1. Generate the certificates
Run the following in the elasticsearch directory. It generates the file elastic-stack-ca.p12 in the elasticsearch directory, which in my case is /home/elasticsearch.
./elasticsearch-certutil ca
Please enter the desired output file [elastic-stack-ca.p12]: elastic-stack-ca.p12
Enter password for elastic-stack-ca.p12 :
After elastic-stack-ca.p12 has been generated, run the elasticsearch-certutil command again. Note that elastic-stack-ca.p12 must be given as a full path.
./elasticsearch-certutil cert --ca /home/elasticsearch/elastic-stack-ca.p12
Enter password for CA (/home/elasticsearch/elastic-stack-ca.p12) :
Please enter the desired output file [elastic-certificates.p12]: elastic-certificates.p12
Enter password for elastic-certificates.p12 : # No password is required here; just press Enter
Certificates written to /home/elasticsearch/elastic-certificates.p12
Copy the generated elastic-certificates.p12 file to the config directory of every node.
2. Edit elasticsearch.yml
Add the following settings to the elasticsearch.yml configuration file:
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12
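An added example, not part of the original guide: a shell check to run on each node after copying the keystore and editing elasticsearch.yml. It compares the five settings with the values listed above and confirms that elastic-certificates.p12 is in the config directory and not world-readable (the permission check is an addition here; it matters because the keystore was created without a password). The function names and the scratch directory used in the demo are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original page): audit one node's config directory
# against the settings in section 2. Function names are hypothetical.

# Print the value of a flat "key: value" line in a YAML file; the last match wins.
yml_value() {
    awk -v k="$2:" '
        { sub(/^[ \t]+/, "") }
        index($0, k) == 1 {
            v = substr($0, length(k) + 1)
            sub(/[ \t]*#.*$/, "", v); gsub(/^[ \t]+|[ \t]+$/, "", v); out = v
        }
        END { print out }' "$1"
}

# Return 0 only if every setting matches the page and the keystore is in place.
check_es_transport_tls() {
    conf_dir=$1; yml="$conf_dir/elasticsearch.yml"; rc=0
    [ -r "$yml" ] || { echo "FAIL: cannot read $yml"; return 2; }
    while read -r key want; do
        got=$(yml_value "$yml" "$key")
        if [ "$got" != "$want" ]; then
            echo "FAIL: $key is '${got:-unset}', the page sets '$want'"; rc=1
        fi
    done <<EOF
xpack.security.enabled true
xpack.security.transport.ssl.enabled true
xpack.security.transport.ssl.verification_mode certificate
xpack.security.transport.ssl.keystore.path elastic-certificates.p12
xpack.security.transport.ssl.truststore.path elastic-certificates.p12
EOF
    p12="$conf_dir/elastic-certificates.p12"
    if [ ! -f "$p12" ]; then
        echo "FAIL: $p12 has not been copied to this node"; rc=1
    elif [ -n "$(find "$p12" -perm -004)" ]; then
        echo "FAIL: $p12 is world-readable and holds the node's private key"; rc=1
    fi
    return $rc
}

# Constructed demo: a scratch config with one deviating setting and no keystore.
demo=$(mktemp -d)
printf '%s\n' 'xpack.security.enabled: true' \
    'xpack.security.transport.ssl.enabled: true' \
    'xpack.security.transport.ssl.verification_mode: none  # deviates' \
    'xpack.security.transport.ssl.keystore.path: elastic-certificates.p12' \
    'xpack.security.transport.ssl.truststore.path: elastic-certificates.p12' \
    > "$demo/elasticsearch.yml"
check_es_transport_tls "$demo" || echo "node config differs from the guide"
rm -rf "$demo"
```

On a real node, call `check_es_transport_tls` with the path of that node's config directory.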
3. Set the passwords
Run the following command in the bin directory:
./elasticsearch-setup-passwords interactive
Enter password for [elastic]:
Reenter password for [elastic]:
Enter password for [apm_system]:
Reenter password for [apm_system]:
Enter password for [kibana]:
Reenter password for [kibana]:
Enter password for [logstash_system]:
Reenter password for [logstash_system]:
Enter password for [beats_system]:
Reenter password for [beats_system]:
Enter password for [remote_monitoring_user]:
Reenter password for [remote_monitoring_user]:
Changed password for user [apm_system]
Changed password for user [kibana]
Changed password for user [logstash_system]
Changed password for user [beats_system]
Changed password for user [remote_monitoring_user]
Changed password for user [elastic]