Elasticsearch6.8.0开启X-PACK服务以及开启客户端SSL

Elasticsearch6.8.0以后免费开放部分安全认证服务

下载

Kibana版本

https://www.elastic.co/cn/downloads/past-releases/kibana-6-8-0

Elasticsearch版本

https://www.elastic.co/cn/downloads/past-releases/elasticsearch-6-8-0

 

配置：

步骤1：配置Elasticsearch

1.生成节点通信证书

bin/elasticsearch-certutil cert ca --pem --out config/cert.zip

2.解压证书

unzip cert.zip

3.配置Elasticsearch

打开Elasticsearch 配置文件:elasticsearch.yml

在底部增加：

xpack.security.enabled: true
##节点间加密通信
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.key: instance/instance.key
xpack.security.transport.ssl.certificate: instance/instance.crt
xpack.security.transport.ssl.certificate_authorities: ca/ca.crt

4.启动Elasticsearch

bin/elasticsearch &

5.设置密码

 bin/elasticsearch-setup-passwords auto

得到记录这些密码
 

 

6.配置Kibana

打开Kibana 配置文件

打开配置：

server.port: 5601
server.host: "127.0.0.1"
elasticsearch.hosts: ["http://127.0.0.1:9200"]
kibana.index: ".kibana"
##配置Elasticsearch中前面生成的kibana用户密码
elasticsearch.username: "kibana"
elasticsearch.password: "SA4RKa3QOmVD8nMA6OUU"
##Elasticsearch配置证书
elasticsearch.ssl.certificate: /Users/beishan/elasticsearch/elasticsearch-6.8.0/config/instance/instance.crt
elasticsearch.ssl.key: /Users/beishan/elasticsearch/elasticsearch-6.8.0/config/instance/instance.key
##Elasticsearch 配置是否验证证书有效
elasticsearch.ssl.verificationMode: none

 

7.启动Kibana

得到

8.使用超级用户elastic登录Kibana

 

 

9.注意

如果要开启客户端SSL加密通信（目前不需要）

1、在elasticsearch.yml 添加

##客户端加密通信
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.key: instance/instance.key
xpack.security.http.ssl.certificate: instance/instance.crt
xpack.security.http.ssl.certificate_authorities: ca/ca.crt

2.在kibana.yml中elasticsearch.hosts改为https

elasticsearch.hosts: ["https://127.0.0.1:9200"]

3.申请局域网域名映射到具体IP上，并将客户端SSL证书需要添加到客户端JVM的受信任证书列表中，这样Java客户端才可连接

 

参考

官网说明：

Elasticsearch配置

https://www.elastic.co/guide/en/elasticsearch/reference/6.8/configuring-tls.html#tls-http

Kibana配置

https://www.elastic.co/guide/en/kibana/6.8/settings.html

博客：

https://www.elastic.co/cn/blog/getting-started-with-elasticsearch-security

https://www.elastic.co/cn/blog/configuring-ssl-tls-and-https-to-secure-elasticsearch-kibana-beats-and-logstash