其他分享
首页 > 其他分享> > Elasticsearch集群外部的安全通信

Elasticsearch集群外部的安全通信

作者:互联网

Kibana或logstash或其他程序访问ES时,他们之间的数据传输都是走明文的,非常不安全,所以要配置https加密

配置Elasticsearch for Https

1.修改ES配置文件

#所有节点都需要做以下配置

cd /usr/local/elasticsearch-7.6.1/config/

vim elasticsearch.yml

#添加下列项
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: elastic-certificates.p12
xpack.security.http.ssl.truststore.path: elastic-certificates.p12

2.重启ES集群

su - es

#通过kill命令先杀掉es进程

cd /usr/local/elasticsearch-7.6.1/bin/

nohup ./elasticsearch &

3.验证

可以看到此时我们的ES是通过https进行访问的

配置kibana连接Elasticsearch for Https

ES开启了https访问后,Kibana自然也是需要配置才能正常访问我们ES的

1.给kibana生成pem

 #进入存放ES集群证书的目录

cd /usr/local/elasticsearch-7.6.1/config/

openssl pkcs12 -in elastic-certificates.p12 -cacerts -nokeys -out elastic-ca.pem

Enter Import Password:        #我这里之前没有设置密码,直接回车即可

2.将生成的证书移动到Kibana指定目录下

mv elastic-ca.pem /usr/local/kibana-7.6.1-linux-x86_64/config/

3.修改kibana配置文件

cd /usr/local/kibana-7.6.1-linux-x86_64/config/

vim kibana.yml

#将该项修改成hpps开头
elasticsearch.hosts: ["https://192.168.36.164:9200"]
#将以下两个注释取消并进行配置
elasticsearch.ssl.certificateAuthorities: [ "/usr/local/kibana-7.6.1-linux-x86_64/config/elastic-ca.pem" ]
elasticsearch.ssl.verificationMode: certificate

4.重启Kibana

#先通过命令netstat -tunlp|grep 5601查看进程,然后kill掉

su - es

cd /usr/local/kibana-7.6.1-linux-x86_64/bin/

nohup ./kibana &

此时Kibana就可以正常访问Elasticsearch for Https了

配置Kibana for Https

1.为kibana服务端生成服务端证书

#使用ES的命令生成

cd /usr/local/elasticsearch-7.6.1/bin/

./elasticsearch-certutil ca --pem

future versions of Elasticsearch will require Java 11; your Java version from [/usr/local/java/jdk1.8.0_60/jre] does not meet this requirement
This tool assists you in the generation of X.509 certificates and certificate
signing requests for use with SSL/TLS in the Elastic stack.

The 'ca' mode generates a new 'certificate authority'
This will create a new X.509 certificate and private key that can be used
to sign certificate when running in 'cert' mode.

Use the 'ca-dn' option if you wish to configure the 'distinguished name'
of the certificate authority

By default the 'ca' mode produces a single PKCS#12 output file which holds:
    * The CA certificate
    * The CA's private key

If you elect to generate PEM format certificates (the -pem option), then the output will
be a zip file containing individual files for the CA certificate and private key

Please enter the desired output file [elastic-stack-ca.zip]: /usr/local/kibana-7.6.1-linux-x86_64/config/elastic-stack-ca.zip          #这里直接指定路径到Kibana的config目录下即可

2.解压证书

cd /usr/local/kibana-7.6.1-linux-x86_64/config/

unzip elastic-stack-ca.zip

#解压后的ca目录下会有两个文件

ls ca

ca.crt  ca.key

3.修改Kibana配置文件

cd /usr/local/kibana-7.6.1-linux-x86_64/config/

vim kibana.yml

#将以下注释去掉,并修改,配置到我们的ca路径
server.ssl.enabled: true
server.ssl.certificate: /usr/local/kibana-7.6.1-linux-x86_64/config/ca/ca.crt
server.ssl.key: /usr/local/kibana-7.6.1-linux-x86_64/config/ca/ca.key

4.重启Kibana

#先通过命令netstat -tunlp|grep 5601查看进程,然后kill掉

su - es

cd /usr/local/kibana-7.6.1-linux-x86_64/bin/

nohup ./kibana &

5.验证

可以看到此时我们的Kibana是通过https进行访问的

 

 

 

标签:外部,config,ca,kibana,集群,usr,Elasticsearch,local,7.6
来源: https://www.cnblogs.com/cjzzz/p/16135353.html