maxmustermann/kibana
1
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity

Clarify the section on TLS for "Securing the reporting endpoints" (#54741)

Browse source
This commit is contained in:
Joe Portner 2020-01-14 11:38:14 -05:00 committed by GitHub
parent 569b1f6606
commit ea82503f49
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
1 changed files with 25 additions and 15 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

40
docs/user/security/reporting.asciidoc
View file

@ -125,23 +125,33 @@ the {reporting} endpoints to authorized users. This requires that you:
. Enable {security} on your {es} cluster. For more information,
see {ref}/security-getting-started.html[Getting Started with Security].
. Configure an SSL certificate for Kibana. For more information, see
<<using-kibana-with-security>>.
. Configure {watcher} to trust the Kibana server's certificate by adding it to
the {watcher} truststore on each node:
.. Import the {kib} server certificate into the {watcher} truststore using
Java Keytool:
. Configure TLS/SSL encryption for the {kib} server. For more information, see
<<configuring-tls>>.
. Specify the {kib} server's CA certificate chain in `elasticsearch.yml`:
+
[source,shell]
---------------------------------------------------------
keytool -importcert -keystore watcher-truststore.jks -file server.crt
---------------------------------------------------------
+
NOTE: If the truststore doesn't already exist, it is created.
--
If you are using your own CA to sign the {kib} server certificate, then you need
to specify the CA certificate chain in {es} to properly establish trust in TLS
connections between {watcher} and {kib}. If your CA certificate chain is
contained in a PKCS #12 trust store, specify it like so:
[source,yaml]
--------------------------------------------------------------------------------
xpack.http.ssl.truststore.path: "/path/to/your/truststore.p12"
xpack.http.ssl.truststore.type: "PKCS12"
xpack.http.ssl.truststore.password: "optional decryption password"
--------------------------------------------------------------------------------
Otherwise, if your CA certificate chain is in PEM format, specify it like so:
[source,yaml]
--------------------------------------------------------------------------------
xpack.http.ssl.certificate_authorities: ["/path/to/your/cacert1.pem", "/path/to/your/cacert2.pem"]
--------------------------------------------------------------------------------
For more information, see {ref}/notification-settings.html#ssl-notification-settings[the {watcher} HTTP TLS/SSL Settings].
--
.. Make sure the `xpack.http.ssl.truststore.path` setting in
`elasticsearch.yml` specifies the location of the {watcher}
truststore.
. Add one or more users who have the permissions
necessary to use {kib} and {reporting}. For more information, see
<<secure-reporting>>.