detailed information, see {ref}/security-settings.html#ref-kerberos-settings[Kerberos realm settings]. +For detailed information, see <>. Sometimes you may need to go deeper to understand the problem during SPNEGO GSS context negotiation or look at the Kerberos message exchange. To enable @@ -416,7 +420,7 @@ Kerberos/SPNEGO debug logging on JVM, add following JVM system properties: `-Dsun.security.spnego.debug=true` -For more information about JVM system properties, see {ref}/jvm-options.html[configuring JVM options]. +For more information about JVM system properties, see <>. [[trb-security-saml]] === Common SAML issues 
@@ -597,7 +601,7 @@ and the most commonly encountered ones are: . `urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy`: The SAML Identity Provider cannot support releasing a NameID with the requested format. When creating SAML Authentication Requests, {es} sets the NameIDPolicy element of the Authentication request with the appropriate value. This is controlled - by the {ref}/security-settings.html#ref-saml-settings[`nameid_format`] configuration parameter in + by the <> configuration parameter in `elasticsearch.yml`, which if not set defaults to `urn:oasis:names:tc:SAML:2.0:nameid-format:transient`. This instructs the Identity Provider to return a NameID with that specific format in the SAML Response. If the SAML Identity Provider cannot grant that request, for example because it is configured to release a @@ -700,7 +704,7 @@ Otherwise, {kib} cannot connect to {es}. [[trb-security-setup]] === Setup-passwords command fails due to connection failure -The {ref}/setup-passwords.html[elasticsearch-setup-passwords command] sets +The <> sets passwords for the built-in users by sending user management API requests. If your cluster uses SSL/TLS for the HTTP (REST) interface, the command attempts to establish a connection with the HTTPS protocol. If the connection attempt fails, @@ -777,7 +781,7 @@ Alternatively, set the `xpack.security.http.ssl.enabled` setting to `true`. `xpack.security.http.ssl.verification_mode` to `certificate`. For more information about these settings, see -{ref}/security-settings.html[Security Settings in {es}]. +<>. [[trb-security-path]] === Failures due to relocation of the configuration files 
@@ -793,7 +797,7 @@ log that indicate a config file is in a deprecated location. By default, in 6.2 and earlier releases, the security configuration files are located in the `ES_PATH_CONF/x-pack` directory, where `ES_PATH_CONF` is an environment variable that defines the location of the -{ref}/settings.html#config-files-location[config directory]. +<>. In 6.3 and later releases, the config directory no longer contains an `x-pack` directory. The files that were stored in this folder, such as the @@ -807,5 +811,5 @@ deprecated, however, and you should move your files out of that folder. In 6.3 and later releases, settings such as `files.role_mapping` default to `ES_PATH_CONF/role_mapping.yml`. If you do not want to use the default locations, you must update the settings appropriately. See -{ref}/security-settings.html[Security settings in {es}]. +<>.
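Review bot: In the tutorial hunk at @@ -39,7 +39,7, the license reference goes from an in-book cross-reference to an external link, `{stack-ov}/license-management.html[License management]`, which is the opposite direction from every other link this patch touches (`{ref}/...html[...]` to a cross-reference). If that is deliberate because the license management page stays in a different book from the relocated security docs, say so in the commit message. Otherwise, confirm that the page exists at that URL in the branch this lands on.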
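Review bot: In troubleshooting.asciidoc at @@ -22,14 +22,18, the single line "To get help, see <>." is replaced by inlined support text with two hard-coded URLs (`https://support.elastic.co/customers/s/login/` and `https://discuss.elastic.co/`). If the page the old cross-reference pointed to still carries this wording, the two copies will drift, so an include or a shared attribute for the URLs would be safer. The added lines also use a literal "…" and a typographic apostrophe in "we’re", and "Or post in the ..." is a sentence fragment. Plain ASCII punctuation and folding that fragment into the previous sentence would match the rest of the file.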
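Review bot: The link conversions in the tutorial hunks at @@ -8,7 +8,7 and @@ -19,8 +19,8, and in troubleshooting.asciidoc from @@ -76,7 +80,7 through @@ -807,5 +811,5, replace `{ref}/...html[...]` URLs with cross-references that appear here only as `<>`, so neither the anchor ids nor the link text can be checked from this view. A cross-reference resolves only when its target anchor is part of the same book build, so please attach the output of a full docs build showing no unresolved references. Keep explicit link text wherever the sentence depends on it, for example "controlled by the <> configuration parameter" (previously `nameid_format`), "defines the location of the <>" (previously "config directory"), and "see the <>" (previously the `elasticsearch-users` command).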