Merged
Changes from 34 commits
Commits
48 commits
a4472c7
merging shaina's PR with my WIP changes
eedugon Mar 26, 2025
8f374d0
security certificates work in progress
eedugon Mar 26, 2025
0fa5251
HTTPS setup ongoing
eedugon Mar 26, 2025
e4601e1
kibana https updated
eedugon Mar 26, 2025
155e78f
syncing tabs
eedugon Mar 26, 2025
f6da69c
working in progress
eedugon Mar 26, 2025
613a131
automatic and manual configs for self-managed almost completed
eedugon Mar 27, 2025
602e280
basic and basic plus concepts refined
eedugon Mar 27, 2025
4dd4b33
TLS certificates extra landing pages added
eedugon Mar 27, 2025
6185393
redirect for self-setup.md
eedugon Mar 27, 2025
0a15585
automatic security setup file renamed to self-auto-setup.md
eedugon Mar 27, 2025
6e86fa6
final refinements before ready for review
eedugon Mar 28, 2025
f0626ec
Merge remote-tracking branch 'origin/main' into security_comms
eedugon Mar 28, 2025
36b15c7
moved tutorial
eedugon Mar 28, 2025
d3ba8d5
fixing some links
eedugon Mar 28, 2025
d820457
Apply suggestions from code review
eedugon Mar 29, 2025
fc987ad
deploy guides updated
eedugon Mar 31, 2025
ea7867b
changes per review comments
eedugon Mar 31, 2025
7a7241d
removing badge in section
eedugon Mar 31, 2025
c4fa413
fixing various links
eedugon Mar 31, 2025
d2b767a
Merge remote-tracking branch 'origin/main' into security_comms
eedugon Mar 31, 2025
44ed1bf
kibana security doc reduced. finding home
eedugon Mar 31, 2025
8183345
comparison table updated
eedugon Mar 31, 2025
bd3cb74
getting closer
eedugon Mar 31, 2025
87f634b
Update deploy-manage/security/self-setup.md
eedugon Apr 1, 2025
6833ffc
refinement completed
eedugon Apr 1, 2025
e634418
merging main without redirects
eedugon Apr 1, 2025
1fe942a
new redirects.yml added
eedugon Apr 1, 2025
3e9cf0a
Merge branch 'main' into security_comms
shainaraskas Apr 1, 2025
f82bfbd
Apply suggestions from code review
eedugon Apr 1, 2025
d0b5df0
review in progress
eedugon Apr 1, 2025
2703f92
Apply suggestions from code review
eedugon Apr 1, 2025
23a9ae2
Update deploy-manage/security/_snippets/cluster-comparison.md
eedugon Apr 1, 2025
7da7542
Update deploy-manage/security/_snippets/cluster-comparison.md
eedugon Apr 1, 2025
beca853
working on reviews
eedugon Apr 1, 2025
8da916c
working on reviews
eedugon Apr 1, 2025
091d773
working on reviews
eedugon Apr 1, 2025
8c87940
working on reviews
eedugon Apr 1, 2025
b9c7373
working on reviews
eedugon Apr 1, 2025
9108fb2
working on reviews
eedugon Apr 1, 2025
3b7e16f
applies_to and substitutions fixed
eedugon Apr 1, 2025
8044f47
Update deploy-manage/security/set-up-basic-security-plus-https.md
eedugon Apr 1, 2025
6bacccb
Update deploy-manage/security/set-up-basic-security-plus-https.md
eedugon Apr 1, 2025
5da9e04
Merge branch 'main' into security_comms
eedugon Apr 1, 2025
dc296f1
install stack demo secure moved to raw content
eedugon Apr 2, 2025
9a69bec
removed empty line
eedugon Apr 2, 2025
db53e13
Merge branch 'main' into security_comms
eedugon Apr 2, 2025
4a31e1d
final refinement
eedugon Apr 2, 2025
2 changes: 1 addition & 1 deletion deploy-manage/deploy/cloud-on-k8s/accessing-services.md
Expand Up @@ -22,7 +22,7 @@ This section explains how to access and customize the Kubernetes services and se

For advanced use cases related to exposing and accessing orchestrated applications, see:

* [](/deploy-manage/security/secure-http-communications.md): Configuration options for the HTTP SSL certificates, including integration with certificate management systems such as [cert-manager](https://cert-manager.io/).
* [](/deploy-manage/security/secure-cluster-communications.md): Configuration options for the HTTP SSL certificates, including integration with certificate management systems such as [cert-manager](https://cert-manager.io/).
* [](./service-meshes.md): Connect ECK and your managed deployments to service mesh implementations such as [Istio](https://istio.io) and [Linkerd](https://linkerd.io).
* [](./requests-routing-to-elasticsearch-nodes.md): Create custom services to expose different node types.
* [Use Ingress to expose {{es}} or {{kib}}](./managing-deployments-using-helm-chart.md#k8s-eck-stack-ingress): Helm based installation also facilitates the creation of Ingress resources.
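Review bot: the retargeted link on the first bullet is inconsistent with the rest of this PR. The bullet text still describes HTTP SSL certificate options for ECK, including cert-manager integration, but the new target `/deploy-manage/security/secure-cluster-communications.md` is the generic landing page, while the equivalent ECK HTTP references elsewhere in this PR (the quickstart and `http-configuration.md` hunks) go to `/deploy-manage/security/k8s-https-settings.md`. Either point this bullet at `k8s-https-settings.md` or rewrite the bullet text so it describes what the landing page actually covers.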
Expand Up @@ -169,6 +169,6 @@ Now that you know how to use the APM keystore and customize the server configura

By default the operator manages a private CA and generates a self-signed certificate used to secure the communication between APM agents and the server.

This behavior and the relevant configuration is identical to what is done for Elasticsearch and Kibana. Check [Setting up your own certificate](/deploy-manage/security/secure-http-communications.md) for more information on how to use your own certificate to configure the TLS endpoint of the APM Server.
This behavior and the relevant configuration is identical to what is done for Elasticsearch and Kibana. Check [Setting up your own certificate](/deploy-manage/security/secure-cluster-communications.md) for more information on how to use your own certificate to configure the TLS endpoint of the APM Server.

For more details on how to configure the APM agents to work with custom certificates, check the [APM agents documentation](https://www.elastic.co/guide/en/apm/agent/index.html).
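Review bot: the link text "Setting up your own certificate" no longer matches its target. The sentence promises instructions for using your own certificate on the APM Server TLS endpoint, but `secure-cluster-communications.md` is the overview page. Other hunks in this PR resolve the same link text to `/deploy-manage/security/k8s-https-settings.md#k8s-setting-up-your-own-certificate`; use that anchor here as well.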
2 changes: 1 addition & 1 deletion deploy-manage/deploy/cloud-on-k8s/configuration-fleet.md
Expand Up @@ -224,7 +224,7 @@ To deploy {{agent}} in clusters with the Pod Security Policy admission controlle

## Customize {{fleet-server}} Service [k8s-elastic-agent-fleet-configuration-customize-fleet-server-service]

By default, ECK creates a Service for {{fleet-server}} that {{agents}} can connect through. You can customize it using the `http` configuration element. Check more information on how to [make changes](accessing-services.md) to the Service and [customize](/deploy-manage/security/secure-http-communications.md) the TLS configuration.
By default, ECK creates a Service for {{fleet-server}} that {{agents}} can connect through. You can customize it using the `http` configuration element. Check more information on how to [make changes](accessing-services.md) to the Service and [customize](/deploy-manage/security/secure-cluster-communications.md) the TLS configuration.


## Control {{fleet}} policy selection [k8s-elastic-agent-control-fleet-policy-selection]
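Review bot: same retargeting mismatch as in `accessing-services.md`. The "[customize](...) the TLS configuration" link for the {{fleet-server}} Service should land on the ECK HTTP settings page, `/deploy-manage/security/k8s-https-settings.md`, which is where this PR sends the other ECK `http` configuration links, rather than on the `secure-cluster-communications.md` landing page.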
Expand Up @@ -38,7 +38,7 @@ Before deploying and running ECK in production, review the basic and advanced se

## TLS/SSL Certificates

* [Secure HTTP communications](/deploy-manage/security/secure-http-communications.md): Customize the service and TLS certificates used for transport traffic.
* [Secure HTTP communications](/deploy-manage/security/secure-cluster-communications.md): Customize the service and TLS certificates used for transport traffic.
* [Transport settings](../../security/k8s-transport-settings.md): Customize the service and TLS certificates used for transport traffic.

## Traffic handling
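Review bot: the description on the "Secure HTTP communications" bullet is wrong and is a copy of the "Transport settings" bullet below it: it says "used for transport traffic" although the link is about the HTTP layer. Change it to describe the HTTP service and certificates. Also, with the new target `secure-cluster-communications.md` this bullet points at the generic landing page while the neighbouring "Transport settings" bullet points at the ECK-specific `k8s-transport-settings.md`; the ECK-specific HTTP counterpart used elsewhere in this PR is `k8s-https-settings.md`.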
Expand Up @@ -118,7 +118,7 @@ In order to make requests to the [{{es}} API](elasticsearch://reference/elastics
PASSWORD=$(kubectl get secret quickstart-es-elastic-user -o go-template='{{.data.elastic | base64decode}}')
```

2. Request the [{{es}} root API](https://www.elastic.co/docs/api/doc/elasticsearch/group/endpoint-info). You can do so from inside the Kubernetes cluster or from your local workstation. For demonstration purposes, certificate verification is disabled using the `-k` curl flag; however, this is not recommended outside of testing purposes. Refer to [Setup your own certificate](/deploy-manage/security/secure-http-communications.md#k8s-setting-up-your-own-certificate) for more information.
2. Request the [{{es}} root API](https://www.elastic.co/docs/api/doc/elasticsearch/group/endpoint-info). You can do so from inside the Kubernetes cluster or from your local workstation. For demonstration purposes, certificate verification is disabled using the `-k` curl flag; however, this is not recommended outside of testing purposes. Refer to [Setup your own certificate](/deploy-manage/security/k8s-https-settings.md#k8s-setting-up-your-own-certificate) for more information.

* From inside the Kubernetes cluster:

8 changes: 4 additions & 4 deletions deploy-manage/deploy/cloud-on-k8s/http-configuration.md
Expand Up @@ -6,7 +6,7 @@ mapped_pages:
- https://www.elastic.co/guide/en/cloud-on-k8s/current/k8s-maps-http-configuration.html
---

# HTTP configuration [k8s-maps-http-configuration]
# Elastic Maps HTTP configuration [k8s-maps-http-configuration]

::::{warning}
This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.
Expand All @@ -17,17 +17,17 @@ This functionality is in technical preview and may be changed or removed in a fu

By default a `ClusterIP` [service](https://kubernetes.io/docs/concepts/services-networking/service/) is created and associated with the Elastic Maps Server deployment. If you want to expose maps externally with a [load balancer](https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer), it is recommended to include a custom DNS name or IP in the self-generated certificate.

Refer to [Reserve static IP and custom domain](/deploy-manage/security/secure-http-communications.md#k8s-static-ip-custom-domain) for more details.
Refer to [Reserve static IP and custom domain](/deploy-manage/security/k8s-https-settings.md#k8s-static-ip-custom-domain) for more details.


## Provide your own certificate [k8s-maps-http-custom-tls]

If you want to use your own certificate, the required configuration is identical to Elasticsearch. Check [Custom HTTP certificate](../../security/secure-http-communications.md).
If you want to use your own certificate, the required configuration is identical to Elasticsearch. Check [Custom HTTP certificate](/deploy-manage/security/k8s-https-settings.md#k8s-setting-up-your-own-certificate).


## Disable TLS [k8s-maps-http-disable-tls]

You can disable the generation of the self-signed certificate and hence disable TLS. Check [Disable TLS](/deploy-manage/security/secure-http-communications.md#k8s-disable-tls).
You can disable the generation of the self-signed certificate and hence disable TLS. Check [Disable TLS](/deploy-manage/security/k8s-https-settings.md#k8s-disable-tls).

### Ingress and Kibana configuration [k8s-maps-ingress]

Expand Up @@ -12,7 +12,7 @@ If you already looked at the [Elasticsearch on ECK](elasticsearch-configuration.

* [Customize the Pod configuration](#k8s-kibana-pod-configuration)
* [Customize the product configuration](#k8s-kibana-configuration)
* [Manage HTTP settings](/deploy-manage/security/secure-http-communications.md#k8s-kibana-http-configuration)
* [Manage HTTP settings](/deploy-manage/security/k8s-https-settings.md#k8s-kibana-http-configuration)
* [Use secure settings](../../security/k8s-secure-settings.md)
* [Install {{kib}} plugins](k8s-kibana-plugins.md)

8 changes: 4 additions & 4 deletions deploy-manage/deploy/cloud-on-k8s/kibana-configuration.md
Expand Up @@ -22,11 +22,11 @@ The following sections describe how to customize a {{kib}} deployment to suit yo
* [Scaling out a {{kib}} deployment](k8s-kibana-advanced-configuration.md#k8s-kibana-scaling)

* [Secure settings](../../security/k8s-secure-settings.md#k8s-kibana-secure-settings)
* [HTTP Configuration](/deploy-manage/security/secure-http-communications.md#k8s-kibana-http-configuration)
* [HTTP Configuration](/deploy-manage/security/k8s-https-settings.md#k8s-kibana-http-configuration)

* [Load balancer settings and TLS SANs](/deploy-manage/security/secure-http-communications.md#k8s-kibana-http-publish)
* [Provide your own certificate](/deploy-manage/security/secure-http-communications.md#k8s-kibana-http-custom-tls)
* [Disable TLS](/deploy-manage/security/secure-http-communications.md#k8s-kibana-http-disable-tls)
* [Load balancer settings and TLS SANs](/deploy-manage/security/k8s-https-settings.md#k8s-kibana-http-publish)
* [Provide your own certificate](/deploy-manage/security/k8s-https-settings.md#k8s-kibana-http-custom-tls)
* [Disable TLS](/deploy-manage/security/k8s-https-settings.md#k8s-disable-tls)
* [Install {{kib}} plugins](k8s-kibana-plugins.md)

* [Autoscaling stateless applications](../../autoscaling/autoscaling-in-eck.md#k8s-stateless-autoscaling): Use [Horizontal Pod Autoscaler](https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/) for {{kib}} or other stateless applications.
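Review bot: the "Disable TLS" anchor changed from the {{kib}}-specific `#k8s-kibana-http-disable-tls` to the generic `#k8s-disable-tls`, whereas the two sibling bullets keep their {{kib}}-specific anchors (`#k8s-kibana-http-publish`, `#k8s-kibana-http-custom-tls`). `#k8s-disable-tls` is the same anchor the Elastic Maps page in this PR uses for the {{es}}-style disable-TLS section. If `k8s-https-settings.md` still has a separate {{kib}} disable-TLS section, this link now jumps to the wrong one; if that section was merged away, the change is fine but the other two bullets should be checked for the same reason.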
Expand Up @@ -57,7 +57,7 @@ To deploy a simple [{{kib}}](/get-started/the-stack.md#stack-components-kibana)
kubectl port-forward service/quickstart-kb-http 5601
```

Open `https://localhost:5601` in your browser. Your browser will show a warning because the self-signed certificate configured by default is not verified by a known certificate authority and not trusted by your browser. You can temporarily acknowledge the warning for the purposes of this quick start but it is highly recommended that you [configure valid certificates](/deploy-manage/security/secure-http-communications.md#k8s-setting-up-your-own-certificate) for any production deployments.
Open `https://localhost:5601` in your browser. Your browser will show a warning because the self-signed certificate configured by default is not verified by a known certificate authority and not trusted by your browser. You can temporarily acknowledge the warning for the purposes of this quick start but it is highly recommended that you [configure valid certificates](/deploy-manage/security/k8s-https-settings.md#k8s-setting-up-your-own-certificate) for any production deployments.

Login as the `elastic` user. The password can be obtained with the following command:

Expand Up @@ -75,7 +75,7 @@ spec:

## Provide your own certificate [k8s-logstash-http-custom-tls]

If you want to use your own certificate, the required configuration is similar to Elasticsearch. Configure the certificate in `api` Service. Check [Custom HTTP certificate](../../security/secure-http-communications.md).
If you want to use your own certificate, the required configuration is similar to Elasticsearch. Configure the certificate in `api` Service. Check [Custom HTTP certificate](../../security/secure-cluster-communications.md).

```yaml
apiVersion: logstash.k8s.elastic.co/v1alpha1
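Review bot: this hunk keeps a relative path (`../../security/secure-cluster-communications.md`) while the rest of the PR converts cross-section links to absolute `/deploy-manage/...` paths, and the link text "Custom HTTP certificate" resolves to the landing page here but to `/deploy-manage/security/k8s-https-settings.md#k8s-setting-up-your-own-certificate` in `http-configuration.md`. Use the same absolute anchor in both places so the Logstash `api` Service instructions land on the ECK custom-certificate section.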
@@ -1,12 +1,12 @@
When you start {{es}} for the first time, the following security configuration occurs automatically:
When you start {{es}} for the first time, it automatically performs the following security setup:

* [Certificates and keys](/deploy-manage/security/security-certificates-keys.md#stack-security-certificates) for TLS are generated for the transport and HTTP layers.
* The TLS configuration settings are written to `elasticsearch.yml`.
* A password is generated for the `elastic` user.
* An enrollment token is generated for {{kib}}, which is valid for 30 minutes.
* Generates [TLS certificates](#stack-security-certificates) for the [transport and HTTP layers](/deploy-manage/security/secure-cluster-communications.md#communication-channels)
* Applies TLS configuration settings to `elasticsearch.yml`
* Sets a password for the `elastic` superuser
* Creates an enrollment token to securely connect {{kib}} to {{es}}

You can then start {{kib}} and enter the enrollment token. This token automatically applies the security settings from your {{es}} cluster, authenticates to {{es}} with the built-in `kibana` service account, and writes the security configuration to `kibana.yml`.
You can then start {{kib}} and enter the enrollment token, which is valid for 30 minutes. This token automatically applies the security settings from your {{es}} cluster, authenticates to {{es}} with the built-in `kibana` service account, and writes the security configuration to `kibana.yml`.

::::{note}
There are [some cases](/deploy-manage/security/security-certificates-keys.md#stack-skip-auto-configuration) where security can’t be configured automatically because the node startup process detects that the node is already part of a cluster, or that security is already configured or explicitly disabled.
There are [some cases](/deploy-manage/security/self-auto-setup.md#stack-skip-auto-configuration) where security can’t be configured automatically because the node startup process detects that the node is already part of a cluster, or that security is already configured or explicitly disabled.
::::
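Review bot: the new `[TLS certificates](#stack-security-certificates)` link is a page-local anchor inside a shared snippet, so it only resolves on pages that define a `[stack-security-certificates]` heading. This PR adds that ID to the zip, Debian and RPM install pages, but any other page that includes this snippet needs the same heading or the link is dead; the previous link to `security-certificates-keys.md` had no such dependency. Also, the rewritten bullets drop the terminal periods that the old list and the surrounding prose use; either style works, but keep it consistent within the snippet.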
2 changes: 1 addition & 1 deletion deploy-manage/deploy/self-managed/access-kibana.md
Expand Up @@ -15,7 +15,7 @@ Access {{kib}} through the web application on port 5601.
To remotely connect to {{kib}}, set [`server.host`](kibana://reference/configuration-reference/general-settings.md#server-host) to a non-loopback address.

:::{note}
For production deployments, you should always [secure {{kib}} with a certificate](/deploy-manage/security/secure-http-communications.md#encrypt-kibana-http) and access it over HTTPS.
For production deployments, you should always [secure {{kib}} with a certificate](/deploy-manage/security/set-up-basic-security-plus-https.md#encrypt-kibana-http) and access it over HTTPS.
:::

2. Log on to your account.
2 changes: 1 addition & 1 deletion deploy-manage/deploy/self-managed/bootstrap-checks.md
Expand Up @@ -215,7 +215,7 @@ $$$bootstrap-checks-tls$$$
If you enable {{es}} {{security-features}}, unless you have a trial license, you must configure SSL/TLS for internode-communication.

:::{note}
Single-node clusters that use a loopback interface do not have this requirement. For more information, see [*Start the {{stack}} with security enabled automatically*](/deploy-manage/security/security-certificates-keys.md).
Single-node clusters that use a loopback interface do not have this requirement. For more information, see [*Start the {{stack}} with security enabled automatically*](/deploy-manage/security/self-auto-setup.md).
:::

To pass this bootstrap check, you must [set up SSL/TLS in your cluster](/deploy-manage/security/set-up-basic-security.md#encrypt-internode-communication).
Expand Up @@ -158,7 +158,7 @@ This is convenient because you don’t have to create any directories to start u
| plugins | Plugin files location. Each plugin will be contained in a subdirectory. | `$ES_HOME/plugins` | |
| repo | Shared file system repository locations. Can hold multiple locations. A file system repository can be placed in to any subdirectory of any directory specified here. | Not configured | [`path.repo`](/deploy-manage/tools/snapshot-and-restore/shared-file-system-repository.md) |

### Security certificates and keys [security_certificates_and_keys]
### Security certificates and keys [stack-security-certificates]

:::{include} _snippets/security-files.md
:::
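Review bot: replacing the auto-generated heading ID `security_certificates_and_keys` with the explicit `stack-security-certificates` (and `_security_certificates_and_keys` in the Debian and RPM hunks below) breaks any existing inbound links to the old anchors. The commit history shows a `redirects.yml` being added, but anchor renames are not the same as page moves; grep the repo for both old IDs before merging and fix or redirect whatever still points at them.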
Expand Up @@ -183,7 +183,7 @@ The Debian package places config files, logs, and the data directory in the appr
| plugins | Plugin files location. Each plugin will be contained in a subdirectory. | `/usr/share/elasticsearch/plugins` | |
| repo | Shared file system repository locations. Can hold multiple locations. A file system repository can be placed in to any subdirectory of any directory specified here. | Not configured | [`path.repo`](/deploy-manage/tools/snapshot-and-restore/shared-file-system-repository.md) |

### Security certificates and keys [_security_certificates_and_keys]
### Security certificates and keys [stack-security-certificates]

:::{include} _snippets/security-files.md
:::
Expand Up @@ -174,7 +174,7 @@ The RPM places config files, logs, and the data directory in the appropriate loc
| plugins | Plugin files location. Each plugin will be contained in a subdirectory. | `/usr/share/elasticsearch/plugins` | |
| repo | Shared file system repository locations. Can hold multiple locations. A file system repository can be placed in to any subdirectory of any directory specified here. | Not configured | [`path.repo`](/deploy-manage/tools/snapshot-and-restore/shared-file-system-repository.md) |

### Security certificates and keys [_security_certificates_and_keys]
### Security certificates and keys [stack-security-certificates]

:::{include} _snippets/security-files.md
:::
2 changes: 1 addition & 1 deletion deploy-manage/remote-clusters/remote-clusters-cert.md
Expand Up @@ -34,7 +34,7 @@ If you run into any issues, refer to [Troubleshooting](/troubleshoot/elasticsear

## Establish trust with a remote cluster [remote-clusters-security-cert]

To use {{ccr}} or {{ccs}} safely with remote clusters, enable security on all connected clusters and configure Transport Layer Security (TLS) on every node. Configuring TLS security on the transport interface is minimally required for remote clusters. For additional security, configure TLS on the [HTTP interface](../security/secure-http-communications.md) as well.
To use {{ccr}} or {{ccs}} safely with remote clusters, enable security on all connected clusters and configure Transport Layer Security (TLS) on every node. Configuring TLS security on the transport interface is minimally required for remote clusters. For additional security, configure TLS on the [HTTP interface](../security/secure-cluster-communications.md) as well.

All connected clusters must trust one another and be mutually authenticated with TLS on the transport interface. This means that the local cluster trusts the certificate authority (CA) of the remote cluster, and the remote cluster trusts the CA of the local cluster. When establishing a connection, all nodes will verify certificates from nodes on the other side. This mutual trust is required to securely connect a remote cluster, because all connected nodes effectively form a single security domain.

5 changes: 5 additions & 0 deletions deploy-manage/security.md
Expand Up @@ -77,6 +77,11 @@ deployment:
You can configure the following aspects of your Elastic cluster or deployment to maintain and enhance security:
### Initial security setup
:::{include} /deploy-manage/security/_snippets/enable-security.md
:::
### Communication and network security
:::{include} /deploy-manage/security/_snippets/cluster-communication-network.md
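Review bot: the two new `###` headings and their `:::{include}` directives are added with no blank lines between the preceding sentence, the heading, the directive and the next heading. The other files in this PR (for example `http-configuration.md`) separate headings and directive blocks with blank lines; add them here for consistency and so the directive fences are not run together with the heading text.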