--
You received this message because you are subscribed to a topic in the Google Groups "Search Guard" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/search-guard/surZWa04Cc0/unsubscribe.
To unsubscribe from this group and all its topics, send an email to search-guard+unsubscribe@googlegroups.com.
To post to this group, send email to search...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/f16055b7-0b8a-4dcc-816e-34724c5e4751%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
hi Jochen, thanks for the reply.Any idea is there anything similar to IPFiltering which is available in shield ? If no, what can we do to blacklist/whitelist certain ipaddresses using Search Guard
On Sun, Dec 18, 2016 at 1:25 AM, Jochen Kressin <jkre...@floragunn.com> wrote:
A node can only join a cluster if- the node has a TLS certificate installed- this certificate is trusted by the other nodes (via their truststore)Which basically means that all certificates must be signed by a common root and intermediate ca.A server (non-client) node also needs a special OID value set as SAN in the certificate:Additional security:- enforce_hostname_verification: If this is set to true, a node receiving a request will validate that the hostname in the certificate matches the hostname of the caller- resolve_hostname: If you set this to true (enforce_hostname_verification must also be true), the hostname is validated against your DNS in addition
Am Donnerstag, 15. Dezember 2016 16:26:40 UTC+1 schrieb Lin Dwell:what is the use of enforce_hostname_verification ? what are the consequences if it is not set ?What can be done to prevent an anonymous node join the cluster ? Is there something similar to IP Filtering in shield ?
--
You received this message because you are subscribed to a topic in the Google Groups "Search Guard" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/search-guard/surZWa04Cc0/unsubscribe.
To unsubscribe from this group and all its topics, send an email to search-guard...@googlegroups.com.