From 93e10586b48d0d34f5d5e28ad7dd56332e498397 Mon Sep 17 00:00:00 2001 From: Adam Locke Date: Fri, 15 Oct 2021 15:58:35 -0400 Subject: [PATCH] [7.9] [DOCS] Add deprecation warnings for SSL settings (#79291) --- docs/reference/migration/migrate_7_9.asciidoc | 103 ++++++++++++++++++ 1 file changed, 103 insertions(+) diff --git a/docs/reference/migration/migrate_7_9.asciidoc b/docs/reference/migration/migrate_7_9.asciidoc index 9a189b304fa88..2193af071f477 100644 --- a/docs/reference/migration/migrate_7_9.asciidoc +++ b/docs/reference/migration/migrate_7_9.asciidoc 
@@ -51,6 +51,109 @@ not recreate the built-in templates after deletion. //end::notable-breaking-changes[] //tag::notable-breaking-changes[] +[discrete] +[[breaking_79_tls_changes]] +=== Security changes + +[[tls-ssl-transport-enabled-required]] +.The `xpack.security.transport.ssl.enabled` setting will be required to configure `xpack.security.transport.ssl` settings. +[%collapsible] +==== +*Details* + +Configuring any SSL settings for +`xpack.security.transport.ssl` without also configuring +`xpack.security.transport.ssl.enabled` generates warnings in the deprecation +log. In 8.0, this configuration will result in errors. + +*Impact* + +To avoid deprecation warnings, either: + +* Explicitly set `xpack.security.transport.ssl.enabled` as `false` +* Discontinue use of other `xpack.security.transport.ssl` settings + +If you want to enable SSL, follow the instructions to +{ref}/configuring-tls.html#tls-transport[encrypt communications between nodes]. As part of this configuration, explicitly set +`xpack.security.transport.ssl.enabled` as `true`. + +For example: +[source,yaml] +-------------------------------------------------- +xpack.security.transport.ssl.enabled: true <1> +xpack.security.transport.ssl.keystore.path: elastic-certificates.p12 +xpack.security.transport.ssl.truststore.path: elastic-certificates.p12 +-------------------------------------------------- +<1> or `false`. +==== + +[[tls-ssl-http-enabled-required]] +.The `xpack.security.http.ssl.enabled` setting will be required to configure `xpack.security.http.ssl` settings. +[%collapsible] +==== +*Details* + +Configuring any SSL settings for `xpack.security.http.ssl` without also +configuring `xpack.security.http.ssl.enabled` generates warnings in the +deprecation log. In 8.0, this configuration will result in errors. 
+ +*Impact* + +To avoid deprecation warnings, either: + +* Explicitly set `xpack.security.http.ssl.enabled` as `false` +* Discontinue use of other `xpack.security.http.ssl` settings + +If you want to enable SSL, follow the instructions to +{ref}/configuring-tls.html#tls-http[encrypt HTTP client communications for {es}]. As part +of this configuration, explicitly set `xpack.security.http.ssl.enabled` +as `true`. + +For example: +[source,yaml] +-------------------------------------------------- +xpack.security.http.ssl.enabled: true <1> +xpack.security.http.ssl.certificate: elasticsearch.crt +xpack.security.http.ssl.key: elasticsearch.key +xpack.security.http.ssl.certificate_authorities: [ "corporate-ca.crt" ] +-------------------------------------------------- +<1> or `false`. +==== + +[[tls-ssl-transport-cert-required]] +.A `xpack.security.transport.ssl` certificate and key will be required to enable SSL for the transport interface. +[%collapsible] +==== +*Details* + +Enabling SSL for the transport interface without also configuring a certificate +and key through use of the `xpack.security.transport.ssl.keystore.path` +setting or the `xpack.security.transport.ssl.certificate` and +`xpack.security.transport.ssl.key` settings generates warnings in the +deprecation log. In 8.0, this configuration will result in errors. + +*Impact* + +If `xpack.security.transport.ssl.enabled` is set to `true`, provide a +certificate and key using the `xpack.security.transport.ssl.keystore.path` +setting or the `xpack.security.transport.ssl.certificate` and +`xpack.security.transport.ssl.key` settings. If a certificate and key is not +provided, {es} will generate warnings in the deprecation log. +==== + +[[tls-ssl-http-cert-required]] +.A `xpack.security.http.ssl` certificate and key will be required to enable SSL for the HTTP layer. 
+[%collapsible] +==== +*Details* + +Enabling SSL for the HTTP layer without also configuring a certificate and key +through use of the `xpack.security.http.ssl.keystore.path` setting or +the `xpack.security.http.ssl.certificate` and `xpack.security.http.ssl.key` +settings generates warnings in the deprecation log. In 8.0, this configuration +will result in errors. + +*Impact* + +If `xpack.security.http.ssl.enabled` is set to `true`, provide a +certificate and key using the `xpack.security.http.ssl.keystore.path` +setting or the `xpack.security.http.ssl.certificate` and +`xpack.security.http.ssl.key` settings. If a certificate and key is not +provided, {es} will generate warnings in the deprecation log. +==== + [discrete] [[breaking_79_script_cache_changes]] === Script cache changes
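Review bot: In the `tls-ssl-transport-enabled-required` and `tls-ssl-http-enabled-required` blocks, the first "Impact" bullet and the `<1> or `false`.` callout offer `false` as an equal way to clear the deprecation warning. Neither says that this choice leaves SSL off for that interface, even though the example beside the callout still lists keystore, certificate and key settings. An operator who only wants the warning gone may pick `false` without noticing that node-to-node or HTTP traffic then stays unencrypted. Suggest replacing the callout with wording that states what each value does, for example "Use `true` to enable SSL with the settings below; use `false` only if this interface is intentionally left without SSL", and putting the "If you want to enable SSL" paragraph ahead of the bullet list. Separately, in the `tls-ssl-transport-cert-required` and `tls-ssl-http-cert-required` blocks, the last sentence under "Impact" mentions only deprecation-log warnings and omits the 8.0 error that "Details" states. Repeating the 8.0 consequence there would keep the two paragraphs consistent, and "a certificate and key is not provided" should read "are not provided".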