1. Create the CA (private key and certificate).
cd /esdb/esapp/esapp9201/config
/esdb/esapp/esapp9201/bin/elasticsearch-certutil ca
This tool assists you in the generation of X.509 certificates and certificate
signing requests for use with SSL/TLS in the Elastic stack.
The 'ca' mode generates a new 'certificate authority'
This will create a new X.509 certificate and private key that can be used
to sign certificate when running in 'cert' mode.
Use the 'ca-dn' option if you wish to configure the 'distinguished name'
of the certificate authority
By default the 'ca' mode produces a single PKCS#12 output file which holds:
* The CA certificate
* The CA's private key
If you elect to generate PEM format certificates (the -pem option), then the output will
be a zip file containing individual files for the CA certificate and private key
Please enter the desired output file [elastic-stack-ca.p12]: (press Enter to accept the default)
Enter password for elastic-stack-ca.p12 : esadmin -- password protecting the CA's PKCS#12 file. "esadmin" is a lab value; in production use a strong one, since this file holds the signing key for every node certificate.
-- The generated file:
/esdb/esapp/esapp9201/elastic-stack-ca.p12
2. Issue a node certificate signed by the CA.
cd /esdb/esapp/esapp9201/config
/esdb/esapp/esapp9201/bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12
Enter password for CA (elastic-stack-ca.p12) : esadmin
Please enter the desired output file [elastic-certificates.p12]: elastic-certificates.p12
Enter password for elastic-certificates.p12 : esadmin
-rw------- 1 esadmin esadmin 3596 Jun 29 16:28 elastic-certificates.p12
-rw------- 1 esadmin esadmin 2656 Jun 29 16:26 elastic-stack-ca.p12
-- Put the two .p12 files into the node's config directory (both are mode 600 and owned by esadmin; keep them that way). Note that "certutil cert --ca" run like this produces a single certificate with no hostnames or IPs in it, shared by all nodes, so the transport verification_mode must stay at "certificate" rather than "full", otherwise the nodes would fail hostname checks against each other.
-- 3. Store the PKCS#12 passwords in the Elasticsearch keystore (first the password of the file used as keystore, then the one used as truststore; both were set to esadmin above).
/esdb/esapp/esapp9201/bin/elasticsearch-keystore add xpack.security.transport.ssl.keystore.secure_password
/esdb/esapp/esapp9201/bin/elasticsearch-keystore add xpack.security.transport.ssl.truststore.secure_password
4. Copy to the other nodes.
-- Stop a node before copying into its config directory. elastic-certificates.p12 already embeds the CA certificate, so the nodes do not need elastic-stack-ca.p12 (which holds the CA private key) at runtime; copying it to every node as below only spreads the signing key around. After copying, check that the files are still readable only by esadmin.
cd /esdb/esapp/esapp9201/config
cp elastic-certificates.p12 elasticsearch.keystore elastic-stack-ca.p12 /esdb/esapp/esapp9202/config/
cp elastic-certificates.p12 elasticsearch.keystore elastic-stack-ca.p12 /esdb/esapp/esapp9203/config/
5. Configure the transport certificate (on every node).
cat >> /esdb/esapp/esapp9201/config/elasticsearch.yml << EOF
EOF
cat >> /esdb/esapp/esapp9202/config/elasticsearch.yml << EOF
EOF
cat >> /esdb/esapp/esapp9203/config/elasticsearch.yml << EOF
EOF
6. Restart all ES nodes.
-- kill -9 skips Elasticsearch's graceful shutdown; a plain kill (SIGTERM) followed by waiting for the processes to exit is the safer way to stop the nodes.
ps -ef|grep java|grep esapp|awk '{print $2}'|xargs kill -9
/esdb/esapp/esapp9201/bin/elasticsearch &
/esdb/esapp/esapp9202/bin/elasticsearch &
/esdb/esapp/esapp9203/bin/elasticsearch &
-- 7. Verify.
Access ES:
[esadmin@oracle1 ~]$ curl http://192.168.1.7:9201/_cat/nodes?v
curl: (7) Failed connect to 192.168.1.7:9201; Connection refused
-- "Connection refused" means nothing is listening on 9201: the node is either still starting or failed to start, so check its log. It is not a security-layer rejection; with security enabled and no credentials supplied, a listening node answers 401 over HTTP. The node list in step 9 shows only esdb-node-2 and esdb-node-3, so node 1 never rejoined the cluster.
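The following is an added example, my code rather than anything from the original notes or from Elastic: it prints the transport-TLS settings block that the empty heredocs in step 5 are assumed to append, and audits a given elasticsearch.yml for settings that are missing or weakened (verification_mode: none), so that a node failing to come up after step 6 can be separated from a genuine TLS misconfiguration. The setting names are the standard Elasticsearch 7.x ones; the relative .p12 paths and the flat, top-level layout of elasticsearch.yml are assumptions matching the notes above, and the two config files in the demo are constructed, not taken from the cluster.

```sh
#!/bin/sh
# Added example (not from the original notes): transport-TLS settings block
# assumed for step 5, plus an audit of an elasticsearch.yml for missing or
# weak TLS settings. Flat "key: value" YAML only, as elasticsearch.yml is
# written in the notes. Relative .p12 paths assume the files sit in config/.

# Settings block assumed to be the content of the step-5 heredoc.
# verification_mode is "certificate", not the Elasticsearch default "full",
# because the certificate from "certutil cert --ca" carries no hostnames or
# IPs, so hostname verification would reject every peer.
transport_tls_settings() {
  cat <<'EOF'
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12
EOF
}

# yml_get FILE KEY: value of the last top-level "KEY: value" line, comments
# stripped; prints an empty line when the key is absent.
yml_get() {
  awk -v k="$2:" '{ sub(/#.*/, "") } $1 == k { v = $2 } END { print v }' "$1"
}

# audit_transport_tls FILE: one PROBLEM line per finding, exit status 1 if any.
audit_transport_tls() {
  yml=$1
  problems=0
  for key in xpack.security.enabled xpack.security.transport.ssl.enabled; do
    v=$(yml_get "$yml" "$key")
    if [ "$v" != "true" ]; then
      echo "PROBLEM: $key=${v:-<unset>} (expected true)"
      problems=$((problems + 1))
    fi
  done
  # "none" accepts any peer certificate; the CA built in step 1 is then pointless.
  mode=$(yml_get "$yml" xpack.security.transport.ssl.verification_mode)
  if [ "$mode" = "none" ]; then
    echo "PROBLEM: verification_mode=none disables peer certificate checks"
    problems=$((problems + 1))
  fi
  for key in xpack.security.transport.ssl.keystore.path \
             xpack.security.transport.ssl.truststore.path; do
    v=$(yml_get "$yml" "$key")
    if [ -z "$v" ]; then
      echo "PROBLEM: $key is unset"
      problems=$((problems + 1))
    fi
  done
  echo "$problems problem(s) in $yml"
  [ "$problems" -eq 0 ]
}

# Demo on two constructed configs (not real files from the cluster).
demo() {
  dir=$(mktemp -d)
  transport_tls_settings > "$dir/good.yml"
  # Weak: ssl.enabled missing, verification disabled, no keystore/truststore path.
  printf '%s\n' \
    'xpack.security.enabled: true' \
    'xpack.security.transport.ssl.verification_mode: none' > "$dir/weak.yml"
  audit_transport_tls "$dir/good.yml"
  audit_transport_tls "$dir/weak.yml" || true
  rm -rf "$dir"
}

demo
```

Run audit_transport_tls against each node's config/elasticsearch.yml before the restart in step 6. Keep verification_mode at certificate unless the node certificates are reissued with the --dns or --ip options of certutil cert, in which case full becomes possible.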
8. Set the passwords.
Set passwords for the elastic user and the other built-in (reserved) users.
Run this once, on a node that is up (here the master node). elasticsearch-setup-passwords can only be used once per cluster; after that, change passwords through the API.
Passwords are needed for 7 users: elastic,apm_system,kibana,kibana_system,logstash_system,beats_system,remote_monitoring_user (kibana and kibana_system share one prompt). Using the same weak "esadmin" for all of them, as below, is acceptable only in a lab.
[esadmin@oracle1 bin]$ /esdb/esapp/esapp9203/bin/elasticsearch-setup-passwords interactive
Initiating the setup of passwords for reserved users elastic,apm_system,kibana,kibana_system,logstash_system,beats_system,remote_monitoring_user.
You will be prompted to enter passwords as the process progresses.
Please confirm that you would like to continue [y/N]y
Enter password for [elastic]: esadmin
Reenter password for [elastic]: esadmin
Enter password for [apm_system]: esadmin
Reenter password for [apm_system]: esadmin
Enter password for [kibana_system]: esadmin
Reenter password for [kibana_system]: esadmin
Enter password for [logstash_system]: esadmin
Reenter password for [logstash_system]: esadmin
Enter password for [beats_system]: esadmin
Reenter password for [beats_system]: esadmin
Enter password for [remote_monitoring_user]: esadmin
Reenter password for [remote_monitoring_user]: esadmin
Changed password for user [apm_system]
Changed password for user [kibana_system]
Changed password for user [kibana]
Changed password for user [logstash_system]
Changed password for user [beats_system]
Changed password for user [remote_monitoring_user]
Changed password for user [elastic]
9. Verify.
Kibana can now log in with elastic/esadmin.
-- At this point only the master node (port 9203) accepts HTTP connections. Note that HTTP is still plain http here, so the elastic password travels in the clear; encrypting the HTTP layer (xpack.security.http.ssl) is a separate step not covered in these notes.
curl -u elastic:esadmin 'http://192.168.1.7:9203/_cat/nodes?v'
ip heap.percent ram.percent cpu load_1m load_5m load_15m node.role master name
192.168.1.7 75 64 2 0.05 0.21 0.44 dilmt * esdb-node-3
192.168.1.7 51 64 2 0.05 0.21 0.44 dilmt - esdb-node-2
[esadmin@oracle1 config]$ curl -u elastic http://192.168.1.7:9203/_cat/nodes?v
Enter host password for user 'elastic': esadmin
ip heap.percent ram.percent cpu load_1m load_5m load_15m node.role master name
192.168.1.7 57 64 7 0.10 0.24 0.46 dilmt * esdb-node-3
192.168.1.7 74 64 10 0.10 0.24 0.46 dilmt - esdb-node-2