Based on TLS encrypted communication cluster achieved ElasticSearch
Author: "The coyotes made Britain" , welcome to reprint
table of Contents
▪ use
▪ ES node information
▪ Step1. Close services
▪ Step2. Create a CA certificate
▪ Step3. Creating CERT certificate
▪ Step4. Create a key store
▪ Step5. Delete CA certificate
▪ Step6 modify. Elasticsearch.yml configuration
▪ Step7. Start services
▪ attached reference documents
use
Recap:
▷ In the first "EFK Tutorial - Quick Start Guide", describes the installation and deployment of EFK, which ElasticSearch architecture for three-node, that master, ingest, data roles deployed on three servers.
▷ In the second "EFK Tutorial - ElasticSearch high-performance high-availability architecture," we explained the EFK of data / ingest / master role and the use of a three-node are deployed to ensure high availability while maximizing performance.
▷ In the third "EFK Tutorial (3) - ElasticSearch hot and cold data separation," we explained the ES multi-instance deployments, there will be different on different disks heat of data to achieve data separation of hot and cold, rational allocation of resources.
The first three articles, data exchange between ES cluster are expressly interaction, and in this context, to create CA ES cluster, CERT certificate, data encryption between ElasticSearch clusters interact via two-way TLS.
ES node information
Because this article is based on an article "EFK Tutorial (3) - ElasticSearch separation of hot and cold data" set forth for the Environment, and the node information on a consistent:
Step1. Close Service
首先,需要停止所有ElasticSearch、kibana、filebeat服务,待证书配置完成后再启动
Step2. 创建CA证书
1️⃣ 找任一一台ElasticSearch节点服务器操作即可
cd /opt/elasticsearch/
# --days: 表示有效期多久
sudo -u elasticsearch ./bin/elasticsearch-certutil ca --days 36602️⃣ 务必将生成的CA证书,传到安全地方永久存储,因为后期若需要新增ES节点,还会用到该证书
3️⃣ 请将elastic-stack-ca.p12证书传到所有ES实例服务器上
Step3. 创建CERT证书
按上面表格进入相对应的目录创建CERT证书
# 在ES目录中建立证书目录及给予elasticsearch权限
mkdir -p config/certs;chown elasticsearch.elasticsearch config/certs -R
# 每一个实例一个证书
# --ca CA证书的文件名,必选参数
# --dns 服务器名,多服务器名用逗号隔开,可选参数
# --ip 服务器IP,多IP用逗号隔开,可选参数
# --out 输出到哪里,可选参数
# --days 有效期多久,可选参数
sudo -u elasticsearch ./bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 --ip ${本机IP},127.0.0.1 --out config/certs/cert.p12 --days 3660
# 例如elasticsearch-master-1(192.168.1.31)执行命令:sudo -u elasticsearch ./bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 --ip 192.168.1.31,127.0.0.1 --out config/certs/cert.p12 --days 3660
如果想批量生成CERT证书,请自行查阅附录链接,不过批量生成有时会碰到生成的证书不可用,因此建议一台一台生成
Step4. 创建密钥库
按上面表格进入相对应的目录创建密钥库
# 每一个实例都要操作
# 创建密钥库
sudo -u elasticsearch ./bin/elasticsearch-keystore create
# PKCS#12文件的密码
sudo -u elasticsearch ./bin/elasticsearch-keystore add xpack.security.transport.ssl.keystore.secure_password
# 信任库的密码
sudo -u elasticsearch ./bin/elasticsearch-keystore add xpack.security.transport.ssl.truststore.secure_password
确认keystore、truststore已录入至密钥库
sudo -u elasticsearch ./bin/elasticsearch-keystore list
Step5. 删除CA证书
由于上面创建的elastic-stack-ca.p12含有私钥,因此为了安全,建议将该文件删除(请务必提前备份好,因为后期增加节点还会用到)
按上面表格进入相对应的目录删除CA证书
rm -f elastic-stack-ca.p12Step6. 修改elasticsearch.yml配置
按上面表格对应的实例配置conf目录下elasticsearch.yml
# 在所有实例上加上以下配置
# 开启transport.ssl认证
xpack.security.transport.ssl.enabled: true
# xpack认证方式 full为主机或IP认证及证书认证,certificates为证书认证,不对主机和IP认证,默认为full
xpack.security.transport.ssl.verification_mode: full
# xpack包含私钥和证书的PKCS#12文件的路径
xpack.security.transport.ssl.keystore.path: certs/cert.p12
# xpack包含要信任的证书的PKCS#12文件的路径
xpack.security.transport.ssl.truststore.path: certs/cert.p12Step7. 启动服务
# 开启所有ES实例
sudo -u elasticsearch ./bin/elasticsearch
# 开启filebeat
/opt/filebeat/filebeat -e -c /opt/filebeat/filebeat.yml -d "publish"
# 开启kibana
sudo -u kibana /opt/kibana/bin/kibana -c /opt/kibana/config/kibana.yml附. 参考文档
https://www.elastic.co/guide/en/elasticsearch/reference/current/configuring-tls.html
https://www.elastic.co/guide/en/elasticsearch/reference/7.3/certutil.html