Elasticsearch 6.8.0配置TLS/SSL

配置步骤:

1.安装x-pack

2.执行命令,生成elastic-stack-ca.p12文件,密码使用123456(123456仅为演示用的示例密码,实际部署应换成强密码)

# Creates a new certificate authority; per the step above the output is elastic-stack-ca.p12.
# That file holds the CA private key, so only the host that issues certificates needs to keep it.
./bin/elasticsearch-certutil ca

3.执行命令,生成elastic-certificates.p12文件,密码使用123456

# Issues a node certificate signed by the CA in elastic-stack-ca.p12 (output per the step above: elastic-certificates.p12).
# No --dns/--ip is passed, so the certificate carries no subject alternative names and clients cannot
# check the host name against it; pass --dns/--ip per node if host-name verification is wanted.
./bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12

4.将elastic-stack-ca.p12、elastic-certificates.p12拷贝到config/certs(下面的配置只引用elastic-certificates.p12;elastic-stack-ca.p12含有CA私钥,签发完证书后应另行妥善保管)

5.在elasticsearch.yml文件中添加配置

# NOTE(review): the keystore/truststore passwords below are stored in plain text in elasticsearch.yml.
# The matching secure settings (e.g. xpack.security.transport.ssl.keystore.secure_password), added with
# bin/elasticsearch-keystore, keep them out of this file.

# --- Transport layer (node-to-node) TLS ---
xpack.security.transport.ssl.enabled: true
# "certificate" validates the certificate chain against the truststore but does not check the host name.
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: certs/elastic-certificates.p12
xpack.security.transport.ssl.keystore.password: 123456
xpack.security.transport.ssl.truststore.path: certs/elastic-certificates.p12
xpack.security.transport.ssl.truststore.password: 123456

# --- HTTP layer (REST API) TLS ---
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: certs/elastic-certificates.p12
xpack.security.http.ssl.keystore.password: 123456
xpack.security.http.ssl.truststore.path: certs/elastic-certificates.p12
xpack.security.http.ssl.truststore.password: 123456

6.logstash连接ES

output {
  # Ships events to Elasticsearch over HTTPS with basic authentication.
  elasticsearch {
    # NOTE(review): port 9201 here, while the Java and curl checks on this page use 9200 - confirm which is intended.
    hosts => ["https://MY_IP:9201"]
    index => "bos-dev-log"
    user => "elastic"
    password => "123456"
    ssl => true
    # NOTE(review): with verification switched off the server certificate is accepted without validation,
    # so the connection is encrypted but the peer is not authenticated, whatever the truststore contains.
    # Turning it on also checks the host name, which needs a node certificate issued with --dns/--ip.
    ssl_certificate_verification => false
    # NOTE(review): elastic-certificates.p12 also contains the node's private key; a store holding only the
    # CA certificate (or a PEM file via the cacert option) is enough for a client.
    truststore => "/XXX/XXX/elastic-certificates.p12"
    truststore_password => "123456"
  }

  # Echoes every event to the console for debugging.
  stdout {
    codec => rubydebug
  }
}

7.java client验证

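/**
 * Smoke test: requests the Elasticsearch root endpoint over HTTPS with basic authentication and prints
 * the response body to standard output.
 *
 * <p>Trust material is read from the PKCS#12 file generated by elasticsearch-certutil. The certificate
 * chain is validated against it, but host-name verification is disabled (see the note in the body).
 *
 * @throws Exception if the keystore cannot be read, the TLS context cannot be built, or the request fails
 */
public static void testHttps() throws Exception {
	// NOTE(review): sample credentials from the article; real code should read them from configuration
	// or a secret store rather than embedding them in source.
	CredentialsProvider credentialsProvider = new BasicCredentialsProvider();
	credentialsProvider.setCredentials(AuthScope.ANY, new UsernamePasswordCredentials("elastic", "123456"));

	// The file is a PKCS#12 container, so request that type explicitly; "jks" only opens it on JDKs
	// whose keystore compatibility mode is enabled.
	// NOTE(review): elastic-certificates.p12 also holds the node's private key; keeping it under
	// src/main/resources places that key in the client project. A store with only the CA certificate
	// is sufficient for trust.
	KeyStore truststore = KeyStore.getInstance("PKCS12");
	try (InputStream is = new FileInputStream("./src/main/resources/elastic-certificates.p12")) {
		truststore.load(is, "123456".toCharArray());
	}
	SSLContext sslContext = SSLContexts.custom().loadTrustMaterial(truststore, null).build();

	// NOTE(review): NoopHostnameVerifier accepts any host name, so any certificate issued by the trusted CA
	// passes regardless of which host presents it. It is kept because the certificate generated earlier
	// was issued without --dns/--ip; once the node certificate carries matching names, drop this argument
	// to get the default host-name verifier.
	SSLConnectionSocketFactory sslsf = new SSLConnectionSocketFactory(sslContext, NoopHostnameVerifier.INSTANCE);

	Registry<ConnectionSocketFactory> socketFactoryRegistry = RegistryBuilder.<ConnectionSocketFactory>create()
			.register("https", sslsf).register("http", new PlainConnectionSocketFactory()).build();

	BasicHttpClientConnectionManager connectionManager = new BasicHttpClientConnectionManager(
			socketFactoryRegistry);

	// Closing the client also shuts down its connection manager, so the socket is released even if
	// the request or the read throws.
	try (CloseableHttpClient client = HttpClients.custom().setSSLSocketFactory(sslsf)
			.setDefaultCredentialsProvider(credentialsProvider).setConnectionManager(connectionManager).build()) {
		HttpGet getMethod = new HttpGet("https://MY_IP:9200");
		HttpResponse response = client.execute(getMethod);
		try (InputStream body = response.getEntity().getContent()) {
			System.out.println(IOUtils.toString(body));
		}
	}
}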

8.curl命令验证

 # -k skips certificate validation, so this only confirms that HTTPS and basic auth respond,
 # not that the server certificate is trusted. Passing the CA certificate with --cacert instead
 # checks the chain and the host name, which needs a node certificate issued with --dns/--ip.
 curl -k -u elastic:123456 -X GET https://MY_IP:9200

参考链接


转载自blog.csdn.net/sdkdeveloper/article/details/102966606