Trust management
To establish a remote connection between two remote clusters, they must both trust each other. Trust is bi-directional: if one of the clusters doesn’t trust the other, the remote connection won’t be established.
Mutual trust between two clusters is required to enable cross-cluster search and cross-cluster replication.
Trust can be configured individually for each deployment.
Default trust behavior in your environment
By default, any deployment that you or your users create trusts all other deployments in the same Elastic Cloud Enterprise environment. You can change this behavior in the Cloud UI under Platform > Trust Management, so that when a new deployment is created it does not trust any other deployment. You can choose one of the following options:
- Trust all my deployments - New deployments will by default trust any other deployment from your ECE environment (even deployments that don’t exist when the deployment is created).
- Trust no deployment - New deployments won’t trust any other deployment when they are created. (This can be changed later in the deployment trust settings.)
Note the following behaviours with this trust setting:
- Changing the trust settings affects only deployments that you create in the future. The level of trust of existing deployments is not modified by this setting.
- Deployments created before Elastic Cloud Enterprise version 2.9.0 trust only themselves. You need to update the trust setting for each deployment that you want to either use as a remote cluster or configure to work with a remote cluster.
Configuring trust with other remote environments
To configure remote clusters in other ECE environments, you first need to establish a bi-directional trust relationship between both ECE environments:
- Download the certificate and copy the environment ID from your first ECE environment under Platform > Trust Management > Trust parameters
- Create a new trust relationship in the other ECE environment under Platform > Trust Management > Trusted environments using the certificate and environment ID from the previous step
- Download the certificate and copy the environment ID from your second ECE environment and create a new trust relationship with those in the first ECE environment
Deployments in those environments can now configure trust with deployments in the other environment. Trust must always be bi-directional (the local cluster must trust the remote cluster and vice versa). It is configured on each deployment's page, under Security > Trust Management:
- Click Add trusted environment to configure trust with deployments in another ECE environment whose trust relationship has been created in the previous step.
- For each trusted ECE environment you can change the trust settings to trust all deployments, none, or just specific ones.
Update the trust settings of a deployment
To configure the trust settings for a deployment:
- Log into the Cloud UI.
- On the deployments page, select your deployment.
  Narrow the list by name, ID, or choose from several other filters. To further define the list, use a combination of filters.
- From the Security menu, open the Trust Management page.
The page shows a list of all the deployments that this deployment trusts, grouped by environment. Initially only the Local Environment appears, which represents the current ECE environment, but you can trust deployments in other ECE environments after establishing trust relationships with those ECE environments.
Choose one of the following options to configure the level of trust on each of your deployments for each environment:
- Trust all deployments - This deployment trusts all other deployments in this ECE environment, including new deployments when they are created.
- Trust no deployment - No deployment in this ECE environment is trusted.
- Specific deployments - For your local environment, see the list of available deployments to trust. For remote ECE environments, you can enter a list of Cluster IDs to trust from that ECE environment. The Cluster ID can be found in the deployment overview page under Applications.
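
The two-layer rule described above (an environment-level trust relationship on both sides, then a per-deployment trust level in each direction) can be checked offline against an inventory of settings. This Python code is an added example, not Elastic code or an ECE API; it flags pairs where trust is only one-way, so the remote connection won't be established, and deployments still set to trust all. Assumptions: the `Deployment` structure, `ENV_LINKS`, the function names, and every ID are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Deployment:
    cluster_id: str
    env_id: str
    # Hypothetical model: environment ID -> "all", "none", or a set of trusted cluster IDs.
    trust: dict = field(default_factory=dict)

def env_linked(links, a, b):
    """Same environment, or a trust relationship created on both sides."""
    return a == b or ((a, b) in links and (b, a) in links)

def trusts(src, dst, links):
    """One direction only: does `src` trust `dst`?"""
    if not env_linked(links, src.env_id, dst.env_id):
        return False
    level = src.trust.get(dst.env_id, "none")
    if level in ("all", "none"):
        return level == "all"
    return dst.cluster_id in level

def audit(deployments, links):
    """Return (mutual pairs, one-way pairs as (truster, trusted))."""
    mutual, one_way = [], []
    for i, a in enumerate(deployments):
        for b in deployments[i + 1:]:
            ab, ba = trusts(a, b, links), trusts(b, a, links)
            if ab and ba:
                mutual.append((a.cluster_id, b.cluster_id))
            elif ab:
                one_way.append((a.cluster_id, b.cluster_id))
            elif ba:
                one_way.append((b.cluster_id, a.cluster_id))
    return mutual, one_way

def trust_all(deployments):
    """Deployments that trust every deployment in some environment."""
    return [d.cluster_id for d in deployments if "all" in d.trust.values()]

# Constructed inventory: two ECE environments that have exchanged certificates.
ENV_LINKS = {("env-a", "env-b"), ("env-b", "env-a")}
INVENTORY = [
    Deployment("logs", "env-a", {"env-a": "all", "env-b": {"search"}}),
    Deployment("metrics", "env-a", {"env-a": "none"}),
    Deployment("search", "env-b", {"env-b": "none", "env-a": {"logs"}}),
    Deployment("archive", "env-b", {"env-b": "all"}),
]
if __name__ == "__main__":
    print(audit(INVENTORY, ENV_LINKS), trust_all(INVENTORY))
```
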