From ea82503f491bac8ff636eae7d8924ed7f182b198 Mon Sep 17 00:00:00 2001 From: Joe Portner <5295965+jportner@users.noreply.github.com> Date: Tue, 14 Jan 2020 11:38:14 -0500 Subject: [PATCH] Clarify the section on TLS for "Securing the reporting endpoints" (#54741) --- docs/user/security/reporting.asciidoc | 40 +++++++++++++++++---------- 1 file changed, 25 insertions(+), 15 deletions(-) diff --git a/docs/user/security/reporting.asciidoc b/docs/user/security/reporting.asciidoc index c2ed295e83ce9..5f5d85fe8d3be 100644 --- a/docs/user/security/reporting.asciidoc +++ b/docs/user/security/reporting.asciidoc @@ -125,23 +125,33 @@ the {reporting} endpoints to authorized users. This requires that you: . Enable {security} on your {es} cluster. For more information, see {ref}/security-getting-started.html[Getting Started with Security]. -. Configure an SSL certificate for Kibana. For more information, see -<>. -. Configure {watcher} to trust the Kibana server's certificate by adding it to -the {watcher} truststore on each node: -.. Import the {kib} server certificate into the {watcher} truststore using -Java Keytool: +. Configure TLS/SSL encryption for the {kib} server. For more information, see +<>. +. Specify the {kib} server's CA certificate chain in `elasticsearch.yml`: + -[source,shell] ---------------------------------------------------------- -keytool -importcert -keystore watcher-truststore.jks -file server.crt ---------------------------------------------------------- -+ -NOTE: If the truststore doesn't already exist, it is created. +-- +If you are using your own CA to sign the {kib} server certificate, then you need +to specify the CA certificate chain in {es} to properly establish trust in TLS +connections between {watcher} and {kib}. If your CA certificate chain is +contained in a PKCS #12 trust store, specify it like so: + +[source,yaml] +-------------------------------------------------------------------------------- +xpack.http.ssl.truststore.path: "/path/to/your/truststore.p12" +xpack.http.ssl.truststore.type: "PKCS12" +xpack.http.ssl.truststore.password: "optional decryption password" +-------------------------------------------------------------------------------- + +Otherwise, if your CA certificate chain is in PEM format, specify it like so: + +[source,yaml] +-------------------------------------------------------------------------------- +xpack.http.ssl.certificate_authorities: ["/path/to/your/cacert1.pem", "/path/to/your/cacert2.pem"] +-------------------------------------------------------------------------------- + +For more information, see {ref}/notification-settings.html#ssl-notification-settings[the {watcher} HTTP TLS/SSL Settings]. +-- -.. Make sure the `xpack.http.ssl.truststore.path` setting in -`elasticsearch.yml` specifies the location of the {watcher} -truststore. . Add one or more users who have the permissions necessary to use {kib} and {reporting}. For more information, see <>.