[DOCS] More edits

lcawl · lcawl · commit cf495a22e332 · 2019-11-18T15:45:48.000-08:00
diff --git a/x-pack/docs/en/security/authentication/configuring-pki-realm.asciidoc b/x-pack/docs/en/security/authentication/configuring-pki-realm.asciidoc
@@ -2,9 +2,12 @@
 ==== PKI authentication for clients connecting directly to {es}
 
 To use PKI in {es}, you configure a PKI realm, enable client authentication on
-the desired network layers (transport or http), and map the Distinguished Name
-(DN) from the Subject field in the user certificate to roles by using the
-<<security-api-role-mapping,role-mapping API>> or the role-mapping file.
+the desired network layers (transport or http), and map the Distinguished Names
+(DNs) from the Subject field in the user certificates to roles. You create the mappings in a role mapping file or use the role mappings API.
+
+If you want the same users to also be authenticated using certificates when they connect to {kib}, you must configure the {es} PKI realm to
+<<pki-realm-for-proxied-clients,allow delegation>> and to
+{kibana-ref}/kibana-authentication.html#pki-authentication[enable PKI authentication in {kib}].
 
 You can also use a combination of PKI and username/password authentication. For
 example, you can enable SSL/TLS on the transport layer and define a PKI realm to
diff --git a/x-pack/docs/en/security/authentication/pki-realm.asciidoc b/x-pack/docs/en/security/authentication/pki-realm.asciidoc
@@ -6,22 +6,12 @@ You can configure {es} to use Public Key Infrastructure (PKI) certificates to
 authenticate users. This requires clients connecting directly to {es} to
 present X.509 certificates. The certificates must first be accepted for
 authentication on the SSL/TLS layer on {es}. Only then they are optionally
-further validated by a PKI realm.
+further validated by a PKI realm. See <<pki-realm-for-direct-clients>>.
 
 You can also use PKI certificates to authenticate to {kib}, however this
-requires some <<pki-realm-for-proxied-clients,additional configuration>>. On
-{es}, this configuration enables {kib} to act as a proxy for SSL/TLS
-authentication and to submit the client certificates to {es} for further
-validation by a PKI realm.
-
-To use PKI in {es}, you configure a PKI realm, enable client authentication on
-the desired network layers (transport or http), and map the Distinguished Names
-(DNs) from the user certificates to roles. You create the mappings in a
-<<pki-role-mapping, role mapping file>> or use the
-<<security-api-put-role-mapping,create role mappings API>>. If you want the same
-users to also be authenticated using certificates when they connect to {kib},
-you must configure the {es} PKI realm to
-<<pki-realm-for-proxied-clients,allow delegation>> and to
-{kibana-ref}/kibana-authentication.html#pki-authentication[enable PKI authentication in {kib}].
+requires some additional configuration. On {es}, this configuration enables {kib} 
+to act as a proxy for SSL/TLS authentication and to submit the client
+certificates to {es} for further validation by a PKI realm. See
+<<pki-realm-for-proxied-clients>>.
 
 include::configuring-pki-realm.asciidoc[]
