Item | Description |
TRANSPORT (2-way authentication is enabled by default) | |
searchguard.ssl.transport.keystore_type | Type of keystore. Possible values: JKS, PKCS12. Default value: JKS |
searchguard.ssl.transport.keystore_filepath | Location where the keystore is stored. |
searchguard.ssl.transport.keystore_alias | Keystore entry name if there is more than one entry. |
searchguard.ssl.transport.keystore_password | Password to access keystore. |
searchguard.ssl.transport.truststore_type | Type of truststore. Possible values: JKS, PKCS12. Default value: JKS |
searchguard.ssl.transport.truststore_filepath | Location where the truststore is stored. |
searchguard.ssl.transport.truststore_alias | Truststore entry name if there is more than one entry. |
searchguard.ssl.transport.truststore_password | Password to access truststore. |
searchguard.ssl.transport.enforce_hostname_verification | Specifies whether to verify host names specified in the certificate. Possible values: true, false. false: The hostname specified in the certificate is not validated. This is the default setting and is used for any general-purpose self-signed certificate. true: The hostname specified in the certificate is validated. Default value: false |
searchguard.ssl.transport.resolve_hostname | Applicable only if the above property is true. If true, the hostname is resolved against the DNS server. Set this to false for a general-purpose self-signed certificate. Possible values: true, false. Default value: true |
searchguard.ssl.transport.enable_openssl_if_available | Use OpenSSL instead of JDK SSL if it is available. Possible values: true, false. Default value: true |
HTTP | |
searchguard.ssl.http.enabled | Set this to true to enable SSL for the REST interface (HTTP). Possible values: true, false. Default value: true |
searchguard.ssl.http.keystore_type | Type of keystore. Possible values: JKS, PKCS12. Default value: JKS |
searchguard.ssl.http.keystore_filepath | Location where the keystore is stored. |
searchguard.ssl.http.keystore_alias | Keystore entry name if there is more than one entry. |
searchguard.ssl.http.keystore_password | Password to access keystore. |
searchguard.ssl.http.truststore_type | Type of truststore. Possible values: JKS, PKCS12. Default value: JKS |
searchguard.ssl.http.truststore_filepath | Location where the truststore is stored. |
searchguard.ssl.http.truststore_alias | Truststore entry name if there is more than one entry. |
searchguard.ssl.http.truststore_password | Password to access truststore. |
searchguard.ssl.http.clientauth_mode | Option to enable 2-way authentication. REQUIRE: The client certificate is required. OPTIONAL: The client certificate may be required. NONE: The client certificate is ignored even if it is available. Possible values: REQUIRE, OPTIONAL, NONE. Default value: OPTIONAL |
Search Guard Admin | |
searchguard.authcz.admin_dn | Search Guard maintains all its data in an index called searchguard. This index is accessible only to the users configured here (the client certificate is passed in the sgadmin command). |
Miscellaneous | |
searchguard.cert.oid | All certificates used by the nodes on transport level should have the oid field set to a specific value. Search Guard checks this oid value to identify whether an incoming request comes from a trusted node in the cluster. If yes, all actions are allowed. If no, privilege checks apply. The oid is also checked whenever a node wants to join the cluster. Default value: '1.2.3.4.5.5' |
Item | Description |
searchguard.ssl.transport.enabled | Indicates whether the client should use secure transport. Possible values: true, false. Default value: true |
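
The searchguard.ssl.* options in the two tables above can be checked mechanically before a node or client is started. The following is an added example, not Search Guard's own code: the function names and the sample settings are constructed for illustration, the defaults are the ones listed on this page, and only flat "key: value" lines are parsed.

```python
PREFIX = "searchguard.ssl."
DEFAULTS = {  # defaults as listed on this page (added example, not Search Guard code)
    "transport.enabled": "true",
    "transport.enforce_hostname_verification": "false",
    "transport.resolve_hostname": "true",
    "http.enabled": "true",
    "http.clientauth_mode": "OPTIONAL",
}

SAMPLE = """\
# constructed sample settings, not from a real deployment
searchguard.ssl.transport.keystore_password: "example-only"
searchguard.ssl.transport.resolve_hostname: false
searchguard.ssl.http.clientauth_mode: NONE
"""

def parse_flat_settings(text):
    """Parse flat 'key: value' lines; nested YAML and '#' inside values are out of scope."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" in line:
            key, value = line.split(":", 1)
            settings[key.strip()] = value.strip().strip("'\"")
    return settings

def audit(settings):
    """Return (setting, message) pairs for weak or ineffective values."""
    found = []
    def value(name):
        return settings.get(PREFIX + name, DEFAULTS[name]).lower()
    def flag(name, message):
        found.append((PREFIX + name, message))
    if value("transport.enabled") != "true":
        flag("transport.enabled", "client does not use secure transport")
    if value("transport.enforce_hostname_verification") != "true":
        flag("transport.enforce_hostname_verification", "certificate host names are not validated")
        if PREFIX + "transport.resolve_hostname" in settings:
            flag("transport.resolve_hostname", "ignored while hostname verification is off")
    if value("http.enabled") != "true":
        flag("http.enabled", "REST interface runs without SSL")
    if value("http.clientauth_mode") == "none":
        flag("http.clientauth_mode", "client certificates are ignored")
    found += [(k, "clear-text password; restrict read access to this file")
              for k, v in settings.items() if k.endswith("_password") and v]
    return found

if __name__ == "__main__":
    print(*audit(parse_flat_settings(SAMPLE)), sep="\n")
```

Because enforce_hostname_verification defaults to false, a file that never mentions it is still reported.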
Item | Description |
elasticsearch.username | Username to be used if basic authentication is enabled. |
elasticsearch.ssl.verify | Disable all SSL checks including the hostname and certificate validation. Set this to true for general-purpose self-signed certificates. Possible values: true, false. Default value: true |
elasticsearch.ssl.cert | Path of the client certificate to be sent to Elasticsearch. This is required if 2-way authentication is enabled. |
elasticsearch.ssl.ca | If verify is true, this denotes the path to the CA certificate which is used to sign other certificates. |
elasticsearch.password | Password to be used if basic authentication is enabled. |