Curator with Shield: How to pass credentials securely?

I'm trying to run Curator 3.5 with Shield with SSL. I'm using the following options to curator:
--certificate (pem-encoded CA)
--client-cert (public key file)
--client-key (private key file)

and then the usual options to specify the host, indices to delete, age to delete, etc.

This command fails with:

{"error":{"root_cause":[{"type":"security_exception","reason":"missing authentication token for REST request [/]","header":{"WWW-Authenticate":"Basic realm="shield""}}],"type":"security_exception","reason":"missing authentication token for REST request [/]","header":{"WWW-Authenticate":"Basic realm="shield""}},"status":401}

I've seen this before -- it wants credentials. So I add the option:
--http_auth (username):(password), and now it works.

But the only way I can make it work is to enter the password in the command, which makes me all kinds of uneasy. Is there an alternative that I'm missing?


Curator should allow certificate based authentication, rather than requiring username and password. You may need to associate a certificate with a user for this to work.

Otherwise, the soon to be released Curator v4 uses configuration files, preventing the password from being on the command line.

Thanks. Please forgive the basic question, but how would I associate a certificate with a user?

This is the Shield documentation on user PKI authentication.