Enabling PKI authentication for elastic nodes

What is the use of enabling PKI for elastic nodes when SSL is already enabled?

There are 2 parts to what we refer to as "PKI authentication":

  1. Providing client certificates.
  2. Using those certificates for authentication.

Client side certificates (aka TLS mutual authentication) can be useful as a layer of security that prevents any connections from clients that do not have access to a trusted certificate. It operates at a fairly low level in the TLS stack, and some security configurations and assessments will benefit from being able to enforce that level of client trust at the connection layer.

Layering PKI authentication on top of TLS client auth removes the need to provide a username and password, as all authentication is provided by the client certificate.
If you have a setup where you are already using client certificates, and have put systems and procedures in place to lock down & manage the keys for those certificates, then it can be helpful to avoid the need to also manage a password, and simply rely on the certificate for authentication purposes.

So, in short, ES offers 3 broad options for SSL:

  1. Just perform "normal SSL" (TLS), with server certificates, but not client certificates. Anyone can connect to the HTTP port, but they need to provide a username and password in order to be able to perform any ES requests on the REST interface.
  2. Use mutual authentication TLS with server and client certificates. Only authorized clients can connect to the HTTP port, but they also need to provide a username and password to authenticate their ES requests on the REST interface.
  3. Use mutual authentication TLS and PKI authentication. Only authorized clients can connect to the HTTP port, and their certificate provides the totality of their credentials, so they do not need to provide a username and password to authenticate their ES requests on the REST interface.
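The three options above map onto a handful of `elasticsearch.yml` settings. The fragment below is an added example, not part of the reply above and not taken from Elastic's documentation; it assumes the 7.x-style realm syntax (`xpack.security.authc.realms.<type>.<name>.*`), a node certificate and key in `certs/`, and a CA certificate `certs/ca.crt` that signed both the node and the client certificates. The file paths and the realm name `pki1` are placeholders.

```yaml
# --- TLS on the HTTP (REST) port; common to all three options ---
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.certificate: certs/node.crt      # placeholder path
xpack.security.http.ssl.key: certs/node.key              # placeholder path
xpack.security.http.ssl.certificate_authorities: [ "certs/ca.crt" ]

# --- Option 1: server certificate only, no client certificates ---
# Any client may open a TLS connection; every request still needs
# username/password (or another credential such as an API key).
# xpack.security.http.ssl.client_authentication: none

# --- Option 2: mutual TLS, clients still use username/password ---
# The TLS handshake fails for any client whose certificate does not chain
# to a CA in certificate_authorities above. The certificate is only used to
# admit the connection; it says nothing about *who* the user is.
# xpack.security.http.ssl.client_authentication: required

# --- Option 3: mutual TLS plus a PKI realm ---
# Same handshake requirement as option 2, but the client certificate is
# also handed to the PKI realm, which derives the username from the
# certificate subject and so replaces the password.
xpack.security.http.ssl.client_authentication: required   # or "optional"

xpack.security.authc.realms.pki.pki1.order: 1             # realm name is a placeholder
# Regex applied to the subject DN to extract the username (CN by default).
xpack.security.authc.realms.pki.pki1.username_pattern: "CN=(.*?)(?:,|$)"
# CAs whose client certificates this realm accepts. Keep this list tight:
# every certificate chaining to one of these CAs authenticates as a user.
xpack.security.authc.realms.pki.pki1.certificate_authorities: [ "certs/ca.crt" ]
```

Two things are worth checking once the node is restarted. First, a certificate that authenticates still has no privileges until a role mapping grants some: map the client's DN (or the extracted username) to a role with `PUT /_security/role_mapping/<name>`, or with the `role_mapping.yml` file, and keep mappings as narrow as the client's job requires. Second, verify each option with `curl` using the client certificate (`--cert client.crt --key client.key --cacert certs/ca.crt`) against `https://<node>:9200/_security/_authenticate`: under option 2 the call is rejected without `-u user:password`, under option 3 it succeeds without one and the response reports the authenticating realm as `pki1` of type `pki`. Setting `client_authentication: none` disables the PKI realm in practice, because no client certificate is ever presented.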

Thanks a lot for giving me clarity on "PKI authentication".
How do I enable PKI in elastic nodes and verify it?
