Securing communication outside the Elasticsearch cluster
Author: Internet
When Kibana, Logstash or other programs access ES, the data between them travels in plaintext, which is very insecure, so HTTPS encryption needs to be configured.
Configuring Elasticsearch for HTTPS
1. Edit the ES configuration file
# All nodes need the following configuration
cd /usr/local/elasticsearch-7.6.1/config/
vim elasticsearch.yml
# Add the following settings
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: elastic-certificates.p12
xpack.security.http.ssl.truststore.path: elastic-certificates.p12
2. Restart the ES cluster
su - es
# Kill the ES process first with the kill command
cd /usr/local/elasticsearch-7.6.1/bin/
nohup ./elasticsearch &
3. Verify
You can see that ES is now accessed over HTTPS.
Configuring Kibana to connect to Elasticsearch over HTTPS
Once ES has HTTPS enabled, Kibana naturally also needs to be configured before it can access our ES normally.
1. Generate a PEM file for Kibana
# Enter the directory holding the ES cluster certificates
cd /usr/local/elasticsearch-7.6.1/config/
openssl pkcs12 -in elastic-certificates.p12 -cacerts -nokeys -out elastic-ca.pem
Enter Import Password: # No password was set earlier, so just press Enter
2. Move the generated certificate into the Kibana config directory
mv elastic-ca.pem /usr/local/kibana-7.6.1-linux-x86_64/config/
3. Edit the Kibana configuration file
cd /usr/local/kibana-7.6.1-linux-x86_64/config/
vim kibana.yml
# Change this entry so that it starts with https
elasticsearch.hosts: ["https://192.168.36.164:9200"]
# Uncomment and configure the following two entries
elasticsearch.ssl.certificateAuthorities: [ "/usr/local/kibana-7.6.1-linux-x86_64/config/elastic-ca.pem" ]
elasticsearch.ssl.verificationMode: certificate
4. Restart Kibana
# First find the process with netstat -tunlp|grep 5601, then kill it
su - es
cd /usr/local/kibana-7.6.1-linux-x86_64/bin/
nohup ./kibana &
Kibana can now access Elasticsearch over HTTPS normally.
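As an added example (not from the original post), the script below replays the elastic-ca.pem extraction step above against a constructed PKCS#12 keystore and then checks that what came out really is the CA that signed the node certificate, which is what elasticsearch.ssl.verificationMode: certificate relies on. It assumes openssl is on the PATH; the file names, subjects and the password changeit are constructed (the post's keystore had no password).

```shell
#!/bin/sh
# Added example, not from the original post: replay the elastic-ca.pem extraction step
# against a constructed keystore and check the result before handing it to Kibana.
set -eu

WORK="$(mktemp -d)"            # constructed scratch directory, not the cluster's config
P12PASS=changeit               # constructed; the post's keystore had no password
trap 'rm -rf "$WORK"' EXIT

# Build a stand-in for elastic-certificates.p12 holding node cert + node key + CA cert.
make_keystore() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Elastic CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=es-node" \
    -keyout "$WORK/node.key" -out "$WORK/node.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$WORK/node.csr" -CA "$WORK/ca.crt" \
    -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/node.crt" 2>/dev/null
  # -certfile stores the CA without a localKeyID attribute; -cacerts below selects on that.
  openssl pkcs12 -export -inkey "$WORK/node.key" -in "$WORK/node.crt" \
    -certfile "$WORK/ca.crt" -out "$WORK/elastic-certificates.p12" -passout "pass:$P12PASS"
}

# The post's extraction command, made non-interactive with -passin.
extract_ca() {
  openssl pkcs12 -in "$WORK/elastic-certificates.p12" -cacerts -nokeys \
    -out "$WORK/elastic-ca.pem" -passin "pass:$P12PASS"
}

# Number of certificates in the extracted PEM; exactly 1 means only the CA came out.
ca_cert_count() {
  grep -c 'BEGIN CERTIFICATE' "$WORK/elastic-ca.pem" || true
}

# The extracted certificate must be the CA itself, not the node certificate.
extracted_is_ca() {
  [ "$(openssl x509 -in "$WORK/elastic-ca.pem" -noout -fingerprint -sha256)" = \
    "$(openssl x509 -in "$WORK/ca.crt" -noout -fingerprint -sha256)" ]
}

# Does the extracted CA validate the node certificate? Exit 0 = the chain is good,
# which is the check behind elasticsearch.ssl.verificationMode: certificate.
node_cert_verifies() {
  openssl verify -CAfile "$WORK/elastic-ca.pem" "$WORK/node.crt" >/dev/null 2>&1
}

make_keystore
extract_ca
echo "certificates in elastic-ca.pem: $(ca_cert_count)"
extracted_is_ca && echo "extracted certificate is the CA"
node_cert_verifies && echo "node certificate chains to the extracted CA"
```

If the count is 0 or the chain check fails, the keystore did not carry a separate CA entry, and the PEM must be produced from the CA file itself instead.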
Configuring Kibana for HTTPS
1. Generate a server certificate for the Kibana server
# Generate it with the ES tool
cd /usr/local/elasticsearch-7.6.1/bin/
./elasticsearch-certutil ca --pem
future versions of Elasticsearch will require Java 11; your Java version from [/usr/local/java/jdk1.8.0_60/jre] does not meet this requirement
This tool assists you in the generation of X.509 certificates and certificate
signing requests for use with SSL/TLS in the Elastic stack.

The 'ca' mode generates a new 'certificate authority'
This will create a new X.509 certificate and private key that can be used
to sign certificate when running in 'cert' mode.

Use the 'ca-dn' option if you wish to configure the 'distinguished name'
of the certificate authority

By default the 'ca' mode produces a single PKCS#12 output file which holds:
    * The CA certificate
    * The CA's private key

If you elect to generate PEM format certificates (the -pem option), then the output will
be a zip file containing individual files for the CA certificate and private key

Please enter the desired output file [elastic-stack-ca.zip]: /usr/local/kibana-7.6.1-linux-x86_64/config/elastic-stack-ca.zip
# Just point the output path at the Kibana config directory
2. Unzip the certificate
cd /usr/local/kibana-7.6.1-linux-x86_64/config/
unzip elastic-stack-ca.zip
# After unzipping, the ca directory contains two files
ls ca
ca.crt ca.key
3. Edit the Kibana configuration file
cd /usr/local/kibana-7.6.1-linux-x86_64/config/
vim kibana.yml
# Uncomment the following entries and point them at our ca path
server.ssl.enabled: true
server.ssl.certificate: /usr/local/kibana-7.6.1-linux-x86_64/config/ca/ca.crt
server.ssl.key: /usr/local/kibana-7.6.1-linux-x86_64/config/ca/ca.key
4. Restart Kibana
# First find the process with netstat -tunlp|grep 5601, then kill it
su - es
cd /usr/local/kibana-7.6.1-linux-x86_64/bin/
nohup ./kibana &
5. Verify
You can see that Kibana is now accessed over HTTPS.
Source: https://www.cnblogs.com/cjzzz/p/16135353.html