Elasticsearch Rest Client Encrypted Communication

When you connect to Elasticsearch through the RestClient and the Elasticsearch service, for security reasons, requires encrypted access using a provided certificate, you can configure TLS-encrypted communication through the HttpClientConfigCallback. The org.apache.http.impl.nio.client.HttpAsyncClientBuilder it receives as a parameter exposes several ways to configure encrypted communication: setSSLContext, setSSLSessionStrategy and setConnectionManager, listed in order of precedence from the least important.

When accessing an Elasticsearch cluster that has TLS set up on the HTTP layer, the client needs to trust the certificate Elasticsearch is using. The following is an example of setting up the client to trust the CA that signed the certificate Elasticsearch is using, when that CA certificate is available in a PKCS#12 keystore:

import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import javax.net.ssl.SSLContext;
import org.apache.http.HttpHost;
import org.apache.http.impl.nio.client.HttpAsyncClientBuilder;
import org.apache.http.ssl.SSLContextBuilder;
import org.apache.http.ssl.SSLContexts;
import org.elasticsearch.client.RestClient;
import org.elasticsearch.client.RestClientBuilder;
import org.elasticsearch.client.RestClientBuilder.HttpClientConfigCallback;

// keyStorePass is the PKCS#12 truststore password; here it is assumed to come from the environment
String keyStorePass = System.getenv("ES_TRUSTSTORE_PASS");
Path trustStorePath = Paths.get("/path/to/truststore.p12");
KeyStore truststore = KeyStore.getInstance("pkcs12");
try (InputStream is = Files.newInputStream(trustStorePath)) {
    truststore.load(is, keyStorePass.toCharArray());
}
// Trust only the CA(s) in the truststore; a null TrustStrategy keeps normal chain validation
SSLContextBuilder sslBuilder = SSLContexts.custom()
    .loadTrustMaterial(truststore, null);
final SSLContext sslContext = sslBuilder.build();
RestClientBuilder builder = RestClient.builder(
    new HttpHost("localhost", 9200, "https"))
    .setHttpClientConfigCallback(new HttpClientConfigCallback() {
        @Override
        public HttpAsyncClientBuilder customizeHttpClient(
                HttpAsyncClientBuilder httpClientBuilder) {
            // Hostname verification remains enabled (the default) alongside the custom SSLContext
            return httpClientBuilder.setSSLContext(sslContext);
        }
    });
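The snippet above uses setSSLContext. As an added example (not code from the original post or from the Elastic documentation), the following builds the trust material from a PEM CA file instead of a PKCS#12 truststore and wires it in through the session-strategy route the text mentions; on HttpAsyncClientBuilder that method is called setSSLStrategy. The class name, the PEM path and the ES_CA_PEM placeholder are assumptions, and the protocol list assumes a JVM that supports TLS 1.3 (JDK 11+, or 8u261+).

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import javax.net.ssl.SSLContext;
import org.apache.http.HttpHost;
import org.apache.http.conn.ssl.DefaultHostnameVerifier;
import org.apache.http.nio.conn.ssl.SSLIOSessionStrategy;
import org.apache.http.ssl.SSLContexts;
import org.elasticsearch.client.RestClient;

/** Hypothetical helper: RestClient that trusts only the CA(s) found in a PEM file. */
public class PemTrustedRestClient {

    /** Loads every certificate in the PEM file into an empty in-memory PKCS#12 truststore. */
    static KeyStore trustStoreFromPem(Path caPem) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        KeyStore ts = KeyStore.getInstance("pkcs12");
        ts.load(null, null); // start from an empty store, no file and no password
        try (InputStream in = Files.newInputStream(caPem)) {
            int i = 0;
            for (Certificate c : cf.generateCertificates(in)) {
                ts.setCertificateEntry("ca-" + i++, c); // only CA certs, never private keys
            }
        }
        return ts;
    }

    static RestClient build(Path caPem, String host, int port) throws Exception {
        SSLContext ctx = SSLContexts.custom()
            .loadTrustMaterial(trustStoreFromPem(caPem), null) // null strategy = default validation
            .build();
        // The session strategy pins the protocol versions and keeps strict hostname
        // verification, which would otherwise be the implicit default.
        SSLIOSessionStrategy strategy = new SSLIOSessionStrategy(
            ctx, new String[] {"TLSv1.2", "TLSv1.3"}, null, new DefaultHostnameVerifier());
        return RestClient.builder(new HttpHost(host, port, "https"))
            .setHttpClientConfigCallback(b -> b.setSSLStrategy(strategy))
            .build();
    }

    public static void main(String[] args) throws Exception {
        // ES_CA_PEM is an assumed environment variable pointing at the cluster's CA certificate
        Path caPem = Paths.get(System.getenv("ES_CA_PEM"));
        try (RestClient client = build(caPem, "localhost", 9200)) {
            System.out.println("connected over TLS: " + client.isRunning());
        }
    }
}
```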

The following covers the scenario where we need to supply both a KeyStore (the client's own certificate and key) and a TrustStore:

import java.io.File;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.SSLContext;
import org.apache.http.HttpHost;
import org.apache.http.auth.AuthScope;
import org.apache.http.auth.UsernamePasswordCredentials;
import org.apache.http.client.CredentialsProvider;
import org.apache.http.impl.client.BasicCredentialsProvider;
import org.apache.http.impl.nio.client.HttpAsyncClientBuilder;
import org.apache.http.ssl.SSLContextBuilder;
import org.elasticsearch.client.RestClient;
import org.elasticsearch.client.RestClientBuilder;
import org.elasticsearch.client.RestHighLevelClient;

// Assumed to be fields of the enclosing class: keyStorePath, keyStorePwd, trustStorePath,
// address (in the form "host1:9200,host2:9200"), userName, password, and a logger named log.
public static RestHighLevelClient initRestHighLevelClient() {
    try {
        KeyStore keyStore = KeyStore.getInstance("jceks"); // depends on your keystore type
        // try-with-resources closes the file even if load() throws
        try (InputStream in = new FileInputStream(keyStorePath)) {
            keyStore.load(in, keyStorePwd.toCharArray());
        }

        SSLContextBuilder builder = new SSLContextBuilder();
        // The client's own certificate and private key, presented to the server
        builder.loadKeyMaterial(keyStore, keyStorePwd.toCharArray());
        // The CA that signed the Elasticsearch certificate
        builder.loadTrustMaterial(new File(trustStorePath));

        final SSLContext context = builder.build();

        // Parse "host:port,host:port" into HTTPS endpoints
        List<HttpHost> hostLists = new ArrayList<>();
        String[] hostList = address.split(",");
        for (String addr : hostList) {
            String host = addr.split(":")[0];
            String port = addr.split(":")[1];
            hostLists.add(new HttpHost(host, Integer.parseInt(port), "https"));
        }
        HttpHost[] httpHost = hostLists.toArray(new HttpHost[0]);

        // Basic-auth credentials, sent only over the TLS connection built above
        final CredentialsProvider credentialsProvider = new BasicCredentialsProvider();
        credentialsProvider.setCredentials(
            AuthScope.ANY, new UsernamePasswordCredentials(userName, password));
        RestClientBuilder restClientBuilder = RestClient
            .builder(httpHost)
            .setHttpClientConfigCallback(new RestClientBuilder.HttpClientConfigCallback() {
                @Override
                public HttpAsyncClientBuilder customizeHttpClient(HttpAsyncClientBuilder httpAsyncClientBuilder) {
                    return httpAsyncClientBuilder
                        .setDefaultCredentialsProvider(credentialsProvider)
                        .setSSLContext(context);
                }
            });
        return new RestHighLevelClient(restClientBuilder);
    } catch (Exception e) {
        log.error("=======init RestHighLevelClient failed : " + e.getMessage());
        return null;
    }
}

For other encrypted-communication scenarios, see the official documentation:
https://www.elastic.co/guide/en/elasticsearch/client/java-rest/current/_encrypted_communication.html
