ssl-settings.asciidoc


{component} TLS/SSL Settings

You can configure the following TLS/SSL settings. If the settings are not configured, the {ref}/security-settings.html#ssl-tls-settings[Default TLS/SSL Settings] are used.

{ssl-prefix}.ssl.supported_protocols

Supported protocols with versions. Valid protocols: SSLv2Hello, SSLv3, TLSv1, TLSv1.1, TLSv1.2. Defaults to the value of xpack.ssl.supported_protocols, which in turn defaults to TLSv1.2, TLSv1.1, TLSv1.

{ssl-prefix}.ssl.cipher_suites

Supported cipher suites can be found in Oracle’s Java Cryptography Architecture documentation. Defaults to the value of xpack.ssl.cipher_suites.

{component} TLS/SSL Key and Trusted Certificate Settings

The following settings are used to specify a private key, certificate, and the trusted certificates that should be used when communicating over an SSL/TLS connection. A private key and certificate are optional and would be used if the server requires client authentication for PKI authentication. If none of the settings below are specified, the {ref}/security-settings.html#ssl-tls-settings[Default TLS/SSL Settings] are used.

PEM Encoded Files

When using PEM encoded files, use the following settings:

{ssl-prefix}.ssl.key

Path to a PEM encoded file containing the private key.

{ssl-prefix}.ssl.key_passphrase

The passphrase that is used to decrypt the private key. This value is optional as the key might not be encrypted.

{ssl-prefix}.ssl.secure_key_passphrase (Secure)

The passphrase that is used to decrypt the private key. This value is optional as the key might not be encrypted.

{ssl-prefix}.ssl.certificate

Path to a PEM encoded file containing the certificate (or certificate chain) that will be presented when requested.

{ssl-prefix}.ssl.certificate_authorities

List of paths to the PEM encoded certificate files that should be trusted.

Java Keystore Files

When using Java keystore files (JKS), which contain the private key, certificate and certificates that should be trusted, use the following settings:

{ssl-prefix}.ssl.keystore.path

Path to the keystore that holds the private key and certificate.

{ssl-prefix}.ssl.keystore.password

Password to the keystore.

{ssl-prefix}.ssl.keystore.secure_password (Secure)

Password to the keystore.

{ssl-prefix}.ssl.keystore.key_password

Password for the private key in the keystore. Defaults to the same value as {ssl-prefix}.ssl.keystore.password.

{ssl-prefix}.ssl.keystore.secure_key_password (Secure)

Password for the private key in the keystore.

{ssl-prefix}.ssl.truststore.path

Path to the truststore file.

{ssl-prefix}.ssl.truststore.password

Password to the truststore.

{ssl-prefix}.ssl.truststore.secure_password (Secure)

Password to the truststore.

PKCS#12 Files

{security} can be configured to use PKCS#12 container files (.p12 or .pfx files) that contain the private key, certificate and certificates that should be trusted.

PKCS#12 files are configured in the same way as Java Keystore Files:

{ssl-prefix}.ssl.keystore.path

Path to the PKCS#12 file that holds the private key and certificate.

{ssl-prefix}.ssl.keystore.type

Set this to PKCS12 to indicate that the keystore is a PKCS#12 file.

{ssl-prefix}.ssl.keystore.password

Password to the PKCS#12 file.

{ssl-prefix}.ssl.keystore.secure_password (Secure)

Password to the PKCS#12 file.

{ssl-prefix}.ssl.keystore.key_password

Password for the private key stored in the PKCS#12 file. Defaults to the same value as {ssl-prefix}.ssl.keystore.password.

{ssl-prefix}.ssl.keystore.secure_key_password (Secure)

Password for the private key stored in the PKCS#12 file.

{ssl-prefix}.ssl.truststore.path

Path to the PKCS#12 file that holds the certificates to be trusted.

{ssl-prefix}.ssl.truststore.type

Set this to PKCS12 to indicate that the truststore is a PKCS#12 file.

{ssl-prefix}.ssl.truststore.password

Password to the PKCS#12 file.

{ssl-prefix}.ssl.truststore.secure_password (Secure)

Password to the PKCS#12 file.
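
The following Python sketch is an added example, not part of the original documentation or the project's code. It audits a flat settings map for three things this page documents: the supported_protocols fallback chain, plain-text password settings that have a (Secure) counterpart, and PKCS#12 paths without the matching type setting. The prefix `xpack.example` is a constructed stand-in for {ssl-prefix}, and the function name and sample values are assumptions.

```python
# Added example: audit a flat settings map against the options documented above.
# PREFIX is a constructed stand-in for {ssl-prefix}; all sample values are constructed.
PREFIX = "xpack.example"

# Page default used when neither the component nor xpack.ssl sets the protocols.
DEFAULT_PROTOCOLS = ["TLSv1.2", "TLSv1.1", "TLSv1"]
# Obsolete names from the page's list: SSLv3 (RFC 7568), TLSv1 and TLSv1.1
# (RFC 8996); SSLv2Hello only permits the legacy SSLv2-format hello.
WEAK_PROTOCOLS = {"SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1"}

# Plain-text setting -> its "(Secure)" counterpart, as listed on the page.
SECURE_VARIANT = {
    "ssl.key_passphrase": "ssl.secure_key_passphrase",
    "ssl.keystore.password": "ssl.keystore.secure_password",
    "ssl.keystore.key_password": "ssl.keystore.secure_key_password",
    "ssl.truststore.password": "ssl.truststore.secure_password",
}

def audit_ssl_settings(settings, prefix=PREFIX):
    """Return sorted findings for one component's <prefix>.ssl.* settings."""
    ssl = {k[len(prefix) + 1:]: v for k, v in settings.items()
           if k.startswith(prefix + ".ssl.")}
    # Resolve the protocol list through the documented fallback chain.
    protocols = ssl.get("ssl.supported_protocols") or settings.get(
        "xpack.ssl.supported_protocols", DEFAULT_PROTOCOLS)
    findings = [f"weak protocol enabled: {p}" for p in protocols
                if p in WEAK_PROTOCOLS]
    for plain, secure in SECURE_VARIANT.items():
        if plain in ssl:
            findings.append(f"{plain} is set in plain text; prefer {secure}")
    # .p12/.pfx containers need the matching type setting set to PKCS12.
    for store in ("keystore", "truststore"):
        path = ssl.get(f"ssl.{store}.path", "")
        if path.lower().endswith((".p12", ".pfx")) and ssl.get(f"ssl.{store}.type") != "PKCS12":
            findings.append(f"ssl.{store}.type is not PKCS12 for {path}")
    return sorted(findings)

# Constructed sample configuration (not taken from the page).
SAMPLE = {
    "xpack.example.ssl.supported_protocols": ["TLSv1.2", "SSLv3"],
    "xpack.example.ssl.keystore.path": "certs/node.p12",
    "xpack.example.ssl.keystore.password": "changeme",
    "xpack.example.ssl.truststore.path": "certs/ca.p12",
    "xpack.example.ssl.truststore.type": "PKCS12",
}

if __name__ == "__main__":
    for finding in audit_ssl_settings(SAMPLE):
        print(finding)
```

With no protocol setting at either level, the audit evaluates the page's default list, so TLSv1 and TLSv1.1 are reported until supported_protocols is narrowed explicitly.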