more

Author: shainaraskas

deploy-manage/deploy/self-managed/_snippets/ca-cert.md

@@ -0,0 +1,7 @@
+If your library doesn’t support a method of validating the fingerprint, the auto-generated CA certificate is created in the following directory on each {{es}} node:
+
+```sh
+{{es-conf}}{{slash}}certs{{slash}}http_ca.crt
+```
+
+Copy the `http_ca.crt` file to your machine and configure your client to use this certificate to establish trust when it connects to {{es}}.

deploy-manage/deploy/self-managed/_snippets/ca-fingerprint.md

@@ -0,0 +1,14 @@
+Copy the fingerprint value that’s output to your terminal when {{es}} starts, and configure your client to use this fingerprint to establish trust when it connects to {{es}}.
+
+If the auto-configuration process already completed, you can still obtain the fingerprint of the security certificate by running the following command. The path is to the auto-generated CA certificate for the HTTP layer.
+
+```sh
+openssl x509 -fingerprint -sha256 -in config/certs/http_ca.crt
+```
+
+The command returns the security certificate, including the fingerprint. The `issuer` should be `{{es}} security auto-configuration HTTP CA`.
+
+```sh
+issuer= /CN={{es}} security auto-configuration HTTP CA
+SHA256 Fingerprint=<fingerprint>
+```

deploy-manage/deploy/self-managed/_snippets/check-es-running.md

@@ -1,9 +1,7 @@
-## Check that {{es}} is running [_check_that_elasticsearch_is_running_2]
-
 You can test that your {{es}} node is running by sending an HTTPS request to port `9200` on `localhost`:
 
 ```sh
-curl --cacert %ES_HOME%\config\certs\http_ca.crt -u elastic:$ELASTIC_PASSWORD https://localhost:9200 <1>
+curl --cacert {{es-conf}}{{slash}}certs{{slash}}http_ca.crt -u elastic:$ELASTIC_PASSWORD https://localhost:9200 <1>
 ```
 
 1. Ensure that you use `https` in your call, or the request will fail.`--cacert`

deploy-manage/deploy/self-managed/_snippets/connect-clients.md

@@ -1,5 +1,3 @@
-## Connect clients to {{es}} [_connect_clients_to_es_2]
-
 % This file is reused in each of the installation pages. Ensure that any changes
 % you make to this file are applicable across all installation environments.
 
@@ -11,33 +9,4 @@ When you start {{es}} for the first time, TLS is configured automatically for th
 
 The hex-encoded SHA-256 fingerprint of this certificate is also output to the terminal. Any clients that connect to {{es}}, such as the [{{es}} Clients](https://www.elastic.co/guide/en/elasticsearch/client/index.html), {{beats}}, standalone {{agent}}s, and {{ls}} must validate that they trust the certificate that {{es}} uses for HTTPS. {{fleet-server}} and {{fleet}}-managed {{agent}}s are automatically configured to trust the CA certificate. Other clients can establish trust by using either the fingerprint of the CA certificate or the CA certificate itself.
 
-If the auto-configuration process already completed, you can still obtain the fingerprint of the security certificate. You can also copy the CA certificate to your machine and configure your client to use it.
-
-
-### Use the CA fingerprint [_use_the_ca_fingerprint_2]
-
-Copy the fingerprint value that’s output to your terminal when {{es}} starts, and configure your client to use this fingerprint to establish trust when it connects to {{es}}.
-
-If the auto-configuration process already completed, you can still obtain the fingerprint of the security certificate by running the following command. The path is to the auto-generated CA certificate for the HTTP layer.
-
-```sh
-openssl x509 -fingerprint -sha256 -in config/certs/http_ca.crt
-```
-
-The command returns the security certificate, including the fingerprint. The `issuer` should be `Elasticsearch security auto-configuration HTTP CA`.
-
-```sh
-issuer= /CN=Elasticsearch security auto-configuration HTTP CA
-SHA256 Fingerprint=<fingerprint>
-```
-
-
-### Use the CA certificate [_use_the_ca_certificate_2]
-
-If your library doesn’t support a method of validating the fingerprint, the auto-generated CA certificate is created in the following directory on each {{es}} node:
-
-```sh
-{{es-conf}}{{slash}}certs{{slash}}http_ca.crt
-```
-
-Copy the `http_ca.crt` file to your machine and configure your client to use this certificate to establish trust when it connects to {{es}}.
+If the auto-configuration process already completed, you can still obtain the fingerprint of the security certificate. You can also copy the CA certificate to your machine and configure your client to use it.

deploy-manage/deploy/self-managed/_snippets/enroll-nodes.md

@@ -0,0 +1,29 @@
+When {{es}} starts for the first time, the security auto-configuration process binds the HTTP layer to `0.0.0.0`, but only binds the transport layer to localhost. This intended behavior ensures that you can start a single-node cluster with security enabled by default without any additional configuration.
+
+Before enrolling a new node, additional actions such as binding to an address other than `localhost` or satisfying bootstrap checks are typically necessary in production clusters. During that time, an auto-generated enrollment token could expire, which is why enrollment tokens aren’t generated automatically.
+
+Additionally, only nodes on the same host can join the cluster without additional configuration. If you want nodes from another host to join your cluster, you need to set `transport.host` to a [supported value](asciidocalypse://docs/elasticsearch/docs/reference/elasticsearch/configuration-reference/networking-settings.md#network-interface-values) (such as uncommenting the suggested value of `0.0.0.0`), or an IP address that’s bound to an interface where other hosts can reach it. Refer to [transport settings](asciidocalypse://docs/elasticsearch/docs/reference/elasticsearch/configuration-reference/networking-settings.md#transport-settings) for more information.
+
+To enroll new nodes in your cluster, create an enrollment token with the `elasticsearch-create-enrollment-token` tool on any existing node in your cluster. You can then start a new node with the `--enrollment-token` parameter so that it joins an existing cluster.
+
+1. In a separate terminal from where {{es}} is running, navigate to the directory where you installed {{es}} and run the [`elasticsearch-create-enrollment-token`](asciidocalypse://docs/elasticsearch/docs/reference/elasticsearch/command-line-tools/create-enrollment-token.md) tool to generate an enrollment token for your new nodes.
+
+    ```sh
+    bin{{slash}}elasticsearch-create-enrollment-token -s node
+    ```
+
+    Copy the enrollment token, which you’ll use to enroll new nodes with your {{es}} cluster.
+
+2. From the installation directory of your new node, start {{es}} and pass the enrollment token with the `--enrollment-token` parameter.
+
+    ```sh
+    bin{{slash}}elasticsearch --enrollment-token <enrollment-token>
+    ```
+
+    {{es}} automatically generates certificates and keys in the following directory:
+
+    ```sh
+    config{{slash}}certs
+    ```
+
+3. Repeat the previous step for any new nodes that you want to enroll.

deploy-manage/deploy/self-managed/_snippets/etc-elasticsearch.md

@@ -0,0 +1,23 @@
+The `/etc/elasticsearch` directory contains the default runtime configuration for {{es}}. The ownership of this directory and all contained files are set to `root:elasticsearch` on package installations.
+
+The `setgid` flag applies group permissions on the `/etc/elasticsearch` directory to ensure that {{es}} can read any contained files and subdirectories. All files and subdirectories inherit the `root:elasticsearch` ownership. Running commands from this directory or any subdirectories, such as the [elasticsearch-keystore tool](../../security/secure-settings.md), requires `root:elasticsearch` permissions.
+
+{{es}} loads its configuration from the `/etc/elasticsearch/elasticsearch.yml` file by default. The format of this config file is explained in [*Configuring {{es}}*](configure-elasticsearch.md).
+
+The {{distro}} package also has a system configuration file (`/etc/sysconfig/elasticsearch`), which allows you to set the following parameters:
+
+`ES_JAVA_HOME`
+:   Set a custom Java path to be used.
+
+`ES_PATH_CONF`
+:   Configuration file directory (which needs to include `elasticsearch.yml`, `jvm.options`, and `log4j2.properties` files); defaults to `/etc/elasticsearch`.
+
+`ES_JAVA_OPTS`
+:   Any additional JVM system properties you may want to apply.
+
+`RESTART_ON_UPGRADE`
+:   Configure restart on package upgrade, defaults to `false`. This means you will have to restart your {{es}} instance after installing a package manually. The reason for this is to ensure, that upgrades in a cluster do not result in a continuous shard reallocation resulting in high network traffic and reducing the response times of your cluster.
+
+::::{note}
+Distributions that use `systemd` require that system resource limits be configured via `systemd` rather than via the `/etc/sysconfig/elasticsearch` file. See [Systemd configuration](setting-system-settings.md#systemd) for more information.
+::::

deploy-manage/deploy/self-managed/_snippets/install-next-steps.md

@@ -1,5 +1,3 @@
-## Next steps [_next_steps_2]
-
 You now have a test {{es}} environment set up. Before you start serious development or go into production with {{es}}, you must do some additional setup:
 
 * Learn how to [configure {{es}}](configure-elasticsearch.md).

deploy-manage/deploy/self-managed/_snippets/join-existing-cluster.md

@@ -0,0 +1,18 @@
+When you install {{es}}, the installation process configures a single-node cluster by default. If you want a node to join an existing cluster instead, generate an enrollment token on an existing node *before* you start the new node for the first time.
+
+1. On any node in your existing cluster, generate a node enrollment token:
+
+    ```sh
+    /usr/share/elasticsearch/bin/elasticsearch-create-enrollment-token -s node
+    ```
+
+2. Copy the enrollment token, which is output to your terminal.
+3. On your new {{es}} node, pass the enrollment token as a parameter to the `elasticsearch-reconfigure-node` tool:
+
+    ```sh
+    /usr/share/elasticsearch/bin/elasticsearch-reconfigure-node --enrollment-token <enrollment-token>
+    ```
+
+    {{es}} is now configured to join the existing cluster.
+
+4. [Start your new node using `systemd`](#running-systemd).

deploy-manage/deploy/self-managed/_snippets/other-versions.md

@@ -0,0 +1 @@
+The latest stable version of {{es}} can be found on the [Download {{es}}](https://elastic.co/downloads/elasticsearch) page. Other versions can be found on the [Past Releases page](https://elastic.co/downloads/past-releases).

deploy-manage/deploy/self-managed/_snippets/pgp-key.md

@@ -0,0 +1,6 @@
+We sign all of our packages with the {{es}} signing key (PGP key [D88E42B4](https://pgp.mit.edu/pks/lookup?op=vindex&search=0xD27D666CD88E42B4), available from [https://pgp.mit.edu](https://pgp.mit.edu)) with fingerprint:
+
+```
+4609 5ACC 8548 582C 1A26 99A9 D27D 666C D88E 42B4
+```
+Download and install the public signing key: