docs: Secure communication (elastic#10841)

* rest of secure docs

* per @simitt, remove addtl users and roles

* remove linux seccomp

docs/integrations-index.asciidoc

@@ -80,7 +80,7 @@ include::input-apm.asciidoc[]
 
 include::configure/index.asciidoc[leveloffset=+1]
 
-include::secure-agent-communication.asciidoc[]
+include::secure-comms.asciidoc[]
 
 include::monitor-apm-server.asciidoc[]
 
@@ -131,9 +131,6 @@ include::./legacy/overview.asciidoc[]
 
 include::./legacy/getting-started-apm-server.asciidoc[]
 
-:beat-specific-security: {docdir}/legacy/security.asciidoc
-include::{libbeat-dir}/shared-securing-beat.asciidoc[leveloffset=+1]
-
 // include::./legacy/breaking-changes.asciidoc[leveloffset=+1]
 
 include::./legacy/redirects.asciidoc[]

docs/legacy/api-keys.asciidoc

@@ -1,6 +1,6 @@
 [role="xpack"]
 [[beats-api-keys]]
-== Grant access using API keys
+=== Grant access using API keys
 
 Instead of using usernames and passwords, you can use API keys to grant
 access to {es} resources. You can set API keys to expire at a certain time,
@@ -16,7 +16,7 @@ You can create as many API keys per user as necessary.
 
 [float]
 [[beats-api-key-publish]]
-=== Create an API key for writing events
+==== Create an API key for writing events
 
 In {kib}, navigate to **{stack-manage-app}** > **API keys** and click **Create API key**.
 
@@ -63,7 +63,7 @@ output.elasticsearch:
 
 [float]
 [[beats-api-key-monitor]]
-=== Create an API key for monitoring
+==== Create an API key for monitoring
 
 In {kib}, navigate to **{stack-manage-app}** > **API keys** and click **Create API key**.
 
@@ -107,7 +107,7 @@ monitoring.elasticsearch:
 
 [float]
 [[beats-api-key-es]]
-=== Create an API key with {es} APIs
+==== Create an API key with {es} APIs
 
 You can also use {es}'s {ref}/security-api-create-api-key.html[Create API key API] to create a new API key.
 For example:
@@ -140,7 +140,7 @@ See the {ref}/security-api-create-api-key.html[Create API key] reference for mor
 
 [[learn-more-api-keys]]
 [float]
-=== Learn more about API keys
+==== Learn more about API keys
 
 See the {es} API key documentation for more information:
 

docs/legacy/feature-roles.asciidoc

@@ -1,6 +1,37 @@
-[role="xpack"]
+[[secure-comms-stack]]
+== Secure communication with the {stack}
+
+++++
+<titleabbrev>With the {stack}</titleabbrev>
+++++
+
+NOTE: This documentation only applies to the APM Server binary.
+
+Use role-based access control or API keys to grant APM Server users access to secured resources.
+
+* <<feature-roles>>
+* <<beats-api-keys>>.
+
+After privileged users have been created, use authentication to connect to a secured Elastic cluster.
+
+* <<securing-communication-elasticsearch>>
+* <<configuring-ssl-logstash>>
+
+For secure communication between APM Server and APM Agents, see <<secure-agent-communication>>.
+
+A reference of all available <<configuration-ssl-landing,SSL configuration settings>> is also available.
+
+[float]
+[[security-overview]]
+=== Security Overview
+
+APM Server exposes an HTTP endpoint, and as with anything that opens ports on your servers,
+you should be careful about who can connect to it.
+Firewall rules are recommended to ensure only authorized systems can connect.
+
+[float]
 [[feature-roles]]
-== Grant users access to secured resources
+=== Feature roles
 
 You can use role-based access control to grant users access to secured
 resources. The roles that you set up depend on your organization's security
@@ -322,31 +353,3 @@ See {kibana-ref}/apm-app-central-config-user.html[{apm-app} central configuratio
 // ++++
 
 // CONTENT
-
-////
-***********************************  ***********************************
-***********************************  ***********************************
-////
-
-[[more-security-roles]]
-=== Additional APM users and roles
-
-In addition to the {beatname_uc} users described in this documentation,
-you'll likely need to create users for other APM tasks:
-
-* An {kibana-ref}/apm-app-reader.html[APM reader], for {kib} users who need to view the {apm-app},
-or create and edit visualizations that access +{beat_default_index_prefix}-*+ data.
-* Various {kibana-ref}/apm-app-api-user.html[{apm-app} API users],
-for interacting with the APIs exposed by the {apm-app}.
-
-[float]
-[[learn-more-security]]
-=== Learn more about users and roles
-
-Want to learn more about creating users and roles? See
-{ref}/secure-cluster.html[Secure a cluster]. Also see:
-
-* {ref}/security-privileges.html[Security privileges] for a description of
-available privileges
-* {ref}/built-in-roles.html[Built-in roles] for a description of roles that
-you can assign to users

docs/secure-agent-communication.asciidoc

@@ -1,6 +1,10 @@
 [[secure-agent-communication]]
 == Secure communication with APM agents
 
+++++
+<titleabbrev>With APM agents</titleabbrev>
+++++
+
 Communication between APM agents and {agent} can be both encrypted and authenticated.
 It is strongly recommended to use both TLS encryption and authentication as secrets are sent as plain text.
 

docs/secure-comms.asciidoc

@@ -0,0 +1,22 @@
+[[securing-apm-server]]
+== Secure communication with the {stack}
+
+++++
+<titleabbrev>Secure communication</titleabbrev>
+++++
+
+The following topics provide information about securing the APM Server
+process and connecting securely to APM agents and the {stack}.
+
+* <<secure-agent-communication,Secure communication with APM agents>>
+* <<secure-comms-stack,Secure communication with the {stack}>>
+
+:leveloffset: +1
+include::secure-agent-communication.asciidoc[]
+
+// APM privileges
+include::{docdir}/legacy/feature-roles.asciidoc[]
+
+// APM API keys
+include::{docdir}/legacy/api-keys.asciidoc[]
+:leveloffset: -1