Add RCS Strong Verification Documentation #137822
Open
+74
−1
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
jfreden
added
>docs
elasticsearchmachine
added
Team:Docs
Collaborator
|
Pinging @elastic/es-security (Team:Security) |
Collaborator
|
Pinging @elastic/core-docs (Team:Docs) |
Contributor
🔍 Preview links for changed docs |
Contributor
ℹ️ Important: Docs version tagging👋 Thanks for updating the docs! Just a friendly reminder that our docs are now cumulative. This means all 9.x versions are documented on the same page and published off of the main branch, instead of creating separate pages for each minor version. We use applies_to tags to mark version-specific features and changes. Expand for a quick overviewWhen to use applies_to tags:✅ At the page level to indicate which products/deployments the content applies to (mandatory) What NOT to do:❌ Don't remove or replace information that applies to an older version 🤔 Need help?
|
Contributor
shainaraskas
left a comment
shainaraskas
left a comment
There was a problem hiding this comment.
a few questions and comments. overall, it would be good to understand whether these settings would apply to anything other than vanilla self-managed to vanilla self-managed connections.
cc-ing @eedugon because he's deep into this area and should probably also take a look
Comment on lines
+82
to
+84
| ::::{warning} | ||
| This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features. | ||
| :::: |
Contributor
There was a problem hiding this comment.
this is the tagging I am assuming applies given where you added the instructions in docs-content. do these settings apply if one of the clusters is ECE, ECK, or hosted?
we need to indicate what version where the settings are introduced as well. usually we'd do this at the setting level but since you have a heading here we can use that instead
we've been skipping tech preview warning notes because the preview applies tag contains the warning. this way, all you need to do is add a new lifecycle state when the feature goes GA.
Suggested change
| ::::{warning} | |
| This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features. | |
| :::: | |
| ```{applies_to} | |
| deployment: | |
| self: preview 9.3 | |
| ``` |
| This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features. | ||
| :::: | ||
|
|
||
| The following settings are used to sign and verify cross-cluster API key requests when using the [API key-based security model](docs-content://deploy-manage/remote-clusters/remote-clusters-api-key.md). These settings enable certificate-based signatures on cross-cluster requests to provide additional security by validating that requests originate from trusted clusters. |
Contributor
There was a problem hiding this comment.
I think you might want this link instead / as well as the link to the tutorial
Suggested change
| The following settings are used to sign and verify cross-cluster API key requests when using the [API key-based security model](docs-content://deploy-manage/remote-clusters/remote-clusters-api-key.md). These settings enable certificate-based signatures on cross-cluster requests to provide additional security by validating that requests originate from trusted clusters. | |
| The following settings are used to sign and verify cross-cluster API key requests when using the [API key-based security model](docs-content://deploy-manage/remote-clusters/security-models.md#api-key). These settings enable certificate-based signatures on cross-cluster requests to provide additional security by validating that requests originate from trusted clusters. |
| : ([Dynamic](docs-content://deploy-manage/stack-settings.md#dynamic-cluster-setting)) The path for the truststore that contains the certificates to trust when verifying signatures. It must be either a Java keystore (jks) or a PKCS#12 file. You cannot use this setting and `cluster.remote.signing.certificate_authorities` at the same time. | ||
|
|
||
| `cluster.remote.signing.truststore.secure_password` | ||
| : ([Secure](docs-content://deploy-manage/security/secure-settings.md)) Password for the truststore specified by `cluster.remote.signing.truststore.path`. |
Contributor
There was a problem hiding this comment.
Suggested change
| : ([Secure](docs-content://deploy-manage/security/secure-settings.md)) Password for the truststore specified by `cluster.remote.signing.truststore.path`. | |
| : ([Secure](docs-content://deploy-manage/security/secure-settings.md)) The password for the truststore specified by `cluster.remote.signing.truststore.path`. |
| : ([Secure](docs-content://deploy-manage/security/secure-settings.md)) Password for the truststore specified by `cluster.remote.signing.truststore.path`. | ||
|
|
||
| `cluster.remote.signing.truststore.algorithm` | ||
| : ([Dynamic](docs-content://deploy-manage/stack-settings.md#dynamic-cluster-setting)) The algorithm for the truststore. Defaults to the default algorithm for the Java KeyManagerFactory. |
Contributor
There was a problem hiding this comment.
would people know where this is? what options does this setting accept?
| When using PEM encoded files for signing, use the following settings: | ||
|
|
||
| `cluster.remote.<cluster_alias>.signing.key` | ||
| : ([Dynamic](docs-content://deploy-manage/stack-settings.md#dynamic-cluster-setting)) Path to a PEM encoded file containing the private key used to sign cross-cluster requests to the remote cluster. You cannot use this setting and `cluster.remote.<cluster_alias>.signing.keystore.path` at the same time. |
Contributor
There was a problem hiding this comment.
Suggested change
| : ([Dynamic](docs-content://deploy-manage/stack-settings.md#dynamic-cluster-setting)) Path to a PEM encoded file containing the private key used to sign cross-cluster requests to the remote cluster. You cannot use this setting and `cluster.remote.<cluster_alias>.signing.keystore.path` at the same time. | |
| : ([Dynamic](docs-content://deploy-manage/stack-settings.md#dynamic-cluster-setting)) The path to a PEM encoded file containing the private key used to sign cross-cluster requests to the remote cluster. You cannot use this setting and `cluster.remote.<cluster_alias>.signing.keystore.path` at the same time. |
| : ([Secure](docs-content://deploy-manage/security/secure-settings.md)) The passphrase that is used to decrypt the private key specified by `cluster.remote.<cluster_alias>.signing.key`. Since the key might not be encrypted, this value is optional. | ||
|
|
||
| `cluster.remote.<cluster_alias>.signing.certificate` | ||
| : ([Dynamic](docs-content://deploy-manage/stack-settings.md#dynamic-cluster-setting)) Specifies the path for the PEM encoded certificate (or certificate chain) that is associated with the signing key. This certificate is sent as part of the signature and must be trusted by the remote cluster's `cluster.remote.signing.certificate_authorities` or `cluster.remote.signing.truststore.path` configuration. This setting can be used only if `cluster.remote.<cluster_alias>.signing.key` is set. |
Contributor
There was a problem hiding this comment.
Suggested change
| : ([Dynamic](docs-content://deploy-manage/stack-settings.md#dynamic-cluster-setting)) Specifies the path for the PEM encoded certificate (or certificate chain) that is associated with the signing key. This certificate is sent as part of the signature and must be trusted by the remote cluster's `cluster.remote.signing.certificate_authorities` or `cluster.remote.signing.truststore.path` configuration. This setting can be used only if `cluster.remote.<cluster_alias>.signing.key` is set. | |
| : ([Dynamic](docs-content://deploy-manage/stack-settings.md#dynamic-cluster-setting)) The path for the PEM encoded certificate (or certificate chain) that is associated with the signing key. This certificate is sent as part of the signature and must be trusted by the remote cluster's `cluster.remote.signing.certificate_authorities` or `cluster.remote.signing.truststore.path` configuration. This setting can be used only if `cluster.remote.<cluster_alias>.signing.key` is set. |
| : ([Dynamic](docs-content://deploy-manage/stack-settings.md#dynamic-cluster-setting)) Path to a PEM encoded file containing the private key used to sign cross-cluster requests to the remote cluster. You cannot use this setting and `cluster.remote.<cluster_alias>.signing.keystore.path` at the same time. | ||
|
|
||
| `cluster.remote.<cluster_alias>.signing.key.secure_passphrase` | ||
| : ([Secure](docs-content://deploy-manage/security/secure-settings.md)) The passphrase that is used to decrypt the private key specified by `cluster.remote.<cluster_alias>.signing.key`. Since the key might not be encrypted, this value is optional. |
Contributor
There was a problem hiding this comment.
Suggested change
| : ([Secure](docs-content://deploy-manage/security/secure-settings.md)) The passphrase that is used to decrypt the private key specified by `cluster.remote.<cluster_alias>.signing.key`. Since the key might not be encrypted, this value is optional. | |
| : ([Secure](docs-content://deploy-manage/security/secure-settings.md)) The passphrase that is used to decrypt the private key specified by `cluster.remote.<cluster_alias>.signing.key`. Because the key might not be encrypted, this value is optional. |
| : ([Secure](docs-content://deploy-manage/security/secure-settings.md)) The passphrase that is used to decrypt the private key specified by `cluster.remote.<cluster_alias>.signing.key`. Since the key might not be encrypted, this value is optional. | ||
|
|
||
| `cluster.remote.<cluster_alias>.signing.certificate` | ||
| : ([Dynamic](docs-content://deploy-manage/stack-settings.md#dynamic-cluster-setting)) Specifies the path for the PEM encoded certificate (or certificate chain) that is associated with the signing key. This certificate is sent as part of the signature and must be trusted by the remote cluster's `cluster.remote.signing.certificate_authorities` or `cluster.remote.signing.truststore.path` configuration. This setting can be used only if `cluster.remote.<cluster_alias>.signing.key` is set. |
Contributor
There was a problem hiding this comment.
Suggested change
| : ([Dynamic](docs-content://deploy-manage/stack-settings.md#dynamic-cluster-setting)) Specifies the path for the PEM encoded certificate (or certificate chain) that is associated with the signing key. This certificate is sent as part of the signature and must be trusted by the remote cluster's `cluster.remote.signing.certificate_authorities` or `cluster.remote.signing.truststore.path` configuration. This setting can be used only if `cluster.remote.<cluster_alias>.signing.key` is set. | |
| : ([Dynamic](docs-content://deploy-manage/stack-settings.md#dynamic-cluster-setting)) The path for the PEM encoded certificate (or certificate chain) that is associated with the signing key. This certificate is sent as part of the signature and must be trusted by the remote cluster's `cluster.remote.signing.certificate_authorities` or `cluster.remote.signing.truststore.path` configuration. This setting can be used only if `cluster.remote.<cluster_alias>.signing.key` is set. |
| : ([Dynamic](docs-content://deploy-manage/stack-settings.md#dynamic-cluster-setting)) The format of the keystore file. It must be either `jks` or `PKCS12`. If the keystore path ends in ".p12", ".pfx", or ".pkcs12", this setting defaults to `PKCS12`. Otherwise, it defaults to `jks`. | ||
|
|
||
| `cluster.remote.<cluster_alias>.signing.keystore.alias` | ||
| : ([Dynamic](docs-content://deploy-manage/stack-settings.md#dynamic-cluster-setting)) Specifies the alias of the key within the keystore that should be used for signing cross-cluster requests. If the keystore contains more than one private key, this setting must be specified. |
Contributor
There was a problem hiding this comment.
Suggested change
| : ([Dynamic](docs-content://deploy-manage/stack-settings.md#dynamic-cluster-setting)) Specifies the alias of the key within the keystore that should be used for signing cross-cluster requests. If the keystore contains more than one private key, this setting must be specified. | |
| : ([Dynamic](docs-content://deploy-manage/stack-settings.md#dynamic-cluster-setting)) The alias of the key within the keystore that should be used for signing cross-cluster requests. If the keystore contains more than one private key, this setting must be specified. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This adds documentation for the RCS Strong Verification feature added in #136299, #134137, #134893, #135674 and #134604.