Add test for HTTP and Transport TLS on basic license

This adds a new security/qa test for TLS on a basic license. It starts a 2 node cluster with a basic license, and TLS enabled on both HTTP and Transport, and verifies the license type, x-pack SSL usage and SSL certificates API. It also upgrades the cluster to a trial license and performs that same set of checks (to ensure that clusters with basic license and TLS enabled can be upgraded to a higher feature license) Backport of: elastic#40714
tvernum · May 23, 2019 · 90b8843 · 90b8843
1 parent 7317e5e
commit 90b8843
Show file tree

Hide file tree

Showing 12 changed files with 400 additions and 0 deletions.
diff --git a/x-pack/plugin/security/build.gradle b/x-pack/plugin/security/build.gradle
@@ -305,3 +305,13 @@ unitTest {
 // installing them as individual plugins for integ tests doesn't make sense,
 // so we disable integ tests
 integTest.enabled = false
+
+// add all sub-projects of the qa sub-project
+gradle.projectsEvaluated {
+    project.subprojects
+            .find { it.path == project.path + ":qa" }
+            .subprojects
+            .findAll { it.path.startsWith(project.path + ":qa") }
+            .each { check.dependsOn it.check }
+}
+
diff --git a/x-pack/plugin/security/qa/build.gradle b/x-pack/plugin/security/qa/build.gradle
@@ -0,0 +1,18 @@
+import org.elasticsearch.gradle.test.RestIntegTestTask
+
+apply plugin: 'elasticsearch.build'
+unitTest.enabled = false
+
+dependencies {
+    compile project(':test:framework')
+}
+
+subprojects {
+    project.tasks.withType(RestIntegTestTask) {
+        final File xPackResources = new File(xpackProject('plugin').projectDir, 'src/test/resources')
+        project.copyRestSpec.from(xPackResources) {
+            include 'rest-api-spec/api/**'
+        }
+    }
+}
+
diff --git a/x-pack/plugin/security/qa/tls-basic/build.gradle b/x-pack/plugin/security/qa/tls-basic/build.gradle
@@ -0,0 +1,48 @@
+import org.elasticsearch.gradle.http.WaitForHttpResource
+
+apply plugin: 'elasticsearch.standalone-rest-test'
+apply plugin: 'elasticsearch.rest-test'
+
+dependencies {
+  // "org.elasticsearch.plugin:x-pack-core:${version}" doesn't work with idea because the testArtifacts are also here
+  testCompile project(path: xpackModule('core'), configuration: 'default')
+  testCompile project(path: xpackModule('security'), configuration: 'testArtifacts')
+  testCompile project(path: xpackModule('core'), configuration: 'testArtifacts')
+}
+
+forbiddenPatterns {
+    exclude '**/*.key'
+    exclude '**/*.p12'
+}
+
+File caFile = project.file('src/test/resources/ssl/ca.crt')
+
+integTestCluster {
+  numNodes=2
+
+  extraConfigFile 'http.key', project.projectDir.toPath().resolve('src/test/resources/ssl/http.key')
+  extraConfigFile 'http.crt', project.projectDir.toPath().resolve('src/test/resources/ssl/http.crt')
+  extraConfigFile 'transport.key', project.projectDir.toPath().resolve('src/test/resources/ssl/transport.key')
+  extraConfigFile 'transport.crt', project.projectDir.toPath().resolve('src/test/resources/ssl/transport.crt')
+  extraConfigFile 'ca.crt', caFile
+
+  setting 'xpack.ilm.enabled', 'false'
+  setting 'xpack.ml.enabled', 'false'
+  setting 'xpack.license.self_generated.type', 'basic'
+  setting 'xpack.security.http.ssl.enabled', 'true'
+  setting 'xpack.security.http.ssl.certificate', 'http.crt'
+  setting 'xpack.security.http.ssl.key', 'http.key'
+  setting 'xpack.security.http.ssl.key_passphrase', 'http-password'
+  setting 'xpack.security.transport.ssl.enabled', 'true'
+  setting 'xpack.security.transport.ssl.certificate', 'transport.crt'
+  setting 'xpack.security.transport.ssl.key', 'transport.key'
+  setting 'xpack.security.transport.ssl.key_passphrase', 'transport-password'
+  setting 'xpack.security.transport.ssl.certificate_authorities', 'ca.crt'
+
+  waitCondition = { node, ant ->
+    WaitForHttpResource http = new WaitForHttpResource("https", node.httpUri(), numNodes)
+    http.setCertificateAuthorities(caFile)
+    return http.wait(5000)
+  }
+}
+
diff --git a/...ty/qa/tls-basic/src/test/java/org/elasticsearch/xpack/security/TlsWithBasicLicenseIT.java b/...ty/qa/tls-basic/src/test/java/org/elasticsearch/xpack/security/TlsWithBasicLicenseIT.java
@@ -0,0 +1,122 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+package org.elasticsearch.xpack.security;
+
+import org.elasticsearch.client.Request;
+import org.elasticsearch.client.Response;
+import org.elasticsearch.common.io.PathUtils;
+import org.elasticsearch.common.settings.Settings;
+import org.elasticsearch.test.rest.ESRestTestCase;
+import org.elasticsearch.test.rest.yaml.ObjectPath;
+import org.junit.AfterClass;
+import org.junit.BeforeClass;
+
+import java.io.FileNotFoundException;
+import java.io.IOException;
+import java.net.URL;
+import java.nio.file.Path;
+import java.util.ArrayList;
+import java.util.List;
+import java.util.Map;
+import java.util.stream.Collectors;
+
+import static org.hamcrest.Matchers.containsInAnyOrder;
+import static org.hamcrest.Matchers.equalTo;
+import static org.hamcrest.Matchers.instanceOf;
+import static org.hamcrest.Matchers.iterableWithSize;
+import static org.hamcrest.Matchers.notNullValue;
+
+public class TlsWithBasicLicenseIT extends ESRestTestCase {
+    private static Path httpTrustStore;
+
+    @BeforeClass
+    public static void findTrustStore() throws Exception {
+        final URL resource = TlsWithBasicLicenseIT.class.getResource("/ssl/ca.p12");
+        if (resource == null) {
+            throw new FileNotFoundException("Cannot find classpath resource /ssl/ca.p12");
+        }
+        httpTrustStore = PathUtils.get(resource.toURI());
+    }
+
+    @AfterClass
+    public static void cleanupStatics() {
+        httpTrustStore = null;
+    }
+
+    @Override
+    protected String getProtocol() {
+        return "https";
+    }
+
+    @Override
+    protected Settings restClientSettings() {
+        return Settings.builder()
+            .put(TRUSTSTORE_PATH, httpTrustStore)
+            .put(TRUSTSTORE_PASSWORD, "password")
+            .build();
+    }
+
+    public void testWithBasicLicense() throws Exception {
+        checkLicenseType("basic");
+        checkSSLEnabled();
+        checkCertificateAPI();
+    }
+
+    public void testWithTrialLicense() throws Exception {
+        startTrial();
+        try {
+            checkLicenseType("trial");
+            checkSSLEnabled();
+            checkCertificateAPI();
+        } finally {
+            revertTrial();
+        }
+    }
+
+    private void startTrial() throws IOException {
+        Response response = client().performRequest(new Request("POST", "/_license/start_trial?acknowledge=true"));
+        assertOK(response);
+    }
+
+    private void revertTrial() throws IOException {
+        client().performRequest(new Request("POST", "/_license/start_basic?acknowledge=true"));
+    }
+
+    private void checkLicenseType(String type) throws IOException {
+        Map<String, Object> license = getAsMap("/_license");
+        assertThat(license, notNullValue());
+        assertThat(ObjectPath.evaluate(license, "license.type"), equalTo(type));
+    }
+
+    private void checkSSLEnabled() throws IOException {
+        Map<String, Object> usage = getAsMap("/_xpack/usage");
+        assertThat(usage, notNullValue());
+        assertThat(ObjectPath.evaluate(usage, "security.ssl.http.enabled"), equalTo(true));
+        assertThat(ObjectPath.evaluate(usage, "security.ssl.transport.enabled"), equalTo(true));
+    }
+
+    private void checkCertificateAPI() throws IOException {
+        Response response = client().performRequest(new Request("GET", "/_ssl/certificates"));
+        ObjectPath path = ObjectPath.createFromResponse(response);
+        final Object body = path.evaluate("");
+        assertThat(body, instanceOf(List.class));
+        final List<?> certs = (List<?>) body;
+        assertThat(certs, iterableWithSize(3));
+        final List<Map<String, Object>> certInfo = new ArrayList<>();
+        for (int i = 0; i < certs.size(); i++) {
+            final Object element = certs.get(i);
+            assertThat(element, instanceOf(Map.class));
+            final Map<String, Object> map = (Map<String, Object>) element;
+            certInfo.add(map);
+            assertThat(map.get("format"), equalTo("PEM"));
+        }
+        List<String> paths = certInfo.stream().map(m -> String.valueOf(m.get("path"))).collect(Collectors.toList());
+        assertThat(paths, containsInAnyOrder("http.crt", "transport.crt", "ca.crt"));
+    }
+
+
+}
+
diff --git a/x-pack/plugin/security/qa/tls-basic/src/test/resources/ssl/README.asciidoc b/x-pack/plugin/security/qa/tls-basic/src/test/resources/ssl/README.asciidoc
@@ -0,0 +1,48 @@
+= Keystore Details
+This document details the steps used to create the certificate and keystore files in this directory.
+
+== Instructions on generating certificates
+The certificates in this directory have been generated using elasticsearch-certutil (7.0.0 SNAPSHOT)
+
+[source,shell]
+-----------------------------------------------------------------------------------------------------------
+elasticsearch-certutil ca --pem --out=ca.zip --pass="ca-password" --days=3500
+unzip ca.zip
+mv ca/ca.* ./
+
+rm ca.zip
+rmdir ca
+-----------------------------------------------------------------------------------------------------------
+
+[source,shell]
+-----------------------------------------------------------------------------------------------------------
+elasticsearch-certutil cert --pem --name=http --out=http.zip --pass="http-password" --days=3500 \
+    --ca-cert=ca.crt --ca-key=ca.key --ca-pass="ca-password" \
+    --dns=localhost --dns=localhost.localdomain --dns=localhost4 --dns=localhost4.localdomain4 --dns=localhost6 --dns=localhost6.localdomain6 \
+    --ip=127.0.0.1 --ip=0:0:0:0:0:0:0:1
+
+unzip http.zip
+mv http/http.* ./
+
+rm http.zip
+rmdir http
+-----------------------------------------------------------------------------------------------------------
+
+[source,shell]
+-----------------------------------------------------------------------------------------------------------
+elasticsearch-certutil cert --pem --name=transport --out=transport.zip --pass="transport-password" --days=3500 \
+    --ca-cert=ca.crt --ca-key=ca.key --ca-pass="ca-password" \
+    --dns=localhost --dns=localhost.localdomain --dns=localhost4 --dns=localhost4.localdomain4 --dns=localhost6 --dns=localhost6.localdomain6 \
+    --ip=127.0.0.1 --ip=0:0:0:0:0:0:0:1
+
+unzip transport.zip
+mv transport/transport.* ./
+
+rm transport.zip
+rmdir transport
+-----------------------------------------------------------------------------------------------------------
+
+[source,shell]
+-----------------------------------------------------------------------------------------------------------
+keytool -importcert -file ca.crt -keystore ca.p12 -storetype PKCS12 -storepass "password" -alias ca
+-----------------------------------------------------------------------------------------------------------
diff --git a/x-pack/plugin/security/qa/tls-basic/src/test/resources/ssl/ca.crt b/x-pack/plugin/security/qa/tls-basic/src/test/resources/ssl/ca.crt
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDSTCCAjGgAwIBAgIUNsCMQBpQB3zJAC1iERdc7yADVw0wDQYJKoZIhvcNAQEL
+BQAwNDEyMDAGA1UEAxMpRWxhc3RpYyBDZXJ0aWZpY2F0ZSBUb29sIEF1dG9nZW5l
+cmF0ZWQgQ0EwHhcNMTkwMzI5MDUxMjEyWhcNMjgxMDI3MDUxMjEyWjA0MTIwMAYD
+VQQDEylFbGFzdGljIENlcnRpZmljYXRlIFRvb2wgQXV0b2dlbmVyYXRlZCBDQTCC
+ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMJL4SrJJsQpKFuHsNnWwzM9
+2Cnmsc7WzGEskV0ncSUloMxUZaZ8CJ2iuubN6KPe75ke8SS9vlNG3MEWRBVSPY4H
+EJNcyiiI1w9c/yom6Kfvep1RvvRHlp+k/bDPzzuj4B8Dyg66TVYKRm+9uRWAUvZr
+djhFB3cawbM1jD9ZaBLM4Qbdg0AlMqXWpkLPVtkD8lREPkAIhYxKx7TYqB1SbMg5
+ejfoRGF5qfl4luegWRlQKkOBCcJPZamcccNjDq9eXQm3vrp0/QEp0ODG14wU3B9R
+G+2/yhh5KP3WWK/uksAmEv8YzG7UaCLNJRk/FuPz8uoSGLPM1e+2HWXsR9OnlF8C
+AwEAAaNTMFEwHQYDVR0OBBYEFL+GbWzP3nPfx+OqvW5CYCqHN8ZlMB8GA1UdIwQY
+MBaAFL+GbWzP3nPfx+OqvW5CYCqHN8ZlMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZI
+hvcNAQELBQADggEBAHZeLZ7yCvqQOJbQ3yoixYLVR33dSx/T/W5WQQGYcQ7TUZ4N
+gXkV9kGD+9I/8NWgkttx4TTieWctyNPrhAqqWGuGvhCQ+WL8m67EPRiVdw7EY+61
+qlUbAdK39adDqbDeUI07dzd+wKlhwnHtd2dTcJEGluwLaU4ftuLA8DQNwzWxZVAW
+EWzfTUgdc1SYTysE5C0d1Q9CbI+o0Na+CaW4DRqGh1OGyH7Fyck9WQp1nOAEQhD9
+sn4FOC4w+T92t/Ekpfcm5HHkYjGWK1EsCkRCj1m8QtyqBgByeXHCidH2pfKIuVdl
+ZnaOfIkCQx49gLARjzzGp/OC/UfKVCWzpLHn7dY=
+-----END CERTIFICATE-----
diff --git a/x-pack/plugin/security/qa/tls-basic/src/test/resources/ssl/ca.key b/x-pack/plugin/security/qa/tls-basic/src/test/resources/ssl/ca.key
@@ -0,0 +1,30 @@
+-----BEGIN RSA PRIVATE KEY-----
+Proc-Type: 4,ENCRYPTED
+DEK-Info: DES-EDE3-CBC,67376A5606FB27E9
+
+v4OAjurrB7Tc2mVswSeaaYAiFomvSQmre8DlC5VNvavzT6Hlx5hIyEVIttcNeTeD
+Hj4d+JOp5OO5Ew5cWgo0jtR2QIjGbrQe8t8oedJwhEiYC0IfX0rItJv1iaz4WO+8
+hz4J1lwAI9wFabmXIeHx0q3ZqqIfSOoAepO8W2SqIj0KSz3tKRoYaX7AzZ27muLN
+K2Mej1EX/ftgZZNgfU62gJzGGsdQecLc+UZBDVTPZL3PLZmQV0r1sBXaq56Qk78t
+DsUyYwA4zvPBIPkfydTxobylt1pSeZ7Yyni+iQk4X7T4jj3Q6wKrwjPNJ6p8Xcwn
+4BN37DIYPPBEp56EUCbxl+iMkfRoCjZdaqhycw4LjKB0wloY2Zko6FaYTd0qPZ/m
+2GM8MvIQ9bc4t9Bef2VAXhb8IUXJ+ro+sB7vlQRSLQ1JwHPAPiIFyRmilezAaupA
+2DNLBIlmgMzh5Lh6vIcyHQVxsCoJesmVQCyyBy4lFPU9afcYLWjzgnBhW2SikTpW
+/lC3VDloUjIYfC3qYhbHIomsUMCGk3xHIwLw1cNFnf7c/RX1q5bBZrJ8q6GVh/Rb
+ulHcuCm5g/Jvt8TM8c2WIE5mzwkoFIe/XVY33Lyk237qCsPlVWwFpxa0UtWVpDnk
+uuubgI0cb+zehN2f5sgHtdbphNNTflZyW+Uk0lCbYGNakXBILePFmURsThW3gQ44
+g+zPaiGkbB1qwE/TS3Vz17j8DkgWRsEJP7IBsZ/ljaUcs3zujH6EKN9YtwyIeoHo
+VHBuF4RGew2Ps0NoLGYanpvu01ZUUr2C0ZbDjXLBy8ajOc5zgyMCBead19T+piFw
+iGvA8D7eILz1xzbAcX7dry06Mc9o/CbFcRMIis3LVvdSuZDoRk/cv0mKo6rq/1MS
+VeYgPjJ8QWuhulIYkmNipTRdzMsXEafEdsp+GruKnNri0u/lirfhYAXDGp2GAttJ
+zKnbPkHSJRt1xWgtimU+CnnpEOp+qd2yFNgT/Nn2yjrsPqLqTkEdzbh2DoCYGPHe
+HoAcs+MePKfqBh+W2MEJ/ZdDVz93lKoDTuk2cjaVVe+7YBdHW0gQzfW5ArscadUV
++mSzhUm9AIhM/Gk6t7rgVoWyO6PvkTgENKFmUUQkHnJWaaDIzji2xFR114Huw5rN
+gHPn8HOKPIhVu1UV2N/MFLrjjvn8bft/vLkSxZ3c7AgYkPr8Mmd0b8ufTOlk5a+W
+hkR4D7WZ7Hgkj1NIvRbjxCXTHFbHZqKJHeTTNCpCUygIH5g8h7RGVPS0XKylpbr1
+2kZU/AwlPcAPba+UcTKXOvy02NmiV5Bg6qYc8rcxv6aXKPOrxeW3Iop/ZesF7Nnu
+ccR+rI78cQIGD1gAo3xLJ10/p0Rb9R/pWfHUY499Oymc926qWaj3mEl+xOJXxWOr
+3Uf4yMg8mrfcm3JW7clWy3l+/++CSWBS/zqUpXKy5CbVdR8XQNS5Pg0fDgwkrcbv
+7TviQ+vYD7aEI0w6mviljPkYVTXNpnRHyF7VfaEYff8032GxW99D3zeK7dd6yP4k
+W/oN5IwXCvnfrteNtqSOIPOWw9gAp4x4EzmCin77s8SgMHOGsPcEhA==
+-----END RSA PRIVATE KEY-----
diff --git a/x-pack/plugin/security/qa/tls-basic/src/test/resources/ssl/ca.p12 b/x-pack/plugin/security/qa/tls-basic/src/test/resources/ssl/ca.p12
diff --git a/x-pack/plugin/security/qa/tls-basic/src/test/resources/ssl/http.crt b/x-pack/plugin/security/qa/tls-basic/src/test/resources/ssl/http.crt
@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDszCCApugAwIBAgIVAJX8GTm+AWIicokE5npzZ2B3qad3MA0GCSqGSIb3DQEB
+CwUAMDQxMjAwBgNVBAMTKUVsYXN0aWMgQ2VydGlmaWNhdGUgVG9vbCBBdXRvZ2Vu
+ZXJhdGVkIENBMB4XDTE5MDMyOTA1MTIyNVoXDTI4MTAyNzA1MTIyNVowDzENMAsG
+A1UEAxMEaHR0cDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMGvsPmg
+4lKfd1ie6TZQLdCxfXy6MooLHac1wUxyvHcUxlbuSchj+A2gVPBk6VaCV8OO4X7T
+MslTJKw5877m28Xzw+CmUgDsXAJJy2IvM8X0IP/xktkJQ3uSUReSW2650TFj9Zcm
+Z3AtMblo+cNnZMNWJBW1G1QMHHKMY5kukaB7Ia6CBec60k2HrkS6xmsMgwQPBa/k
+VlbHkI7RzbmxohVJFHL34EFhifEL0qkYU5MnZ8PjH8U749VoZOYcY1MKb2sw9iYn
+JTOv1gIFhd4Sw37occxDVaqZU/1X90ijZyvB/AugxRfmpLb83ZRMdVeQTiiXqMkg
+1g94h7hgPpLA9AkCAwEAAaOB4DCB3TAdBgNVHQ4EFgQUc/bPDUIvgLwg9xwf9CxP
+ec84o1YwHwYDVR0jBBgwFoAUv4ZtbM/ec9/H46q9bkJgKoc3xmUwgY8GA1UdEQSB
+hzCBhIIJbG9jYWxob3N0ghdsb2NhbGhvc3Q2LmxvY2FsZG9tYWluNocEfwAAAYcQ
+AAAAAAAAAAAAAAAAAAAAAYIKbG9jYWxob3N0NIIKbG9jYWxob3N0NoIVbG9jYWxo
+b3N0LmxvY2FsZG9tYWlughdsb2NhbGhvc3Q0LmxvY2FsZG9tYWluNDAJBgNVHRME
+AjAAMA0GCSqGSIb3DQEBCwUAA4IBAQAJW7WWQkuNjDlQQ5H6bhMr2LhbC9TZWgFK
+zWsIWuhd1QxiWbTp/Yegcbqs3hZ9MQtxU4egml/sMAdZSF3Kg3NeYtrHDj//oKYo
+VSfTPNjQLG1/ckCM0RDfFYOV+Sb3ktau5QZGL+5ZDfcfPLSHCSHeP0tft2R03Hp4
+pOX8/xAVmv0hxE74X5qodQyNFdDa6rtRZESLzY1b+oaEhKM49MZCNZL9TvvNUkWC
+hXdaVehqBVJkrlsnli6oqPBjpKNP2YkRG3eqy/Qd/sg6rwJqu/B0KBI8QBDkokSY
+YORRviEmSe0+hmcBCTYZWN8WX3BrEPuGdBJXWi5G8GPGFg4rrOUE
+-----END CERTIFICATE-----
diff --git a/x-pack/plugin/security/qa/tls-basic/src/test/resources/ssl/http.key b/x-pack/plugin/security/qa/tls-basic/src/test/resources/ssl/http.key
@@ -0,0 +1,30 @@
+-----BEGIN RSA PRIVATE KEY-----
+Proc-Type: 4,ENCRYPTED
+DEK-Info: DES-EDE3-CBC,A46C453D20DC86A7
+
+eFBKmjJUmailcnfc1+a6lwR8G7sk4ff1De5hIYY8iNkpP6XVxZ/LrXttVF1x1SWy
+YaUJL35Optzy4W+LglJgAdNo9XGaCsHuSi3z7aqYNdihSldKxDw3iIJEEuB63Lv7
+eu4pEYdOlRElEs71cmjMCSmg1pfeDRruShB9RUKy3Iw8tM6tV+t+vIaiVftb3i9O
+AaTEUgAJqQjcISWy5JAxRwEwVDAhHe23vbVomxXlJKuTroezPFt5SxXQmdfNmP7B
+D8iZR/Uf+7XdCFKC/7n6enYZfg5/IoaOO9sPG4bueFKmLAdXpmN1hKvJwIG1qKQT
+Fz7x8FGi0S11BHDZMs5kJHBaiuXmq02mozb5XOFllQYl8+fsa4lscIFeQ/YbAjVo
+g5nEVbqRUCSLy6F6JSX6SJB4ng/JMHzKLfhAUSpvotBxZbJ4IpNu06oCKjggiIoR
+9z2YE6gR1pBJSyCDS8fJXtyLWN/WBdbvf1fw3t7utPFT606TYFOvt2KrSndcrTwb
+EByWHJufxv8J+anrnnNM11RMTqhpi4MeXsaaA7jUCzh5QzxnT8imOyNDF8OVxEKk
+Y9W9ToUchHojIJZGJhB2I1ndCUQaJF+OhLrjy2Zk/Imx3wBf3huyWAA8GNVQ04DD
+mhDxWdZ30lJgxJH4xgk4l3nWBNAQ+X04lIyRi83tD/E9plX3EX2sWzBBHCSybh0C
+bNHAQVMVaxEMTcCumk/USiuRcm4BL0495o4/debn9EExs95dw6pAhJoHZ8kc71GP
+YOYNuQvz0Ljbu4ZO1/OgmNDtFuNV83GlDa6yUme/Di0SqmLzxUwPJIZ9I2dNtgLf
+2emoUA9PSUl02Hcm5WN7AtmL/Pxz1joR/gKeNAII97PS9WFdqRS0ypwiiwp15mBU
+LilEGB4V3laVJFw6sLFwPjWUYZCEhzSdAMnHfxrIZuhpfSi2W39w8Frqwx0JOUoX
+HmogsyM/xqn9VelVNbWUP06IwJkcocWM1rzv3nkZOsKb5EhGOk1qrA/BKyajcazX
+49x4wpIpJoz4tgStrlgxGZ0DeMT8PIrZGbZDhQ78MxnQe376CiXIOKtrZVOp6uoo
+uDtYg9OiZZ2GDoSIgjAStpYbF4rkJI+3kyhR4oD8KfsC/rTG16hNCRnTIIiUECyU
+1jWBLmqYWuMTiekb4asB6cWlQYwUUtSBt6ySB+zU+Cl0Wi3u+kXrsMthFnJE0GWB
+EOCmHsvMqD+u0uArpJHpE0o9L3ePEkiDssU2MJdOLpb0AKW/uqAA/14a4JAr/y9Z
+v+pUPDbjeoIXRNqzXkWEdHKZOnEGAE5QBLzScJqWU0YY7WP1+xpyoYapM37v9V/J
+viNJW+gxvW9yZdxKzGm9P/UIjtndx2QnAa7mPgXOej/AMqpl+IkIJmvi13IEQTH2
+NuBghACrRp7YuffEroEs3P7fgCoiMHvabCiXkLhWoZqgVuiy72GuSwKEPK8bF30U
+8u7lencUvnIRU9jL0kDaQL0kESw0f3dgE+ltQbgew5/rmqMgKpmDDoouLJf95wi2
+rvPGRb4QXpBO8V4/8VMPPJKT55ZDygjN45z1gwCZ2tbYtnKUOH82drx1TB2bvrso
+-----END RSA PRIVATE KEY-----
diff --git a/x-pack/plugin/security/qa/tls-basic/src/test/resources/ssl/transport.crt b/x-pack/plugin/security/qa/tls-basic/src/test/resources/ssl/transport.crt
@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDtzCCAp+gAwIBAgIUe2Oa37SVQ5G1SpWiRS+abpjuNPMwDQYJKoZIhvcNAQEL
+BQAwNDEyMDAGA1UEAxMpRWxhc3RpYyBDZXJ0aWZpY2F0ZSBUb29sIEF1dG9nZW5l
+cmF0ZWQgQ0EwHhcNMTkwMzI5MDUxMjM1WhcNMjgxMDI3MDUxMjM1WjAUMRIwEAYD
+VQQDEwl0cmFuc3BvcnQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCN
+v6vW4Bwj0eku+Ivm6d+HQwzfLqAdnM8tHAgC4qMDk7a/X5ckTesTk2VOmX775zkT
+SJex5uGuEuyTgZVEXQhkpZUXURGhnQ8/exxg2m3cwTin+o1XN5xCo6FUfU2IqQrf
+1Xd7RKfXv/YCUlS2xzQVnFRYAYpMMzTtUloc37PWz7TYA/ei7p06BCKLGR785ipF
+MWq0S+QVmldOlp1vhZrD+KpgxFdo0Gd+e0loLO6321sXBEksy4K/5FaknDT9Fc/f
+NUVmLaiRPi2nW6nIBjYyoVhIPztkVdxfj7jNdJCvshnEY29Hhd7ra9njLbyxzK2d
+ACpyf54TCNU0j5qRcqe7AgMBAAGjgeAwgd0wHQYDVR0OBBYEFDSaYLY3KEm7L3jF
+iW7CwCdoqcZjMB8GA1UdIwQYMBaAFL+GbWzP3nPfx+OqvW5CYCqHN8ZlMIGPBgNV
+HREEgYcwgYSCCWxvY2FsaG9zdIIXbG9jYWxob3N0Ni5sb2NhbGRvbWFpbjaHBH8A
+AAGHEAAAAAAAAAAAAAAAAAAAAAGCCmxvY2FsaG9zdDSCCmxvY2FsaG9zdDaCFWxv
+Y2FsaG9zdC5sb2NhbGRvbWFpboIXbG9jYWxob3N0NC5sb2NhbGRvbWFpbjQwCQYD
+VR0TBAIwADANBgkqhkiG9w0BAQsFAAOCAQEAa3T5oaPucZRx5JFxqkSTaIpcptvw
+iiZLpaEooX0QVMy+PkmnzNh/xaN5qWWzKFV4ihSURtgH7gbPjBF7/pTqqO8Ekshp
+36I6WTuhvps4nR4iCKaMFfyCBDKBvtTIySxE2kZJlyvgAqdB3bww79FfZt+ftxEt
+E1m5nFDWCxaATY0foYpRUAJTPfmnFWDZfP4ZglSWmNSfQAdsQfwMlu09jXWXw7Yx
+Cd39f9KW1aQT4RstHNWuQwgskv0vuTo2r0r+1YWTNCFQVuA8OD620CmJs85zGOnj
+5L0YyLK1KvvuARfjr/skpze7F1Leir9+NiaJjXA+xfnkoGniJ2AUvPC8xg==
+-----END CERTIFICATE-----