Elasticsearch Kibana SSL认证_elasticsearch ssl认证
赞
踩
一、es安全认证
1、生产证书:
cd到es安装目录下
然后执行:bin/elasticsearch-certutil ca
输入文件名 默认[elastic-stack-ca.p12]回车,输入密码回车
生成ca文件:elastic-stack-ca.p12
2、创建私钥:
bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12
输入密码回车,输入文件名 默认[elastic-certificates.p12]回车
3、mkdir config/certs/
mv elastic-stack-ca.p12 elastic-certificates.p12 config/certs/
4、修改配置elasticsearch.yml
添加内容
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: /usr/local/elasticsearch-7.11.2/config/certs/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: /usr/local/elasticsearch-7.11.2/config/certs/elastic-certificates.p12
重启es
5、elasticsearch各节点为xpack.security.transport添加密码
bin/elasticsearch-keystore add xpack.security.transport.ssl.keystore.secure_password
bin/elasticsearch-keystore add xpack.security.transport.ssl.truststore.secure_password
6、给认证的集群创建用户密码:
bin/elasticsearch-setup-passwords interactive
Enter password for [elastic]: ***
Enter password for [apm_system]: ***
Enter password for [kibana_system]: ***
Enter password for [logstash_system]: ***
Enter password for [beats_system]: ***
Enter password for [remote_monitoring_user]: ***
二、配置Kibana到Elasticsearch的校验
cd到es安装目录
bin/elasticsearch-certutil cert --ca \ config/certs/elastic-stack-ca.p12
输入密码 文件名 密码,生成证书文件elastic-certificates.p12
elastic-certificates.p12的文件包含对我们的Elasticsearch集群进行PKI身份验证所需的所有信息,为了使用此证书,需要将其分解为其私钥,公共证书和CA证书:
openssl pkcs12 -in elastic-certificates.p12 -nocerts -nodes > client.key #私钥
openssl pkcs12 -in elastic-certificates.p12 -clcerts -nokeys > client.cer #公共证书
openssl pkcs12 -in elastic-certificates.p12 -cacerts -nokeys -chain > client-ca.cer #签署公共证书的CA
2、复制证书文件到kibana目录
mkdir …/kibana-7.11.2/config/certs
mv client* …/kibana-7.11.2/config/certs/
3、修改配置文件kibana.yml
xpack.security.enabled: true
elasticsearch.username: “kibana_system”
elasticsearch.password: “***”
server.ssl.enabled: true
server.ssl.certificate: /usr/local/kibana-7.11.2/config/certs/client.cer
server.ssl.key: /usr/local/kibana-7.11.2/config/certs/client.key
elasticsearch.ssl.certificate: /usr/local/kibana-7.11.2/config/certs/client.cer
elasticsearch.ssl.key: /usr/local/kibana-7.11.2/config/certs/client.key
elasticsearch.ssl.certificateAuthorities: [ “/usr/local/kibana-7.11.2/config/certs/client-ca.cer” ]
elasticsearch.ssl.verificationMode: certificate
4、重启kibana
https访问kibana
