1 创建证书
[root@server1 ~]# cd /usr/share/elasticsearch/
[root@server1 elasticsearch]# ls
bin jdk lib LICENSE.txt modules NOTICE.txt plugins README.asciidoc
[root@server1 elasticsearch]# bin/elasticsearch-certutil ca
This tool assists you in the generation of X.509 certificates and certificate
signing requests for use with SSL/TLS in the Elastic stack.
The 'ca' mode generates a new 'certificate authority'
This will create a new X.509 certificate and private key that can be used
to sign certificate when running in 'cert' mode.
Use the 'ca-dn' option if you wish to configure the 'distinguished name'
of the certificate authority
By default the 'ca' mode produces a single PKCS#12 output file which holds:
* The CA certificate
* The CA's private key
If you elect to generate PEM format certificates (the -pem option), then the output will
be a zip file containing individual files for the CA certificate and private key
Please enter the desired output file [elastic-stack-ca.p12]: 回车
Enter password for elastic-stack-ca.p12 : 回车(直接回车表示不设密码,此时CA私钥没有口令保护;实验环境之外应在此设置密码)
[root@server1 elasticsearch]# ll
total 552
drwxr-xr-x 2 root root 4096 Apr 2 17:59 bin
-rw------- 1 root root 2527 Apr 3 01:59 elastic-stack-ca.p12
drwxr-xr-x 9 root root 107 Apr 2 17:59 jdk
drwxr-xr-x 3 root root 4096 Apr 2 17:59 lib
-rw-r--r-- 1 root root 13675 Feb 29 2020 LICENSE.txt
drwxr-xr-x 39 root root 4096 Apr 2 17:59 modules
-rw-rw-r-- 1 root root 523209 Feb 29 2020 NOTICE.txt
drwxr-xr-x 2 root root 6 Feb 29 2020 plugins
-rw-r--r-- 1 root root 8164 Feb 29 2020 README.asciidoc
- 生成证书:
bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12
[root@server1 elasticsearch]# ll
total 556
drwxr-xr-x 2 root root 4096 Apr 2 17:59 bin
-rw------- 1 root root 3451 Apr 3 01:59 elastic-certificates.p12
-rw------- 1 root root 2527 Apr 3 01:59 elastic-stack-ca.p12
drwxr-xr-x 9 root root 107 Apr 2 17:59 jdk
drwxr-xr-x 3 root root 4096 Apr 2 17:59 lib
-rw-r--r-- 1 root root 13675 Feb 29 2020 LICENSE.txt
drwxr-xr-x 39 root root 4096 Apr 2 17:59 modules
-rw-rw-r-- 1 root root 523209 Feb 29 2020 NOTICE.txt
drwxr-xr-x 2 root root 6 Feb 29 2020 plugins
-rw-r--r-- 1 root root 8164 Feb 29 2020 README.asciidoc
[root@server1 elasticsearch]# cp elastic-certificates.p12 elastic-stack-ca.p12 /etc/elasticsearch
[root@server1 elasticsearch]# cd /etc/elasticsearch
[root@server1 elasticsearch]# chown elasticsearch elastic-certificates.p12 elastic-stack-ca.p12
[root@server1 elasticsearch]# scp -r elastic-certificates.p12 elastic-stack-ca.p12 server2:/etc/elasticsearch
##(对server2-server5逐台执行上面的scp。下文配置中节点只引用elastic-certificates.p12;elastic-stack-ca.p12含有CA私钥,无需分发到各节点,应单独妥善保管)
2 配置所有的elasticsearch集群节点
- 编辑配置文件:
vim /etc/elasticsearch/elasticsearch.yml
# Turn on the Elasticsearch security features (authentication and authorization) on this node.
xpack.security.enabled: true
# Encrypt node-to-node (transport layer) traffic with TLS.
# Nothing in this fragment enables TLS on the HTTP layer (xpack.security.http.ssl.*),
# so REST traffic on port 9200, including passwords sent by clients, stays in clear text.
xpack.security.transport.ssl.enabled: true
# "certificate" checks that the peer's certificate is signed by a trusted CA but
# skips hostname verification; "full" additionally verifies the hostname.
xpack.security.transport.ssl.verification_mode: certificate
# The same PKCS#12 file is used as keystore (this node's certificate and key) and
# as truststore (the CA certificate it trusts).
# If the .p12 is password-protected, add the password to the Elasticsearch keystore as
# xpack.security.transport.ssl.keystore.secure_password / truststore.secure_password.
xpack.security.transport.ssl.keystore.path: /etc/elasticsearch/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: /etc/elasticsearch/elastic-certificates.p12
- 重启服务:
systemctl restart elasticsearch.service
- 配置所有的elasticsearch集群节点:
vim /etc/elasticsearch/elasticsearch.yml
# Allow cross-origin browser requests to carry the Authorization header, so a
# browser-based client can authenticate (presumably the UI on port 9100 used in the
# test below; confirm). Keep http.cors.allow-origin limited to that client's origin
# rather than a wildcard, since this header carries credentials.
http.cors.allow-headers: Authorization,X-Requested-With,Content-Length,Content-Type
- 重启服务:
systemctl restart elasticsearch.service
3 设置用户密码
ES集群重启正常后,设置用户密码
/usr/share/elasticsearch/bin/elasticsearch-setup-passwords interactive
在这里所有密码均设为elastic(仅为实验演示方便;实际环境中应为每个内置用户分别设置高强度密码)
测试:
(1)浏览器访问:http://172.25.12.1:9100/?auth_user=elastic&auth_password=elastic (注意:账号和密码以URL参数形式经HTTP明文传输,并会留在浏览器历史记录中,仅适合实验环境)
(2)设置logstash连接ES的用户密码
- 编辑文件:
/etc/logstash/conf.d/test1.conf
# Logstash pipeline: read the Apache access log, parse each line with the
# combined-log grok pattern, and send the events to stdout and to Elasticsearch.
input {
file {
path => "/var/log/httpd/access_log"
# Read the file from its beginning the first time it is seen, instead of only new lines.
start_position => "beginning"
}
}
filter {
grok {
# Split the raw line in "message" into the fields of the Apache combined log format.
match => { "message" => "%{HTTPD_COMBINEDLOG}" }
}
}
output {
# Echo every event to the console as well, which is handy while testing.
stdout {}
elasticsearch {
# No scheme is given, so this connection uses plain HTTP: the credentials below
# cross the network unencrypted unless HTTP-layer TLS is enabled on Elasticsearch
# and this output is pointed at https.
hosts => ["172.25.12.1:9200"]
# One index per day, named after the event date.
index => "apache-%{+yyyy.MM.dd}"
# "elastic" is the built-in superuser; a dedicated user whose role can only write
# to the apache-* indices is the least-privilege choice for an ingest pipeline.
user => "elastic"
# The password is stored in plain text in this file. Logstash can resolve a
# ${VAR} reference from its keystore or the environment instead; otherwise keep
# this file readable only by the logstash user.
password => "elastic"
}
}
- 执行:
logstash -f /etc/logstash/conf.d/test1.conf
4 设置kibana连接es的密码
(1)编辑配置文件,设置 elasticsearch.username 与 elasticsearch.password(即kibana连接ES所用的账号和密码):
vim /etc/kibana/kibana.yml
(2)重启服务:
systemctl restart kibana.service
(3)测试:
- 账号:elastic
- 密码:elastic