Add API integration tests for Interactive Setup. (#111879)

.eslintrc.js

@@ -498,6 +498,7 @@ module.exports = {
         'x-pack/plugins/apm/**/*.js',
         'test/*/config.ts',
         'test/*/config_open.ts',
+        'test/*/*.config.ts',
         'test/*/{tests,test_suites,apis,apps}/**/*',
         'test/visual_regression/tests/**/*',
         'x-pack/test/*/{tests,test_suites,apis,apps}/**/*',
@@ -1596,6 +1597,7 @@ module.exports = {
     {
       files: [
         'src/plugins/interactive_setup/**/*.{js,mjs,ts,tsx}',
+        'test/interactive_setup_api_integration/**/*.{js,mjs,ts,tsx}',
         'x-pack/plugins/encrypted_saved_objects/**/*.{js,mjs,ts,tsx}',
         'x-pack/plugins/security/**/*.{js,mjs,ts,tsx}',
         'x-pack/plugins/spaces/**/*.{js,mjs,ts,tsx}',

.github/CODEOWNERS

@@ -244,7 +244,6 @@
 /packages/kbn-std/ @elastic/kibana-core
 /packages/kbn-config/ @elastic/kibana-core
 /packages/kbn-logging/ @elastic/kibana-core
-/packages/kbn-crypto/ @elastic/kibana-core
 /packages/kbn-http-tools/ @elastic/kibana-core
 /src/plugins/saved_objects_management/ @elastic/kibana-core
 /src/dev/run_check_published_api_changes.ts @elastic/kibana-core
@@ -285,9 +284,11 @@
 /packages/kbn-i18n/  @elastic/kibana-localization @elastic/kibana-core
 #CC# /x-pack/plugins/translations/ @elastic/kibana-localization @elastic/kibana-core
 
-# Security
+# Kibana Platform Security
+/packages/kbn-crypto/ @elastic/kibana-security
 /src/core/server/csp/ @elastic/kibana-security @elastic/kibana-core
 /src/plugins/interactive_setup/ @elastic/kibana-security
+/test/interactive_setup_api_integration/ @elastic/kibana-security
 /x-pack/plugins/spaces/ @elastic/kibana-security
 /x-pack/plugins/encrypted_saved_objects/ @elastic/kibana-security
 /x-pack/plugins/security/ @elastic/kibana-security

packages/kbn-dev-utils/certs/README.md

@@ -30,15 +30,17 @@ The password used for both of these is "storepass". Other copies are also provid
 
 [Elasticsearch cert-util](https://www.elastic.co/guide/en/elasticsearch/reference/current/certutil.html) and [OpenSSL](https://www.openssl.org/) were used to generate these certificates. The following commands were used from the root directory of Elasticsearch:
 
+__IMPORTANT:__ CA keystore (ca.p12) is not checked in intentionally, talk to @elastic/kibana-security if you need it to sign new certificates.
+
 ```
 # Generate the PKCS #12 keystore for a CA, valid for 50 years
-bin/elasticsearch-certutil ca -days 18250 --pass castorepass
+bin/elasticsearch-certutil ca --out ca.p12 -days 18250 --pass castorepass
 
 # Generate the PKCS #12 keystore for Elasticsearch and sign it with the CA
-bin/elasticsearch-certutil cert -days 18250 --ca elastic-stack-ca.p12 --ca-pass castorepass --name elasticsearch --dns localhost --pass storepass
+bin/elasticsearch-certutil cert --out elasticsearch.p12 -days 18250 --ca ca.p12 --ca-pass castorepass --name elasticsearch --dns localhost --pass storepass
 
 # Generate the PKCS #12 keystore for Kibana and sign it with the CA
-bin/elasticsearch-certutil cert -days 18250 --ca elastic-stack-ca.p12 --ca-pass castorepass --name kibana --dns localhost --pass storepass
+bin/elasticsearch-certutil cert --out kibana.p12 -days 18250 --ca ca.p12 --ca-pass castorepass --name kibana --dns localhost --pass storepass
 
 # Copy the PKCS #12 keystore for Elasticsearch with an empty password
 openssl pkcs12 -in elasticsearch.p12 -nodes -passin pass:"storepass" -passout pass:"" | openssl pkcs12 -export -out elasticsearch_emptypassword.p12 -passout pass:""

packages/kbn-dev-utils/certs/ca.crt

@@ -1,29 +1,29 @@
 Bag Attributes
     friendlyName: elasticsearch
-    localKeyID: 54 69 6D 65 20 31 35 37 37 34 36 36 31 39 38 30 33 37 
+    localKeyID: 54 69 6D 65 20 31 36 33 34 31 32 30 31 35 32 31 39 33
 Key Attributes: <No Attributes>
 Bag Attributes
     friendlyName: ca
     2.16.840.1.113894.746875.1.1: <Unsupported tag 6>
-subject=/CN=Elastic Certificate Tool Autogenerated CA
+subject=CN = Elastic Certificate Tool Autogenerated CA
-issuer=/CN=Elastic Certificate Tool Autogenerated CA
+issuer=CN = Elastic Certificate Tool Autogenerated CA
 -----BEGIN CERTIFICATE-----
-MIIDSzCCAjOgAwIBAgIUW0brhEtYK3tUBYlXnUa+AMmAX6kwDQYJKoZIhvcNAQEL
+MIIDTDCCAjSgAwIBAgIVAJUW7Ky1rVeyYxsS1dGcF3HZpknsMA0GCSqGSIb3DQEB
-BQAwNDEyMDAGA1UEAxMpRWxhc3RpYyBDZXJ0aWZpY2F0ZSBUb29sIEF1dG9nZW5l
+CwUAMDQxMjAwBgNVBAMTKUVsYXN0aWMgQ2VydGlmaWNhdGUgVG9vbCBBdXRvZ2Vu
-cmF0ZWQgQ0EwIBcNMTkxMjI3MTcwMjMyWhgPMjA2OTEyMTQxNzAyMzJaMDQxMjAw
+ZXJhdGVkIENBMCAXDTIxMTAxMzEwMTU0MVoYDzIwNzExMDAxMTAxNTQxWjA0MTIw
-BgNVBAMTKUVsYXN0aWMgQ2VydGlmaWNhdGUgVG9vbCBBdXRvZ2VuZXJhdGVkIENB
+MAYDVQQDEylFbGFzdGljIENlcnRpZmljYXRlIFRvb2wgQXV0b2dlbmVyYXRlZCBD
-MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAplO5m5Xy8xERyA0/G5SM
+QTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALSQK7Q/wBblLXhD8WZc
-Nu2QXkfS+m7ZTFjSmtwqX7BI1I6ISI4Yw8QxzcIgSbEGlSqb7baeT+A/1JQj0gZN
+HO0mwEOILBVRCY2wcSLaibfzxvX/EhX7mAbozrCgj0hOTFZldzoSHURZmLUntONF
-KOnKbazl+ujVRJpsfpt5iUsnQyVPheGekcHkB+9WkZPgZ1oGRENr/4Eb1VImQf+Y
+vUxWyR3ulAXuCfpvxoh7+WJWWvk0m8iI5GzwYjCYoRDRgLrzPlNSRd6CuW4z5vXC
-yo/FUj8X939tYW0fficAqYKv8/4NWpBUbeop8wsBtkz738QKlmPkMwC4FbuF2/bN
+sT7MjE69iAEmXR6bdV6GvQ3kBVUJVCz23QbXLCl4gzWAWsfXuNx1+ZjJXeM/eEkH
-vNuzQuRbGMVmPeyivZJRfDAMKExoXjCCLmbShdg4dUHsUjVeWQZ6s4vbims+8qF9
+dQbmBoG6jKJtnSlXjG/s2aSi/Jv/GoHJJT7YQXSvWFpklu3Dk9c+FacQoz95HZD1
-b4bseayScQNNU3hc5mkfhEhSM0KB0lDpSvoCxuXvXzb6bOk7xIdYo+O4vHUhvSkQ
+qbaruKq1SjIG6Leht3DNpNT7n5q1EQeZ5uhhWMAI81vRgAZYZxwGJQF19Qgz13D6
-mwIDAQABo1MwUTAdBgNVHQ4EFgQUGu0mDnvDRnBdNBG8DxwPdWArB0kwHwYDVR0j
+de8CAwEAAaNTMFEwHQYDVR0OBBYEFDBMKsCOW9DGKTccGhyfU8NS6d6eMB8GA1Ud
-BBgwFoAUGu0mDnvDRnBdNBG8DxwPdWArB0kwDwYDVR0TAQH/BAUwAwEB/zANBgkq
+IwQYMBaAFDBMKsCOW9DGKTccGhyfU8NS6d6eMA8GA1UdEwEB/wQFMAMBAf8wDQYJ
-hkiG9w0BAQsFAAOCAQEASv/FYOwWGnQreH8ulcVupGeZj25dIjZiuKfJmslH8QN/
+KoZIhvcNAQELBQADggEBABf0ZznDu2m9IVn7ThLPb5UJU/rZiTkRyP6cqPFFtSww
-pVCIzAxNZjGjCpKxbJoCu5U9USaBylbhigeBJEq4wmYTs/WPu4uYMgDj0MILuHin
+TiZ0+AS5phGFV8f/znC/scU2u57EAl8DWSalJZTXJMekboFpfXJME/BK66I6wdSi
-RQqgEVG0uADGEgH2nnk8DeY8gQvGpJRQGlXNK8pb+pCsy6F8k/svGOeBND9osHfU
+TfL99HjYR6LYyjvkXhoIBhR1eCw1zwm8IGzRV++/zY5ksYb5GQ9smFr3TNgqgdsv
-CVEo5nXjfq6JCFt6hPx7kl4h3/j3C4wNy/Dv/QINdpPsl6CnF17Q9R9d60WFv42/
+GnPJgytVc/sYXuc1l7MS8j1Q+JLhpIymDKCJ2CB+x2p2oMYqJmFstc8I0z6vZtiM
-pkl7W1hszCG9foNJOJabuWfVoPkvKQjoCvPitZt/hCaFZAW49PmAVhK+DAohQ91l
+zeyy07qK71uOfD5F1HHw/rv738yrlq7NwAH9fc3/0fPueyjTHSQtKiSBfc0phEMz
-TZhDmYqHoXNiRDQiUT68OS7RlfKgNpr/vMTZXDxpmw==
+TV7Px45EUVFhn9YgIHGBSKPkA5QCC3bPNb6iYGREDcU=
 -----END CERTIFICATE-----

packages/kbn-dev-utils/certs/elasticsearch.crt

@@ -1,29 +1,29 @@
 Bag Attributes
     friendlyName: elasticsearch
-    localKeyID: 54 69 6D 65 20 31 35 37 37 34 36 36 31 39 38 30 33 37 
+    localKeyID: 54 69 6D 65 20 31 36 33 34 31 32 30 31 35 32 31 39 33
 Key Attributes: <No Attributes>
 Bag Attributes
     friendlyName: elasticsearch
-    localKeyID: 54 69 6D 65 20 31 35 37 37 34 36 36 31 39 38 30 33 37 
+    localKeyID: 54 69 6D 65 20 31 36 33 34 31 32 30 31 35 32 31 39 33
-subject=/CN=elasticsearch
+subject=CN = elasticsearch
-issuer=/CN=Elastic Certificate Tool Autogenerated CA
+issuer=CN = Elastic Certificate Tool Autogenerated CA
 -----BEGIN CERTIFICATE-----
-MIIDQDCCAiigAwIBAgIVAI93OQE6tZffPyzenSg3ljE3JJBzMA0GCSqGSIb3DQEB
+MIIDPzCCAiegAwIBAgIUCTO1pAvYtfaJndsQwa9cS/AtoSowDQYJKoZIhvcNAQEL
-CwUAMDQxMjAwBgNVBAMTKUVsYXN0aWMgQ2VydGlmaWNhdGUgVG9vbCBBdXRvZ2Vu
+BQAwNDEyMDAGA1UEAxMpRWxhc3RpYyBDZXJ0aWZpY2F0ZSBUb29sIEF1dG9nZW5l
-ZXJhdGVkIENBMCAXDTE5MTIyNzE3MDMxN1oYDzIwNjkxMjE0MTcwMzE3WjAYMRYw
+cmF0ZWQgQ0EwIBcNMjExMDEzMTAxNTUyWhgPMjA3MTEwMDExMDE1NTJaMBgxFjAU
-FAYDVQQDEw1lbGFzdGljc2VhcmNoMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
+BgNVBAMTDWVsYXN0aWNzZWFyY2gwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
-CgKCAQEA2EkPfvE3ZNMjHCAQZhpImoXBCIN6KavvJSbVHRtLzAXB4wxige+vFQWb
+AoIBAQCJK4KLS0kSIM+eqdMq4nO1p7nQ7ADUXIYjeRKaCycSJ7sj//1FRdj2NhLb
-4umqPeEeVH7FvrsRqn24tUgGIkag9p9AOwYxfcT3vwNqcK/EztIlYFs72pmYg7Ez
+gdSX2VGIUZyOw4ptw6bGo0A7KyFE4yJZdG9m+VC1PFck3WaIdQHFdxgMia9deIHx
-s6+qLc/YSLOT3aMoHKDHE93z1jYIDGccyjGbv9NsdgCbLHD0TQuqm+7pKy1MZoJm
+sU1ETnC4PstdkrsZZpf5+twS6O9TaIQolG6nEShst075v2b3y0NDHcxKW+BtSw27
-0qn4KYw4kXakVNWlxm5GIwr8uqU/w4phrikcOOWqRzsxByoQajypLOA4eD/uWnI2
+HEHlchhP/Uj4haVMABQahfP8gv5vlHqStuOOWeoSgwF5FngCekx+ZeoIf5wVWfE1
-zGyPQy7Bkxojiy1ss0CVlrl8fJgcjC4PONpm1ibUSX3SoZ8PopPThR6gvvwoQolR
+SzDlU7L/JdYOrAp+kN+2g+b4qcr+WvFNCEwbhjJjd9/VIJ5z9kIjJhG9z1NilPhR
-rYu4+D+rsX7q/ldA6vBOiHBD8r4QoQIDAQABo2MwYTAdBgNVHQ4EFgQUSlIMCYYd
+RVPG4njS6PxTufejbWN/360HfZbZAgMBAAGjYzBhMB0GA1UdDgQWBBR0kfoZtlNi
-e72A0rUqaCkjVPkGPIwwHwYDVR0jBBgwFoAUGu0mDnvDRnBdNBG8DxwPdWArB0kw
+ZKxVBPhhpipoXdTQMjAfBgNVHSMEGDAWgBQwTCrAjlvQxik3HBocn1PDUunenjAU
-FAYDVR0RBA0wC4IJbG9jYWxob3N0MAkGA1UdEwQCMAAwDQYJKoZIhvcNAQELBQAD
+BgNVHREEDTALgglsb2NhbGhvc3QwCQYDVR0TBAIwADANBgkqhkiG9w0BAQsFAAOC
-ggEBAImbzBVAEjiLRsNDLP7QAl0k7lVmfQRFz5G95ZTAUSUgbqqymDvry47yInFF
+AQEAkNcEM6mBzCdECFtuor3lfxrXzmrIo3wUspbv6Rrm4+n6TwJIYp6ydf4OcruR
-3o12TuI1GxK5zHzi+qzpJLyrnGwGK5JBR+VGxIBBKFVcFh1WNGKV6kSO/zBzO7PO
+Uv5feevaYXwDRHBkIEGvhU5po6sGp6k7ppXS5bgrEtAhJSK8SOsLINnbJLnptmZQ
-4Jw4G7By/ImWvS0RBhBUQ9XbQZN3WcVkVVV8UQw5Y7JoKtM+fzyEKXKRCTsvgH+h
+Jharcks5STEqfJFB2QBZvFSLLpvO9g/N8sMro6ZvaUXhfW9DNpd6GIUXQiMhKLex
-3+fUBgqwal2Mz4KPH57Jrtk209dtn7tnQxHTNLo0niHyEcfrpuG3YFqTwekr+5FF
+t80Sb4zuahTRqUSi2j5Hoq8ouc7U9T/RmA3zXNmzq7YvL/gv2it67qdyKvpzoX7t
-FniIcYHPGjag1WzLIdyhe88FFpuav19mlCaxBACc7t97v+euSVUWnsKpy4dLydpv
+HJaT1HU0o5Xi/Ol33C/wvfRe05UrHEUil148n/XWz3EJky7El2LYbg36/++mVTHX
-NxJiI9eWbJZ7f5VM7o64pm7U1cU=
+xUXS+FdZ1rBlGnGwOHTPHj5FMQ==
 -----END CERTIFICATE-----

packages/kbn-dev-utils/certs/elasticsearch.key

@@ -1,27 +1,27 @@
 -----BEGIN RSA PRIVATE KEY-----
-MIIEogIBAAKCAQEA2EkPfvE3ZNMjHCAQZhpImoXBCIN6KavvJSbVHRtLzAXB4wxi
+MIIEowIBAAKCAQEAiSuCi0tJEiDPnqnTKuJztae50OwA1FyGI3kSmgsnEie7I//9
-ge+vFQWb4umqPeEeVH7FvrsRqn24tUgGIkag9p9AOwYxfcT3vwNqcK/EztIlYFs7
+RUXY9jYS24HUl9lRiFGcjsOKbcOmxqNAOyshROMiWXRvZvlQtTxXJN1miHUBxXcY
-2pmYg7Ezs6+qLc/YSLOT3aMoHKDHE93z1jYIDGccyjGbv9NsdgCbLHD0TQuqm+7p
+DImvXXiB8bFNRE5wuD7LXZK7GWaX+frcEujvU2iEKJRupxEobLdO+b9m98tDQx3M
-Ky1MZoJm0qn4KYw4kXakVNWlxm5GIwr8uqU/w4phrikcOOWqRzsxByoQajypLOA4
+SlvgbUsNuxxB5XIYT/1I+IWlTAAUGoXz/IL+b5R6krbjjlnqEoMBeRZ4AnpMfmXq
-eD/uWnI2zGyPQy7Bkxojiy1ss0CVlrl8fJgcjC4PONpm1ibUSX3SoZ8PopPThR6g
+CH+cFVnxNUsw5VOy/yXWDqwKfpDftoPm+KnK/lrxTQhMG4YyY3ff1SCec/ZCIyYR
-vvwoQolRrYu4+D+rsX7q/ldA6vBOiHBD8r4QoQIDAQABAoIBAB+s44YV0aUEfvnZ
+vc9TYpT4UUVTxuJ40uj8U7n3o21jf9+tB32W2QIDAQABAoIBAAdC/+q65hfpF8S5
-gE1TwBpRSGn0x2le8tEgFMoEe19P4Itd/vdEoQGVJrVevz38wDJjtpYuU3ICo5B5
+Dd5X1bNYuUwXqmWTrmBDYRo5m+xooQ4jV7eqnnVOYIoxYd1WGmxikay3KmVsNbCP
-EdznNx+nRwLd71WaCSaCW45RT6Nyh2LLOcLUB9ARnZ7NNUEsVWKgWiF1iaRXr5Ar
+ZO+c9WptsdxVfy5O5ZhqpNxlQi/YLetTxjins1p57jsq3UHP+0StwltmULRkC4im
-S1Ct7RPT7hV2mnbHgfTuNcuWZ1D5BUcqNczNoHsV6guFChiwTr7ZObnKj4qJLwdu
+4K65mS3ruw9g6Ei87kxvGeW73coha0syjORYGcFUynX/DfLi5svUjtSyVUQ1KCiU
-ioYYWno4ZLgsk4SfW6DXUCvfKROfYdDd2rGu0NQ4QxT3Q98AsXlrlUITBQbpQEgy
+KYc0q+SzsgXd71Ngr/HZR4ncCoACW3q/pLp0AUvDY0wZMkACOav2m9D2AnRPbPrA
-5GSTEh/4sRYj4NQZqncDpPgXm22kYdU7voBjt/zu66oq1W6kKQ4JwPmyc2SI0haa
++/n7LlrD0+LDScZx5nwO3ToFZuTDUXt3G0UWRaQfqiAZxNs2oeOc2gKegEJnPKIo
-/pyCMtkCgYEA/y3vs59RvrM6xpT77lf7WigSBbIBQxeKs9RGNoN0Nn/eR0MlQAUG
+/BLN/D8CgYEAvMmtcZyrw8vifpP32erSBx2+wftt2JA9GdtZlOxu/kbWH7DAZ75g
-SmCkkEOcUGuVMnoo5Kc73IP/Q1+O4UGg7f1Gs8KeFPFQMm/wcSL7obvRWray1Bw6
+YUT0nkcIRrvAS5FCVpOIENZit0RIvA5gM08Brko2mBIRQAbMWmu+c7RUBIa2xVDF
-ohITJPqZYZrw3hmkOMxkLpvUydivN1Unm7BezjOa+T/+OaV3PyAYufsCgYEA2Psb
+kjputhlWTT7xY03VbJThqUG4oK+zJJSb/RfRM4x2dRYskb7MEwqZFzcCgYEAugFT
-S8OQhFiVbOKlMYOebvG+AnhAzJiSVus9R9NcViv20E61PRj2rfA398pYpZ8nxaQp
+t/0Lj+OXR+2pcjPk5VmxjCv4xohNOaX4YZ4/rK4H+gi9iyx232zE/1Dtz5SB4+uw
-cWGy+POZbkxRCprZ1GHkwWjaQysgeOCbJv8nQ2oh5C0ZCaGw6lfmi2mN097+Prmx
+6hx7Aw3r5U9h1fauT60rSrydChEpFqcfpNQca7HncbF2DDdtEX+ZBkBDZ/U3LJ6Y
-QE8j8OKj3wVI6bniCF7vzwfG3c5cU73elLTAWRMCgYBoA/eDRlvx2ekJbU1MGDzy
+pI4o0vCLmiqZYbQ/+4v2f2/5ZqrzyMKLJ3zeqm8CgYAfCHP3ag6eJ+S6c+5ZJw2R
-wQann6l4Ca6WIt8D9Y13caPPdIVIlUO9KauqyoR7G39TdgwZODnkZ0Gz2s3I8BGD
+V+Vkk8URxVwV5QXLwjXYnKJUIUTviM7lDmW7oueMYQ6SHXWvL589TVB62cGvEBnm
-MQyS1a/OZZcFGC/wTgw4HvD1gydd4qvbyHZZSnUfHiM0xUr1hAsKHKceJ980NNfS
+NUWMdeyVgNrPEI8FChMLiAgLmm1u8AEaMXrDelTCa+dYMJI1wB98KC6GU3t6NueR
-VJAwiUSQeQ9NvC7hYlnx5QKBgDxESsmZcRuBa0eKEC4Xi7rvBEK1WfI58nOX9TZs
+ahnchGlwg82dw6ReOO7DbwKBgGe5Sbg2EfaBUeE4dN9MdP44kDu8YZREedwF44Z8
-+3mnzm7/XZGxzFp1nWYC2uptsWNQ/H3UkBxbtOMQ6XWTmytFYX9i+zSq1uMcJ5wG
+OsHOooAZ06kCeJ+LBifiN1skU3KIAjXq/+XqI3vSUpqAXx/rT1Lz7xaoDyOkuo6u
-RMaRxQYWjJzDP1tnvM4+LDmL93w+oX/mO2pd2PxKAH2CtshybhNH6rGS7swHsboG
+AdNEd+38qfmSBu5VGz5TI8ObCNOG9VP+OmG25gJocvP7EhryJ9lU1d0cw6lWY0b3
-FmLnAoGAYTnTcWD1qiwjbJR5ZdukAjIq39cGcf0YOVJCiaFS+5vTirbw04ARvNyM
+6StdAoGBAKUkfbN7qbB+jiZt/6ArYWQE4PL4pqi+B+84xSrp46e41mmocezKhnsp
-rxU8EpVN1sKC411pgNvlm6KZJHwihRRQoY+UI2fn78bHBH991QhlrTPO6TBZx7Aw
+DxdcuZyg9OXs1xi6AaJtCbelho9bT8jC51GZSFvf887fvGVq7j1TgxWp4mvlqiX7
-+hzyxqAiSBX65dQo0e4C15wZysQO/bdT5Def0+UTDR8j8ZgMAQg=
+tztiggaPXwRZQiThxdJaCIadw26hxdLNOcdGOl/u2m0rudvwybab
 -----END RSA PRIVATE KEY-----

packages/kbn-dev-utils/certs/kibana.crt

@@ -1,29 +1,29 @@
 Bag Attributes
     friendlyName: kibana
-    localKeyID: 54 69 6D 65 20 31 35 37 37 34 36 36 32 32 33 30 33 39 
+    localKeyID: 54 69 6D 65 20 31 36 33 34 31 32 30 31 35 38 38 30 33
 Key Attributes: <No Attributes>
 Bag Attributes
     friendlyName: kibana
-    localKeyID: 54 69 6D 65 20 31 35 37 37 34 36 36 32 32 33 30 33 39 
+    localKeyID: 54 69 6D 65 20 31 36 33 34 31 32 30 31 35 38 38 30 33
-subject=/CN=kibana
+subject=CN = kibana
-issuer=/CN=Elastic Certificate Tool Autogenerated CA
+issuer=CN = Elastic Certificate Tool Autogenerated CA
 -----BEGIN CERTIFICATE-----
-MIIDOTCCAiGgAwIBAgIVANNWkg9lzNiLqNkMFhFKHcXyaZmqMA0GCSqGSIb3DQEB
+MIIDOTCCAiGgAwIBAgIVAN0GVNLw3IaUBuG7t6CeW8w2wyymMA0GCSqGSIb3DQEB
 CwUAMDQxMjAwBgNVBAMTKUVsYXN0aWMgQ2VydGlmaWNhdGUgVG9vbCBBdXRvZ2Vu
-ZXJhdGVkIENBMCAXDTE5MTIyNzE3MDM0MloYDzIwNjkxMjE0MTcwMzQyWjARMQ8w
+ZXJhdGVkIENBMCAXDTIxMTAxMzEwMTU1OFoYDzIwNzExMDAxMTAxNTU4WjARMQ8w
-DQYDVQQDEwZraWJhbmEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCQ
+DQYDVQQDEwZraWJhbmEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC3
-wYYbQtbRBKJ4uNZc2+IgRU+7NNL21ZebQlEIMgK7jAqOMrsW2b5DATz41Fd+GQFU
+nvfL3/26D8EkLso+t9S0m+tSJipLsBWs0dCpc8KRJ/+ijDRnAQ5lOmOAcxt43SNY
-FUYYjwo+PQj6sJHshOJo/gNb32HrydvMI7YPvevkszkuEGCfXxQ3Dw2RTACLgD0Q
+KFr0EntQEZyYaRwMIM8aPR0WYW/VV5o4fq2o/JnmHqzZJRJCwZq+5WiCiDPt012N
-OCkwHvn3TMf0loloV/ePGWaZDYZaXi3a5DdWi/HFFoJysgF0JV2f6XyKhJkGaEfJ
+mRGYCMUxjlEwejue6diLAeQhZ/sfN4jUp217bMEHrhHrNBWTwwJ+Uk5TBQMhviCW
-s9pWX269zH/XQvGNx4BEimJpYB8h4JnDYPFIiQdqj+sl2b+kS1hH9kL5gBAMXjFU
+LKbsKrfluA6DGHWrXN4pH7Xmaf/Zyc9AYL/nxwv3VQHZzIAK/U/WNCgFJJ3qoFYY
-vcNnX+PmyTjyJrGo75k0ku+spBf1bMwuQt3uSmM+TQIXkvFDmS0DOVESrpA5EC1T
+6TUwDDNa30mSj165OOds9N+VmUlDC3IFiHV3osBWscSU4HJd6QJ8huHrFLLV4y4i
-BUGRz6o/I88Xx4Mud771AgMBAAGjYzBhMB0GA1UdDgQWBBQLB1Eo23M3Ss8MsFaz
+u62el47Qr+/8Ut3SzeIXAgMBAAGjYzBhMB0GA1UdDgQWBBQli5f2bYL9jKUA5Uxp
-V+Twcb3PmDAfBgNVHSMEGDAWgBQa7SYOe8NGcF00EbwPHA91YCsHSTAUBgNVHREE
+yRRHeCoPJzAfBgNVHSMEGDAWgBQwTCrAjlvQxik3HBocn1PDUunenjAUBgNVHREE
-DTALgglsb2NhbGhvc3QwCQYDVR0TBAIwADANBgkqhkiG9w0BAQsFAAOCAQEAnEl/
+DTALgglsb2NhbGhvc3QwCQYDVR0TBAIwADANBgkqhkiG9w0BAQsFAAOCAQEATFNj
-z5IElIjvkK4AgMPrNcRlvIGDt2orEik7b6Jsq6/RiJQ7cSsYTZf7xbqyxNsUOTxv
+WkTBPfgflGYZD4OsYvfT/rVjFKbJP/u1a0rkzNamA2QKNzI9JTOzONPTyRhe9yVS
-+frj47MEN448H2nRvUxH29YR3XygV5aEwADSAhwaQWn0QfWTCZbJTmSoNEDtDOzX
+zeO8X2rtN63l38dtgMjFQ15Xxnp7GFT7GkXfa1JR+tGSGTgVld8nLUzig+mNmBoR
-TGDlAoCD9s9Xz9S1JpxY4H+WWRZrBSDM6SC1c6CzuEeZRuScNAjYD5mh2v6fOlSy
+nE4cNc0JJ1PsXPzfPgJ6WMp2WOoNUrQf2cm42i36Jk+7KGcosfyFMPQILZE34Geo
-b8xJWSg0AFlJPCa3ZsA2SKbNqI0uNfJTnkXRm88Z2NHcgtlADbOLKauWfCrpgsCk
+DAgCVpNWPgST4HYBUCHMC7S14LHLVdUXPsfGZPEqU5Zf9Hvy61rQC/RdNjnMI6JD
-cZgo6yAYkOM148h/8wGla1eX+iE1R72NUABGydu8MSQKvc0emWJkGsC1/KqPlf/O
+s57l9oHASNeEg55NQm01aOmwq/z1DXs3UP2nRmp6XCCfE61ghofO5dtV1j3cZ3f5
-eOUsdwn1yDKHRxDHyA==
+dzkzSBV7H6+/MD3Y8Q==
 -----END CERTIFICATE-----

packages/kbn-dev-utils/certs/kibana.key

@@ -1,27 +1,27 @@
 -----BEGIN RSA PRIVATE KEY-----
-MIIEowIBAAKCAQEAkMGGG0LW0QSieLjWXNviIEVPuzTS9tWXm0JRCDICu4wKjjK7
+MIIEpQIBAAKCAQEAt573y9/9ug/BJC7KPrfUtJvrUiYqS7AVrNHQqXPCkSf/oow0
-Ftm+QwE8+NRXfhkBVBVGGI8KPj0I+rCR7ITiaP4DW99h68nbzCO2D73r5LM5LhBg
+ZwEOZTpjgHMbeN0jWCha9BJ7UBGcmGkcDCDPGj0dFmFv1VeaOH6tqPyZ5h6s2SUS
-n18UNw8NkUwAi4A9EDgpMB7590zH9JaJaFf3jxlmmQ2GWl4t2uQ3VovxxRaCcrIB
+QsGavuVogogz7dNdjZkRmAjFMY5RMHo7nunYiwHkIWf7HzeI1Kdte2zBB64R6zQV
-dCVdn+l8ioSZBmhHybPaVl9uvcx/10LxjceARIpiaWAfIeCZw2DxSIkHao/rJdm/
+k8MCflJOUwUDIb4gliym7Cq35bgOgxh1q1zeKR+15mn/2cnPQGC/58cL91UB2cyA
-pEtYR/ZC+YAQDF4xVL3DZ1/j5sk48iaxqO+ZNJLvrKQX9WzMLkLd7kpjPk0CF5Lx
+Cv1P1jQoBSSd6qBWGOk1MAwzWt9Jko9euTjnbPTflZlJQwtyBYh1d6LAVrHElOBy
-Q5ktAzlREq6QORAtUwVBkc+qPyPPF8eDLne+9QIDAQABAoIBAHl9suxWYKz00te3
+XekCfIbh6xSy1eMuIrutnpeO0K/v/FLd0s3iFwIDAQABAoIBAAKgqzzHI/Xdfi7l
-alJtSZAEHDLm1tjL034/XnseXiTCGGnYMiWvgnwCIgZFUVlH61GCuV4LT3GFEHA2
+iS5e6hPQPAytECOMza/vQV7+EZWLLtIlfdB63Y5e8107XclxJ1gpHQLAyvPz3zui
-mYKE1PGBn5gQF8MpnAvtPPRhVgaQVUFQBYg86F59h8mWnC545sciG4+DsA/apUem
+cWzOVrhc5zAn98uOmTM1bjMXXkptO52l3/4wOrsq7upt8YmgjIZXX5Q/N+HZfq7v
-wJSOn/u+Odni/AwEV0ALolZFBhl+0rccSr+6paJnzJ7QNiIn6EWbgb0n9WXqkhap
+aNqsJQBO6B6pmBiJGROrS6/y9/Yt+3jDolgtI6fifYZcMXACoal++BAXbiHYPoff
-TqoPclBHm0ObeBI6lNyfvBZ8HB3hyjWZInNCaAs9DnkNPh4evuttUn/KlOPOVn9r
++nG5lHrAdQoEfNACNnGFlq2O85EWmr3qxUsZV8TblOirAuaUFk5KhhDvTOfTknHY
-xz2UYsmVW6E+yPXUpSYkFQN9aaPF6alOz8PIfF8Wit7pmZMmInluGcwi/us9+ZTN
+pW8Z4ttD26+QITyUbI56flgLOfe57y0u4XsOPtWQWEteIBxBFsB9MMj4B8XYdiO/
-8gNvpoECgYEA0KC7XEoXRsBTN4kPznkGftvj1dtgB35W/HxXNouArQQjCbLhqcsA
+hma1jSUCgYEA14H/6vtzM42INgphoj0lHFVL8N0DnuUquR77vQStTO2sDvMQrVTk
-jqaK0f+stYzSWZXGsKl9yQU9KA7u/wCHmLep70l7WsYYUKdkhWouK0HU5MeeLwB0
+BKpy5iYmokHPjY7qV7C37/tQVKdQpUz9Lr0ylwinHwX1KasJkYEJGv++Z59sKH+C
-N4ekQOQuQGqelqMo7IG2hQhTYD9PB4F3G0Sz1FgdObfuGPKfvNFVjckCgYEAsaAA
+CZX9lZjfTqPpuEonGgPruc8LOXaaM/+g3Nvs7M4S339gnjCZExNzpLsCgYEA2h8z
-IY/TpRBWeWZfyXrnkp3atOPzkdpjb6cfT8Kib9bIECXr7ULUxA5QANX05ofodhsW
+OhHJpOWOy004HHVjpkWHKTxgZ9xfMLCKjMi1m5sCJ2PCdkd4+wTtkY+u7+iFF1cp
-3+7iW5wicyZ1VNVEsPRL0aw7YUbNpBvob8faBUZ2KEdKQr42IfVOo7TQnvVXtumR
+5CVSvZC6fS0rk11ygXix1ZP7cDJj1y4mxvbzWOtPxvZc882Xv0RDXAQBLXgHW6YE
-UE+dNvWUL2PbL0wMxD1XbMSmOze/wF8X2CeyDc0CgYBQnLqol2xVBz1gaRJ1emgb
+RqvdMczfAx0mbUNke4Umwa5PngSWQAqCYkXNkFUCgYEAhEAY5wEsLyTZxCAWzlMr
-HoXzfVemrZeY6cadKdwnfkC3n6n4fJsTg6CCMiOe5vHkca4bVvJmeSK/Vr3cRG0g
+pPmLQuK+yBHmZ/hlkBeAqkboYbw0Lcp8q4hWPnqHFufAEST1Fp8yIaleILUUvnxC
-gl8kOaVzVrXQfE2oC3YZes9zMvqZOLivODcsZ77DXy82D4dhk2FeF/B3cR7tTIYk
+mx4sH5eFx3oGe22kz5AaIGF1XW3uF+Q3zt4m4lkQINhiI2AOIt7pF/vA7aCk/OgQ
-QDCoLP/l7H8QnrdAMza2mQKBgDODwuX475ncviehUEB/26+DBo4V2ms/mj0kjAk2
+tbiY6rGDz3gBuNIl/hjfzOUCgYEAy1rDO6RRxnZuhoPbiEy5Ns8jkAJGLw55gL9W
-2qNy+DzuspjyHADsYbmMU+WUHxA51Q2HG7ET/E3HJpo+7BgiEecye1pADZ391hCt
+rKKDDiuZ+nc7WWKRHBYgFtFKW0kArB4LZDSXyzwfYYy3T5CTrLmFsoVgqd2Qz5Cr
-Nob3I4eU/W2T+uEoYvFJnIOthg3veYyAOolY+ewwmr4B4WX8oGFUOx3Lklo5ehHf
+flvFzGS139zYFETc8OkHk8X4AxggZAWHfwvEESXb1N9ccAmgqLgexftpJv1HxzUF
-mV01AoGBAI/c6OoHdcqQsZxKlxDNLyB2bTbowAcccoZIOjkC5fkkbsmMDLfScBfW
+EfHaEHECgYEArtWvtUdvRQ20r/X/g+mNyUhbYOy15pAgswLK4gIi8rmQPxR08spl
-Q4YYJsmJBdrWNvo7jCl17Mcc4Is3RlmHDrItRkaZj+ehqAN3ejrnPLdgYeW/5XDK
+uJJ/cl4fGxG95dl/OV+lNdwl4UcvjATdreEMKvG4X4Cxd+42SUf40M6pGxXoyYz+
-e7yBj7oJd4oKZc59jVytdHvo5R8K0QohAv9gQEZ/tdypX+xWe+5E
+i4WujBaEqBBqjKmYNJVgY7EvqF+VYLBVFZYB1zQhdNPcoPgIH/97vvI=
 -----END RSA PRIVATE KEY-----

packages/kbn-es/src/cluster.js

@@ -257,9 +257,13 @@ exports.Cluster = class Cluster {
     // Add to esArgs if ssl is enabled
     if (this._ssl) {
       esArgs.push('xpack.security.http.ssl.enabled=true');
-      esArgs.push(`xpack.security.http.ssl.keystore.path=${ES_P12_PATH}`);
+
-      esArgs.push(`xpack.security.http.ssl.keystore.type=PKCS12`);
+      // Include default keystore settings only if keystore isn't configured.
-      esArgs.push(`xpack.security.http.ssl.keystore.password=${ES_P12_PASSWORD}`);
+      if (!esArgs.some((arg) => arg.startsWith('xpack.security.http.ssl.keystore'))) {
+        esArgs.push(`xpack.security.http.ssl.keystore.path=${ES_P12_PATH}`);
+        esArgs.push(`xpack.security.http.ssl.keystore.type=PKCS12`);
+        esArgs.push(`xpack.security.http.ssl.keystore.password=${ES_P12_PASSWORD}`);
+      }
     }
 
     const args = parseSettings(extractConfigFiles(esArgs, installPath, { log: this._log }), {

packages/kbn-es/src/utils/native_realm.js

@@ -13,15 +13,12 @@ const { log: defaultLog } = require('./log');
 
 exports.NativeRealm = class NativeRealm {
   constructor({ elasticPassword, port, log = defaultLog, ssl = false, caCert }) {
-    this._client = new Client({
+    const auth = { username: 'elastic', password: elasticPassword };
-      node: `${ssl ? 'https' : 'http'}://elastic:${elasticPassword}@localhost:${port}`,
+    this._client = new Client(
-      ssl: ssl
+      ssl
-        ? {
+        ? { node: `https://localhost:${port}`, ssl: { ca: caCert, rejectUnauthorized: true }, auth }
-            ca: caCert,
+        : { node: `http://localhost:${port}`, auth }
-            rejectUnauthorized: true,
+    );
-          }
-        : undefined,
-    });
     this._elasticPassword = elasticPassword;
     this._log = log;
   }

packages/kbn-test/src/functional_tests/tasks.ts

@@ -169,7 +169,7 @@ export async function startServers({ ...options }: StartServerOptions) {
         ...opts,
         extraKbnOpts: [
           ...options.extraKbnOpts,
-          ...(options.installDir ? [] : ['--dev', '--no-dev-config']),
+          ...(options.installDir ? [] : ['--dev', '--no-dev-config', '--no-dev-credentials']),
         ],
       },
     });

packages/kbn-test/src/kbn_client/kbn_client_plugins.ts

@@ -16,6 +16,7 @@ export class KbnClientPlugins {
   public async getEnabledIds() {
     const apiResp = await this.status.get();
 
-    return Object.keys(apiResp.status.plugins);
+    // Status may not be available at the `preboot` stage.
+    return Object.keys(apiResp.status?.plugins ?? {});
   }
 }

scripts/functional_tests.js

@@ -12,6 +12,11 @@ const alwaysImportedTests = [
   require.resolve('../test/plugin_functional/config.ts'),
   require.resolve('../test/ui_capabilities/newsfeed_err/config.ts'),
   require.resolve('../test/new_visualize_flow/config.ts'),
+  require.resolve('../test/interactive_setup_api_integration/enrollment_flow.config.ts'),
+  require.resolve('../test/interactive_setup_api_integration/manual_configuration_flow.config.ts'),
+  require.resolve(
+    '../test/interactive_setup_api_integration/manual_configuration_flow_without_tls.config.ts'
+  ),
 ];
 // eslint-disable-next-line no-restricted-syntax
 const onlyNotInCoverageTests = [

src/cli/serve/serve.js

@@ -67,7 +67,7 @@ function applyConfigOverrides(rawConfig, opts, extraCliOptions) {
   delete extraCliOptions.env;
 
   if (opts.dev) {
-    if (!has('elasticsearch.serviceAccountToken')) {
+    if (!has('elasticsearch.serviceAccountToken') && opts.devCredentials !== false) {
       if (!has('elasticsearch.username')) {
         set('elasticsearch.username', 'kibana_system');
       }
@@ -191,7 +191,11 @@ export default function (program) {
       .option('--no-watch', 'Prevents automatic restarts of the server in --dev mode')
       .option('--no-optimizer', 'Disable the kbn/optimizer completely')
       .option('--no-cache', 'Disable the kbn/optimizer cache')
-      .option('--no-dev-config', 'Prevents loading the kibana.dev.yml file in --dev mode');
+      .option('--no-dev-config', 'Prevents loading the kibana.dev.yml file in --dev mode')
+      .option(
+        '--no-dev-credentials',
+        'Prevents setting default values for `elasticsearch.username` and `elasticsearch.password` in --dev mode'
+      );
   }
 
   command.action(async function (opts) {

src/plugins/interactive_setup/server/plugin.ts

@@ -67,8 +67,13 @@ export class InteractiveSetupPlugin implements PrebootPlugin {
       core.elasticsearch.config.hosts.length === 1 &&
       DEFAULT_ELASTICSEARCH_HOSTS.includes(core.elasticsearch.config.hosts[0]);
     if (!shouldActiveSetupMode) {
+      const reason = core.elasticsearch.config.credentialsSpecified
+        ? 'Kibana system user credentials are specified'
+        : core.elasticsearch.config.hosts.length > 1
+        ? 'more than one Elasticsearch host is specified'
+        : 'non-default Elasticsearch host is used';
       this.#logger.debug(
-        'Interactive setup mode will not be activated since Elasticsearch connection is already configured.'
+        `Interactive setup mode will not be activated since Elasticsearch connection is already configured: ${reason}.`
       );
       return;
     }

test/interactive_setup_api_integration/enrollment_flow.config.ts

@@ -0,0 +1,54 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0 and the Server Side Public License, v 1; you may not use this file except
+ * in compliance with, at your election, the Elastic License 2.0 or the Server
+ * Side Public License, v 1.
+ */
+
+import fs from 'fs/promises';
+import { join, resolve } from 'path';
+
+import type { FtrConfigProviderContext } from '@kbn/test';
+import { getDataPath } from '@kbn/utils';
+
+export default async function ({ readConfigFile }: FtrConfigProviderContext) {
+  const manualConfigurationFlowTestsConfig = await readConfigFile(
+    require.resolve('./manual_configuration_flow.config.ts')
+  );
+
+  const tempKibanaYamlFile = join(getDataPath(), `interactive_setup_kibana_${Date.now()}.yml`);
+  await fs.writeFile(tempKibanaYamlFile, '');
+
+  const caPath = resolve(__dirname, './fixtures/elasticsearch.p12');
+
+  return {
+    ...manualConfigurationFlowTestsConfig.getAll(),
+
+    testFiles: [require.resolve('./tests/enrollment_flow')],
+
+    junit: {
+      reportName: 'Interactive Setup API Integration Tests (Enrollment flow)',
+    },
+
+    esTestCluster: {
+      ...manualConfigurationFlowTestsConfig.get('esTestCluster'),
+      serverArgs: [
+        ...manualConfigurationFlowTestsConfig.get('esTestCluster.serverArgs'),
+        'xpack.security.enrollment.enabled=true',
+        `xpack.security.http.ssl.keystore.path=${caPath}`,
+        'xpack.security.http.ssl.keystore.password=storepass',
+      ],
+    },
+
+    kbnTestServer: {
+      ...manualConfigurationFlowTestsConfig.get('kbnTestServer'),
+      serverArgs: [
+        ...manualConfigurationFlowTestsConfig
+          .get('kbnTestServer.serverArgs')
+          .filter((arg: string) => !arg.startsWith('--config')),
+        `--config=${tempKibanaYamlFile}`,
+      ],
+    },
+  };
+}

test/interactive_setup_api_integration/fixtures/README.md

@@ -0,0 +1,32 @@
+## Certificate generation
+
+The Elasticsearch HTTP layer keystore is supposed to mimic the PKCS12 keystore that the elasticsearch startup script will auto-generate for a node. The keystore contains:
+
+- A PrivateKeyEntry for the node's key and certificate for the HTTP layer
+- A PrivateKeyEntry for the CA's key and certificate
+- A TrustedCertificateEntry for the CA's certificate
+
+```bash
+$ES_HOME/bin/elasticsearch-certutil cert \
+  --out $KIBANA_HOME/test/interactive_setup_api_integration/fixtures/elasticsearch.p12 \
+  --ca $KIBANA_HOME/packages/kbn-dev-utils/certs/ca.p12 --ca-pass "castorepass" --pass "storepass" \
+  --dns=localhost --dns=localhost.localdomain --dns=localhost4 --dns=localhost4.localdomain4 \
+  --dns=localhost6 --dns=localhost6.localdomain6 \
+  --ip=127.0.0.1 --ip=0:0:0:0:0:0:0:1
+```
+
+Change the alias of the TrustedCertificateEntry so that it won't clash with the CA PrivateKeyEntry
+```bash
+keytool -changealias -alias ca -destalias cacert -keystore \
+  $KIBANA_HOME/test/interactive_setup_api_integration/fixtures/elasticsearch.p12 \
+  -deststorepass "storepass"
+```
+
+Import the CA PrivateKeyEntry
+```bash
+keytool -importkeystore \
+  -srckeystore $KIBANA_HOME/packages/kbn-dev-utils/certs/ca.p12 \
+  -srcstorepass "castorepass" \
+  -destkeystore $KIBANA_HOME/test/interactive_setup_api_integration/fixtures/elasticsearch.p12 \
+  -deststorepass "storepass"
+```

test/interactive_setup_api_integration/fixtures/test_endpoints/kibana.json

@@ -0,0 +1,12 @@
+{
+  "id": "interactiveSetupTestEndpoints",
+  "owner": {
+    "name": "Platform Security",
+    "githubTeam": "kibana-security"
+  },
+  "version": "8.0.0",
+  "kibanaVersion": "kibana",
+  "type": "preboot",
+  "server": true,
+  "ui": false
+}

test/interactive_setup_api_integration/fixtures/test_endpoints/server/index.ts

@@ -0,0 +1,42 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0 and the Server Side Public License, v 1; you may not use this file except
+ * in compliance with, at your election, the Elastic License 2.0 or the Server
+ * Side Public License, v 1.
+ */
+
+import fs from 'fs/promises';
+import path from 'path';
+
+import type { PluginInitializer, PrebootPlugin } from 'kibana/server';
+
+export const plugin: PluginInitializer<void, never> = (initializerContext): PrebootPlugin => ({
+  setup: (core) => {
+    core.http.registerRoutes('', (router) => {
+      router.get(
+        {
+          path: '/test_endpoints/verification_code',
+          validate: false,
+          options: { authRequired: false },
+        },
+        async (context, request, response) => {
+          // [HACK]: On CI tests are run from the different directories than the built and running Kibana instance. That
+          // means Kibana from a Directory A is running with the test plugins from a Directory B. The problem is that
+          // the data path that interactive setup plugin uses to store verification code is determined by the
+          // `__dirname` that depends on the physical location of the file where it's used. This is the reason why we
+          // end up with different data paths in Kibana built-in and test plugins. To workaround that we use Kibana
+          // `process.cwd()` to construct data path manually.
+          const verificationCodePath = path.join(process.cwd(), 'data', 'verification_code');
+          initializerContext.logger.get().info(`Will read code from ${verificationCodePath}`);
+          return response.ok({
+            body: {
+              verificationCode: (await fs.readFile(verificationCodePath)).toString(),
+            },
+          });
+        }
+      );
+    });
+  },
+  stop: () => {},
+});

test/interactive_setup_api_integration/fixtures/test_endpoints/tsconfig.json

@@ -0,0 +1,16 @@
+{
+  "extends": "../../../../tsconfig.base.json",
+  "compilerOptions": {
+    "outDir": "./target/types",
+    "emitDeclarationOnly": true,
+    "declaration": true,
+    "declarationMap": true
+  },
+  "include": [
+    "server/**/*.ts",
+  ],
+  "exclude": [],
+  "references": [
+    { "path": "../../../../src/core/tsconfig.json" },
+  ],
+}

test/interactive_setup_api_integration/fixtures/test_helpers.ts

@@ -0,0 +1,39 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0 and the Server Side Public License, v 1; you may not use this file except
+ * in compliance with, at your election, the Elastic License 2.0 or the Server
+ * Side Public License, v 1.
+ */
+
+import { delay } from 'bluebird';
+
+import expect from '@kbn/expect';
+
+import type { FtrProviderContext } from '../ftr_provider_context';
+
+export async function hasKibanaBooted(context: FtrProviderContext) {
+  const supertest = context.getService('supertest');
+  const log = context.getService('log');
+
+  // Run 30 consecutive requests with 1.5s delay to check if Kibana is up and running.
+  let kibanaHasBooted = false;
+  for (const counter of [...Array(30).keys()]) {
+    await delay(1500);
+
+    try {
+      expect((await supertest.get('/api/status').expect(200)).body).to.have.keys([
+        'version',
+        'status',
+      ]);
+
+      log.debug(`Kibana has booted after ${(counter + 1) * 1.5}s.`);
+      kibanaHasBooted = true;
+      break;
+    } catch (err) {
+      log.debug(`Kibana is still booting after ${(counter + 1) * 1.5}s due to: ${err.message}`);
+    }
+  }
+
+  return kibanaHasBooted;
+}

test/interactive_setup_api_integration/fixtures/tls_tools.ts

@@ -0,0 +1,30 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0 and the Server Side Public License, v 1; you may not use this file except
+ * in compliance with, at your election, the Elastic License 2.0 or the Server
+ * Side Public License, v 1.
+ */
+
+import tls from 'tls';
+
+export async function getElasticsearchCaCertificate(host: string, port: string) {
+  let peerCertificate = await new Promise<tls.DetailedPeerCertificate>((resolve, reject) => {
+    const socket = tls.connect({ host, port: Number(port), rejectUnauthorized: false });
+    socket.once('secureConnect', () => {
+      const cert = socket.getPeerCertificate(true);
+      socket.destroy();
+      resolve(cert);
+    });
+    socket.once('error', reject);
+  });
+
+  while (
+    peerCertificate.issuerCertificate &&
+    peerCertificate.fingerprint256 !== peerCertificate.issuerCertificate.fingerprint256
+  ) {
+    peerCertificate = peerCertificate.issuerCertificate;
+  }
+
+  return peerCertificate;
+}

test/interactive_setup_api_integration/ftr_provider_context.d.ts

@@ -0,0 +1,13 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0 and the Server Side Public License, v 1; you may not use this file except
+ * in compliance with, at your election, the Elastic License 2.0 or the Server
+ * Side Public License, v 1.
+ */
+
+import type { GenericFtrProviderContext } from '@kbn/test';
+
+import type { services } from './services';
+
+export type FtrProviderContext = GenericFtrProviderContext<typeof services, {}>;

test/interactive_setup_api_integration/manual_configuration_flow.config.ts

@@ -0,0 +1,55 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0 and the Server Side Public License, v 1; you may not use this file except
+ * in compliance with, at your election, the Elastic License 2.0 or the Server
+ * Side Public License, v 1.
+ */
+
+import fs from 'fs/promises';
+import { join } from 'path';
+
+import type { FtrConfigProviderContext } from '@kbn/test';
+import { getDataPath } from '@kbn/utils';
+
+export default async function ({ readConfigFile }: FtrConfigProviderContext) {
+  const manualConfigurationFlowWithoutTlsTestsConfig = await readConfigFile(
+    require.resolve('./manual_configuration_flow_without_tls.config.ts')
+  );
+
+  const tempKibanaYamlFile = join(getDataPath(), `interactive_setup_kibana_${Date.now()}.yml`);
+  await fs.writeFile(tempKibanaYamlFile, '');
+
+  return {
+    ...manualConfigurationFlowWithoutTlsTestsConfig.getAll(),
+
+    testFiles: [require.resolve('./tests/manual_configuration_flow')],
+
+    servers: {
+      ...manualConfigurationFlowWithoutTlsTestsConfig.get('servers'),
+      elasticsearch: {
+        ...manualConfigurationFlowWithoutTlsTestsConfig.get('servers.elasticsearch'),
+        protocol: 'https',
+      },
+    },
+
+    junit: {
+      reportName: 'Interactive Setup API Integration Tests (Manual configuration flow)',
+    },
+
+    esTestCluster: {
+      ...manualConfigurationFlowWithoutTlsTestsConfig.get('esTestCluster'),
+      ssl: true,
+    },
+
+    kbnTestServer: {
+      ...manualConfigurationFlowWithoutTlsTestsConfig.get('kbnTestServer'),
+      serverArgs: [
+        ...manualConfigurationFlowWithoutTlsTestsConfig
+          .get('kbnTestServer.serverArgs')
+          .filter((arg: string) => !arg.startsWith('--config')),
+        `--config=${tempKibanaYamlFile}`,
+      ],
+    },
+  };
+}

test/interactive_setup_api_integration/manual_configuration_flow_without_tls.config.ts

@@ -0,0 +1,57 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0 and the Server Side Public License, v 1; you may not use this file except
+ * in compliance with, at your election, the Elastic License 2.0 or the Server
+ * Side Public License, v 1.
+ */
+
+import fs from 'fs/promises';
+import { join, resolve } from 'path';
+
+import type { FtrConfigProviderContext } from '@kbn/test';
+import { getDataPath } from '@kbn/utils';
+
+import { services } from './services';
+
+export default async function ({ readConfigFile }: FtrConfigProviderContext) {
+  const xPackAPITestsConfig = await readConfigFile(require.resolve('../api_integration/config'));
+
+  const testEndpointsPlugin = resolve(__dirname, './fixtures/test_endpoints');
+
+  const tempKibanaYamlFile = join(getDataPath(), `interactive_setup_kibana_${Date.now()}.yml`);
+  await fs.writeFile(tempKibanaYamlFile, '');
+
+  return {
+    testFiles: [require.resolve('./tests/manual_configuration_flow_without_tls')],
+    servers: xPackAPITestsConfig.get('servers'),
+    services,
+    junit: {
+      reportName: 'Interactive Setup API Integration Tests (Manual configuration flow without TLS)',
+    },
+
+    esTestCluster: {
+      ...xPackAPITestsConfig.get('esTestCluster'),
+      serverArgs: [
+        ...xPackAPITestsConfig.get('esTestCluster.serverArgs'),
+        'xpack.security.enabled=true',
+      ],
+    },
+
+    kbnTestServer: {
+      ...xPackAPITestsConfig.get('kbnTestServer'),
+      serverArgs: [
+        ...xPackAPITestsConfig
+          .get('kbnTestServer.serverArgs')
+          .filter((arg: string) => !arg.startsWith('--elasticsearch.')),
+        `--plugin-path=${testEndpointsPlugin}`,
+        `--config=${tempKibanaYamlFile}`,
+        '--interactiveSetup.enabled=true',
+      ],
+      runOptions: {
+        ...xPackAPITestsConfig.get('kbnTestServer.runOptions'),
+        wait: /Kibana has not been configured/,
+      },
+    },
+  };
+}

test/interactive_setup_api_integration/services.ts

@@ -0,0 +1,13 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0 and the Server Side Public License, v 1; you may not use this file except
+ * in compliance with, at your election, the Elastic License 2.0 or the Server
+ * Side Public License, v 1.
+ */
+
+import { services as apiIntegrationServices } from '../api_integration/services';
+
+export const services = {
+  ...apiIntegrationServices,
+};

test/interactive_setup_api_integration/tests/enrollment_flow.ts

@@ -0,0 +1,151 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0 and the Server Side Public License, v 1; you may not use this file except
+ * in compliance with, at your election, the Elastic License 2.0 or the Server
+ * Side Public License, v 1.
+ */
+
+import expect from '@kbn/expect';
+import { getUrl } from '@kbn/test';
+
+import { hasKibanaBooted } from '../fixtures/test_helpers';
+import { getElasticsearchCaCertificate } from '../fixtures/tls_tools';
+import type { FtrProviderContext } from '../ftr_provider_context';
+
+export default function (context: FtrProviderContext) {
+  const supertest = context.getService('supertest');
+  const es = context.getService('es');
+  const log = context.getService('log');
+  const config = context.getService('config');
+
+  describe('Interactive setup APIs - Enrollment flow', function () {
+    this.tags(['skipCloud', 'ciGroup2']);
+
+    let kibanaVerificationCode: string;
+    let elasticsearchCaFingerprint: string;
+    before(async () => {
+      const esServerConfig = config.get('servers.elasticsearch');
+      elasticsearchCaFingerprint = (
+        await getElasticsearchCaCertificate(esServerConfig.host, esServerConfig.port)
+      ).fingerprint256.replace(/:/g, '');
+
+      kibanaVerificationCode = (
+        await supertest.get('/test_endpoints/verification_code').expect(200)
+      ).body.verificationCode;
+    });
+
+    let enrollmentAPIKey: string;
+    beforeEach(async () => {
+      const apiResponse = await es.security.createApiKey({ body: { name: 'enrollment_api_key' } });
+      enrollmentAPIKey = Buffer.from(`${apiResponse.body.id}:${apiResponse.body.api_key}`).toString(
+        'base64'
+      );
+    });
+
+    afterEach(async () => {
+      await es.security.invalidateApiKey({ body: { name: 'enrollment_api_key' } });
+    });
+
+    it('fails to enroll with invalid authentication code', async () => {
+      const esHost = getUrl.baseUrl(config.get('servers.elasticsearch'));
+      const enrollPayload = {
+        apiKey: enrollmentAPIKey,
+        code: '000000',
+        caFingerprint: elasticsearchCaFingerprint,
+        hosts: [esHost],
+      };
+
+      log.debug(`Enroll payload ${JSON.stringify(enrollPayload)}`);
+
+      await supertest
+        .post('/internal/interactive_setup/enroll')
+        .set('kbn-xsrf', 'xxx')
+        .send(enrollPayload)
+        .expect(403, { statusCode: 403, error: 'Forbidden', message: 'Forbidden' });
+    });
+
+    it('fails to enroll with invalid CA fingerprint', async () => {
+      const esHost = getUrl.baseUrl(config.get('servers.elasticsearch'));
+      const enrollPayload = {
+        apiKey: enrollmentAPIKey,
+        code: kibanaVerificationCode,
+        caFingerprint: '3FDAEE71A3604070E6AE6B01412D19772DE5AE129F69C413F0453B293D9BE65D',
+        hosts: [esHost],
+      };
+
+      log.debug(`Enroll payload ${JSON.stringify(enrollPayload)}`);
+
+      await supertest
+        .post('/internal/interactive_setup/enroll')
+        .set('kbn-xsrf', 'xxx')
+        .send(enrollPayload)
+        .expect(500, {
+          statusCode: 500,
+          error: 'Internal Server Error',
+          message: 'Failed to enroll.',
+          attributes: { type: 'enroll_failure' },
+        });
+    });
+
+    it('fails to enroll with invalid api key', async function () {
+      const esServerConfig = config.get('servers.elasticsearch');
+      const enrollPayload = {
+        apiKey: enrollmentAPIKey,
+        code: kibanaVerificationCode,
+        caFingerprint: elasticsearchCaFingerprint,
+        hosts: [getUrl.baseUrl(esServerConfig)],
+      };
+
+      log.debug(`Enroll payload ${JSON.stringify(enrollPayload)}`);
+
+      // Invalidate API key.
+      await es.security.invalidateApiKey({ body: { name: 'enrollment_api_key' } });
+
+      await supertest
+        .post('/internal/interactive_setup/enroll')
+        .set('kbn-xsrf', 'xxx')
+        .send(enrollPayload)
+        .expect(500, {
+          statusCode: 500,
+          error: 'Internal Server Error',
+          message: 'Failed to enroll.',
+          attributes: { type: 'enroll_failure' },
+        });
+    });
+
+    it('should be able to enroll with valid authentication code', async function () {
+      this.timeout(60000);
+
+      const esServerConfig = config.get('servers.elasticsearch');
+      const enrollPayload = {
+        apiKey: enrollmentAPIKey,
+        code: kibanaVerificationCode,
+        caFingerprint: elasticsearchCaFingerprint,
+        hosts: [getUrl.baseUrl(esServerConfig)],
+      };
+
+      log.debug(`Enroll payload ${JSON.stringify(enrollPayload)}`);
+
+      await supertest
+        .post('/internal/interactive_setup/enroll')
+        .set('kbn-xsrf', 'xxx')
+        .send(enrollPayload)
+        .expect(204, {});
+
+      // Enroll should no longer accept requests.
+      await supertest
+        .post('/internal/interactive_setup/enroll')
+        .set('kbn-xsrf', 'xxx')
+        .send(enrollPayload)
+        .expect(400, {
+          error: 'Bad Request',
+          message: 'Cannot process request outside of preboot stage.',
+          statusCode: 400,
+          attributes: { type: 'outside_preboot_stage' },
+        });
+
+      expect(await hasKibanaBooted(context)).to.be(true);
+    });
+  });
+}

test/interactive_setup_api_integration/tests/manual_configuration_flow.ts

@@ -0,0 +1,136 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0 and the Server Side Public License, v 1; you may not use this file except
+ * in compliance with, at your election, the Elastic License 2.0 or the Server
+ * Side Public License, v 1.
+ */
+
+import expect from '@kbn/expect';
+import { getUrl, kibanaServerTestUser } from '@kbn/test';
+
+import { hasKibanaBooted } from '../fixtures/test_helpers';
+import { getElasticsearchCaCertificate } from '../fixtures/tls_tools';
+import type { FtrProviderContext } from '../ftr_provider_context';
+
+export default function (context: FtrProviderContext) {
+  const supertest = context.getService('supertest');
+  const log = context.getService('log');
+  const config = context.getService('config');
+
+  describe('Interactive setup APIs - Manual configuration flow', function () {
+    this.tags(['skipCloud', 'ciGroup2']);
+
+    let kibanaVerificationCode: string;
+    let elasticsearchCaCertificate: string;
+    before(async () => {
+      const esServerConfig = config.get('servers.elasticsearch');
+      elasticsearchCaCertificate = (
+        await getElasticsearchCaCertificate(esServerConfig.host, esServerConfig.port)
+      ).raw.toString('base64');
+
+      kibanaVerificationCode = (
+        await supertest.get('/test_endpoints/verification_code').expect(200)
+      ).body.verificationCode;
+    });
+
+    it('fails to configure with invalid authentication code', async () => {
+      const esServerConfig = config.get('servers.elasticsearch');
+      const configurePayload = {
+        host: getUrl.baseUrl(esServerConfig),
+        code: '000000',
+        caCert: elasticsearchCaCertificate,
+        ...kibanaServerTestUser,
+      };
+
+      log.debug(`Configure payload ${JSON.stringify(configurePayload)}`);
+
+      await supertest
+        .post('/internal/interactive_setup/configure')
+        .set('kbn-xsrf', 'xxx')
+        .send(configurePayload)
+        .expect(403, { statusCode: 403, error: 'Forbidden', message: 'Forbidden' });
+    });
+
+    it('fails to configure with invalid CA certificate', async () => {
+      const esServerConfig = config.get('servers.elasticsearch');
+      const configurePayload = {
+        host: getUrl.baseUrl(esServerConfig),
+        code: kibanaVerificationCode,
+        caCert: elasticsearchCaCertificate.split('').reverse().join(''),
+        ...kibanaServerTestUser,
+      };
+
+      log.debug(`Configure payload ${JSON.stringify(configurePayload)}`);
+
+      await supertest
+        .post('/internal/interactive_setup/configure')
+        .set('kbn-xsrf', 'xxx')
+        .send(configurePayload)
+        .expect(500, {
+          statusCode: 500,
+          error: 'Internal Server Error',
+          message: 'Failed to configure.',
+          attributes: { type: 'configure_failure' },
+        });
+    });
+
+    it('fails to configure with invalid credentials', async function () {
+      const esServerConfig = config.get('servers.elasticsearch');
+      const configurePayload = {
+        host: getUrl.baseUrl(esServerConfig),
+        code: kibanaVerificationCode,
+        caCert: elasticsearchCaCertificate,
+        ...kibanaServerTestUser,
+        password: 'no-way',
+      };
+
+      log.debug(`Configure payload ${JSON.stringify(configurePayload)}`);
+
+      await supertest
+        .post('/internal/interactive_setup/configure')
+        .set('kbn-xsrf', 'xxx')
+        .send(configurePayload)
+        .expect(500, {
+          statusCode: 500,
+          error: 'Internal Server Error',
+          message: 'Failed to configure.',
+          attributes: { type: 'configure_failure' },
+        });
+    });
+
+    it('should be able to configure with valid authentication code', async function () {
+      this.timeout(60000);
+
+      const esServerConfig = config.get('servers.elasticsearch');
+      const configurePayload = {
+        host: getUrl.baseUrl(esServerConfig),
+        code: kibanaVerificationCode,
+        caCert: elasticsearchCaCertificate,
+        ...kibanaServerTestUser,
+      };
+
+      log.debug(`Configure payload ${JSON.stringify(configurePayload)}`);
+
+      await supertest
+        .post('/internal/interactive_setup/configure')
+        .set('kbn-xsrf', 'xxx')
+        .send(configurePayload)
+        .expect(204, {});
+
+      // Configure should no longer accept requests.
+      await supertest
+        .post('/internal/interactive_setup/configure')
+        .set('kbn-xsrf', 'xxx')
+        .send(configurePayload)
+        .expect(400, {
+          error: 'Bad Request',
+          message: 'Cannot process request outside of preboot stage.',
+          statusCode: 400,
+          attributes: { type: 'outside_preboot_stage' },
+        });
+
+      expect(await hasKibanaBooted(context)).to.be(true);
+    });
+  });
+}

test/interactive_setup_api_integration/tests/manual_configuration_flow_without_tls.ts

@@ -0,0 +1,103 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0 and the Server Side Public License, v 1; you may not use this file except
+ * in compliance with, at your election, the Elastic License 2.0 or the Server
+ * Side Public License, v 1.
+ */
+
+import expect from '@kbn/expect';
+import { getUrl, kibanaServerTestUser } from '@kbn/test';
+
+import { hasKibanaBooted } from '../fixtures/test_helpers';
+import type { FtrProviderContext } from '../ftr_provider_context';
+
+export default function (context: FtrProviderContext) {
+  const supertest = context.getService('supertest');
+  const log = context.getService('log');
+  const config = context.getService('config');
+
+  describe('Interactive setup APIs - Manual configuration flow without TLS', function () {
+    this.tags(['skipCloud', 'ciGroup2']);
+
+    let kibanaVerificationCode: string;
+    before(async () => {
+      kibanaVerificationCode = (
+        await supertest.get('/test_endpoints/verification_code').expect(200)
+      ).body.verificationCode;
+    });
+
+    it('fails to configure with invalid authentication code', async () => {
+      const esServerConfig = config.get('servers.elasticsearch');
+      const configurePayload = {
+        host: getUrl.baseUrl(esServerConfig),
+        code: '000000',
+        ...kibanaServerTestUser,
+      };
+
+      log.debug(`Configure payload ${JSON.stringify(configurePayload)}`);
+
+      await supertest
+        .post('/internal/interactive_setup/configure')
+        .set('kbn-xsrf', 'xxx')
+        .send(configurePayload)
+        .expect(403, { statusCode: 403, error: 'Forbidden', message: 'Forbidden' });
+    });
+
+    it('fails to configure with invalid credentials', async function () {
+      const esServerConfig = config.get('servers.elasticsearch');
+      const configurePayload = {
+        host: getUrl.baseUrl(esServerConfig),
+        code: kibanaVerificationCode,
+        ...kibanaServerTestUser,
+        password: 'no-way',
+      };
+
+      log.debug(`Configure payload ${JSON.stringify(configurePayload)}`);
+
+      await supertest
+        .post('/internal/interactive_setup/configure')
+        .set('kbn-xsrf', 'xxx')
+        .send(configurePayload)
+        .expect(500, {
+          statusCode: 500,
+          error: 'Internal Server Error',
+          message: 'Failed to configure.',
+          attributes: { type: 'configure_failure' },
+        });
+    });
+
+    it('should be able to configure with valid authentication code', async function () {
+      this.timeout(60000);
+
+      const esServerConfig = config.get('servers.elasticsearch');
+      const configurePayload = {
+        host: getUrl.baseUrl(esServerConfig),
+        code: kibanaVerificationCode,
+        ...kibanaServerTestUser,
+      };
+
+      log.debug(`Configure payload ${JSON.stringify(configurePayload)}`);
+
+      await supertest
+        .post('/internal/interactive_setup/configure')
+        .set('kbn-xsrf', 'xxx')
+        .send(configurePayload)
+        .expect(204, {});
+
+      // Configure should no longer accept requests.
+      await supertest
+        .post('/internal/interactive_setup/configure')
+        .set('kbn-xsrf', 'xxx')
+        .send(configurePayload)
+        .expect(400, {
+          error: 'Bad Request',
+          message: 'Cannot process request outside of preboot stage.',
+          statusCode: 400,
+          attributes: { type: 'outside_preboot_stage' },
+        });
+
+      expect(await hasKibanaBooted(context)).to.be(true);
+    });
+  });
+}

test/tsconfig.json

@@ -53,6 +53,7 @@
     { "path": "../src/plugins/usage_collection/tsconfig.json" },
     { "path": "../src/plugins/index_pattern_management/tsconfig.json" },
     { "path": "../src/plugins/visualize/tsconfig.json" },
+    { "path": "interactive_setup_api_integration/fixtures/test_endpoints/tsconfig.json" },
     { "path": "plugin_functional/plugins/core_app_status/tsconfig.json" },
     { "path": "plugin_functional/plugins/core_provider_plugin/tsconfig.json" },
     { "path": "server_integration/__fixtures__/plugins/status_plugin_a/tsconfig.json" },

x-pack/test/cloud_integration/fixtures/saml/saml_provider/metadata.xml

@@ -7,25 +7,24 @@
       <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
         <ds:X509Data>
           <!-- This certificate is extracted from KBN_CERT_PATH in @kbn/dev-utils and should always be in sync with it -->
-          <ds:X509Certificate>MIIDOTCCAiGgAwIBAgIVANNWkg9lzNiLqNkMFhFKHcXyaZmqMA0GCSqGSIb3DQEB
+          <ds:X509Certificate>MIIDOTCCAiGgAwIBAgIVAN0GVNLw3IaUBuG7t6CeW8w2wyymMA0GCSqGSIb3DQEB
 CwUAMDQxMjAwBgNVBAMTKUVsYXN0aWMgQ2VydGlmaWNhdGUgVG9vbCBBdXRvZ2Vu
-ZXJhdGVkIENBMCAXDTE5MTIyNzE3MDM0MloYDzIwNjkxMjE0MTcwMzQyWjARMQ8w
+ZXJhdGVkIENBMCAXDTIxMTAxMzEwMTU1OFoYDzIwNzExMDAxMTAxNTU4WjARMQ8w
-DQYDVQQDEwZraWJhbmEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCQ
+DQYDVQQDEwZraWJhbmEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC3
-wYYbQtbRBKJ4uNZc2+IgRU+7NNL21ZebQlEIMgK7jAqOMrsW2b5DATz41Fd+GQFU
+nvfL3/26D8EkLso+t9S0m+tSJipLsBWs0dCpc8KRJ/+ijDRnAQ5lOmOAcxt43SNY
-FUYYjwo+PQj6sJHshOJo/gNb32HrydvMI7YPvevkszkuEGCfXxQ3Dw2RTACLgD0Q
+KFr0EntQEZyYaRwMIM8aPR0WYW/VV5o4fq2o/JnmHqzZJRJCwZq+5WiCiDPt012N
-OCkwHvn3TMf0loloV/ePGWaZDYZaXi3a5DdWi/HFFoJysgF0JV2f6XyKhJkGaEfJ
+mRGYCMUxjlEwejue6diLAeQhZ/sfN4jUp217bMEHrhHrNBWTwwJ+Uk5TBQMhviCW
-s9pWX269zH/XQvGNx4BEimJpYB8h4JnDYPFIiQdqj+sl2b+kS1hH9kL5gBAMXjFU
+LKbsKrfluA6DGHWrXN4pH7Xmaf/Zyc9AYL/nxwv3VQHZzIAK/U/WNCgFJJ3qoFYY
-vcNnX+PmyTjyJrGo75k0ku+spBf1bMwuQt3uSmM+TQIXkvFDmS0DOVESrpA5EC1T
+6TUwDDNa30mSj165OOds9N+VmUlDC3IFiHV3osBWscSU4HJd6QJ8huHrFLLV4y4i
-BUGRz6o/I88Xx4Mud771AgMBAAGjYzBhMB0GA1UdDgQWBBQLB1Eo23M3Ss8MsFaz
+u62el47Qr+/8Ut3SzeIXAgMBAAGjYzBhMB0GA1UdDgQWBBQli5f2bYL9jKUA5Uxp
-V+Twcb3PmDAfBgNVHSMEGDAWgBQa7SYOe8NGcF00EbwPHA91YCsHSTAUBgNVHREE
+yRRHeCoPJzAfBgNVHSMEGDAWgBQwTCrAjlvQxik3HBocn1PDUunenjAUBgNVHREE
-DTALgglsb2NhbGhvc3QwCQYDVR0TBAIwADANBgkqhkiG9w0BAQsFAAOCAQEAnEl/
+DTALgglsb2NhbGhvc3QwCQYDVR0TBAIwADANBgkqhkiG9w0BAQsFAAOCAQEATFNj
-z5IElIjvkK4AgMPrNcRlvIGDt2orEik7b6Jsq6/RiJQ7cSsYTZf7xbqyxNsUOTxv
+WkTBPfgflGYZD4OsYvfT/rVjFKbJP/u1a0rkzNamA2QKNzI9JTOzONPTyRhe9yVS
-+frj47MEN448H2nRvUxH29YR3XygV5aEwADSAhwaQWn0QfWTCZbJTmSoNEDtDOzX
+zeO8X2rtN63l38dtgMjFQ15Xxnp7GFT7GkXfa1JR+tGSGTgVld8nLUzig+mNmBoR
-TGDlAoCD9s9Xz9S1JpxY4H+WWRZrBSDM6SC1c6CzuEeZRuScNAjYD5mh2v6fOlSy
+nE4cNc0JJ1PsXPzfPgJ6WMp2WOoNUrQf2cm42i36Jk+7KGcosfyFMPQILZE34Geo
-b8xJWSg0AFlJPCa3ZsA2SKbNqI0uNfJTnkXRm88Z2NHcgtlADbOLKauWfCrpgsCk
+DAgCVpNWPgST4HYBUCHMC7S14LHLVdUXPsfGZPEqU5Zf9Hvy61rQC/RdNjnMI6JD
-cZgo6yAYkOM148h/8wGla1eX+iE1R72NUABGydu8MSQKvc0emWJkGsC1/KqPlf/O
+s57l9oHASNeEg55NQm01aOmwq/z1DXs3UP2nRmp6XCCfE61ghofO5dtV1j3cZ3f5
-eOUsdwn1yDKHRxDHyA==
+dzkzSBV7H6+/MD3Y8Q==</ds:X509Certificate>
-          </ds:X509Certificate>
         </ds:X509Data>
       </ds:KeyInfo>
     </md:KeyDescriptor>

x-pack/test/security_api_integration/fixtures/pki/README.md

@@ -9,8 +9,8 @@ The `first_client.p12` and `second_client.p12` files were generated the same tim
 following commands:
 
 ```
-bin/elasticsearch-certutil cert -days 18250 --ca elastic-stack-ca.p12 --ca-pass castorepass --name first_client --pass ""
+bin/elasticsearch-certutil cert -days 18250 --ca $KIBANA_HOME/packages/kbn-dev-utils/certs/ca.p12 --ca-pass castorepass --name first_client --pass ""
-bin/elasticsearch-certutil cert -days 18250 --ca elastic-stack-ca.p12 --ca-pass castorepass --name second_client --pass ""
+bin/elasticsearch-certutil cert -days 18250 --ca $KIBANA_HOME/packages/kbn-dev-utils/certs/ca.p12 --ca-pass castorepass --name second_client --pass ""
 ```
 
 If that CA is ever changed, these two files must be regenerated.

x-pack/test/security_api_integration/fixtures/saml/idp_metadata.xml

@@ -7,25 +7,24 @@
       <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
         <ds:X509Data>
           <!-- This certificate is extracted from KBN_CERT_PATH in @kbn/dev-utils and should always be in sync with it -->
-          <ds:X509Certificate>MIIDOTCCAiGgAwIBAgIVANNWkg9lzNiLqNkMFhFKHcXyaZmqMA0GCSqGSIb3DQEB
+          <ds:X509Certificate>MIIDOTCCAiGgAwIBAgIVAN0GVNLw3IaUBuG7t6CeW8w2wyymMA0GCSqGSIb3DQEB
 CwUAMDQxMjAwBgNVBAMTKUVsYXN0aWMgQ2VydGlmaWNhdGUgVG9vbCBBdXRvZ2Vu
-ZXJhdGVkIENBMCAXDTE5MTIyNzE3MDM0MloYDzIwNjkxMjE0MTcwMzQyWjARMQ8w
+ZXJhdGVkIENBMCAXDTIxMTAxMzEwMTU1OFoYDzIwNzExMDAxMTAxNTU4WjARMQ8w
-DQYDVQQDEwZraWJhbmEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCQ
+DQYDVQQDEwZraWJhbmEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC3
-wYYbQtbRBKJ4uNZc2+IgRU+7NNL21ZebQlEIMgK7jAqOMrsW2b5DATz41Fd+GQFU
+nvfL3/26D8EkLso+t9S0m+tSJipLsBWs0dCpc8KRJ/+ijDRnAQ5lOmOAcxt43SNY
-FUYYjwo+PQj6sJHshOJo/gNb32HrydvMI7YPvevkszkuEGCfXxQ3Dw2RTACLgD0Q
+KFr0EntQEZyYaRwMIM8aPR0WYW/VV5o4fq2o/JnmHqzZJRJCwZq+5WiCiDPt012N
-OCkwHvn3TMf0loloV/ePGWaZDYZaXi3a5DdWi/HFFoJysgF0JV2f6XyKhJkGaEfJ
+mRGYCMUxjlEwejue6diLAeQhZ/sfN4jUp217bMEHrhHrNBWTwwJ+Uk5TBQMhviCW
-s9pWX269zH/XQvGNx4BEimJpYB8h4JnDYPFIiQdqj+sl2b+kS1hH9kL5gBAMXjFU
+LKbsKrfluA6DGHWrXN4pH7Xmaf/Zyc9AYL/nxwv3VQHZzIAK/U/WNCgFJJ3qoFYY
-vcNnX+PmyTjyJrGo75k0ku+spBf1bMwuQt3uSmM+TQIXkvFDmS0DOVESrpA5EC1T
+6TUwDDNa30mSj165OOds9N+VmUlDC3IFiHV3osBWscSU4HJd6QJ8huHrFLLV4y4i
-BUGRz6o/I88Xx4Mud771AgMBAAGjYzBhMB0GA1UdDgQWBBQLB1Eo23M3Ss8MsFaz
+u62el47Qr+/8Ut3SzeIXAgMBAAGjYzBhMB0GA1UdDgQWBBQli5f2bYL9jKUA5Uxp
-V+Twcb3PmDAfBgNVHSMEGDAWgBQa7SYOe8NGcF00EbwPHA91YCsHSTAUBgNVHREE
+yRRHeCoPJzAfBgNVHSMEGDAWgBQwTCrAjlvQxik3HBocn1PDUunenjAUBgNVHREE
-DTALgglsb2NhbGhvc3QwCQYDVR0TBAIwADANBgkqhkiG9w0BAQsFAAOCAQEAnEl/
+DTALgglsb2NhbGhvc3QwCQYDVR0TBAIwADANBgkqhkiG9w0BAQsFAAOCAQEATFNj
-z5IElIjvkK4AgMPrNcRlvIGDt2orEik7b6Jsq6/RiJQ7cSsYTZf7xbqyxNsUOTxv
+WkTBPfgflGYZD4OsYvfT/rVjFKbJP/u1a0rkzNamA2QKNzI9JTOzONPTyRhe9yVS
-+frj47MEN448H2nRvUxH29YR3XygV5aEwADSAhwaQWn0QfWTCZbJTmSoNEDtDOzX
+zeO8X2rtN63l38dtgMjFQ15Xxnp7GFT7GkXfa1JR+tGSGTgVld8nLUzig+mNmBoR
-TGDlAoCD9s9Xz9S1JpxY4H+WWRZrBSDM6SC1c6CzuEeZRuScNAjYD5mh2v6fOlSy
+nE4cNc0JJ1PsXPzfPgJ6WMp2WOoNUrQf2cm42i36Jk+7KGcosfyFMPQILZE34Geo
-b8xJWSg0AFlJPCa3ZsA2SKbNqI0uNfJTnkXRm88Z2NHcgtlADbOLKauWfCrpgsCk
+DAgCVpNWPgST4HYBUCHMC7S14LHLVdUXPsfGZPEqU5Zf9Hvy61rQC/RdNjnMI6JD
-cZgo6yAYkOM148h/8wGla1eX+iE1R72NUABGydu8MSQKvc0emWJkGsC1/KqPlf/O
+s57l9oHASNeEg55NQm01aOmwq/z1DXs3UP2nRmp6XCCfE61ghofO5dtV1j3cZ3f5
-eOUsdwn1yDKHRxDHyA==
+dzkzSBV7H6+/MD3Y8Q==</ds:X509Certificate>
-          </ds:X509Certificate>
         </ds:X509Data>
       </ds:KeyInfo>
     </md:KeyDescriptor>

x-pack/test/security_api_integration/fixtures/saml/idp_metadata_2.xml

@@ -7,25 +7,24 @@
       <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
         <ds:X509Data>
           <!-- This certificate is extracted from KBN_CERT_PATH in @kbn/dev-utils and should always be in sync with it -->
-          <ds:X509Certificate>MIIDOTCCAiGgAwIBAgIVANNWkg9lzNiLqNkMFhFKHcXyaZmqMA0GCSqGSIb3DQEB
+          <ds:X509Certificate>MIIDOTCCAiGgAwIBAgIVAN0GVNLw3IaUBuG7t6CeW8w2wyymMA0GCSqGSIb3DQEB
 CwUAMDQxMjAwBgNVBAMTKUVsYXN0aWMgQ2VydGlmaWNhdGUgVG9vbCBBdXRvZ2Vu
-ZXJhdGVkIENBMCAXDTE5MTIyNzE3MDM0MloYDzIwNjkxMjE0MTcwMzQyWjARMQ8w
+ZXJhdGVkIENBMCAXDTIxMTAxMzEwMTU1OFoYDzIwNzExMDAxMTAxNTU4WjARMQ8w
-DQYDVQQDEwZraWJhbmEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCQ
+DQYDVQQDEwZraWJhbmEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC3
-wYYbQtbRBKJ4uNZc2+IgRU+7NNL21ZebQlEIMgK7jAqOMrsW2b5DATz41Fd+GQFU
+nvfL3/26D8EkLso+t9S0m+tSJipLsBWs0dCpc8KRJ/+ijDRnAQ5lOmOAcxt43SNY
-FUYYjwo+PQj6sJHshOJo/gNb32HrydvMI7YPvevkszkuEGCfXxQ3Dw2RTACLgD0Q
+KFr0EntQEZyYaRwMIM8aPR0WYW/VV5o4fq2o/JnmHqzZJRJCwZq+5WiCiDPt012N
-OCkwHvn3TMf0loloV/ePGWaZDYZaXi3a5DdWi/HFFoJysgF0JV2f6XyKhJkGaEfJ
+mRGYCMUxjlEwejue6diLAeQhZ/sfN4jUp217bMEHrhHrNBWTwwJ+Uk5TBQMhviCW
-s9pWX269zH/XQvGNx4BEimJpYB8h4JnDYPFIiQdqj+sl2b+kS1hH9kL5gBAMXjFU
+LKbsKrfluA6DGHWrXN4pH7Xmaf/Zyc9AYL/nxwv3VQHZzIAK/U/WNCgFJJ3qoFYY
-vcNnX+PmyTjyJrGo75k0ku+spBf1bMwuQt3uSmM+TQIXkvFDmS0DOVESrpA5EC1T
+6TUwDDNa30mSj165OOds9N+VmUlDC3IFiHV3osBWscSU4HJd6QJ8huHrFLLV4y4i
-BUGRz6o/I88Xx4Mud771AgMBAAGjYzBhMB0GA1UdDgQWBBQLB1Eo23M3Ss8MsFaz
+u62el47Qr+/8Ut3SzeIXAgMBAAGjYzBhMB0GA1UdDgQWBBQli5f2bYL9jKUA5Uxp
-V+Twcb3PmDAfBgNVHSMEGDAWgBQa7SYOe8NGcF00EbwPHA91YCsHSTAUBgNVHREE
+yRRHeCoPJzAfBgNVHSMEGDAWgBQwTCrAjlvQxik3HBocn1PDUunenjAUBgNVHREE
-DTALgglsb2NhbGhvc3QwCQYDVR0TBAIwADANBgkqhkiG9w0BAQsFAAOCAQEAnEl/
+DTALgglsb2NhbGhvc3QwCQYDVR0TBAIwADANBgkqhkiG9w0BAQsFAAOCAQEATFNj
-z5IElIjvkK4AgMPrNcRlvIGDt2orEik7b6Jsq6/RiJQ7cSsYTZf7xbqyxNsUOTxv
+WkTBPfgflGYZD4OsYvfT/rVjFKbJP/u1a0rkzNamA2QKNzI9JTOzONPTyRhe9yVS
-+frj47MEN448H2nRvUxH29YR3XygV5aEwADSAhwaQWn0QfWTCZbJTmSoNEDtDOzX
+zeO8X2rtN63l38dtgMjFQ15Xxnp7GFT7GkXfa1JR+tGSGTgVld8nLUzig+mNmBoR
-TGDlAoCD9s9Xz9S1JpxY4H+WWRZrBSDM6SC1c6CzuEeZRuScNAjYD5mh2v6fOlSy
+nE4cNc0JJ1PsXPzfPgJ6WMp2WOoNUrQf2cm42i36Jk+7KGcosfyFMPQILZE34Geo
-b8xJWSg0AFlJPCa3ZsA2SKbNqI0uNfJTnkXRm88Z2NHcgtlADbOLKauWfCrpgsCk
+DAgCVpNWPgST4HYBUCHMC7S14LHLVdUXPsfGZPEqU5Zf9Hvy61rQC/RdNjnMI6JD
-cZgo6yAYkOM148h/8wGla1eX+iE1R72NUABGydu8MSQKvc0emWJkGsC1/KqPlf/O
+s57l9oHASNeEg55NQm01aOmwq/z1DXs3UP2nRmp6XCCfE61ghofO5dtV1j3cZ3f5
-eOUsdwn1yDKHRxDHyA==
+dzkzSBV7H6+/MD3Y8Q==</ds:X509Certificate>
-          </ds:X509Certificate>
         </ds:X509Data>
       </ds:KeyInfo>
     </md:KeyDescriptor>

x-pack/test/security_api_integration/fixtures/saml/idp_metadata_never_login.xml

@@ -7,25 +7,24 @@
       <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
         <ds:X509Data>
           <!-- This certificate is extracted from KBN_CERT_PATH in @kbn/dev-utils and should always be in sync with it -->
-          <ds:X509Certificate>MIIDOTCCAiGgAwIBAgIVANNWkg9lzNiLqNkMFhFKHcXyaZmqMA0GCSqGSIb3DQEB
+          <ds:X509Certificate>MIIDOTCCAiGgAwIBAgIVAN0GVNLw3IaUBuG7t6CeW8w2wyymMA0GCSqGSIb3DQEB
 CwUAMDQxMjAwBgNVBAMTKUVsYXN0aWMgQ2VydGlmaWNhdGUgVG9vbCBBdXRvZ2Vu
-ZXJhdGVkIENBMCAXDTE5MTIyNzE3MDM0MloYDzIwNjkxMjE0MTcwMzQyWjARMQ8w
+ZXJhdGVkIENBMCAXDTIxMTAxMzEwMTU1OFoYDzIwNzExMDAxMTAxNTU4WjARMQ8w
-DQYDVQQDEwZraWJhbmEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCQ
+DQYDVQQDEwZraWJhbmEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC3
-wYYbQtbRBKJ4uNZc2+IgRU+7NNL21ZebQlEIMgK7jAqOMrsW2b5DATz41Fd+GQFU
+nvfL3/26D8EkLso+t9S0m+tSJipLsBWs0dCpc8KRJ/+ijDRnAQ5lOmOAcxt43SNY
-FUYYjwo+PQj6sJHshOJo/gNb32HrydvMI7YPvevkszkuEGCfXxQ3Dw2RTACLgD0Q
+KFr0EntQEZyYaRwMIM8aPR0WYW/VV5o4fq2o/JnmHqzZJRJCwZq+5WiCiDPt012N
-OCkwHvn3TMf0loloV/ePGWaZDYZaXi3a5DdWi/HFFoJysgF0JV2f6XyKhJkGaEfJ
+mRGYCMUxjlEwejue6diLAeQhZ/sfN4jUp217bMEHrhHrNBWTwwJ+Uk5TBQMhviCW
-s9pWX269zH/XQvGNx4BEimJpYB8h4JnDYPFIiQdqj+sl2b+kS1hH9kL5gBAMXjFU
+LKbsKrfluA6DGHWrXN4pH7Xmaf/Zyc9AYL/nxwv3VQHZzIAK/U/WNCgFJJ3qoFYY
-vcNnX+PmyTjyJrGo75k0ku+spBf1bMwuQt3uSmM+TQIXkvFDmS0DOVESrpA5EC1T
+6TUwDDNa30mSj165OOds9N+VmUlDC3IFiHV3osBWscSU4HJd6QJ8huHrFLLV4y4i
-BUGRz6o/I88Xx4Mud771AgMBAAGjYzBhMB0GA1UdDgQWBBQLB1Eo23M3Ss8MsFaz
+u62el47Qr+/8Ut3SzeIXAgMBAAGjYzBhMB0GA1UdDgQWBBQli5f2bYL9jKUA5Uxp
-V+Twcb3PmDAfBgNVHSMEGDAWgBQa7SYOe8NGcF00EbwPHA91YCsHSTAUBgNVHREE
+yRRHeCoPJzAfBgNVHSMEGDAWgBQwTCrAjlvQxik3HBocn1PDUunenjAUBgNVHREE
-DTALgglsb2NhbGhvc3QwCQYDVR0TBAIwADANBgkqhkiG9w0BAQsFAAOCAQEAnEl/
+DTALgglsb2NhbGhvc3QwCQYDVR0TBAIwADANBgkqhkiG9w0BAQsFAAOCAQEATFNj
-z5IElIjvkK4AgMPrNcRlvIGDt2orEik7b6Jsq6/RiJQ7cSsYTZf7xbqyxNsUOTxv
+WkTBPfgflGYZD4OsYvfT/rVjFKbJP/u1a0rkzNamA2QKNzI9JTOzONPTyRhe9yVS
-+frj47MEN448H2nRvUxH29YR3XygV5aEwADSAhwaQWn0QfWTCZbJTmSoNEDtDOzX
+zeO8X2rtN63l38dtgMjFQ15Xxnp7GFT7GkXfa1JR+tGSGTgVld8nLUzig+mNmBoR
-TGDlAoCD9s9Xz9S1JpxY4H+WWRZrBSDM6SC1c6CzuEeZRuScNAjYD5mh2v6fOlSy
+nE4cNc0JJ1PsXPzfPgJ6WMp2WOoNUrQf2cm42i36Jk+7KGcosfyFMPQILZE34Geo
-b8xJWSg0AFlJPCa3ZsA2SKbNqI0uNfJTnkXRm88Z2NHcgtlADbOLKauWfCrpgsCk
+DAgCVpNWPgST4HYBUCHMC7S14LHLVdUXPsfGZPEqU5Zf9Hvy61rQC/RdNjnMI6JD
-cZgo6yAYkOM148h/8wGla1eX+iE1R72NUABGydu8MSQKvc0emWJkGsC1/KqPlf/O
+s57l9oHASNeEg55NQm01aOmwq/z1DXs3UP2nRmp6XCCfE61ghofO5dtV1j3cZ3f5
-eOUsdwn1yDKHRxDHyA==
+dzkzSBV7H6+/MD3Y8Q==</ds:X509Certificate>
-          </ds:X509Certificate>
         </ds:X509Data>
       </ds:KeyInfo>
     </md:KeyDescriptor>

x-pack/test/security_api_integration/fixtures/saml/saml_provider/metadata.xml

@@ -7,25 +7,24 @@
       <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
         <ds:X509Data>
           <!-- This certificate is extracted from KBN_CERT_PATH in @kbn/dev-utils and should always be in sync with it -->
-          <ds:X509Certificate>MIIDOTCCAiGgAwIBAgIVANNWkg9lzNiLqNkMFhFKHcXyaZmqMA0GCSqGSIb3DQEB
+          <ds:X509Certificate>MIIDOTCCAiGgAwIBAgIVAN0GVNLw3IaUBuG7t6CeW8w2wyymMA0GCSqGSIb3DQEB
 CwUAMDQxMjAwBgNVBAMTKUVsYXN0aWMgQ2VydGlmaWNhdGUgVG9vbCBBdXRvZ2Vu
-ZXJhdGVkIENBMCAXDTE5MTIyNzE3MDM0MloYDzIwNjkxMjE0MTcwMzQyWjARMQ8w
+ZXJhdGVkIENBMCAXDTIxMTAxMzEwMTU1OFoYDzIwNzExMDAxMTAxNTU4WjARMQ8w
-DQYDVQQDEwZraWJhbmEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCQ
+DQYDVQQDEwZraWJhbmEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC3
-wYYbQtbRBKJ4uNZc2+IgRU+7NNL21ZebQlEIMgK7jAqOMrsW2b5DATz41Fd+GQFU
+nvfL3/26D8EkLso+t9S0m+tSJipLsBWs0dCpc8KRJ/+ijDRnAQ5lOmOAcxt43SNY
-FUYYjwo+PQj6sJHshOJo/gNb32HrydvMI7YPvevkszkuEGCfXxQ3Dw2RTACLgD0Q
+KFr0EntQEZyYaRwMIM8aPR0WYW/VV5o4fq2o/JnmHqzZJRJCwZq+5WiCiDPt012N
-OCkwHvn3TMf0loloV/ePGWaZDYZaXi3a5DdWi/HFFoJysgF0JV2f6XyKhJkGaEfJ
+mRGYCMUxjlEwejue6diLAeQhZ/sfN4jUp217bMEHrhHrNBWTwwJ+Uk5TBQMhviCW
-s9pWX269zH/XQvGNx4BEimJpYB8h4JnDYPFIiQdqj+sl2b+kS1hH9kL5gBAMXjFU
+LKbsKrfluA6DGHWrXN4pH7Xmaf/Zyc9AYL/nxwv3VQHZzIAK/U/WNCgFJJ3qoFYY
-vcNnX+PmyTjyJrGo75k0ku+spBf1bMwuQt3uSmM+TQIXkvFDmS0DOVESrpA5EC1T
+6TUwDDNa30mSj165OOds9N+VmUlDC3IFiHV3osBWscSU4HJd6QJ8huHrFLLV4y4i
-BUGRz6o/I88Xx4Mud771AgMBAAGjYzBhMB0GA1UdDgQWBBQLB1Eo23M3Ss8MsFaz
+u62el47Qr+/8Ut3SzeIXAgMBAAGjYzBhMB0GA1UdDgQWBBQli5f2bYL9jKUA5Uxp
-V+Twcb3PmDAfBgNVHSMEGDAWgBQa7SYOe8NGcF00EbwPHA91YCsHSTAUBgNVHREE
+yRRHeCoPJzAfBgNVHSMEGDAWgBQwTCrAjlvQxik3HBocn1PDUunenjAUBgNVHREE
-DTALgglsb2NhbGhvc3QwCQYDVR0TBAIwADANBgkqhkiG9w0BAQsFAAOCAQEAnEl/
+DTALgglsb2NhbGhvc3QwCQYDVR0TBAIwADANBgkqhkiG9w0BAQsFAAOCAQEATFNj
-z5IElIjvkK4AgMPrNcRlvIGDt2orEik7b6Jsq6/RiJQ7cSsYTZf7xbqyxNsUOTxv
+WkTBPfgflGYZD4OsYvfT/rVjFKbJP/u1a0rkzNamA2QKNzI9JTOzONPTyRhe9yVS
-+frj47MEN448H2nRvUxH29YR3XygV5aEwADSAhwaQWn0QfWTCZbJTmSoNEDtDOzX
+zeO8X2rtN63l38dtgMjFQ15Xxnp7GFT7GkXfa1JR+tGSGTgVld8nLUzig+mNmBoR
-TGDlAoCD9s9Xz9S1JpxY4H+WWRZrBSDM6SC1c6CzuEeZRuScNAjYD5mh2v6fOlSy
+nE4cNc0JJ1PsXPzfPgJ6WMp2WOoNUrQf2cm42i36Jk+7KGcosfyFMPQILZE34Geo
-b8xJWSg0AFlJPCa3ZsA2SKbNqI0uNfJTnkXRm88Z2NHcgtlADbOLKauWfCrpgsCk
+DAgCVpNWPgST4HYBUCHMC7S14LHLVdUXPsfGZPEqU5Zf9Hvy61rQC/RdNjnMI6JD
-cZgo6yAYkOM148h/8wGla1eX+iE1R72NUABGydu8MSQKvc0emWJkGsC1/KqPlf/O
+s57l9oHASNeEg55NQm01aOmwq/z1DXs3UP2nRmp6XCCfE61ghofO5dtV1j3cZ3f5
-eOUsdwn1yDKHRxDHyA==
+dzkzSBV7H6+/MD3Y8Q==</ds:X509Certificate>
-          </ds:X509Certificate>
         </ds:X509Data>
       </ds:KeyInfo>
     </md:KeyDescriptor>