Configuring the Transport Client to work with a Secured Cluster

hey there,
following this doc page I was trying to use Transport Client. ES cluster is already configured to use SSL and Basic Auth and it works properly.
I would like to give an answer to my doubt, following step #4, if I specify only

import org.elasticsearch.xpack.client.PreBuiltXPackTransportClient;

TransportClient client = new PreBuiltXPackTransportClient(Settings.builder()
        .put("", "myClusterName")
        .put("", "transport_client_user:x-pack-test-password")
        .put("", true)
        .put("", "/path/to/ca.crt")

so, what will happen if my client will provide only certificate_authorities key?

You client has 3 settings with prefix That is sufficient for TLS server authentication only. If you want TLS client authentication, your client is missing 2 more settings. TLS mutual authentication (mTLS) happens when you enable authentication both ways.

Transport mTLS settings:

  • enabled: enable or disable TLS
  • certificate_authorities & verification_mode: client settings for TLS server authentication
  • key & certificate: client settings for TLS client authentication

The certificate setting is the client cert to sent to the server, so the server can check if it came from a trusted CA. The key setting is for the client to prove it has the private key which matches the cert public key. For example, the server can send a signature challenge to the client; the client signs with the private key, and the server verifies with the cert public key.

For a complete config example of transport mTLS, it might be helpful to look at the Docker Compose example in Elasticsearch 8.0 documentation. It shows 3 nodes with these 5 settings, so they can talk over mTLS to each other.


If it helps, here is a link to the Docker Compose example in Elasticsearch 8.0 documentation:

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.