hey there,
Following this doc page I was trying to use the Transport Client. The ES cluster is already configured to use SSL and Basic Auth, and it works properly.
I would like an answer to my doubt: following step #4, if I specify only
Your client has 3 settings with the prefix xpack.security.transport.ssl. That is sufficient for TLS server authentication only. If you want TLS client authentication, your client is missing 2 more settings. TLS mutual authentication (mTLS) happens when you enable authentication both ways.
Transport mTLS settings:
enabled: enable or disable TLS
certificate_authorities & verification_mode: client settings for TLS server authentication
key & certificate: client settings for TLS client authentication
The certificate setting is the client cert to send to the server, so the server can check that it came from a trusted CA. The key setting is for the client to prove it has the private key which matches the cert's public key. For example, the server can send a signature challenge to the client; the client signs it with the private key, and the server verifies the signature with the cert's public key.
For a complete config example of transport mTLS, it might be helpful to look at the Docker Compose example in Elasticsearch 8.0 documentation. It shows 3 nodes with these 5 settings, so they can talk over mTLS to each other.
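The two settings sets described in the answer above, side by side, as an added example that is not code from the original thread or from Elastic. It assumes a 7.x Transport Client with the X-Pack client plugin on the classpath, a cluster named my-cluster reachable on localhost:9300, a Basic Auth user transport_client, and PEM files under /etc/es-client/; the cluster name, user, password and paths are placeholders.

```java
import java.net.InetAddress;
import java.net.UnknownHostException;

import org.elasticsearch.client.transport.TransportClient;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.transport.TransportAddress;
import org.elasticsearch.xpack.client.PreBuiltXPackTransportClient;

/**
 * Builds Transport Client settings for the two cases discussed in the thread:
 * TLS server authentication only (3 ssl settings) and mutual TLS (5 ssl settings).
 * Cluster name, user, password and file paths are assumed placeholders.
 */
public final class TransportClientTls {

    private static final String SSL = "xpack.security.transport.ssl.";

    /** Common settings: cluster name and the Basic Auth user the cluster already requires. */
    private static Settings.Builder base() {
        return Settings.builder()
                .put("cluster.name", "my-cluster")                        // assumed cluster name
                .put("xpack.security.user", "transport_client:changeme"); // assumed user:password
    }

    /** Server authentication only: the client verifies the node's certificate against the CA. */
    public static Settings serverAuthOnly() {
        return base()
                .put(SSL + "enabled", true)
                .put(SSL + "certificate_authorities", "/etc/es-client/ca.crt") // trust anchor for node certs
                .put(SSL + "verification_mode", "full")                         // also check the node's hostname
                .build();
    }

    /** Mutual TLS: the same three settings plus the client's own private key and certificate. */
    public static Settings mutualTls() {
        return base()
                .put(SSL + "enabled", true)
                .put(SSL + "certificate_authorities", "/etc/es-client/ca.crt")
                .put(SSL + "verification_mode", "full")
                .put(SSL + "key", "/etc/es-client/client.key")         // private key: signs the handshake challenge
                .put(SSL + "certificate", "/etc/es-client/client.crt") // cert sent to the node, checked against its CA
                .build();
    }

    /** Opens a client with the given settings against the (assumed) node address. */
    public static TransportClient connect(Settings settings) throws UnknownHostException {
        return new PreBuiltXPackTransportClient(settings)
                .addTransportAddress(new TransportAddress(InetAddress.getByName("localhost"), 9300));
    }

    public static void main(String[] args) throws Exception {
        // With mTLS the node can reject a client whose cert is not issued by a CA it trusts.
        try (TransportClient client = connect(mutualTls())) {
            System.out.println("Connected nodes: " + client.connectedNodes());
        }
    }
}
```

Whether the node actually demands the client certificate is decided on the node side by xpack.security.transport.ssl.client_authentication (none, optional or required); if it is set to required and you connect with serverAuthOnly(), the handshake fails because the client sends no certificate. Note also that the Transport Client was removed in Elasticsearch 8.0, so the 8.0 Docker Compose example mentioned above is useful for the node-side settings only.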