热门标签 | HotTags
当前位置:  开发笔记 > 编程语言 > 正文

elasticsearch7.16.2集群+https+xpack认证

目录:软件及环境准备JDK安装配置ElasticSearch安装及配置生成证书BasicSecurityPlusHttpsElastic设置用户密码logstash配置httpsk

目录:

  • 软件及环境准备
  • JDK安装配置
  • ElasticSearch安装及配置
  • 生成证书
  • Basic Security Plus Https
  • Elastic 设置用户密码
  • logstash配置https
  • kibana配置https

 

 

一、软件及环境准备

服务器环境

CentOS6.9_64位一台

es:192.168.1.11

注意:内存允许的情况下,稍微给大一点内存,否则启动会失败,本地测试可以使用1.5-2G内存,

ES软件

最新版ElasticSearch7.16.2

下载地址:https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.16.2-linux-x86_64.tar.gz

es包括一个节点:elasticesearch-node1,elasticesearch-node2,elasticesearch-node3

修改服务器主机名称,方便后续操作

(1)服务器上操作:

 
1
2
3
4
5
6
[root@localhost ~]# hostname es
[root@localhost ~]# vim /etc/sysconfig/network
#修改以下内容:
HOSTNAME=es
#退出重新登录
[root@localhost ~]# logout
 

(2)为了后续操作方便,关闭服务器的防火墙

 
1
[root@es ~]# service iptables stop

注意:生产环境不能直接关防火墙,可以添加防火墙规则,使得ES的tcp端口对远程指定主机开放。

二、JDK安装配置及系统优化

  系统优化可以参照内核优化脚本来执行:https://www.cnblogs.com/zhangan/p/10956138.html#x3

特别提醒:

Elasticsearch-7版本最低支持jdk版本为JDK1.11

Elasticsearch-7.16.2该版本内置了JDK,而内置的JDK是当前推荐的JDK版本。当然如果你本地配置了JAVA_HOME那么ES就是优先使用配置的JDK启动ES。(言外之意,你不安装JDK一样可以启动,我试了可以的。)
ES推荐使用LTS版本的JDK(这里只是推荐,JDK8就不支持),如果你使用了一些不支持的JDK版本,ES会拒绝启动。

由于我们日常的代码开发都是使用的JDK1.8,而且可能JAVA_HOME配置成JDK1.8,那么解决方法我们只需更改Elasticsearch的启动文件,使它指向Elasticsearch-7.16.2该版本内置了JDK,或者也可以参照jdk安装文档升级jdk高版本

修改启动配置文件
[root@localhost bin]# pwd
/data/elasticsearch/bin
[root@localhost bin]# vi elasticsearch

#配置es自带的jdk路径 新增如下代码:
export JAVA_HOME=/data/elasticsearch-node1/jdk
export PATH=$JAVA_HOME/bin:$PATH

#添加jdk判断
if [ -x "$JAVA_HOME/bin/java" ]; then
        JAVA="/data/elasticsearch1/jdk/bin/java"
else
        JAVA=`which java`
fi

 

三、ElasticSearch安装及配置

注意:由于elasticsearch启动的时候不能直接用root用户启动,所以需要创建普通用户

下载及解压ElasticSearch7.16.2

 
1
2
3
4
5
6
7
[elasticsearch@es ~]# cd /home/software/
[elasticsearch@es ~]# wget https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.16.2-linux-x86_64.tar.gz
[elasticsearch@es software]# tar xf elasticsearch-7.16.2.tar.gz -C /opt/
[elasticsearch@es opt]# cp -r elasticsearch-7.16.2 elasticsearch-node1/
[elasticsearch@es opt]# cp -r elasticsearch-7.16.2 elasticsearch-node2/
[elasticsearch@es opt]# cp -r elasticsearch-7.16.2 elasticsearch-node3/
[elasticsearch@es opt]# rm -rf elasticsearch-7.16.2

创建elasticsearch节点的数据目录和日志目录

 
1
2
3
[elasticsearch@es opt]# mkdir -pv /data/elasticsearch-node1/{data,logs}
[elasticsearch@es opt]# mkdir -pv /data/elasticsearch-node2/{data,logs}
[elasticsearch@es opt]# mkdir -pv /data/elasticsearch-node3/{data,logs}
 

修改操作系统的内核配置文件sysctl.conf 

[root@es local]# vim /etc/sysctl.conf
#在配置文件最后面添加如下内容
vm.zone_reclaim_mode=0
vm.max_map_count=262144
vm.swappiness=0

解释:max_map_count文件包含限制一个进程可以拥有的VMA(虚拟内存区域)的数量。虚拟内存区域是一个连续的虚拟地址空间区域。在进程的生命周期中,每当程序尝试在内存中映射文件,链接到共享内存段,或者分配堆空间的时候,这些区域将被创建。当进程达到了VMA上线但又只能释放少量的内存给其他的内核进程使用时,操作系统会抛出内存不足的错误。

swappiness,Linux内核参数,控制换出运行时内存的相对权重。swappiness参数值可设置范围在0到100之间。 低参数值会让内核尽量少用交换,更高参数值会使内核更多的去使用交换空间。默认值为60,对于大多数操作系统,设置为100可能会影响整体性能,而设置为更低值(甚至为0)则可能减少响应延迟。

vm.swappiness=1;进行最少量的交换,而不禁用交换。如果设置为 0 的话,则等同于禁用 swap

 
1
2
#使修改之后的配置文件生效
[elasticsearch@es local]# sysctl -p

修改elasticsearch-node1节点的配置文件jvm.options

 
1
2
[elasticsearch@es opt]# cd elasticsearch-node1/config/
[elasticsearch@es opt]# vim jvm.options

修改如下两个选项:

  • -Xms512m  #elasticsearch启动时jvm所分配的初始堆内存大小
  • -Xmx512m  #elasticsearch启动之后允许jvm分配的最大堆内存大小,生产环境中可能需要调大

注意:如果内存足够大,可以不用修改,默认为1G,最好不要超过内存的50%

修改elasticsearch-node1节点的配置文件elasticsearch.yml

[elasticsearch@es opt]# vim elasticsearch-node1/config/elasticsearch.yml
#修改以下项
#表示集群标识,同一个集群中的多个节点使用相同的标识
cluster.name: elasticsearch
#节点名称
node.name: "es-node1"
#数据存储目录
path.data: /data/elasticsearch-node1/data
#日志目录
path.logs: /data/elasticsearch-node1/logs
#节点所绑定的IP地址,并且该节点会被通知到集群中的其他节点
network.host: 192.168.1.11
#绑定监听的网络接口,监听传入的请求,可以设置为IP地址或者主机名
network.bind_host: 192.168.1.11
#发布地址,用于通知集群中的其他节点,和其他节点通讯,不设置的话默认可以自动设置。必须是一个存在的IP地址
network.publish_host: 192.168.1.11
#es7.x 之后新增的配置,初始化一个新的集群时需要此配置来选举master
cluster.initial_master_nodes: ["192.168.1.11:9301"]
#集群通信端口
transport.tcp.port: 9301
#对外提供服务的http端口,默认为9200
http.port: 9201
#集群中主节点的初始列表,当主节点启动时会使用这个列表进行非主节点的监测
discovery.seed_hosts: ["192.168.1.11:9301","192.168.1.11:9302","192.168.1.11:9303"]
discovery.cluster_formation_warning_timeout: 30s
cluster.join.timeout: 30s
cluster.publish.timeout: 60s
#cache缓存大小,10%(默认),可设置成百分比,也可设置成具体值,如256mb。
indices.queries.cache.size: 30%
#索引期间的内存缓存,有利于索引吞吐量的增加。
indices.memory.index_buffer_size: 30%
#开启了内存地址锁定,为了避免内存交换提高性能。但是Centos6不支持SecComp功能,启动会报错,所以需要将其设置为false
bootstrap.memory_lock: true
bootstrap.system_call_filter: false
#设置该节点是否具有成为主节点的资格以及是否存储数据。
node.master: true
node.data: true
#ElasticSearch 更改search线程池,search 线程设置过小导致程序崩溃
thread_pool.search.queue_size: 1000
#queue_size允许控制没有线程执行它们的挂起请求队列的初始大小。
thread_pool.search.size: 200
#size参数控制线程数,默认为核心数乘以5。
thread_pool.search.min_queue_size: 10
#min_queue_size设置控制queue_size可以调整到的最小量。
thread_pool.search.max_queue_size: 1000
#max_queue_size设置控制queue_size可以调整到的最大量。
thread_pool.search.auto_queue_frame_size: 2000
#auto_queue_frame_size设置控制在调整队列之前进行测量的操作数。它应该足够大,以便单个操作不会过度偏向计算。
thread_pool.search.target_response_time: 6s
#target_response_time是时间值设置,指示线程池队列中任务的目标平均响应时间。如果任务通常超过此时间,则将调低线程池队列以拒绝任务。
cluster.max_shards_per_node: 900000  #允许集群分片数量大小
#x-pack认证
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate 
xpack.security.transport.ssl.client_authentication: required
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12
#开启https
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: http.p12
允许远程索引迁移的客户端
reindex.remote.whitelist: "otherhost:9200, another:9200, 172.31.21.*:9200, localhost:*"

修改elasticsearch-node2节点的配置文件elasticsearch.yml

[elasticsearch@es opt]# vim elasticsearch-node2/config/elasticsearch.yml
#修改以下项
#表示集群标识,同一个集群中的多个节点使用相同的标识
cluster.name: elasticsearch
#节点名称
node.name: "es-node2"
#数据存储目录
path.data: /data/elasticsearch-node2/data
#日志目录
path.logs: /data/elasticsearch-node2/logs
#节点所绑定的IP地址,并且该节点会被通知到集群中的其他节点
network.host: 192.168.1.11
#绑定监听的网络接口,监听传入的请求,可以设置为IP地址或者主机名
network.bind_host: 192.168.1.11
#发布地址,用于通知集群中的其他节点,和其他节点通讯,不设置的话默认可以自动设置。必须是一个存在的IP地址
network.publish_host: 192.168.1.11
#es7.x 之后新增的配置,初始化一个新的集群时需要此配置来选举master
cluster.initial_master_nodes: ["192.168.1.11:9301"]
#集群通信端口
transport.tcp.port: 9302
#对外提供服务的http端口,默认为9200
http.port: 9202
#集群中主节点的初始列表,当主节点启动时会使用这个列表进行非主节点的监测
discovery.seed_hosts: ["192.168.1.11:9301","192.168.1.11:9302","192.168.1.11:9303"]
discovery.cluster_formation_warning_timeout: 30s
cluster.join.timeout: 30s
cluster.publish.timeout: 60s
#cache缓存大小,10%(默认),可设置成百分比,也可设置成具体值,如256mb。
indices.queries.cache.size: 30%
#索引期间的内存缓存,有利于索引吞吐量的增加。
indices.memory.index_buffer_size: 30%
#开启了内存地址锁定,为了避免内存交换提高性能。但是Centos6不支持SecComp功能,启动会报错,所以需要将其设置为false
bootstrap.memory_lock: true
bootstrap.system_call_filter: false
#设置该节点是否具有成为主节点的资格以及是否存储数据。
node.master: true
node.data: true
#ElasticSearch 更改search线程池,search 线程设置过小导致程序崩溃
thread_pool.search.queue_size: 1000
#queue_size允许控制没有线程执行它们的挂起请求队列的初始大小。
thread_pool.search.size: 200
#size参数控制线程数,默认为核心数乘以5。
thread_pool.search.min_queue_size: 10
#min_queue_size设置控制queue_size可以调整到的最小量。
thread_pool.search.max_queue_size: 1000
#max_queue_size设置控制queue_size可以调整到的最大量。
thread_pool.search.auto_queue_frame_size: 2000
#auto_queue_frame_size设置控制在调整队列之前进行测量的操作数。它应该足够大,以便单个操作不会过度偏向计算。
thread_pool.search.target_response_time: 6s
#target_response_time是时间值设置,指示线程池队列中任务的目标平均响应时间。如果任务通常超过此时间,则将调低线程池队列以拒绝任务。
cluster.max_shards_per_node: 900000  #允许集群分片数量大小
#x-pack认证
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate 
xpack.security.transport.ssl.client_authentication: required
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12
#开启https
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: http.p12
允许远程索引迁移的客户端
reindex.remote.whitelist: "otherhost:9200, another:9200, 172.31.21.*:9200, localhost:*"

修改elasticsearch-node3节点的配置文件elasticsearch.yml

[elasticsearch@es opt]# vim elasticsearch-node3/config/elasticsearch.yml
#修改以下项
#表示集群标识,同一个集群中的多个节点使用相同的标识
cluster.name: elasticsearch
#节点名称
node.name: "es-node3"
#数据存储目录
path.data: /data/elasticsearch-node3/data
#日志目录
path.logs: /data/elasticsearch-node3/logs
#节点所绑定的IP地址,并且该节点会被通知到集群中的其他节点
network.host: 192.168.1.11
#绑定监听的网络接口,监听传入的请求,可以设置为IP地址或者主机名
network.bind_host: 192.168.1.11
#发布地址,用于通知集群中的其他节点,和其他节点通讯,不设置的话默认可以自动设置。必须是一个存在的IP地址
network.publish_host: 192.168.1.11
#es7.x 之后新增的配置,初始化一个新的集群时需要此配置来选举master
cluster.initial_master_nodes: ["192.168.1.11:9301"]
#集群通信端口
transport.tcp.port: 9303
#对外提供服务的http端口,默认为9200
http.port: 9203
#集群中主节点的初始列表,当主节点启动时会使用这个列表进行非主节点的监测
discovery.seed_hosts: ["192.168.1.11:9301","192.168.1.11:9302","192.168.1.11:9303"]
discovery.cluster_formation_warning_timeout: 30s
cluster.join.timeout: 30s
cluster.publish.timeout: 60s
#cache缓存大小,10%(默认),可设置成百分比,也可设置成具体值,如256mb。
indices.queries.cache.size: 30%
#索引期间的内存缓存,有利于索引吞吐量的增加。
indices.memory.index_buffer_size: 30%
#开启了内存地址锁定,为了避免内存交换提高性能。但是Centos6不支持SecComp功能,启动会报错,所以需要将其设置为false
bootstrap.memory_lock: true
bootstrap.system_call_filter: false
#设置该节点是否具有成为主节点的资格以及是否存储数据。
node.master: true
node.data: true
#ElasticSearch 更改search线程池,search 线程设置过小导致程序崩溃
thread_pool.search.queue_size: 1000
#queue_size允许控制没有线程执行它们的挂起请求队列的初始大小。
thread_pool.search.size: 200
#size参数控制线程数,默认为核心数乘以5。
thread_pool.search.min_queue_size: 10
#min_queue_size设置控制queue_size可以调整到的最小量。
thread_pool.search.max_queue_size: 1000
#max_queue_size设置控制queue_size可以调整到的最大量。
thread_pool.search.auto_queue_frame_size: 2000
#auto_queue_frame_size设置控制在调整队列之前进行测量的操作数。它应该足够大,以便单个操作不会过度偏向计算。
thread_pool.search.target_response_time: 6s
#target_response_time是时间值设置,指示线程池队列中任务的目标平均响应时间。如果任务通常超过此时间,则将调低线程池队列以拒绝任务。
cluster.max_shards_per_node: 900000  #允许集群分片数量大小
#x-pack认证
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate 
xpack.security.transport.ssl.client_authentication: required
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12
#开启https
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: http.p12
允许远程索引迁移的客户端
reindex.remote.whitelist: "otherhost:9200, another:9200, 172.31.21.*:9200, localhost:*"

至此各个elasticsearch节点配置 

四. 生成证书

1.创建证书授权
执行命令创建ca 执行:
[elasticsearch@es bin]$ cd /usr/local/services/elasticsearch7/bin
[elasticsearch@es bin]$ ./elasticsearch-certutil ca
warning: usage of JAVA_HOME is deprecated, use ES_JAVA_HOME
Future versions of Elasticsearch will require Java 11; your Java version from [/usr/local/java/jdk1.8.0_291/jre] does not meet this requirement. Consider switching to a distribution of Elasticsearch with a bundled JDK. If you are already using a distribution with a bundled JDK, ensure the JAVA_HOME environment variable is not set.
This tool assists you in the generation of X.509 certificates and certificate
signing requests for use with SSL/TLS in the Elastic stack.

The 'ca' mode generates a new 'certificate authority'
This will create a new X.509 certificate and private key that can be used
to sign certificate when running in 'cert' mode.

Use the 'ca-dn' option if you wish to configure the 'distinguished name'
of the certificate authority

By default the 'ca' mode produces a single PKCS#12 output file which holds:
* The CA certificate
* The CA's private key

If you elect to generate PEM format certificates (the -pem option), then the output will
be a zip file containing individual files for the CA certificate and private key

Please enter the desired output file [elastic-stack-ca.p12]:      ##直接回车
Enter password for elastic-stack-ca.p12 :   ##直接回车,这个时候会生成elastic-stack-ca.p12文件

然后按照提示输入Please enter the desired output file [elastic-stack-ca.p12] 此时提示输入文件名默认为:elastic-stack-ca.p12,输入完敲回车,或者直接回车默认。
接下来会提示输入Enter password for elastic-stack-ca.p12 :密码可以为空 直接回车 此时ca 创建OK 文件会在执行目录的根目录


2.根据elastic-stack-ca.p12文件 生成elastic-certificates.p12
执行命令为:elasticsearch-certutil cert --ca elastic-stack-ca.p12

[elasticsearch@es bin]$./elasticsearch-certutil cert --ca elastic-stack-ca.p12
Enter password for CA (elastic-stack-ca.p12) : 
Please enter the desired output file [elastic-certificates.p12]: 
Enter password for elastic-certificates.p12 :

接下来会提示 输入Enter password for CA (elastic-stack-ca.p12) :上一个ca 文件的密码 如果没有则直接回车即可,
接下来会提示Please enter the desired output file [elastic-certificates.p12]:给当前生成的文件取名默认为elastic-certificates.p12
接下来会提示给当前文件设置密码Enter password for elastic-certificates.p12 : 密码可以为空 直接回车。
至此我们有了elastic-stack-ca.p12和elastic-certificates.p12两个文件

3.把elastic-certificates.p12 copy到每个ES节点的config目录下

4.添加如下配置到ES yml里:

xpack.security.transport.ssl.verification_mode: certificate

xpack.security.transport.ssl.client_authentication: required

xpack.security.transport.ssl.keystore.path: elastic-certificates.p12

xpack.security.transport.ssl.truststore.path: elastic-certificates.p12

五.Basic Security Plus Https

如果我们想进一步给ES添加HTTPS认证,我们可以做如下步骤:

1. 生成HTTP证书

./bin/elasticsearch-certutil http

Generate a CSR? [y/N]n

## Do you have an existing Certificate Authority (CA) key-pair that you wish to use to sign your certificate?

If you have an existing CA certificate and key, then you can use that CA to
sign your new http certificate. This allows you to use the same CA across
multiple Elasticsearch clusters which can make it easier to configure clients,
and may be easier for you to manage.

If you do not have an existing CA, one will be generated for you.

Use an existing CA? [y/N]y

## What is the path to your CA?

Please enter the full pathname to the Certificate Authority that you wish to
use for signing your new http certificate. This can be in PKCS#12 (.p12), JKS
(.jks) or PEM (.crt, .key, .pem) format.
CA Path: /opt/ericsson/csp/tools/tsc/elasticsearch-node1/elastic-stack-ca.p12
Reading a PKCS12 keystore requires a password.
It is possible for the keystore's password to be blank,
in which case you can simply press at the prompt
Password for elastic-stack-ca.p12:

## How long should your certificates be valid?

Every certificate has an expiry date. When the expiry date is reached clients
will stop trusting your certificate and TLS connections will fail.

Best practice suggests that you should either:
(a) set this to a short duration (90 - 120 days) and have automatic processes
to generate a new certificate before the old one expires, or
(b) set it to a longer duration (3 - 5 years) and then perform a manual update
a few months before it expires.

You may enter the validity period in years (e.g. 3Y), months (e.g. 18M), or days (e.g. 90D)

For how long should your certificate be valid? [5y] 10y

## Do you wish to generate one certificate per node?

If you have multiple nodes in your cluster, then you may choose to generate a
separate certificate for each of these nodes. Each certificate will have its
own private key, and will be issued for a specific hostname or IP address.

Alternatively, you may wish to generate a single certificate that is valid
across all the hostnames or addresses in your cluster.

If all of your nodes will be accessed through a single domain
(e.g. node01.es.example.com, node02.es.example.com, etc) then you may find it
simpler to generate one certificate with a wildcard hostname (*.es.example.com)
and use that across all of your nodes.

However, if you do not have a common domain name, and you expect to add
additional nodes to your cluster in the future, then you should generate a
certificate per node so that you can more easily generate new certificates when
you provision new nodes.

Generate a certificate per node? [y/N]n

## Which hostnames will be used to connect to your nodes?

These hostnames will be added as "DNS" names in the "Subject Alternative Name"
(SAN) field in your certificate.

You should list every hostname and variant that people will use to connect to
your cluster over http.
Do not list IP addresses here, you will be asked to enter them later.

If you wish to use a wildcard certificate (for example *.es.example.com) you
can enter that here.

Enter all the hostnames that you need, one per line.
When you are done, press once more to move on to the next step. #输入用于连接到第一个节点的所有主机名(es集群)。这些主机名将作为DNS名称添加到证书中的Subject Alternative Name (SAN)字段中。

ip-192-168-15-72.cn-north-1.compute.internal

You entered the following hostnames.

- ip-192-168-15-72.cn-north-1.compute.internal

Is this correct [Y/n]y

## Which IP addresses will be used to connect to your nodes?

If your clients will ever connect to your nodes by numeric IP address, then you
can list these as valid IP "Subject Alternative Name" (SAN) fields in your
certificate.

If you do not have fixed IP addresses, or not wish to support direct IP access
to your cluster then you can just press to skip this step.

Enter all the IP addresses that you need, one per line.
When you are done, press once more to move on to the next step. #输入es集群所有的客户端可以用来连接到节点的IP地址

192.168.15.72

You entered the following IP addresses.

- 192.168.15.72

Is this correct [Y/n]y

## Other certificate options

The generated certificate will have the following additional configuration
values. These values have been selected based on a combination of the
information you have provided above and secure defaults. You should not need to
change these values unless you have specific requirements.

Key Name: ip-192-168-15-72.cn-north-1.compute.internal
Subject DN: CN=ip-192-168-15-72, DC=cn-north-1, DC=compute, DC=internal
Key Size: 2048

Do you wish to change any of these options? [y/N]n

## What password do you want for your private key(s)?

Your private key(s) will be stored in a PKCS#12 keystore file named "http.p12".
This type of keystore is always password protected, but it is possible to use a
blank password.

If you wish to use a blank password, simply press at the prompt below.
Provide a password for the "http.p12" file: [ for none]

## Where should we save the generated files?

A number of files will be generated including your private key(s),
public certificate(s), and sample configuration options for Elastic Stack products.

These files will be included in a single zip archive.

What filename should be used for the output zip file?

A number of files will be generated including your private key(s),
public certificate(s), and sample configuration options for Elastic Stack products.

These files will be included in a single zip archive.

What filename should be used for the output zip file? [/opt/ericsson/csp/tools/tsc/elasticsearch-node1/elasticsearch-ssl-http.zip]

Zip file written to /opt/ericsson/csp/tools/tsc/elasticsearch-node1/elasticsearch-ssl-http.zip

2. 添加 ssl http 配置

第一步会生成 elasticsearch-ssl-http.zip文件在ES目录下,其包含elasticsearch和kibana两个文件夹。

1. 解压 elasticsearch-ssl-http.zip,将elasticsearch下的 http.p12 文件 copy到各个节点的config目录下

2.如果给每个节点生成证书时设置了密码需要添加到keystore,没有设置密码无需做这一步

    ./bin/elasticsearch-keystoreaddxpack.security.http.ssl.keystore.secure_password

3. 添加如下配置到es yml文件:

    xpack.security.http.ssl.enabled: true

    xpack.security.http.ssl.keystore.path: "http.p12"

六、Elastic 设置用户密码

1   elasticsearch.yml 中增加xpack.security.enabled: true

2  启动elastic集群 ./bin/elasticsearch -d

3  主节点执行 ./bin/elasticsearch-setup-passwords auto

4   也可以使用手动设置密码命令./bin/elasticsearch-setup-passwords interactive

5  请妥善保存以上步骤生成的用户名密码

6   curl -k --user  elastic_username:elastic_password -XGET https:// network.host: http.port/_cat/health,使用正确的用户名密码测试是否设置成功

七、logstash配置https

1.将elasticsearch-ssl-http.zip中kibana目录中的elasticsearch-ca.pem copy到logstash/config目录

2.添加配置到logstash.conf  

output {

  elasticsearch {
  hosts => ["172.31.1.11:9201","172.31.1.11:9202","172.31.1.11:9203"]
  index => "logstash-%{type}-%{+YYYY.MM.dd}"
  user => "elastic"
  password => "**********"
  ssl => true
  cacert =>"config/elasticsearch-ca.pem"

}

 3. 重启logstash

 

、kibana配置https

1.将elasticsearch-ssl-http.zip中kibana目录中的elasticsearch-ca.pem copy到kibana/config目录

2.添加配置到kibana.yml

        elasticsearch.hosts: ["https:172.31.1.11:9201","https:172.31.1.11:9202","https:172.31.1.11:9203"]

        elasticsearch.ssl.verificationMode: none //因为es那边设置了host ip之类的认证,所以设置为none,不然kibana无法访问es,es log中会报如下错误:http client did not trust this server's certificate

        elasticsearch.ssl.certificateAuthorities: [ "config/elasticsearch-ca.pem" ]

 3. 重启kibana

 


推荐阅读
author-avatar
美丽空间wo
这个家伙很懒,什么也没留下!
PHP1.CN | 中国最专业的PHP中文社区 | DevBox开发工具箱 | json解析格式化 |PHP资讯 | PHP教程 | 数据库技术 | 服务器技术 | 前端开发技术 | PHP框架 | 开发工具 | 在线工具
Copyright © 1998 - 2020 PHP1.CN. All Rights Reserved | 京公网安备 11010802041100号 | 京ICP备19059560号-4 | PHP1.CN 第一PHP社区 版权所有