SearchGuard证书配置

参考: https://www.jianshu.com/p/cc71e7793f6f

  • TLS工具安装
    • 下载TLS工具 https://repo1.maven.org/maven2/com/floragunn/search-guard-tlstool/1.5/
    • 解压unzip search-guard-tlstool-1.6.zip tlstool-1.6
  • TLS生成证书配置
    • 复制<tlstool directory>/config/example.yml 并修改成/config/tlsconfig.yml(名字随意)
    • yibai 是公司名称
    • ca: 根证书配置
    • node: 节点证书配置
    • clients: 客户端证书配置
###
### Self-generated certificate authority
###
#
# If you want to create a new certificate authority, you must specify its parameters here.
# You can skip this section if you only want to create CSRs
#
ca:
  root:
      # The distinguished name of this CA. You must specify a distinguished name.   
     dn: CN=root.ca.yibai.com,OU=CA,O=yibai Com\, Inc.,DC=yibai,DC=com

      # The size of the generated key in bits
     keysize: 2048

      # The validity of the generated certificate in days from now
     validityDays: 3650
     
      # Password for private key
      #   Possible values:
      #   - auto: automatically generated password, returned in config output; 
      #   - none: unencrypted private key; 
      #   - other values: other values are used directly as password   
     pkPassword: auto
     
      # The name of the generated files can be changed here
     file: root-ca.pem
     
   # If you want to use an intermediate certificate as signing certificate,
   # please specify its parameters here. This is optional. If you remove this section,
   # the root certificate will be used for signing.         
  intermediate:
      # The distinguished name of this CA. You must specify a distinguished name.
     dn: CN=signing.ca.yibai.com,OU=CA,O=yibai Com\, Inc.,DC=yibai,DC=com
  
      # The size of the generated key in bits   
     keysize: 2048
     
      # The validity of the generated certificate in days from now      
     validityDays: 3650
 
     pkPassword: auto
           
      # If you have a certificate revocation list, you can specify its distribution points here      
     crlDistributionPoints: URI:https://raw.githubusercontent.com/floragunncom/unittest-assets/master/revoked.crl

###
### Default values and global settings
###
defaults:

      # The validity of the generated certificate in days from now
     validityDays: 3650
     
      # Password for private key
      #   Possible values:
      #   - auto: automatically generated password, returned in config output; 
      #   - none: unencrypted private key; 
      #   - other values: other values are used directly as password   
     pkPassword: auto      
     
      # Specifies to recognize legitimate nodes by the distinguished names
      # of the certificates. This can be a list of DNs, which can contain wildcards.
      # Furthermore, it is possible to specify regular expressions by
      # enclosing the DN in //.
      # Specification of this is optional. The tool will always include
      # the DNs of the nodes specified in the nodes section.            
      #nodesDn:
      #- "CN=*.yibai.com,OU=Ops,O=yibai Com\\, Inc.,DC=yibai,DC=com"
      # - 'CN=node.other.com,OU=SSL,O=Test,L=Test,C=DE'
      # - 'CN=*.yibai.com,OU=SSL,O=Test,L=Test,C=DE'
      # - 'CN=elk-devcluster*'
      # - '/CN=.*regex/'

      # If you want to use OIDs to mark legitimate node certificates,
      # the OID can be included in the certificates by specifying the following
      # attribute
     
      # nodeOid: "1.2.3.4.5.5"

      # The length of auto generated passwords            
     generatedPasswordLength: 12
     
      # Set this to true in order to generate config and certificates for
      # the HTTP interface of nodes
     httpsEnabled: true
     
      # Set this to true in order to re-use the node transport certificates
      # for the HTTP interfaces. Only recognized if httpsEnabled is true
     
      # reuseTransportCertificatesForHttp: false
     
      # Set this to true to enable hostname verification
      #verifyHostnames: false
     
      # Set this to true to resolve hostnames
      #resolveHostnames: false
     
     
###
### Nodes
###
#
# Specify the nodes of your ES cluster here
#      
nodes:
 - name: node1
   dn: CN=node1.yibai.com,OU=Ops,O=yibai Com\, Inc.,DC=yibai,DC=com
   dns: node1.yibai.com
   ip: 192.168.71.246
 - name: node2
   dn: CN=node2.yibai.com,OU=Ops,O=yibai Com\, Inc.,DC=yibai,DC=com
   dns:
     - node2.yibai.com
     - es2.yibai.com
   ip:
     - 10.0.2.1
     - 192.168.2.1
 - name: node3
   dn: CN=node3.yibai.com,OU=Ops,O=yibai Com\, Inc.,DC=yibai,DC=com
   dns: node3.yibai.com

###
### Clients
###
#
# Specify the clients that shall access your ES cluster with certificate authentication here
#
# At least one client must be an admin user (i.e., a super-user). Admin users can
# be specified with the attribute admin: true    
#        
clients:
 - name: spock
   dn: CN=spock.yibai.com,OU=Ops,O=yibai Com\, Inc.,DC=yibai,DC=com
 - name: kirk
   dn: CN=kirk.yibai.com,OU=Ops,O=yibai Com\, Inc.,DC=yibai,DC=com
   admin: true

 

  • TLS生成证书
/tools/sgtlstool.sh -c ../config/tlsconfig.yml -ca -crt

 

  • 复制证书到ES
# 复制节点证书到es配置目录
cp /tools/out/.pem /config/
cp /tools/out/.key /config/
cp /tools/out/_http.pem /config/
cp /tools/out/_http.key /config/
# 复制根证书到es配置目录
cp /tools/out/root-ca.pem /config/
# 复制客户端证书到es配置目录
cp /tools/out/spock.pem /config/
cp /tools/out/spock.key /config/

 

  • 修改<ES directory>/config/elasticsearch.yml 复制 <tlstool directory>/tools/outnode3_elasticsearch_config_snippet.yml里面配置信息覆盖<ES directory>/config/elasticsearch.yml相同的配置 最终的配置如下:
# 集群名称
cluster.name: ebuy-cloud-cluster

# 节点名
node.name: node-1

# 数据存储路径
path.data: /data/es_data

# 日志打印路径
path.logs: /data/es_logs

# Set the bind address to a specific IP (IPv4 or IPv6):
network.host: 0.0.0.0

# Set a custom port for HTTP:
http.port: 9200

# 节点内存配置
# Lock the memory on startup:
bootstrap.memory_lock: false
bootstrap.system_call_filter: false
# Prevent the "split brain" by configuring the majority of nodes (total number of master-eligible nodes / 2 + 1):
discovery.zen.minimum_master_nodes: 1

# For more information, consult the zen discovery module documentation.
#
# ---------------------------------- Gateway -----------------------------------
#
# Block initial recovery after a full cluster restart until N nodes are started:
#
#gateway.recover_after_nodes: 3
#
# For more information, consult the gateway module documentation.
#
# ---------------------------------- Various -----------------------------------
#
# Require explicit names when deleting indices:
#
#action.destructive_requires_name: true

# 开启tcp端口
transport.tcp.compress: true
transport.tcp.port: 9300

# 跨域配置
http.cors.enabled: true
http.cors.allow-origin: "*"
http.cors.allow-headers: Authorization,X-Requested-With,Content-Length,Content-Type
http.cors.allow-credentials: true

######## Start Search Guard Demo Configuration ########
# WARNING: revise all the lines below before you go into production

# 关闭xpack安全认证
xpack.security.enabled: false
#xpack.monitoring.enabled: false

# TLS设置
searchguard.ssl.transport.pemcert_filepath: node1.pem
searchguard.ssl.transport.pemkey_filepath: node1.key
searchguard.ssl.transport.pemkey_password: 7EJJ2hYcJFJQ
searchguard.ssl.transport.pemtrustedcas_filepath: root-ca.pem
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.transport.resolve_hostname: false
searchguard.ssl.http.enabled: true
searchguard.ssl.http.pemcert_filepath: node1_http.pem
searchguard.ssl.http.pemkey_filepath: node1_http.key
searchguard.ssl.http.pemkey_password: 6eIWAxh4kgHs
searchguard.ssl.http.pemtrustedcas_filepath: root-ca.pem
searchguard.nodes_dn:
- CN=node1.yibai.com,OU=Ops,O=yibai Com\, Inc.,DC=yibai,DC=com
- CN=node2.yibai.com,OU=Ops,O=yibai Com\, Inc.,DC=yibai,DC=com
- CN=node3.yibai.com,OU=Ops,O=yibai Com\, Inc.,DC=yibai,DC=com
searchguard.authcz.admin_dn:
 - CN=spock.yibai.com,OU=Ops,O=yibai Com\, Inc.,DC=yibai,DC=com
# - CN=kirk.yibai.com,OU=Ops,O=yibai Com\, Inc.,DC=yibai,DC=com

# 允许演示证书和自动初始化 生产环境上改为false
searchguard.allow_unsafe_democertificates: true
searchguard.allow_default_init_sgindex: true

# 客户端认证
searchguard.ssl.http.clientauth_mode: OPTIONAL

# 启用审计日志记录并将生成的审计跟踪直接存储在Elasticsearch中
searchguard.audit.type: internal_elasticsearch

# 允许快照/恢复
searchguard.enable_snapshot_restore_privilege: true
searchguard.check_snapshot_restore_write_privileges: true

# 可以访问REST的角色
searchguard.restapi.roles_enabled: ["sg_all_access"]

cluster.routing.allocation.disk.threshold_enabled: false
node.max_local_storage_nodes: 3

######## End Search Guard Demo Configuration ########

 

  • TLS用户广播 在<tlstool directory>/tools/out/client-certificates.readme里面取到对应客户端帐号密码 启动es cd <ES directory>/plugins/search-guard-6/tools 运行命令:
./sgadmin.sh -cd ../sgconfig/ -icl -nhnv \
  -cacert ../../../config/root-ca.pem \
  -cert ../../../config/spock.pem \
  -key ../../../config/spock.key \
  -keypass 3QgfFoYd8Ken

 

你可能感兴趣的:(SearchGuard)