【笔记】Elasticsearch集群加密证书

最新推荐文章于 2024-08-14 12:16:30 发布
最新推荐文章于 2024-08-14 12:16:30 发布
阅读量841 收藏 1
点赞数
分类专栏: linux
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/Sxiaokun/article/details/112752037
版权

es证书

集群创建好:配置文件:

node1:

[root@localhost elasticsearch]# grep -v ^# elasticsearch.yml |grep -v ^$
cluster.name: songcluster
node.name: node-50
node.master: true
node.data: true
path.data: /var/lib/elasticsearch
path.logs: /var/log/elasticsearch
network.host: 192.168.1.50
http.port: 9200
transport.tcp.port: 9300
discovery.seed_hosts: ["192.168.1.50", "192.168.1.55", "192.168.1.56"]
cluster.initial_master_nodes: ["192.168.1.50"]
discovery.zen.minimum_master_nodes: 2
http.cors.enabled: true
http.cors.allow-origin: "*"
http.cors.allow-headers: "Authorization"
bootstrap.memory_lock: false
bootstrap.system_call_filter: false
http.max_initial_line_length: 100k
http.max_header_size: 50k
http.max_content_length: 50mb
cluster.routing.allocation.total_shards_per_node: 5000
xpack.license.self_generated.type: basic

node2:

[root@songES02 elasticsearch]# grep -v ^# elasticsearch.yml |grep -v ^$
cluster.name: songcluster
node.master: true
node.data: true
node.name: node-55
path.data: /var/lib/elasticsearch
path.logs: /var/log/elasticsearch
network.host: 192.168.1.55
http.port: 9200
transport.tcp.port: 9300
discovery.seed_hosts: ["192.168.1.50", "192.168.1.55", "192.168.1.56"]
cluster.initial_master_nodes: ["192.168.1.50", "192.168.1.55", "192.168.1.56"]
discovery.zen.minimum_master_nodes: 2
http.cors.enabled: true
http.cors.allow-origin: "*"
http.cors.allow-headers: "Authorization"
bootstrap.memory_lock: false
bootstrap.system_call_filter: false
http.max_initial_line_length: 100k
http.max_header_size: 50k
http.max_content_length: 50mb
cluster.routing.allocation.total_shards_per_node: 5000
xpack.license.self_generated.type: basic

node3:

[root@songEs03 elasticsearch]# grep -v ^# elasticsearch.yml |grep -v ^$
cluster.name: songcluster
node.master: true
node.data: true
node.name: node-56
path.data: /var/lib/elasticsearch
path.logs: /var/log/elasticsearch
network.host: 192.168.1.56
transport.tcp.port: 9300
http.port: 9200
discovery.seed_hosts: ["192.168.1.50", "192.168.1.55", "192.168.1.56"]
cluster.initial_master_nodes: ["192.168.1.50", "192.168.1.55", "192.168.1.56"]
discovery.zen.minimum_master_nodes: 2
http.cors.enabled: true
http.cors.allow-origin: "*"
http.cors.allow-headers: "Authorization"
bootstrap.memory_lock: false
bootstrap.system_call_filter: false
http.max_initial_line_length: 100k
http.max_header_size: 50k
http.max_content_length: 50mb
cluster.routing.allocation.total_shards_per_node: 5000
xpack.license.self_generated.type: basic

创建证书

[root@localhost elasticsearch]# pwd
/usr/share/elasticsearch
[root@localhost elasticsearch]# ./bin/elasticsearch-certutil ca
This tool assists you in the generation of X.509 certificates and certificate
signing requests for use with SSL/TLS in the Elastic stack.

The 'ca' mode generates a new 'certificate authority'
This will create a new X.509 certificate and private key that can be used
to sign certificate when running in 'cert' mode.

Use the 'ca-dn' option if you wish to configure the 'distinguished name'
of the certificate authority

By default the 'ca' mode produces a single PKCS#12 output file which holds:
    * The CA certificate
    * The CA's private key

If you elect to generate PEM format certificates (the -pem option), then the output will
be a zip file containing individual files for the CA certificate and private key

Please enter the desired output file [elastic-stack-ca.p12]:    #指定证书文件名直接回车为默认
Enter password for elastic-stack-ca.p12 : #输入证书密码

#创建证书私钥

[root@localhost elasticsearch]# bin/elasticsearch-certutil  cert --ca elastic-stack-ca.p12 
This tool assists you in the generation of X.509 certificates and certificate
signing requests for use with SSL/TLS in the Elastic stack.

The 'cert' mode generates X.509 certificate and private keys.
    * By default, this generates a single certificate and key for use
       on a single instance.
    * The '-multiple' option will prompt you to enter details for multiple
       instances and will generate a certificate and key for each one
    * The '-in' option allows for the certificate generation to be automated by describing
       the details of each instance in a YAML file

    * An instance is any piece of the Elastic Stack that requires an SSL certificate.
      Depending on your configuration, Elasticsearch, Logstash, Kibana, and Beats
      may all require a certificate and private key.
    * The minimum required value for each instance is a name. This can simply be the
      hostname, which will be used as the Common Name of the certificate. A full
      distinguished name may also be used.
    * A filename value may be required for each instance. This is necessary when the
      name would result in an invalid file or directory name. The name provided here
      is used as the directory name (within the zip) and the prefix for the key and
      certificate files. The filename is required if you are prompted and the name
      is not displayed in the prompt.
    * IP addresses and DNS names are optional. Multiple values can be specified as a
      comma separated string. If no IP addresses or DNS names are provided, you may
      disable hostname verification in your SSL configuration.

    * All certificates generated by this tool will be signed by a certificate authority (CA).
    * The tool can automatically generate a new CA for you, or you can provide your own with the
         -ca or -ca-cert command line options.

By default the 'cert' mode produces a single PKCS#12 output file which holds:
    * The instance certificate
    * The private key for the instance certificate
    * The CA certificate

If you specify any of the following options:
    * -pem (PEM formatted output)
    * -keep-ca-key (retain generated CA key)
    * -multiple (generate multiple certificates)
    * -in (generate certificates from an input file)
then the output will be be a zip file containing individual certificate/key files

Enter password for CA (elastic-stack-ca.p12) : #上边设置ca的密码
Please enter the desired output file [elastic-certificates.p12]: #私钥的文件名,回车默认
Enter password for elastic-certificates.p12 : #私钥密码

Certificates written to /usr/share/elasticsearch/elastic-certificates.p12

This file should be properly secured as it contains the private key for 
your instance.

This file is a self contained file and can be copied and used 'as is'
For each Elastic product that you wish to configure, you should copy
this '.p12' file to the relevant configuration directory
and then follow the SSL configuration instructions in the product guide.

For client applications, you may only need to copy the CA certificate and
configure the client to trust this certificate.

截图:
在这里插入图片描述

在这里插入图片描述

创建成功后在/usr/share/elasticsearch下会有这两个文件。
在这里插入图片描述

传证书和私钥到其他节点

[root@localhost elasticsearch]# scp elastic-* root@192.168.1.55:/etc/elasticsearch/
root@192.168.1.55's password: 
elastic-certificates.p12                                                                                          100% 3443    49.0KB/s   00:00    
elastic-stack-ca.p12                                                                                              100% 2527    87.6KB/s   00:00    
[root@localhost elasticsearch]# scp elastic-* root@192.168.1.56:/etc/elasticsearch/
root@192.168.1.56's password: 
elastic-certificates.p12                                                                                          100% 3443   119.7KB/s   00:00    
elastic-stack-ca.p12                                                                                              100% 2527    75.7KB/s   00:00    
本地复制,换位置,换不换都行,配置文件要写这个位置
[root@localhost elasticsearch]# cp elastic-* /etc/elasticsearch/
[root@localhost elasticsearch]# cd /etc/elasticsearch/
[root@localhost elasticsearch]# ls
elastic-certificates.p12  elasticsearch.yml          elastic-stack-ca.p12  jvm.options.d      role_mapping.yml  users
elasticsearch.keystore    elasticsearch.yml.cluster  jvm.options           log4j2.properties  roles.yml         users_roles
[root@localhost elasticsearch]#

修改配置文件

打开或添加xpack功能

xpack.security.enabled: true
xpack.security.audit.enabled: true
xpack.license.self_generated.type: basic
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: /etc/elasticsearch/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: /etc/elasticsearch/elastic-certificates.p12

[root@localhost elasticsearch]# grep -v ^# elasticsearch.yml |grep -v ^$
cluster.name: songcluster
node.name: node-50
node.master: true
node.data: true
path.data: /var/lib/elasticsearch
path.logs: /var/log/elasticsearch
network.host: 192.168.1.50
http.port: 9200
transport.tcp.port: 9300
discovery.seed_hosts: ["192.168.1.50", "192.168.1.55", "192.168.1.56"]
cluster.initial_master_nodes: ["192.168.1.50"]
discovery.zen.minimum_master_nodes: 2
http.cors.enabled: true
http.cors.allow-origin: "*"
http.cors.allow-headers: "Authorization"
bootstrap.memory_lock: false
bootstrap.system_call_filter: false
http.max_initial_line_length: 100k
http.max_header_size: 50k
http.max_content_length: 50mb
cluster.routing.allocation.total_shards_per_node: 5000
xpack.security.enabled: true
xpack.security.audit.enabled: true
xpack.license.self_generated.type: basic
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: /etc/elasticsearch/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: /etc/elasticsearch/elastic-certificates.p12

各个节点为 xpack.security.transport 添加密码,每个节点都执行这两个命令

[root@localhost elasticsearch]# /usr/share/elasticsearch/bin/elasticsearch-keystore add xpack.security.transport.ssl.keystore.secure_password
Enter value for xpack.security.transport.ssl.keystore.secure_password: 
[root@localhost elasticsearch]# /usr/share/elasticsearch/bin/elasticsearch-keystore add xpack.security.transport.ssl.truststore.secure_password
Enter value for xpack.security.transport.ssl.truststore.secure_password:

证书文件该权限

所有节点都改

[root@localhost elasticsearch]# chmod 660 elastic-*
[root@localhost elasticsearch]# ll
æ€»ç”¨é‡ 52
-rw-rw----. 1 root elasticsearch  3443 1月  13 17:16 elastic-certificates.p12
-rw-rw----. 1 root elasticsearch   331 1月  14 11:47 elasticsearch.keystore
-rw-rw----. 1 root elasticsearch  3733 1月  14 09:40 elasticsearch.yml
-rw-r-----. 1 root elasticsearch  3498 1月  13 16:20 elasticsearch.yml.cluster
-rw-rw----. 1 root elasticsearch  2527 1月  13 17:16 elastic-stack-ca.p12
-rw-rw----. 1 root elasticsearch  2373 7月  22 00:46 jvm.options
drwxr-s---. 2 root elasticsearch     6 7月  22 00:49 jvm.options.d
-rw-rw----. 1 root elasticsearch 17419 7月  22 00:46 log4j2.properties
-rw-rw----. 1 root elasticsearch   473 7月  22 00:46 role_mapping.yml
-rw-rw----. 1 root elasticsearch   197 7月  22 00:46 roles.yml
-rw-rw----. 1 root elasticsearch     0 7月  22 00:46 users
-rw-rw----. 1 root elasticsearch     0 7月  22 00:46 users_roles

重启服务

systemctl restart elasticsearch

设置加密密码

一个节点里加密就行

/usr/share/elasticsearch/bin/elasticsearch-setup-passwords interactive
[root@localhost elasticsearch]# /usr/share/elasticsearch/bin/elasticsearch-setup-passwords interactive
Initiating the setup of passwords for reserved users elastic,apm_system,kibana,kibana_system,logstash_system,beats_system,remote_monitoring_user.
You will be prompted to enter passwords as the process progresses.
Please confirm that you would like to continue [y/N]y


Enter password for [elastic]:
Reenter password for [elastic]:
Enter password for [apm_system]:
Reenter password for [apm_system]:
Enter password for [kibana_system]:
Reenter password for [kibana_system]:
Enter password for [logstash_system]:
Reenter password for [logstash_system]:
Enter password for [beats_system]:
Reenter password for [beats_system]:
Enter password for [remote_monitoring_user]:
Reenter password for [remote_monitoring_user]:
123123Changed password for user [apm_system]
Changed password for user [kibana_system]
Changed password for user [kibana]
Changed password for user [logstash_system]
Changed password for user [beats_system]
Changed password for user [remote_monitoring_user]
Changed password for user [elastic]
[root@localhost elasticsearch]#
宋晓坤
关注
专栏目录
Elasticsearch学习笔记 - 05: 配置安全选项
u011682283的博客
12-28 3788
ElasticSearch 提供了安全功能,可以使用密码保护你的数据,或者更高级的安全措施,如加密通信,基于角色的访问控制,IP过滤和审计。 1.确认使用了带有安全功能的许可证 2.安全功能提供三十天免费试用,之后想要继续使用需要购买许可证。 3.需要在同一集群中的每个节点上设置安全选项,默认为false,开启是true 4.为节点间通信配置传输层安全性(TLS / SSL) ·为每个...
千锋ElasticSearch6教程的资料
12-18
**Elasticsearch 6 教程详解** Elasticsearch 是一个开源的全文搜索引擎,以其分布式、实时、可扩展性以及强大的数据分析能力而受到广大开发者和企业的青睐。在Elasticsearch 6版本中,它继续优化了性能,提升了...
ElasticSearch 7.10.2 搭建集群时配置证书
m0_67392182的博客
04-18 1079
进入 ElasticSearch 根目录 为集群创建认证机构,同一集群的认证机构需要相同 bin/elasticsearch-certutil ca # 执行命令后会有两次输入,第一次为CA文件名,第二次为密码(密码1) # 建议依次输入回车(文件使用默认名,不设置密码) # 执行完会在ES根目录生成 elastic-stack-ca.p12 文件(默认文件名) 为节点颁发证书 bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 ..
Elasticsearch7搭建集群并配置节点证书
大叶子不小的博客
06-29 2375
单机版比较简单,试下集群版的,资源有限,本文例子:一台主机以不同端口启动搭建集群。准备搭建3个节点。
ElasticSearch集群搭建与安全认证
最新发布
qq_44027353的博客
08-14 1379
参考文档:https://www.elastic.co/guide/en/elasticsearch/reference/7.17/configuring-stack-security.html。每个节点上都保存了集群的状态,只有Master节点才能修改集群的状态信息,其中包括:所有节点信息、所有索引信息以及相关的Mappings和Setting信息、分片的路由信息。ElasticSearch集群内部的数据是通过9300进行传输的,如果不对数据加密,可能会造成数据被抓包,敏感信息泄露。
单机多节点 elasticsearch 集群安全认证
干就完了!!!
06-12 2469
es 集群安全认证
安全与加密ElasticSearch的安全与加密功能
程序员光剑
01-21 1418
1.背景介绍 在本文中,我们将深入探讨ElasticSearch的安全与加密功能。首先,我们将介绍ElasticSearch的背景和核心概念。然后,我们将详细讲解其加密算法原理和具体操作步骤,并提供数学模型公式的解释。接着,我们将通过具体的代码实例和详细解释来展示最佳实践。最后,我们将讨论实际应用场景、工具和资源推荐,并总结未来发展趋势与挑战。 1. 背景介绍 ElasticSearch是一...
Elasticsearch入门学习笔记
06-28
这篇入门学习笔记将引导初学者了解如何安装、配置以及使用Elasticsearch。 首先,让我们从安装开始。要安装Elasticsearch,你可以访问官方网站(https://www.elastic.co/cn/downloads/elasticsearch)下载最新版本...
Elasticsearch 数据库集群配置方式参考.docx
07-08
### Elasticsearch 数据库集群配置详解 #### 一、概述 Elasticsearch 是一款基于 Lucene 的分布式搜索和分析引擎,适用于全文检索、结构化检索以及数据分析等场景。由于其高性能、可扩展性和易于集成的特点,...
【中华石杉】Elasticsearch顶尖高手系列-核心知识篇 + 高手进阶篇
05-06
2. **集群和节点**:学习如何搭建和管理Elasticsearch集群,理解节点间的通信机制,以及如何配置和优化节点性能。 3. **搜索与查询**:深入理解Elasticsearch的全文搜索原理,包括TF-IDF、BM25等算法,以及如何构建...
Elasticsearch集群部署以及认证配置
xjxy52o的博客
05-23 1333
在其中一台机器上执行,我这里在 192.168.95.174 node-01节点机器操作,我这里密码全部设置为(123456)去到cd /path/elasticsearch-7.10.1/bin。配置systemd服务启动es
对Elastic集群配置TLS加密通信及身份验证
weixin_30381793的博客
08-29 528
1、介绍 官方宣布从6.8和7.1开始,免费提供多项安全功能。其中包括tls加密通信,基于角色访问控制等功能。 可以使用企业CA证书来完成这一步骤,但是一般情况下,我们可以通过elasticsearch自带的elasticsearch-certutil的命令生成证书。然后各节点通过该证书可以进行安全通信。 2. 步骤 2.1 生成证书 搭建好了es集群,先拿第一个节点来操作,进入elas...
ELasticsearch(ES,es)单机,集群加密(x-pack),非加密部署(超详细版)
m0_47188356的博客
10-18 2976
ELasticsearch(ES,es)单机,集群加密(x-pack),非加密部署(超详细版),另外还有head插件访问,启动
【Docker】Docker Elasticsearch7 加装安全认证插件
Kida 的技术小屋(CSDN 版)
02-19 1722
之前文章中我们已经完成了Docker版本的Elasticsearch部署,为了增强安全性在此为Elasticsearch安装安全认证插件(2018年全球大规模的Elasticsearch攻击历历在目)。由于之前部署的Elasticsearch是Docker版本,本次也基于Docker版本进行说明。 为了简化操作步骤,这边将配合使用Docker Desktop(以下简称“DD”)来进行Docker操作(对应回脚本操作也是非常方便的,有空将重新整理出来)。首先打开DD的Dashbroad界面。在界面上选择对应的
Elasticsearch SSL认证/证书制作
fj56355113的专栏
10-23 2946
制作目的 在上一篇《elasticsearch7.X x-pack破解》中,我们启用了x-pack模块,elasticsearch集群中,如果使用了x-pack,那么集群中的各节点之间通讯就必须安全认证。为了解决节点间通讯的认证问,我们需要制作证书。 内容简介 本文的主要内容是指导SSL制作过程。 步骤 生成证书 一、cd到es安装目录下,如:cd /data/platform/elasticsearch/elasticsearch-7.0.0 然后执行:bin/elasticsearch-c
Elasticsearch:如何创建 Elasticsearch PEM 和/或 P12 证书
Elastic 中国社区官方博客
08-08 4968
你是否希望使用 SSL/TLS 证书来保护你的 Elasticsearch 部署?在本文中,我们将指导你完成为 Elasticsearch 创建 PEM 和 P12 证书的过程。这些证书在建立安全连接和确保 Elasticsearch 集群的完整性方面发挥着至关重要的作用。友情提示:你可以选择其中一种方法来在你的环境中创建和使用证书
ES开启安全认证
w2909526的博客
11-23 1228
elasticsearch开启安全认证步骤。2.根据生成的证书创建秘钥。4.启动es并创建密码。至此ES开启认证完成。
es用户认证与鉴权入门配置
epitomizelu的专栏
05-29 6716
https://www.jianshu.com/p/d021661c9b6a https://blog.csdn.net/fxtxz2/article/details/105707317/ https://www.mcabana.com/archives/2107.html xpack.security.enabled: true 一,在elasticsearch.yml文件中配置 xpack.security.enabled: true xpack.security.transport.ssl.enabl
Elasticsearch集群搭建指南
"本文档详细介绍了如何搭建和配置Elasticsearch集群,强调了满足其基本需求的重要性,包括合适的操作系统和JVM版本。文档适用于Elasticsearch的新手和那些希望优化现有集群的管理员。" 在深入探讨Elasticsearch集群...
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值