elastic · lockewritesdocs · Nov 5, 2021 · Nov 4, 2021 · Nov 4, 2021 · Nov 5, 2021
diff --git a/docs/reference/setup/install/check-running.asciidoc b/docs/reference/setup/install/check-running.asciidoc
@@ -3,9 +3,9 @@
 You can test that your {es} node is running by sending an HTTPS request to port
 `9200` on `localhost`:
 
-[source,shell]
+["source","sh",subs="attributes"]
 ----
-curl --cacert /etc/elasticsearch/tls_auto_config_<timestamp>/http_ca.crt \
+curl --cacert {os-dir}/tls_auto_config_<timestamp>/http_ca.crt \
 -u elastic https://localhost:9200 <1>
 ----
 // NOTCONSOLE

diff --git a/docs/reference/setup/install/deb.asciidoc b/docs/reference/setup/install/deb.asciidoc
@@ -146,6 +146,9 @@ endif::include-xpack[]
 include::systemd.asciidoc[]
 
 [[deb-check-running]]
+
+:os-dir:       /etc/elasticsearch
+
 include::check-running.asciidoc[]
 
 [[deb-configuring]]
@@ -228,5 +231,7 @@ d|
 
 |=======================================================================
 
+:os-dir:       /etc/elasticsearch
+
 include::security-files-reference.asciidoc[]
 include::next-steps.asciidoc[]
diff --git a/docs/reference/setup/install/rpm.asciidoc b/docs/reference/setup/install/rpm.asciidoc
@@ -139,6 +139,9 @@ endif::include-xpack[]
 include::systemd.asciidoc[]
 
 [[rpm-check-running]]
+
+:os-dir:       /etc/elasticsearch
+
 include::check-running.asciidoc[]
 
 [[rpm-configuring]]

diff --git a/docs/reference/setup/install/security-files-reference.asciidoc b/docs/reference/setup/install/security-files-reference.asciidoc
@@ -2,9 +2,9 @@
 ===== Security certificates and keys
 
 When you install {es}, the following certificates and keys are
-generated in the `/etc/elasticsearch/tls_auto_config_<timestamp>` directory,
-which are used to connect a {kib} instance to your secured {es} cluster and
-to encrypt internode communication. The files are listed here for reference.
+generated in the {es} configuration directory, which are used to connect a {kib}
+instance to your secured {es} cluster and to encrypt internode communication.
+The files are listed here for reference.
 
 `http_ca.crt`::
 The CA certificate that is used to sign the certificates for the HTTP layer of

diff --git a/docs/reference/setup/install/targz-security.asciidoc b/docs/reference/setup/install/targz-security.asciidoc
@@ -0,0 +1,68 @@
+[role="exclude"]
+==== Start {es} with security enabled
+
+When starting {es} for the first time, security features are enabled and
+configured by default. The following security configuration occurs
+automatically: 
+
+* Authentication and authorization are enabled, and a password is generated for
+the `elastic` built-in superuser.
+* Certificates and keys for TLS are generated for the transport and HTTP layer,
+and TLS is enabled and configured with these keys and certificates.
+
+The password and certificate and keys are output to your terminal. For example:
+
+[source,sh]
+----
+The generated password for the elastic built-in superuser is:
+H16Wd=K4dcmgZVA-GE2I
+
+The enrollment token for Kibana instances, valid for the next 30 minutes:
+eyJ2ZXIiOiI4LjAuMCIsImFkciI6WyIxOTIuMTY4Ljg2LjEyMjo5MjAwIl0sImZnciI6ImU5MmVhYWM0ZWMzMGExY2EzMDA0MzM4NDgyM2I3Y2YwNTFkMWQ3OTdkNGJlNTQxYzE3ZWY4NGFiMzBjMjlmNGUiLCJrZXkiOiJFM05YNFh3QkVYOVV2SUs0QlU2YTphVEhESktYRVFEbTctUjlFYlBneGlnIn0=
+
+The hex-encoded SHA-256 fingerprint of the generated HTTPS CA DER-encoded certificate:
+e92eaac4ec30a1ca30043384823b7cf051d1d797d4be541c17ef84ab30c29f4e
+
+You can complete the following actions at any time:
+Reset the password of the elastic built-in superuser with
+'bin/elasticsearch-reset-password -u elastic'.
+
+Generate an enrollment token for Kibana instances with
+'bin/elasticsearch-create-enrollment-token -s kibana'.
+
+Generate an enrollment token for Elasticsearch nodes with
+'bin/elasticsearch-create-enrollment-token -s node'.
+----
+
+===== Reconfigure a node to join an existing cluster
+
+When you start {es} for the first time, the installation process configures a
+single-node cluster by default. If you want a node to join an existing cluster
+instead, generate an enrollment token on an existing node _before_ you start
+the new node for the first time.
+
+. On any node in your existing cluster, generate a node enrollment token:
++
+[source, sh]
+----
+bin/elasticsearch-create-enrollment-token -s node
+----
+
+. Copy the enrollment token, which is output to your terminal.
+
+. On your new {es} node, pass the enrollment token as a parameter to the 
+`elasticsearch-reconfigure-node` tool:
++
+[source, sh]
+----
+bin/elasticsearch-reconfigure-node --enrollment-token <enrollment-token>
+----
++
+{es} is now configured to join the existing cluster.
+
+. Start your new node.
++
+[source, sh]
+----
+bin/elasticsearch
+----
diff --git a/docs/reference/setup/install/targz.asciidoc b/docs/reference/setup/install/targz.asciidoc
@@ -1,16 +1,16 @@
 [[targz]]
-=== Install Elasticsearch from archive on Linux or MacOS
+=== Install {es} from archive on Linux or MacOS
 
-Elasticsearch is as a `.tar.gz` archive for Linux and MacOS.
+{es} is as a `.tar.gz` archive for Linux and MacOS.
 
 include::license.asciidoc[]
 
-The latest stable version of Elasticsearch can be found on the
-link:/downloads/elasticsearch[Download Elasticsearch] page.
+The latest stable version of {es} can be found on the
+link:/downloads/elasticsearch[Download {es}] page.
 Other versions can be found on the
 link:/downloads/past-releases[Past Releases page].
 
-NOTE: Elasticsearch includes a bundled version of https://openjdk.java.net[OpenJDK]
+NOTE: {es} includes a bundled version of https://openjdk.java.net[OpenJDK]
 from the JDK maintainers (GPLv2+CE). To use your own version of Java,
 see the <<jvm-version, JVM version requirements>>
 
@@ -19,13 +19,13 @@ see the <<jvm-version, JVM version requirements>>
 
 ifeval::["{release-state}"=="unreleased"]
 
-Version {version} of Elasticsearch has not yet been released.
+Version {version} of {es} has not yet been released.
 
 endif::[]
 
 ifeval::["{release-state}"!="unreleased"]
 
-The Linux archive for Elasticsearch v{version} can be downloaded and installed as follows:
+The Linux archive for {es} v{version} can be downloaded and installed as follows:
 
 ["source","sh",subs="attributes"]
 --------------------------------------------
@@ -46,13 +46,13 @@ endif::[]
 
 ifeval::["{release-state}"=="unreleased"]
 
-Version {version} of Elasticsearch has not yet been released.
+Version {version} of {es} has not yet been released.
 
 endif::[]
 
 ifeval::["{release-state}"!="unreleased"]
 
-The MacOS archive for Elasticsearch v{version} can be downloaded and installed as follows:
+The MacOS archive for {es} v{version} can be downloaded and installed as follows:
 
 ["source","sh",subs="attributes"]
 --------------------------------------------
@@ -80,6 +80,11 @@ endif::include-xpack[]
 [[targz-running]]
 include::targz-start.asciidoc[]
 
+[[targz-security]]
+include::targz-security.asciidoc[]
+
+:os-dir:       $ES_HOME
+
 include::check-running.asciidoc[]
 
 Log printing to `stdout` can be disabled using the `-q` or `--quiet`
@@ -89,9 +94,9 @@ option on the command line.
 include::targz-daemon.asciidoc[]
 
 [[targz-configuring]]
-==== Configuring Elasticsearch on the command line
+==== Configuring {es} on the command line
 
-Elasticsearch loads its configuration from the `$ES_HOME/config/elasticsearch.yml`
+{es} loads its configuration from the `$ES_HOME/config/elasticsearch.yml`
 file by default. The format of this config file is explained in
 <<settings>>.
 
@@ -115,7 +120,7 @@ directories are, by default, contained within `$ES_HOME` -- the directory
 created when unpacking the archive.
 
 This is very convenient because you don't have to create any directories to
-start using Elasticsearch, and uninstalling Elasticsearch is as easy as
+start using {es}, and uninstalling {es} is as easy as
 removing the `$ES_HOME` directory. However, it is advisable to change the
 default locations of the config directory, the data directory, and the logs
 directory so that you do not delete important data later on.
@@ -125,7 +130,7 @@ directory so that you do not delete important data later on.
 |=======================================================================
 | Type | Description | Default Location | Setting
 | home
-  | Elasticsearch home directory or `$ES_HOME`
+  | {es} home directory or `$ES_HOME`
  d| Directory created by unpacking the archive
   |
 
@@ -140,6 +145,11 @@ directory so that you do not delete important data later on.
   | $ES_HOME/config
   | <<config-files-location,ES_PATH_CONF>>
 
+| conf
+  | Generated TLS keys and certificates for the transport and HTTP layer.
+  | $ES_HOME/config/tls_auto_config_<timestamp>
+ d|
+
 | data
   | The location of the data files of each index / shard allocated
     on the node.
@@ -163,5 +173,7 @@ directory so that you do not delete important data later on.
 
 |=======================================================================
 
+:os-dir:       $ES_HOME
 
+include::security-files-reference.asciidoc[]
 include::next-steps.asciidoc[]
diff --git a/docs/reference/setup/install/windows.asciidoc b/docs/reference/setup/install/windows.asciidoc
@@ -368,6 +368,8 @@ TIP: Typically, any cluster-wide settings (like `cluster.name`) should be
 added to the `elasticsearch.yml` config file, while any node-specific settings
 such as `node.name` could be specified on the command line.
 
+:os-dir:       %ES_HOME%
+
 include::check-running.asciidoc[]
 
 [[msi-installer-windows-service]]

diff --git a/docs/reference/setup/install/zip-windows.asciidoc b/docs/reference/setup/install/zip-windows.asciidoc
@@ -85,6 +85,8 @@ TIP: Typically, any cluster-wide settings (like `cluster.name`) should be
 added to the `elasticsearch.yml` config file, while any node-specific settings
 such as `node.name` could be specified on the command line.
 
+:os-dir:       %ES_HOME%
+
 include::check-running.asciidoc[]
 
 [[windows-service]]