Encrypted communication
Encrypted communication can also be configured through the HttpClientConfigCallback. The org.apache.http.impl.nio.client.HttpAsyncClientBuilder received as an argument exposes several methods for configuring encrypted communication; in order of precedence, starting from the least important, they are setSSLContext, setSSLSessionStrategy and setConnectionManager.
When accessing an Elasticsearch cluster that uses TLS on the HTTP layer, the client needs to trust the certificate that Elasticsearch is using. The following example sets up the client to trust the CA that signed the certificate Elasticsearch is using, when that CA certificate is available in a PKCS#12 keystore:
```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import javax.net.ssl.SSLContext;
import org.apache.http.HttpHost;
import org.apache.http.impl.nio.client.HttpAsyncClientBuilder;
import org.apache.http.ssl.SSLContextBuilder;
import org.apache.http.ssl.SSLContexts;
import org.elasticsearch.client.RestClient;
import org.elasticsearch.client.RestClientBuilder;
import org.elasticsearch.client.RestClientBuilder.HttpClientConfigCallback;

// Runs inside a method declared `throws Exception`; the truststore password
// source is not given in the docs, reading it from the environment is an assumption.
String keyStorePass = System.getenv("TRUSTSTORE_PASSWORD");
Path trustStorePath = Paths.get("/path/to/truststore.p12");
KeyStore truststore = KeyStore.getInstance("pkcs12");
try (InputStream is = Files.newInputStream(trustStorePath)) {
    truststore.load(is, keyStorePass.toCharArray());
}
// Trust material only: the client verifies the server but presents no certificate.
SSLContextBuilder sslBuilder = SSLContexts.custom()
    .loadTrustMaterial(truststore, null);
final SSLContext sslContext = sslBuilder.build();
RestClientBuilder builder = RestClient.builder(
        new HttpHost("localhost", 9200, "https"))
    .setHttpClientConfigCallback(new HttpClientConfigCallback() {
        @Override
        public HttpAsyncClientBuilder customizeHttpClient(
                HttpAsyncClientBuilder httpClientBuilder) {
            return httpClientBuilder.setSSLContext(sslContext);
        }
    });
```
The following example sets up the client to trust the CA that signed the certificate Elasticsearch is using, when that CA certificate is available as a PEM-encoded file:
```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import javax.net.ssl.SSLContext;
import org.apache.http.HttpHost;
import org.apache.http.impl.nio.client.HttpAsyncClientBuilder;
import org.apache.http.ssl.SSLContextBuilder;
import org.apache.http.ssl.SSLContexts;
import org.elasticsearch.client.RestClient;
import org.elasticsearch.client.RestClientBuilder;
import org.elasticsearch.client.RestClientBuilder.HttpClientConfigCallback;

// Runs inside a method declared `throws Exception`.
Path caCertificatePath = Paths.get("/path/to/ca.crt");
CertificateFactory factory =
    CertificateFactory.getInstance("X.509");
Certificate trustedCa;
try (InputStream is = Files.newInputStream(caCertificatePath)) {
    trustedCa = factory.generateCertificate(is);
}
// Build an empty in-memory keystore holding just the CA certificate.
KeyStore trustStore = KeyStore.getInstance("pkcs12");
trustStore.load(null, null);
trustStore.setCertificateEntry("ca", trustedCa);
SSLContextBuilder sslContextBuilder = SSLContexts.custom()
    .loadTrustMaterial(trustStore, null);
final SSLContext sslContext = sslContextBuilder.build();
RestClientBuilder builder = RestClient.builder(
        new HttpHost("localhost", 9200, "https"))
    .setHttpClientConfigCallback(new HttpClientConfigCallback() {
        @Override
        public HttpAsyncClientBuilder customizeHttpClient(
                HttpAsyncClientBuilder httpClientBuilder) {
            return httpClientBuilder.setSSLContext(sslContext);
        }
    });
```
When Elasticsearch is configured to require client TLS authentication, for example when a PKI realm is configured, the client needs to present a client certificate during the TLS handshake in order to authenticate. The following example sets up the client for TLS authentication with a certificate and a private key that are stored in a PKCS#12 keystore:
```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import javax.net.ssl.SSLContext;
import org.apache.http.HttpHost;
import org.apache.http.impl.nio.client.HttpAsyncClientBuilder;
import org.apache.http.ssl.SSLContextBuilder;
import org.apache.http.ssl.SSLContexts;
import org.elasticsearch.client.RestClient;
import org.elasticsearch.client.RestClientBuilder;
import org.elasticsearch.client.RestClientBuilder.HttpClientConfigCallback;

// Runs inside a method declared `throws Exception`; the password sources
// are not given in the docs, reading them from the environment is an assumption.
String trustStorePass = System.getenv("TRUSTSTORE_PASSWORD");
String keyStorePass = System.getenv("KEYSTORE_PASSWORD");
Path trustStorePath = Paths.get("/path/to/your/truststore.p12");
Path keyStorePath = Paths.get("/path/to/your/keystore.p12");
KeyStore trustStore = KeyStore.getInstance("pkcs12");
KeyStore keyStore = KeyStore.getInstance("pkcs12");
try (InputStream is = Files.newInputStream(trustStorePath)) {
    trustStore.load(is, trustStorePass.toCharArray());
}
try (InputStream is = Files.newInputStream(keyStorePath)) {
    keyStore.load(is, keyStorePass.toCharArray());
}
// Trust material verifies the server; key material is the client's own
// certificate and private key, presented during the handshake.
SSLContextBuilder sslBuilder = SSLContexts.custom()
    .loadTrustMaterial(trustStore, null)
    .loadKeyMaterial(keyStore, keyStorePass.toCharArray());
final SSLContext sslContext = sslBuilder.build();
RestClientBuilder builder = RestClient.builder(
        new HttpHost("localhost", 9200, "https"))
    .setHttpClientConfigCallback(new HttpClientConfigCallback() {
        @Override
        public HttpAsyncClientBuilder customizeHttpClient(
                HttpAsyncClientBuilder httpClientBuilder) {
            return httpClientBuilder.setSSLContext(sslContext);
        }
    });
```
If the client certificate and key are not available in a keystore but rather as PEM-encoded files, you cannot use them directly to build an SSLContext. You must rely on additional libraries to parse the PEM format and convert it into a private key instance, or you can use external tools to convert the PEM files into a keystore, as in the following example:
```shell
# Bundle the PEM certificate and its private key into a PKCS#12 keystore
# under the alias "client"; openssl prompts for the export password.
openssl pkcs12 -export -in client.crt -inkey private_key.pem \
    -name "client" -out client.p12
```
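As an added example that is not part of the client docs, the same conversion done in-process with only the JDK (Java 11+): it parses a PEM certificate chain and an unencrypted PKCS#8 key into an in-memory PKCS#12 KeyStore that can be passed to loadKeyMaterial, and rejects the PKCS#1/SEC1 and encrypted-key formats it cannot handle rather than mis-parsing them. The class name and the "client" alias are assumptions.

```java
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyFactory;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.Base64;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Added example (not from the Elasticsearch client docs): PEM cert + PKCS#8 key to a PKCS#12 KeyStore, JDK only. */
public final class PemClientKeyStore {
    private static final Pattern PKCS8_BLOCK = Pattern.compile(
        "-----BEGIN PRIVATE KEY-----(.*?)-----END PRIVATE KEY-----", Pattern.DOTALL);

    // Assumption: the key file is unencrypted PKCS#8 ("BEGIN PRIVATE KEY"). Legacy PKCS#1/SEC1
    // and encrypted PKCS#8 headers are rejected explicitly rather than silently mis-parsed.
    public static PrivateKey readPkcs8Key(Path keyPath) throws Exception {
        String pem = Files.readString(keyPath);
        if (pem.contains("BEGIN RSA PRIVATE KEY") || pem.contains("BEGIN EC PRIVATE KEY")
                || pem.contains("BEGIN ENCRYPTED PRIVATE KEY")) {
            throw new IllegalArgumentException("only unencrypted PKCS#8 keys are supported; "
                + "convert first with: openssl pkcs8 -topk8 -nocrypt -in key.pem -out key8.pem");
        }
        Matcher m = PKCS8_BLOCK.matcher(pem);
        if (!m.find()) throw new IllegalArgumentException("no PRIVATE KEY block in " + keyPath);
        // The MIME decoder ignores the line breaks inside the Base64 body.
        PKCS8EncodedKeySpec spec = new PKCS8EncodedKeySpec(Base64.getMimeDecoder().decode(m.group(1)));
        for (String alg : new String[] {"RSA", "EC"}) { // PKCS#8 names the algorithm; KeyFactory does not read it
            try { return KeyFactory.getInstance(alg).generatePrivate(spec); }
            catch (InvalidKeySpecException notThisAlgorithm) { /* try the next algorithm */ }
        }
        throw new IllegalArgumentException("unsupported key algorithm in " + keyPath);
    }

    /** Builds the store that loadKeyMaterial(keyStore, storePass) expects; the certificate
     *  file may hold the leaf certificate followed by its intermediates, in that order. */
    public static KeyStore build(Path certPath, Path keyPath, char[] storePass) throws Exception {
        Certificate[] chain;
        try (var is = Files.newInputStream(certPath)) {
            chain = CertificateFactory.getInstance("X.509").generateCertificates(is).toArray(new Certificate[0]);
        }
        KeyStore ks = KeyStore.getInstance("pkcs12");
        ks.load(null, null); // fresh, empty in-memory store
        ks.setKeyEntry("client", readPkcs8Key(keyPath), storePass, chain); // same password as the store
        return ks;
    }
}
```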
If no explicit configuration is provided, the system default configuration is used.
Others
For any other configuration you need, consult the Apache HttpAsyncClient documentation: https://hc.apache.org/httpcomponents-asyncclient-4.1.x/
If your application runs under the security manager, you may be subject to the JVM's default policy of caching positive hostname resolutions indefinitely and negative hostname resolutions for ten seconds. If the resolved addresses of the hosts your client connects to change over time, you may want to change the default JVM behaviour; this can be done by adding networkaddress.cache.ttl=<timeout> and networkaddress.cache.negative.ttl=<timeout> to your Java security policy.

This document describes how to configure the client to access an Elasticsearch instance that uses TLS. It covers truststore setup with PKCS#12 and PEM certificates, and how to load a certificate and private key from a PKCS#12 keystore when client TLS authentication is required. It also notes that the JVM hostname-cache policy may need adjusting under a security manager, and points to the Apache HttpAsyncClient documentation for further configuration.