Elasticsearch+Kibana-8.7 SSL P12证书制作和服务配置
0. 基本信息
操作系统: RHEL 8.10 x64
Elastic Stack版本: v8.7.1
1. Elasticsearch安全配置
1.1 制作Transport SSL证书
【登录es8-node1节点操作】
【假设elasticsearch软件安装位置在/app/elasticsearch-8.7.1】
su - elastic
1.1.1 创建CA
./bin/elasticsearch-certutil ca
This tool assists you in the generation of X.509 certificates and certificate
signing requests for use with SSL/TLS in the Elastic stack.
The 'ca' mode generates a new 'certificate authority'
This will create a new X.509 certificate and private key that can be used
to sign certificate when running in 'cert' mode.
Use the 'ca-dn' option if you wish to configure the 'distinguished name'
of the certificate authority
By default the 'ca' mode produces a single PKCS#12 output file which holds:
* The CA certificate
* The CA's private key
If you elect to generate PEM format certificates (the -pem option), then the output will
be a zip file containing individual files for the CA certificate and private key
Please enter the desired output file [elastic-stack-ca.p12]: Enter password for elastic-stack-ca.p12 :
【注意:生成的elastic-stack-ca.p12文件在/app/elasticsearch-8.7.1/目录下】
1.1.2 创建Transport SSL证书
./bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12
This tool assists you in the generation of X.509 certificates and certificate
signing requests for use with SSL/TLS in the Elastic stack.
The 'cert' mode generates X.509 certificate and private keys.
* By default, this generates a single certificate and key for use
on a single instance.
* The '-multiple' option will prompt you to enter details for multiple
instances and will generate a certificate and key for each one
* The '-in' option allows for the certificate generation to be automated by describing
the details of each instance in a YAML file
* An instance is any piece of the Elastic Stack that requires an SSL certificate.
Depending on your configuration, Elasticsearch, Logstash, Kibana, and Beats
may all require a certificate and private key.
* The minimum required value for each instance is a name. This can simply be the
hostname, which will be used as the Common Name of the certificate. A full
distinguished name may also be used.
* A filename value may be required for each instance. This is necessary when the
name would result in an invalid file or directory name. The name provided here
is used as the directory name (within the zip) and the prefix for the key and
certificate files. The filename is required if you are prompted and the name
is not displayed in the prompt.
* IP addresses and DNS names are optional. Multiple values can be specified as a
comma separated string. If no IP addresses or DNS names are provided, you may
disable hostname verification in your SSL configuration.
* All certificates generated by this tool will be signed by a certificate authority (CA)
unless the --self-signed command line option is specified.
The tool can automatically generate a new CA for you, or you can provide your own with
the --ca or --ca-cert command line options.
By default the 'cert' mode produces a single PKCS#12 output file which holds:
* The instance certificate
* The private key for the instance certificate
* The CA certificate
If you specify any of the following options:
* -pem (PEM formatted output)
* -multiple (generate multiple certificates)
* -in (generate certificates from an input file)
then the output will be be a zip file containing individual certificate/key files
Enter password for CA (elastic-stack-ca.p12) :
Please enter the desired output file [elastic-certificates.p12]:
Enter password for elastic-certificates.p12 :
Certificates written to /app/elasticsearch-8.7.1/elastic-certificates.p12
This file should be properly secured as it contains the private key for
your instance.
This file is a self contained file and can be copied and used 'as is'
For each Elastic product that you wish to configure, you should copy
this '.p12' file to the relevant configuration directory
and then follow the SSL configuration instructions in the product guide.
For client applications, you may only need to copy the CA certificate and
configure the client to trust this certificate.
【注意:生成的elastic-certificates.p12文件在/app/elasticsearch-8.7.1/目录下】
【备注:CA和Transport SSL证书文件可以直接在配置文件里使用,无需解压或转换操作。】
将CA和SSL证书文件复制到<ES_HOME>/config目录下
【注意文件属主必须是elastic】
cp elastic-certificates.p12 elastic-stack-ca.p12 config/
将CA和SSL证书文件远程复制到其它ES节点的<ES_HOME>/config目录下
【注意文件属主必须是elastic】
scp elastic-certificates.p12 elastic-stack-ca.p12 es8-node2:/app/elasticsearch-8.7.1/config/
scp elastic-certificates.p12 elastic-stack-ca.p12 es8-node3:/app/elasticsearch-8.7.1/config/
1.2 制作HTTP SSL证书
1.2.1 创建HTTP SSL证书
./bin/elasticsearch-certutil http
【注意:需要根据提示输入若干信息,如IP、主机名等】
## Elasticsearch HTTP Certificate Utility
The 'http' command guides you through the process of generating certificates
for use on the HTTP (Rest) interface for Elasticsearch.
This tool will ask you a number of questions in order to generate the right
set of files for your needs.
## Do you wish to generate a Certificate Signing Request (CSR)?
A CSR is used when you want your certificate to be created by an existing
Certificate Authority (CA) that you do not control (that is, you don't have
access to the keys for that CA).
If you are in a corporate environment with a central security team, then you
may have an existing Corporate CA that can generate your certificate for you.
Infrastructure within your organisation may already be configured to trust this
CA, so it may be easier for clients to connect to Elasticsearch if you use a
CSR and send that request to the team that controls your CA.
If you choose not to generate a CSR, this tool will generate a new certificate
for you. That certificate will be signed by a CA under your control. This is a
quick and easy way to secure your cluster with TLS, but you will need to
configure all your clients to trust that custom CA.
Generate a CSR? [y/N]n
## Do you have an existing Certificate Authority (CA) key-pair that you wish to use to sign your certificate?
If you have an existing CA certificate and key, then you can use that CA to
sign your new http certificate. This allows you to use the same CA across
multiple Elasticsearch clusters which can make it easier to configure clients,
and may be easier for you to manage.
If you do not have an existing CA, one will be generated for you.
Use an existing CA? [y/N]y
## What is the path to your CA?
Please enter the full pathname to the Certificate Authority that you wish to
use for signing your new http certificate. This can be in PKCS#12 (.p12), JKS
(.jks) or PEM (.crt, .key, .pem) format.
CA Path: /app/elasticsearch-8.7.1/config/elastic-stack-ca.p12
Reading a PKCS12 keystore requires a password.
It is possible for the keystore's password to be blank,
in which case you can simply press <ENTER> at the prompt
Password for elastic-stack-ca.p12:
## How long should your certificates be valid?
Every certificate has an expiry date. When the expiry date is reached clients
will stop trusting your certificate and TLS connections will fail.
Best practice suggests that you should either:
(a) set this to a short duration (90 - 120 days) and have automatic processes
to generate a new certificate before the old one expires, or
(b) set it to a longer duration (3 - 5 years) and then perform a manual update
a few months before it expires.
You may enter the validity period in years (e.g. 3Y), months (e.g. 18M), or days (e.g. 90D)
For how long should your certificate be valid? [5y]
## Do you wish to generate one certificate per node?
If you have multiple nodes in your cluster, then you may choose to generate a
separate certificate for each of these nodes. Each certificate will have its
own private key, and will be issued for a specific hostname or IP address.
Alternatively, you may wish to generate a single certificate that is valid
across all the hostnames or addresses in your cluster.
If all of your nodes will be accessed through a single domain
(e.g. node01.es.example.com, node02.es.example.com, etc) then you may find it
simpler to generate one certificate with a wildcard hostname (*.es.example.com)
and use that across all of your nodes.
However, if you do not have a common domain name, and you expect to add
additional nodes to your cluster in the future, then you should generate a
certificate per node so that you can more easily generate new certificates when
you provision new nodes.
Generate a certificate per node? [y/N]n
## Which hostnames will be used to connect to your nodes?
These hostnames will be added as "DNS" names in the "Subject Alternative Name"
(SAN) field in your certificate.
You should list every hostname and variant that people will use to connect to
your cluster over http.
Do not list IP addresses here, you will be asked to enter them later.
If you wish to use a wildcard certificate (for example *.es.example.com) you
can enter that here.
Enter all the hostnames that you need, one per line.
When you are done, press <ENTER> once more to move on to the next step.
es8-node1
es8-node2
es8-node3
You entered the following hostnames.
- es8-node1
- es8-node2
- es8-node3
Is this correct [Y/n]y
## Which IP addresses will be used to connect to your nodes?
If your clients will ever connect to your nodes by numeric IP address, then you
can list these as valid IP "Subject Alternative Name" (SAN) fields in your
certificate.
If you do not have fixed IP addresses, or not wish to support direct IP access
to your cluster then you can just press <ENTER> to skip this step.
Enter all the IP addresses that you need, one per line.
When you are done, press <ENTER> once more to move on to the next step.
192.168.36.176
192.168.36.177
192.168.36.178
You entered the following IP addresses.
- 192.168.36.176
- 192.168.36.177
- 192.168.36.178
Is this correct [Y/n]y
## Other certificate options
The generated certificate will have the following additional configuration
values. These values have been selected based on a combination of the
information you have provided above and secure defaults. You should not need to
change these values unless you have specific requirements.
Key Name: es8-node1
Subject DN: CN=es8-node1
Key Size: 2048
Do you wish to change any of these options? [y/N]n
## What password do you want for your private key(s)?
Your private key(s) will be stored in a PKCS#12 keystore file named "http.p12".
This type of keystore is always password protected, but it is possible to use a
blank password.
If you wish to use a blank password, simply press <enter> at the prompt below.
Provide a password for the "http.p12" file: [<ENTER> for none]
## Where should we save the generated files?
A number of files will be generated including your private key(s),
public certificate(s), and sample configuration options for Elastic Stack products.
These files will be included in a single zip archive.
What filename should be used for the output zip file? [/app/elasticsearch-8.7.1/elasticsearch-ssl-http.zip]
Zip file written to /app/elasticsearch-8.7.1/elasticsearch-ssl-http.zip
【备注:生成的elasticsearch-ssl-http.zip文件在/app/elasticsearch-8.7.1/目录下】
1.2.2 解压HTTP SSL证书文件
【备注;HTTP SSL证书zip文件不能直接使用,需要解压后使用里面的单独文件。】
mkdir certs
unzip elasticsearch-ssl-http.zip -d certs/
Archive: elasticsearch-ssl-http.zip
creating: certs/elasticsearch/
inflating: certs/elasticsearch/README.txt
inflating: certs/elasticsearch/http.p12 #【这个是配置在ES里的】
inflating: certs/elasticsearch/sample-elasticsearch.yml
creating: certs/kibana/
inflating: certs/kibana/README.txt
inflating: certs/kibana/elasticsearch-ca.pem #【这个是配置在Kibana里的】
inflating: certs/kibana/sample-kibana.yml
[elastic@es8-node1 elasticsearch-8.7.1]$ ls certs/
ls -1R certs/
certs/:
elasticsearch
kibana
certs/elasticsearch:
http.p12
README.txt
sample-elasticsearch.yml
certs/kibana:
elasticsearch-ca.pem
README.txt
sample-kibana.yml
复制http ssl文件到<ES_HOME>/config
【注意文件属主必须是elastic】
cp certs/elasticsearch/http.p12 config/
远程复制http ssl文件到其它ES节点的<ES_HOME>/config
【注意文件属主必须是elastic】
scp certs/elasticsearch/http.p12 es8-node2:/app/elasticsearch-8.7.1/config/
scp certs/elasticsearch/http.p12 es8-node3:/app/elasticsearch-8.7.1/config/
远程复制certs目录里的kibana/elasticsearch-ca.pem文件到kibana节点的<KIBANA__HOME>/config目录下
【注意文件属主必须是elastic】
scp certs/kibana/elasticsearch-ca.pem es8-kbn1:/app/kibana-8.7.1/config
检查ES程序目录下的CA和SSL证书文件
【这3个文件都应该在<ES_HOME>/config/目录下,不能在更下层的子目录下。】
ls -1 /app/elasticsearch-8.7.1/config/
elastic-certificates.p12 #【这个是Transport SSL证书文件】
elasticsearch.keystore
elasticsearch-plugins.example.yml
elasticsearch.yml
elasticsearch.yml.bak
elastic-stack-ca.p12 #【这个是CA文件】
http.p12 #【这个是HTTP SSL证书文件】
jvm.options
jvm.options.d
log4j2.properties
role_mapping.yml
roles.yml
users
users_roles
修改ES配置文件
vim /app/elasticsearch-8.7.1/config/elasticsearch.yml
action.destructive_requires_name: true
path.data: /data/esdata
path.logs: logs
cluster.name: test-es87
node.name: ${HOSTNAME}
node.roles: [ master, data, ingest, remote_cluster_client ]
discovery.seed_hosts:
- es8-node1
- es8-node2
- es8-node3
cluster.initial_master_nodes:
- es8-node1
- es8-node2
- es8-node3
network.host: _ens192_
http.port: 9200
transport.port: 9300
bootstrap.memory_lock: true
xpack.security.transport.ssl.enabled: true #【启用Transport,ES8必须启用】
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.client_authentication: required
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12 #[这个是Transport SSL证书,对集群节点内部通信加密]
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: http.p12 #[这个是HTTP SSL证书,对外部访问提供加密验证,如Kibana访问ES]
1.3 创建ES内置用户密码(可选)
【如果已经初始化过内置用户,不要重复执行这个步骤。这里是新集群需要密码访问验证集群。】
./bin/elasticsearch-setup-passwords auto
******************************************************************************
Note: The 'elasticsearch-setup-passwords' tool has been deprecated. This command will be removed in a future release.
******************************************************************************
Initiating the setup of passwords for reserved users elastic,apm_system,kibana,kibana_system,logstash_system,beats_system,remote_monitoring_user.
The passwords will be randomly generated and printed to the console.
Please confirm that you would like to continue [y/N]y
Changed password for user apm_system
PASSWORD apm_system = TW9jGuFpz9YOtZ5n8CyH
Changed password for user kibana_system #【这个是Kibana连接ES的用户名】
PASSWORD kibana_system = eum62kLBQLnBkrAaQayB #【这个是Kibana连接ES的密码】
Changed password for user kibana
PASSWORD kibana = eum62kLBQLnBkrAaQayB
Changed password for user logstash_system
PASSWORD logstash_system = B52Pv23STmAeONm06nCx
Changed password for user beats_system
PASSWORD beats_system = z1o38oZfRqAS8Jfj6yM8
Changed password for user remote_monitoring_user
PASSWORD remote_monitoring_user = BCuG3r3zJ12VJp6jAPBX
Changed password for user elastic #【这个是elastic超级管理员】
PASSWORD elastic = fXC5eEkQGQbvLlBLZF4f #【这个是elastic超级管理员密码】
使用上面的elastic用户密码验证集群访问
【-k 忽略HTTP SSL验证】
curl -k -u elastic:fXC5eEkQGQbvLlBLZF4f https://es8-node1:9200/_cluster/health?pretty
{
"cluster_name" : "test-es87",
"status" : "green",
"timed_out" : false,
"number_of_nodes" : 3,
"number_of_data_nodes" : 3,
"active_primary_shards" : 1,
"active_shards" : 2,
"relocating_shards" : 0,
"initializing_shards" : 0,
"unassigned_shards" : 0,
"delayed_unassigned_shards" : 0,
"number_of_pending_tasks" : 0,
"number_of_in_flight_fetch" : 0,
"task_max_waiting_in_queue_millis" : 0,
"active_shards_percent_as_number" : 100.0
}
使用elasticsearch-ca.pem证书访问ES集群,验证证书有效性
cp -r /app/elasticsearch-8.7.1/certs ~/
cd ~
curl -u elastic:fXC5eEkQGQbvLlBLZF4f https://es8-node1:9200/_cluster/health?pretty --cacert ./certs/kibana/elasticsearch-ca.pem
{
"cluster_name" : "test-es87",
"status" : "green",
"timed_out" : false,
"number_of_nodes" : 3,
"number_of_data_nodes" : 3,
"active_primary_shards" : 14,
"active_shards" : 30,
"relocating_shards" : 0,
"initializing_shards" : 0,
"unassigned_shards" : 0,
"delayed_unassigned_shards" : 0,
"number_of_pending_tasks" : 0,
"number_of_in_flight_fetch" : 0,
"task_max_waiting_in_queue_millis" : 0,
"active_shards_percent_as_number" : 100.0
}
【验证结果elasticsearch-ca.pem 有效】
2. Kibana安全配置
ls -1 /app/kibana-8.7.1/config/
elasticsearch-ca.pem #[这个是连接ES集群的SSL证书]
kibana.yml
node.options
配置Kibana访问ES HTTPS
vim /app/kibana-8.7.1/config/kibana.yml
server.port: 5601
server.host: "0.0.0.0"
server.publicBaseUrl: "http://192.168.36.179:5601"
server.name: "es8-kbn1"
elasticsearch.hosts:
- "https://es8-node1:9200"
- "https://es8-node2:9200"
- "https://es8-node3:9200"
elasticsearch.username: "kibana_system"
elasticsearch.password: "eum62kLBQLnBkrAaQayB"
elasticsearch.ssl.certificateAuthorities: [ "/app/kibana-8.7.1/config/elasticsearch-ca.pem" ] #【pem证书文件必须是绝对路径】
elasticsearch.ssl.verificationMode: certificate
logging.root.level: info
logging.appenders.default:
type: file
fileName: logs/kibana.log
layout:
type: json
logging.loggers:
- name: elasticsearch.query
level: info
- name: http.server.response
level: info
- name: metrics.ops
level: info
path.data: data
pid.file: /app/kibana-8.7.1/logs/kibana.pid #【pid文件必须是绝对路径】
ops.interval: 5000
i18n.locale: "en"
xpack.encryptedSavedObjects.encryptionKey: 85e423051b3e3cd8f8552516430bca8a
xpack.reporting.encryptionKey: fb4f332661750dd22ba866895dbfa6ee
xpack.security.encryptionKey: 8b36777b943a0e7f08c852e563491996
浙公网安备 33010602011771号