elastic · eedugon · Apr 2, 2025 · Mar 26, 2025 · Mar 26, 2025 · Mar 26, 2025
@@ -22,7 +22,7 @@ This section explains how to access and customize the Kubernetes services and se
 
 For advanced use cases related to exposing and accessing orchestrated applications, see:
 
-* [](/deploy-manage/security/secure-http-communications.md): Configuration options for the HTTP SSL certificates, including integration with certificate management systems such as [cert-manager](https://cert-manager.io/).
+* [](/deploy-manage/security/secure-cluster-communications.md): Configuration options for the HTTP SSL certificates, including integration with certificate management systems such as [cert-manager](https://cert-manager.io/).
 * [](./service-meshes.md): Connect ECK and your managed deployments to service mesh implementations such as [Istio](https://istio.io) and [Linkerd](https://linkerd.io).
 * [](./requests-routing-to-elasticsearch-nodes.md): Create custom services to expose different node types.
 * [Use Ingress to expose {{es}} or {{kib}}](./managing-deployments-using-helm-chart.md#k8s-eck-stack-ingress): Helm based installation also facilitates the creation of Ingress resources.

@@ -169,6 +169,6 @@ Now that you know how to use the APM keystore and customize the server configura
 
 By default the operator manages a private CA and generates a self-signed certificate used to secure the communication between APM agents and the server.
 
-This behavior and the relevant configuration is identical to what is done for Elasticsearch and Kibana. Check [Setting up your own certificate](/deploy-manage/security/secure-http-communications.md) for more information on how to use your own certificate to configure the TLS endpoint of the APM Server.
+This behavior and the relevant configuration is identical to what is done for Elasticsearch and Kibana. Check [Setting up your own certificate](/deploy-manage/security/secure-cluster-communications.md) for more information on how to use your own certificate to configure the TLS endpoint of the APM Server.
 
 For more details on how to configure the APM agents to work with custom certificates, check the [APM agents documentation](https://www.elastic.co/guide/en/apm/agent/index.html).
@@ -224,7 +224,7 @@ To deploy {{agent}} in clusters with the Pod Security Policy admission controlle
 
 ## Customize {{fleet-server}} Service [k8s-elastic-agent-fleet-configuration-customize-fleet-server-service]
 
-By default, ECK creates a Service for {{fleet-server}} that {{agents}} can connect through. You can customize it using the `http` configuration element. Check more information on how to [make changes](accessing-services.md) to the Service and [customize](/deploy-manage/security/secure-http-communications.md) the TLS configuration.
+By default, ECK creates a Service for {{fleet-server}} that {{agents}} can connect through. You can customize it using the `http` configuration element. Check more information on how to [make changes](accessing-services.md) to the Service and [customize](/deploy-manage/security/secure-cluster-communications.md) the TLS configuration.
 
 
 ## Control {{fleet}} policy selection [k8s-elastic-agent-control-fleet-policy-selection]

@@ -38,7 +38,7 @@ Before deploying and running ECK in production, review the basic and advanced se
 
 ## TLS/SSL Certificates
 
-* [Secure HTTP communications](/deploy-manage/security/secure-http-communications.md): Customize the service and TLS certificates used for transport traffic.
+* [Secure HTTP communications](/deploy-manage/security/secure-cluster-communications.md): Customize the service and TLS certificates used for transport traffic.
 * [Transport settings](../../security/k8s-transport-settings.md): Customize the service and TLS certificates used for transport traffic.
 
 ## Traffic handling

@@ -118,7 +118,7 @@
     PASSWORD=$(kubectl get secret quickstart-es-elastic-user -o go-template='{{.data.elastic | base64decode}}')
     ```
 
-2. Request the [{{es}} root API](https://www.elastic.co/docs/api/doc/elasticsearch/group/endpoint-info). You can do so from inside the Kubernetes cluster or from your local workstation. For demonstration purposes, certificate verification is disabled using the `-k` curl flag; however, this is not recommended outside of testing purposes. Refer to [Setup your own certificate](/deploy-manage/security/secure-http-communications.md#k8s-setting-up-your-own-certificate) for more information.
+2. Request the [{{es}} root API](https://www.elastic.co/docs/api/doc/elasticsearch/group/endpoint-info). You can do so from inside the Kubernetes cluster or from your local workstation. For demonstration purposes, certificate verification is disabled using the `-k` curl flag; however, this is not recommended outside of testing purposes. Refer to [Setup your own certificate](/deploy-manage/security/secure-cluster-communications.md#k8s-setting-up-your-own-certificate) for more information.
 
     * From inside the Kubernetes cluster:
 

@@ -17,17 +17,17 @@
 
 By default a `ClusterIP` [service](https://kubernetes.io/docs/concepts/services-networking/service/) is created and associated with the Elastic Maps Server deployment. If you want to expose maps externally with a [load balancer](https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer), it is recommended to include a custom DNS name or IP in the self-generated certificate.
 
-Refer to [Reserve static IP and custom domain](/deploy-manage/security/secure-http-communications.md#k8s-static-ip-custom-domain) for more details.
+Refer to [Reserve static IP and custom domain](/deploy-manage/security/secure-cluster-communications.md#k8s-static-ip-custom-domain) for more details.
 
 
 ## Provide your own certificate [k8s-maps-http-custom-tls]
 
-If you want to use your own certificate, the required configuration is identical to Elasticsearch. Check [Custom HTTP certificate](../../security/secure-http-communications.md).
+If you want to use your own certificate, the required configuration is identical to Elasticsearch. Check [Custom HTTP certificate](../../security/secure-cluster-communications.md).
 
 
 ## Disable TLS [k8s-maps-http-disable-tls]
 
-You can disable the generation of the self-signed certificate and hence disable TLS. Check [Disable TLS](/deploy-manage/security/secure-http-communications.md#k8s-disable-tls).
+You can disable the generation of the self-signed certificate and hence disable TLS. Check [Disable TLS](/deploy-manage/security/secure-cluster-communications.md#k8s-disable-tls).
 
 ### Ingress and Kibana configuration [k8s-maps-ingress]
 

@@ -12,7 +12,7 @@
 
 * [Customize the Pod configuration](#k8s-kibana-pod-configuration)
 * [Customize the product configuration](#k8s-kibana-configuration)
-* [Manage HTTP settings](/deploy-manage/security/secure-http-communications.md#k8s-kibana-http-configuration)
+* [Manage HTTP settings](/deploy-manage/security/secure-cluster-communications.md#k8s-kibana-http-configuration)
 * [Use secure settings](../../security/k8s-secure-settings.md)
 * [Install {{kib}} plugins](k8s-kibana-plugins.md)
 

@@ -22,11 +22,11 @@
     * [Scaling out a {{kib}} deployment](k8s-kibana-advanced-configuration.md#k8s-kibana-scaling)
 
 * [Secure settings](../../security/k8s-secure-settings.md#k8s-kibana-secure-settings)
-* [HTTP Configuration](/deploy-manage/security/secure-http-communications.md#k8s-kibana-http-configuration)
+* [HTTP Configuration](/deploy-manage/security/secure-cluster-communications.md#k8s-kibana-http-configuration)
 
-    * [Load balancer settings and TLS SANs](/deploy-manage/security/secure-http-communications.md#k8s-kibana-http-publish)
-    * [Provide your own certificate](/deploy-manage/security/secure-http-communications.md#k8s-kibana-http-custom-tls)
-    * [Disable TLS](/deploy-manage/security/secure-http-communications.md#k8s-kibana-http-disable-tls)
+    * [Load balancer settings and TLS SANs](/deploy-manage/security/secure-cluster-communications.md#k8s-kibana-http-publish)
+    * [Provide your own certificate](/deploy-manage/security/secure-cluster-communications.md#k8s-kibana-http-custom-tls)
+    * [Disable TLS](/deploy-manage/security/secure-cluster-communications.md#k8s-kibana-http-disable-tls)
     * [Install {{kib}} plugins](k8s-kibana-plugins.md)
 
 * [Autoscaling stateless applications](../../autoscaling/autoscaling-in-eck.md#k8s-stateless-autoscaling): Use [Horizontal Pod Autoscaler](https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/) for {{kib}} or other stateless applications.

@@ -57,7 +57,7 @@
     kubectl port-forward service/quickstart-kb-http 5601
     ```
 
-    Open `https://localhost:5601` in your browser. Your browser will show a warning because the self-signed certificate configured by default is not verified by a known certificate authority and not trusted by your browser. You can temporarily acknowledge the warning for the purposes of this quick start but it is highly recommended that you [configure valid certificates](/deploy-manage/security/secure-http-communications.md#k8s-setting-up-your-own-certificate) for any production deployments.
+    Open `https://localhost:5601` in your browser. Your browser will show a warning because the self-signed certificate configured by default is not verified by a known certificate authority and not trusted by your browser. You can temporarily acknowledge the warning for the purposes of this quick start but it is highly recommended that you [configure valid certificates](/deploy-manage/security/secure-cluster-communications.md#k8s-setting-up-your-own-certificate) for any production deployments.
 
     Login as the `elastic` user. The password can be obtained with the following command:
 

@@ -75,7 +75,7 @@ spec:
 
 ## Provide your own certificate [k8s-logstash-http-custom-tls]
 
-If you want to use your own certificate, the required configuration is similar to Elasticsearch. Configure the certificate in `api` Service. Check [Custom HTTP certificate](../../security/secure-http-communications.md).
+If you want to use your own certificate, the required configuration is similar to Elasticsearch. Configure the certificate in `api` Service. Check [Custom HTTP certificate](../../security/secure-cluster-communications.md).
 
 ```yaml
 apiVersion: logstash.k8s.elastic.co/v1alpha1

@@ -1,12 +1,12 @@
 When you start {{es}} for the first time, the following security configuration occurs automatically:
 
-* [Certificates and keys](/deploy-manage/security/security-certificates-keys.md#stack-security-certificates) for TLS are generated for the transport and HTTP layers.
+* [Certificates and keys](/deploy-manage/security/self-auto-setup.md#stack-security-certificates) for TLS are generated for the transport and HTTP layers.
 * The TLS configuration settings are written to `elasticsearch.yml`.
 * A password is generated for the `elastic` user.
 * An enrollment token is generated for {{kib}}, which is valid for 30 minutes.
 
 You can then start {{kib}} and enter the enrollment token. This token automatically applies the security settings from your {{es}} cluster, authenticates to {{es}} with the built-in `kibana` service account, and writes the security configuration to `kibana.yml`.
 
 ::::{note}
-There are [some cases](/deploy-manage/security/security-certificates-keys.md#stack-skip-auto-configuration) where security can’t be configured automatically because the node startup process detects that the node is already part of a cluster, or that security is already configured or explicitly disabled.
+There are [some cases](/deploy-manage/security/self-auto-setup.md#stack-skip-auto-configuration) where security can’t be configured automatically because the node startup process detects that the node is already part of a cluster, or that security is already configured or explicitly disabled.
 ::::
@@ -15,7 +15,7 @@
     To remotely connect to {{kib}}, set [`server.host`](kibana://reference/configuration-reference/general-settings.md#server-host) to a non-loopback address.
 
     :::{note}
-    For production deployments, you should always [secure {{kib}} with a certificate](/deploy-manage/security/secure-http-communications.md#encrypt-kibana-http) and access it over HTTPS.
+    For production deployments, you should always [secure {{kib}} with a certificate](/deploy-manage/security/secure-cluster-communications.md#encrypt-kibana-http) and access it over HTTPS.
     :::
 
 2. Log on to your account.

@@ -215,7 +215,7 @@ $$$bootstrap-checks-tls$$$
 If you enable {{es}} {{security-features}}, unless you have a trial license, you must configure SSL/TLS for internode-communication.
 
 :::{note}
-Single-node clusters that use a loopback interface do not have this requirement. For more information, see [*Start the {{stack}} with security enabled automatically*](/deploy-manage/security/security-certificates-keys.md).
+Single-node clusters that use a loopback interface do not have this requirement. For more information, see [*Start the {{stack}} with security enabled automatically*](/deploy-manage/security/self-auto-setup.md).
 :::
 
 To pass this bootstrap check, you must [set up SSL/TLS in your cluster](/deploy-manage/security/set-up-basic-security.md#encrypt-internode-communication).

@@ -34,7 +34,7 @@ If you run into any issues, refer to [Troubleshooting](/troubleshoot/elasticsear
 
 ## Establish trust with a remote cluster [remote-clusters-security-cert]
 
-To use {{ccr}} or {{ccs}} safely with remote clusters, enable security on all connected clusters and configure Transport Layer Security (TLS) on every node. Configuring TLS security on the transport interface is minimally required for remote clusters. For additional security, configure TLS on the [HTTP interface](../security/secure-http-communications.md) as well.
+To use {{ccr}} or {{ccs}} safely with remote clusters, enable security on all connected clusters and configure Transport Layer Security (TLS) on every node. Configuring TLS security on the transport interface is minimally required for remote clusters. For additional security, configure TLS on the [HTTP interface](../security/secure-cluster-communications.md) as well.
 
 All connected clusters must trust one another and be mutually authenticated with TLS on the transport interface. This means that the local cluster trusts the certificate  authority (CA) of the remote cluster, and the remote cluster trusts the CA of the local cluster. When establishing a connection, all nodes will verify certificates from nodes on the other side. This mutual trust is required to securely connect a remote cluster, because all connected nodes effectively form a single security domain.
 

@@ -77,6 +77,15 @@ deployment:
 
 You can configure the following aspects of your Elastic cluster or deployment to maintain and enhance security:
 
+### Enable and set up security
+```{applies_to}
+deployment:
+  self: all
+```
+
+:::{include} /deploy-manage/security/_snippets/enable-security.md
+:::
+
 ### Communication and network security
 
 :::{include} /deploy-manage/security/_snippets/cluster-communication-network.md

@@ -1,7 +1,7 @@
 * [Manage TLS certificates](/deploy-manage/security/secure-cluster-communications.md): TLS certificates apply security controls to network communications. Elastic uses TLS certificates to secure communications in two places:
   * **The HTTP layer**: Used for communication between your cluster or deployment and the internet.
   * **The transport layer**: Used mainly for inter-node communications, and in certain cases for cluster to cluster communication.
-  * In self-managed {{es}} clusters, you can also [Configure Kibana and Elasticsearch to use mutual TLS](/deploy-manage/security/secure-http-communications.md#elasticsearch-mutual-tls).
+  * In self-managed {{es}} clusters, you can also [Configure Kibana and Elasticsearch to use mutual TLS](/deploy-manage/security/kibana-es-mutual-tls.md).
 * [Enable cipher suites for stronger encryption](/deploy-manage/security/enabling-cipher-suites-for-stronger-encryption.md): The TLS and SSL protocols use a cipher suite that determines the strength of encryption used to protect the data. You may want to enable the use of additional cipher suites, so you can use different cipher suites for your TLS communications or communications with authentication providers.
 * [Restrict connections using traffic filtering](/deploy-manage/security/traffic-filtering.md): Traffic filtering allows you to limit how your deployments can be accessed. Add another layer of security to your installation and deployments by restricting inbound traffic to only the sources that you trust. Restrict access based on IP addresses or CIDR ranges, or secure connectivity through AWS PrivateLink, Azure Private Link, or GCP Private Service Connect.
 * [Allow or deny {{ech}} IP ranges](/deploy-manage/security/elastic-cloud-static-ips.md): {{ecloud}} publishes a list of IP addresses used by its {{ech}} services for both incoming and outgoing traffic. Users can use these lists to configure their network firewalls as needed to allow or restrict traffic related to {{ech}} services.
@@ -0,0 +1,7 @@
+{{es}} security unlocks key capabilities such as [Authentication and authorization](/deploy-manage/users-roles.md), TLS encryption, and other security-related functionality described in this section. The first step in securing your deployment is to ensure that the {{es}} security feature is enabled and properly configured.
+
+::::{note}
+Deployments managed by {{eck}}, {{ece}}, {{ech}}, and {{serverless-short}} automatically configure security by default. This includes setting the `elastic` user password, generating TLS certificates, and configuring {{kib}} to connect to {{es}} securely. Disabling security is not supported in these deployment types.
+::::
+
+For self-managed deployments, [Learn how to set up security](/deploy-manage/security/self-setup.md) using Elastic’s automatic configuration or by following the manual process.
@@ -0,0 +1,30 @@
+When you ran the `elasticsearch-certutil` tool with the `http` option to create the {{es}} certificates, it created a `/kibana` directory containing an `elasticsearch-ca.pem` file. You use this file to configure {{kib}} to trust the {{es}} CA for the HTTP layer.
+
+::::{note}
+If you obtained the {{es}} certificates using a different method, you must provide {{kib}} with the appropriate CA certificates to establish trust. This may include the root CA and one or more intermediate CAs, depending on how the certificates were issued.
+::::
+
+1. Copy the `elasticsearch-ca.pem` file to the {{kib}} configuration directory, as defined by the `$KBN_PATH_CONF` path.
+2. Open `kibana.yml` and add the following line to specify the location of the security certificate for the HTTP layer.
+
+    ```yaml
+    elasticsearch.ssl.certificateAuthorities: $KBN_PATH_CONF/elasticsearch-ca.pem
+    ```
+
+3. Add the following line to specify the HTTPS URL for your {{es}} cluster.
+
+    ```yaml
+    elasticsearch.hosts: https://<your_elasticsearch_host>:9200
+    ```
+
+4. Restart {{kib}}.
+
+:::::{admonition} Connect to a secure monitoring cluster
+If the Elastic monitoring features are enabled and you configured a separate {{es}} monitoring cluster, you can also configure {{kib}} to connect to the monitoring cluster through HTTPS. The steps are the same, but each setting is prefixed by `monitoring.ui`. For example, `monitoring.ui.elasticsearch.hosts` and `monitoring.ui.elasticsearch.ssl.certificateAuthorities`.
+
+::::{note}
+If the monitoring cluster uses certificates signed by a different CA than the main cluster, you must provide a separate `elasticsearch-ca.pem` file that corresponds to the monitoring cluster's CA.
+::::
+
+:::::
+