Elasticsearch and Kibana: cluster authentication and user authorization, secure communication inside the cluster, and secure communication between the cluster and the outside

Setup: one host, IP 192.168.80.10, running one Elasticsearch node and one Kibana instance (both version 7.5.0).

Goals

  1. Elasticsearch nodes must present a certificate that passes verification before they can join the cluster (transport-layer TLS)
  2. Kibana talks to Elasticsearch over HTTPS
  3. Elasticsearch cluster nodes are accessed over HTTPS
  4. Kibana is accessed from the browser over HTTPS

Adding Logstash to this setup is left for later; the official documentation is at:
https://www.elastic.co/guide/en/logstash/current/monitoring-logstash.html
https://www.elastic.co/guide/en/logstash/current/logstash-centralized-pipeline-management.html

The default user roles

- Elasticsearch steps

# Generate the CA certificate; press Enter at every prompt to accept the defaults
# (output: elastic-stack-ca.p12)
bin/elasticsearch-certutil ca

# Generate the certificate the node will use, signed by that CA; press Enter at every prompt
# (output: elastic-certificates.p12, which holds the node key, node certificate and the CA certificate)
bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12

# Set the passwords of the built-in users (elastic, kibana, ...);
# the node must already be started with xpack.security.enabled: true for this to work
bin/elasticsearch-setup-passwords interactive

# Create a directory for the certificates and move the node certificate under config/
mkdir -p config/certs
mv elastic-certificates.p12 config/certs

# Cluster authentication and user authorization
xpack.security.enabled: true

# Secure communication inside the cluster
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate # certificate verification level: checks the chain to the CA, not the hostname
xpack.security.transport.ssl.keystore.path: certs/elastic-certificates.p12 # node certificate path
xpack.security.transport.ssl.truststore.path: certs/elastic-certificates.p12 # the same .p12 also carries the CA certificate, so it serves as truststore

# Secure communication between the cluster and the outside (REST API on port 9200)
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: certs/elastic-certificates.p12
xpack.security.http.ssl.truststore.path: certs/elastic-certificates.p12

- Kibana steps

# On the Elasticsearch host
# Copy the node certificate from the ES node into the Kibana root directory
cp /usr/local/elasticsearch-7.5.0/config/certs/elastic-certificates.p12 /usr/local/kibana-7.5.0-linux-x86_64/

# On the Kibana host
# Extract the CA certificate Kibana will use to verify the HTTPS connection to ES
# elastic-certificates.p12 is the node certificate from the previous step (check its file permissions);
# elastic-ca.pem is the CA certificate produced for Kibana (-cacerts -nokeys: CA certificates only, no private key)
openssl pkcs12 -in elastic-certificates.p12 -cacerts -nokeys -out elastic-ca.pem

# Create a directory for the certificates and move them under config/
mkdir -p config/certs
mv elastic-certificates.p12 elastic-ca.pem config/certs

# Kibana configuration: connect to ES over https
elasticsearch.hosts: ["https://192.168.80.10:9200"]
elasticsearch.ssl.certificateAuthorities: ["/usr/local/kibana-7.5.0-linux-x86_64/config/certs/elastic-ca.pem"]
elasticsearch.ssl.verificationMode: certificate # certificate verification level

# Kibana configuration: connect to ES with a username and password
# (the password is the one set for the kibana user with elasticsearch-setup-passwords)
elasticsearch.username: "kibana"
elasticsearch.password: "changeme"

# Access Kibana over https
# On the Elasticsearch host
# Generate a CA in PEM format (output: elastic-stack-ca.zip)
bin/elasticsearch-certutil ca --pem
unzip elastic-stack-ca.zip
# This yields ca.crt and ca.key
   creating: ca/
  inflating: ca/ca.crt
  inflating: ca/ca.key

# Copy the files generated in the previous step from the ES node into the Kibana certificate directory
cp /usr/local/elasticsearch-7.5.0/ca/* /usr/local/kibana-7.5.0-linux-x86_64/config/certs/
# Optional: adjust the certificate file permissions

# On the Kibana host
# Enable HTTPS and point Kibana at the certificate and key (note how the paths are written: relative to the Kibana root)
# The certificate is self-signed, so the browser will warn until ca.crt is trusted by the browser
server.ssl.enabled: true
server.ssl.certificate: config/certs/ca.crt
server.ssl.key: config/certs/ca.key

Elasticsearch configuration file (config/elasticsearch.yml)

cluster.name: my-application
node.name: node0
path.data: node0_data
network.host: 192.168.80.10
http.port: 9200
discovery.seed_hosts: ["192.168.80.10"]
cluster.initial_master_nodes: ["192.168.80.10"]

xpack.security.enabled: true

xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: certs/elastic-certificates.p12
xpack.security.http.ssl.truststore.path: certs/elastic-certificates.p12

xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: certs/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: certs/elastic-certificates.p12

Kibana configuration file (config/kibana.yml)

server.port: 5601
server.host: "192.168.80.10"
elasticsearch.hosts: ["https://192.168.80.10:9200"]

elasticsearch.username: "kibana"
elasticsearch.password: "changeme"

server.ssl.enabled: true
server.ssl.certificate: config/certs/ca.crt
server.ssl.key: config/certs/ca.key

elasticsearch.ssl.certificateAuthorities: ["/usr/local/kibana-7.5.0-linux-x86_64/config/certs/elastic-ca.pem"]
elasticsearch.ssl.verificationMode: certificate
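The two configuration files above can be checked mechanically for the settings that would weaken this setup (security disabled, TLS disabled, verification mode none, an http:// Elasticsearch URL, the placeholder password left in place). The following Python script is an added example, not part of the original post: it parses only the flat `key: value` lines used on this page (no nested YAML, so no PyYAML is needed). The embedded elasticsearch.yml and kibana.yml snippets are constructed samples, one matching the page's settings and two with the settings loosened; the setting names are Elasticsearch/Kibana 7.x settings, and the defaults assumed for missing keys (`verification_mode` and `verificationMode` default to `full`, the `enabled` flags to false) are the documented ones. The audit functions and the wording of the findings are my own.

```python
"""Audit elasticsearch.yml / kibana.yml for the security settings enabled on this page.

Added example, not part of the original post. Handles only flat `key: value`
lines, which is all the page's configs use.
"""
import re
from typing import Dict, List

# Constructed sample: the page's elasticsearch.yml settings, as written above.
ES_YML_SECURE = """\
cluster.name: my-application
network.host: 192.168.80.10
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: certs/elastic-certificates.p12
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
"""

# Constructed sample: HTTP TLS left off and transport verification disabled.
ES_YML_WEAK = """\
cluster.name: my-application
network.host: 192.168.80.10
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: none  # accepts any peer certificate
"""

# Constructed sample: Kibana talking plain HTTP with the placeholder password.
KIBANA_YML_WEAK = """\
server.host: "192.168.80.10"
elasticsearch.hosts: ["http://192.168.80.10:9200"]
elasticsearch.username: "kibana"
elasticsearch.password: "changeme"
elasticsearch.ssl.verificationMode: none
"""

_LINE = re.compile(r"^\s*([A-Za-z0-9_.]+)\s*:\s*(.*?)\s*$")


def parse_flat_yaml(text: str) -> Dict[str, str]:
    """Return key -> value for flat `key: value` lines; drops comments and outer quotes."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split(" #", 1)[0].strip()  # strip trailing comments
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if m:
            settings[m.group(1)] = m.group(2).strip().strip("\"'")
    return settings


def _is_true(settings: Dict[str, str], key: str) -> bool:
    return settings.get(key, "false").lower() == "true"


def audit_elasticsearch(text: str) -> List[str]:
    """Findings for elasticsearch.yml; an empty list means the page's settings are all present."""
    s = parse_flat_yaml(text)
    findings: List[str] = []
    if not _is_true(s, "xpack.security.enabled"):
        findings.append("xpack.security.enabled is not true: no authentication on the node")
    if not _is_true(s, "xpack.security.transport.ssl.enabled"):
        findings.append("transport SSL disabled: node-to-node traffic is cleartext and any node can join")
    elif s.get("xpack.security.transport.ssl.verification_mode", "full").lower() == "none":
        findings.append("transport verification_mode none: peer certificates are not checked")
    if not _is_true(s, "xpack.security.http.ssl.enabled"):
        findings.append("HTTP SSL disabled: REST API traffic and credentials travel in cleartext")
    return findings


def audit_kibana(text: str) -> List[str]:
    """Findings for kibana.yml covering both the ES connection and the browser-facing side."""
    s = parse_flat_yaml(text)
    findings: List[str] = []
    if "http://" in s.get("elasticsearch.hosts", ""):
        findings.append("elasticsearch.hosts uses http://: Kibana-to-ES traffic is cleartext")
    if s.get("elasticsearch.password") == "changeme":
        findings.append("elasticsearch.password is the placeholder 'changeme'")
    if s.get("elasticsearch.ssl.verificationMode", "full").lower() == "none":
        findings.append("elasticsearch.ssl.verificationMode none: the ES certificate is not verified")
    if not _is_true(s, "server.ssl.enabled"):
        findings.append("server.ssl.enabled is not true: browser sessions to Kibana are cleartext")
    return findings


if __name__ == "__main__":
    for name, fn, text in (("elasticsearch.yml (page)", audit_elasticsearch, ES_YML_SECURE),
                           ("elasticsearch.yml (weak)", audit_elasticsearch, ES_YML_WEAK),
                           ("kibana.yml (weak)", audit_kibana, KIBANA_YML_WEAK)):
        result = fn(text)
        print(f"{name}: {'OK' if not result else ''}")
        for f in result:
            print(f"  - {f}")
```

To run it against real files, pass `open("config/elasticsearch.yml").read()` to `audit_elasticsearch` and `open("config/kibana.yml").read()` to `audit_kibana`; the checks deliberately treat a missing key as its insecure default, which is how Elasticsearch and Kibana behave when the key is absent.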

Source: www.cnblogs.com/sanduzxcvbnm/p/12046640.html