PKI security realm lisence

Elastic Stack Elasticsearch
1

In subscription page Subscriptions | Elastic Stack Products & Support | Elastic

Stated that Encrypted communications is under basic subscription.
However when I defined pki real for client authentication, it didn't work until I enabled trial version.
Looked again on page and found Custom authentication & authorization realms is under platinum subscription.

My question is
Whether encrypted communication includes two way (mutual) authentication or not? And how I can understand that, based on which doc?

2

PKI realm is Gold+ license (look for LDAP, PKI, Active Directory authentication on the subscription page.

If all you need is two way SSL, i.e. mutual TLS or mTLS, you don't need PKI realm. mTLS is available with basic.

There are quite a few other posts that are for this topic, e.g.:

3

Ok, let me elaborate more.

I want to work with ES without providing username and password (native realm). I want my external clients to connect to ES and mutually authenticated. Moreover, user that is part of CN on the certificate should have special roles assign to it.

Maybe there are two things - authentication and authorization. Authentication indeed covered by mTLS which is under basic license however authorization (association of roles to specific user defined in CN) requires pki realm.

This is what suggested by the ikakavas on page you mentioned (Mutual tls/ssl on elasticsearch - #3 by SukeshGupta)

Is my understanding correct?

4

Yes this bit will require PKI realm.

5

And this part need Platinum subscription ???

6

No. It's Gold subscription.

Screen Shot 2021-05-19 at 10.22.13 pm
Screen Shot 2021-05-19 at 10.22.13 pm2424×394 34.5 KB

7

FWIW you get Platinum level features on our Elasticsearch Service.

8

Unfortunately PKI is not currently available on Elastic Cloud.

9

Ahh damn.

10

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.