[ES-5.6.12] x-pack ssl

最新推荐文章于 2024-02-20 09:37:42 发布

weixin_34252090

最新推荐文章于 2024-02-20 09:37:42 发布

阅读量215

点赞数

文章标签：大数据 python 运维

原文链接：https://my.oschina.net/u/204498/blog/3012344

版权

2019独角兽企业重金招聘Python工程师标准>>>

一、ES-5.6.12 安装

https://www.elastic.co/guide/en/elasticsearch/reference/5.6/setup.html

/etc/elasticsearch/elasticsearch.yml

cluster.name: harry_es
node.name: harry001

node.master: true
node.data: true
node.ingest: false

# chmod 755 -R /data
# chown elasticsearch:elasticsearch -R /data/data/es
# chown elasticsearch:elasticsearch -R /data/logs/es

path.data: /data/data/es
path.logs: /data/logs/es
#bootstrap.memory_lock: true
#
network.host: harry001
discovery.zen.ping.unicast.hosts: ["harry001"]
discovery.zen.minimum_master_nodes: 1

二、X-Pack-5.6.12安装

https://www.elastic.co/guide/en/elasticsearch/reference/5.6/installing-xpack-es.html

/usr/share/elasticsearch/bin/elasticsearch-plugin install x-pack

#/usr/share/elasticsearch/bin/elasticsearch-plugin install file:///...../x-pack-5.6.12.zip

三、SSL Key/Crt生成

https://www.elastic.co/guide/en/elasticsearch/reference/5.6/certgen.html

1. 编写instances.yml

/etc/elasticsearch/instances.yml

instances:
  - name: "harry001"
    ip:
      - "192.168.10.1"
    dns:
      - "harry001"
  - name: "harry002"
    ip:
      - "192.168.10.2"
    dns:
      - "harry002"

2. 生成key/crt

/usr/share/elasticsearch/bin/x-pack/certgen --in /etc/elasticsearch/instances.yml --out /etc/elasticsearch/certificate-bundle.zip

harry001 $ /usr/share/elasticsearch/bin/x-pack/certgen --in /etc/elasticsearch/instances.yml --out /etc/elasticsearch/certificate-bundle.zip

harry001 $ pwd
/etc/elasticsearch

harry001 $ unzip certificate-bundle.zip
Archive:  certificate-bundle.zip
   creating: ca/
  inflating: ca/ca.crt
  inflating: ca/ca.key
   creating: harry001/
  inflating: harry001/harry001.crt
  inflating: harry001/harry001.key
   creating: harry002/
  inflating: harry002/harry002.crt
  inflating: harry002/harry002.key

#以下操作在harry001上。重命名是为了配置一致化

harry001 $ mv ca/ca.crt x-pack/es_pack_ca.crt
harry001 $ mv harry001/harry001.key x-pack/es_pack.key
harry001 $ mv harry001/harry001.crt x-pack/es_pack.crt

#以下操作在harry002上。重命名是为了配置一致化. 需要复制harry001上的certificate-bundle.zip。

harry002 $ mv ca/ca.crt x-pack/es_pack_ca.crt
harry002 $ mv harry002/harry002.key x-pack/es_pack.key
harry002 $ mv harry002/harry002.crt x-pack/es_pack.crt

3. 进行ssl配置

cluster.name: harry_es
node.name: harry001
node.master: true
node.data: true
node.ingest: false

# chmod 755 -R /data
# chown elasticsearch:elasticsearch -R /data/data/es
# chown elasticsearch:elasticsearch -R /data/logs/es

path.data: /data/data/es
path.logs: /data/logs/es
#bootstrap.memory_lock: true
#
network.host: harry001
discovery.zen.ping.unicast.hosts: ["harry001"]
discovery.zen.minimum_master_nodes: 1

xpack.security.http.ssl.enabled: true
xpack.security.transport.ssl.enabled: true

xpack.ssl.key: "/etc/elasticsearch/x-pack/es_xpack.key"
xpack.ssl.certificate: "/etc/elasticsearch/x-pack/es_xpack.crt"
xpack.ssl.certificate_authorities: ["/etc/elasticsearch/x-pack/es_xpack_ca.crt"]

# xpack.monitoring
xpack.monitoring.enabled: false

# xpack.watcher
xpack.watcher.enabled: false

# xpack.ml
xpack.ml.enabled: false
node.ml: false

elastic:changeme

转载于:https://my.oschina.net/u/204498/blog/3012344