Elasticsearch cluster + security configuration + SSL configuration, Kibana cluster + security configuration + SSL configuration, explained step by step from scratch

Elasticsearch deployment and configuration

1. Environment planning

IP address   OS version   Role          Hostname
10.0.0.10    CentOS 8.4   es-node1      es00
10.0.0.11    CentOS 8.4   es-node2      es01
10.0.0.12    CentOS 8.4   es-node3      es02
10.0.0.15    CentOS 8.4   kibana-node1  kb01
10.0.0.16    CentOS 8.4   kibana-node2  kb02

2. Prerequisites

1. A working base yum repository;
2. Internet access;
3. The clocks of all hosts are in sync;
4. All steps are run as the root user (the default used throughout).

3. Steps on es00

Environment-specific settings:

Setting                       Value                                    Description
cluster.name                  ergo-test                                Cluster name
node.name                     es00                                     Node name
network.host                  10.0.0.10                                Bind address
discovery.seed_hosts          ["10.0.0.10", "10.0.0.11", "10.0.0.12"]  Seed host addresses
cluster.initial_master_nodes  ["es00", "es01", "es02"]                 Initial master nodes
3.1 Log in to the es00 node

You need to enter:

# Log in over ssh (default port 22)
$ ssh root@10.0.0.10

You should see:

# You are asked for the root password
root@10.0.0.10's password:

You need to enter:

# The root user's ssh password
(password)

You should see:

# The last-login time and source address will differ
Last login: Fri Sep 24 10:55:01 2021 from 10.0.0.9
[root@es00 ~]# 

3.2 Install the public key

You need to enter:

# Import the signing key published by Elastic
$ rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch

You should see:

# No output; back at the prompt
[root@es00 ~]# 

3.3 Create the yum repository

You need to enter:

# Add the yum repository published by Elastic
$ cat << EOF >> /etc/yum.repos.d/elasticsearch.repo
[elasticsearch]
name=Elasticsearch repository for 7.x packages
baseurl=https://artifacts.elastic.co/packages/7.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=0
autorefresh=1
type=rpm-md
EOF

You should see:

# No output; back at the prompt
[root@es00 ~]# 

3.4 Install Elasticsearch

You need to enter:

# Install with dnf
$ dnf install -y --enablerepo=elasticsearch elasticsearch-7.14.0

You should see:

# Installation complete; back at the prompt
Last metadata expiration check: 0:01:07 ago on Fri 24 Sep 2021 02:54:55 PM CST.
Dependencies resolved.
...
Installed:
  elasticsearch-7.14.0-1.x86_64                                        

Complete!
[root@es00 ~]# 

3.5 Basic configuration changes

You need to enter:

# The values below depend on the target environment; check that the script matches yours:
# cluster name
# node name
# bind address
# seed host addresses
# initial master node names
sed -i \
--expression='s/#cluster.name: my-application/cluster.name: ergo-test/' \
--expression='s/#node.name: node-1/node.name: es00/' \
--expression='s/#network.host: 192.168.0.1/network.host: 10.0.0.10/' \
--expression='s/#discovery.seed_hosts: \["host1", "host2"\]/discovery.seed_hosts: \["10.0.0.10", "10.0.0.11", "10.0.0.12"\]/' \
--expression='s/#cluster.initial_master_nodes: \["node-1", "node-2"\]/cluster.initial_master_nodes: \["es00", "es01", "es02"\]/' \
/etc/elasticsearch/elasticsearch.yml

You should see:

# No output; back at the prompt
[root@es00 ~]# 

You need to enter:

# Search the file to confirm the settings were applied correctly
$ grep \
--regexp='cluster.name' \
--regexp='node.name' \
--regexp='network.host' \
--regexp='discovery.seed_hosts' \
--regexp='cluster.initial_master_nodes' \
/etc/elasticsearch/elasticsearch.yml

You should see:

# The search results match what was entered
cluster.name: ergo-test
node.name: es00
network.host: 10.0.0.10
discovery.seed_hosts: ["10.0.0.10", "10.0.0.11", "10.0.0.12"]
cluster.initial_master_nodes: ["es00", "es01", "es02"]
[root@es00 ~]# 

3.6 Configure security features

3.6.1 Change directory

You need to enter:

# Change directory
$ cd /usr/share/elasticsearch

You should see:

# The working directory has changed
[root@es00 elasticsearch]# 

3.6.2 Run the tool to generate a CA

You need to enter:

# Generate a CA with the tool shipped with Elasticsearch
$ ./bin/elasticsearch-certutil ca

You should see:

# You are asked for the CA file name
This tool assists you in the generation of X.509 certificates and certificate
signing requests for use with SSL/TLS in the Elastic stack.
...
...
Please enter the desired output file [elastic-stack-ca.p12]:

You need to enter:

# Accept the default file name
(Enter)

You should see:

# You are asked for a password to protect the CA file
Enter password for elastic-stack-ca.p12 :

You need to enter:

(password)

You should see:

# The tool exits; back at the prompt
[root@es00 elasticsearch]# 

3.6.3 Generate the certificate for trust between ES nodes

You need to enter:

# Generate the certificate with the tool shipped with Elasticsearch
$ ./bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12

You should see:

# You are asked for the CA password
This tool assists you in the generation of X.509 certificates and certificate
signing requests for use with SSL/TLS in the Elastic stack.
...
...
then the output will be be a zip file containing individual certificate/key files

Enter password for CA (elastic-stack-ca.p12) : 

You need to enter:

(CA password)

You should see:

# Confirm the certificate file name
Please enter the desired output file [elastic-certificates.p12]: 

You need to enter:

# Accept the default file name
(Enter)

You should see:

# Set the certificate password
Enter password for elastic-certificates.p12 :

You need to enter:

(password)

You should see:

# The tool exits; back at the prompt
Certificates written to /usr/share/elasticsearch/elastic-certificates.p12
...
...
For client applications, you may only need to copy the CA certificate and
configure the client to trust this certificate.
[root@es00 elasticsearch]# 

3.6.4 Copy the certificate to the configuration directory

You need to enter:

# Copy the generated certificate into the configuration directory
$ cp /usr/share/elasticsearch/elastic-certificates.p12 /etc/elasticsearch

You should see:

# No output; back at the prompt
[root@es00 elasticsearch]# 

You need to enter:

# Grant the group read access to the certificate file
$ chmod g+r /etc/elasticsearch/elastic-certificates.p12

You should see:

# No output; back at the prompt
[root@es00 elasticsearch]# 

You need to enter:

# Check the certificate permissions
$ ll /etc/elasticsearch/elastic-certificates.p12

You should see:

# Permissions are correct: owner read/write, group read-only, no access for others
-rw-r-----. 1 root elasticsearch 3596 Sep 24 16:04 /etc/elasticsearch/elastic-certificates.p12

3.6.5 Add the transport security settings

You need to enter:

$ cat << EOF >> /etc/elasticsearch/elasticsearch.yml
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.client_authentication: required
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12
EOF

You should see:

# No output; back at the prompt
[root@es00 elasticsearch]# 

You need to enter:

# Search the file to confirm the settings were added correctly. They are:
# master security switch
# transport SSL switch
# transport SSL certificate verification mode
# transport SSL mutual authentication switch
# transport SSL keystore path
# transport SSL truststore path
$ grep \
--regexp='xpack.security.enabled' \
--regexp='xpack.security.transport.ssl.enabled' \
--regexp='xpack.security.transport.ssl.verification_mode' \
--regexp='xpack.security.transport.ssl.client_authentication' \
--regexp='xpack.security.transport.ssl.keystore.path' \
--regexp='xpack.security.transport.ssl.truststore.path' \
/etc/elasticsearch/elasticsearch.yml

You should see:

# Matches the settings that were entered
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.client_authentication: required
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12
[root@es00 elasticsearch]# 

3.6.6 Store the transport.ssl.keystore password securely

You need to enter:

# Store the password with the keystore tool shipped with Elasticsearch
$ ./bin/elasticsearch-keystore add xpack.security.transport.ssl.keystore.secure_password

You should see:

# This is the password that unlocks elastic-certificates.p12
Enter value for xpack.security.transport.ssl.keystore.secure_password:

You need to enter:

(password)

You should see:

# The tool finishes; back at the prompt
[root@es00 elasticsearch]#

3.6.7 Store the transport.ssl.truststore password securely

You need to enter:

# Store the password with the keystore tool shipped with Elasticsearch
$ ./bin/elasticsearch-keystore add xpack.security.transport.ssl.truststore.secure_password

You should see:

# This is the password that unlocks elastic-certificates.p12
Enter value for xpack.security.transport.ssl.truststore.secure_password:

You need to enter:

(password)

You should see:

# The tool finishes; back at the prompt
[root@es00 elasticsearch]#

3.7 Configure HTTPS

3.7.1 Generate the SSL certificate

You need to enter:

# Generate a self-signed SSL certificate with the tool shipped with Elasticsearch
$ ./bin/elasticsearch-certutil http

You should see:

# You are asked whether to generate a CSR
## Elasticsearch HTTP Certificate Utility

The 'http' command guides you through the process of generating certificates
for use on the HTTP (Rest) interface for Elasticsearch.
...
...
If you choose not to generate a CSR, this tool will generate a new certificate
for you. That certificate will be signed by a CA under your control. This is a
quick and easy way to secure your cluster with TLS, but you will need to
configure all your clients to trust that custom CA.

Generate a CSR? [y/N]

You need to enter:

# Type N: no CSR is needed
N

You should see:

# You are asked whether to use an existing CA certificate
## Do you have an existing Certificate Authority (CA) key-pair that you wish to use to sign your certificate?

If you have an existing CA certificate and key, then you can use that CA to
sign your new http certificate. This allows you to use the same CA across
multiple Elasticsearch clusters which can make it easier to configure clients,
and may be easier for you to manage.

If you do not have an existing CA, one will be generated for you.

Use an existing CA? [y/N]

You need to enter:

# Type y: use the existing CA
y

You should see:

# You are asked for the location of the CA certificate
## What is the path to your CA?

Please enter the full pathname to the Certificate Authority that you wish to
use for signing your new http certificate. This can be in PKCS#12 (.p12), JKS
(.jks) or PEM (.crt, .key, .pem) format.
CA Path:

You need to enter:

# Location of the CA certificate generated in step 3.6.2
/usr/share/elasticsearch/elastic-stack-ca.p12

You should see:

# You are asked for the password protecting the CA certificate
Reading a PKCS12 keystore requires a password.
It is possible for the keystore's password to be blank,
in which case you can simply press <ENTER> at the prompt
Password for elastic-stack-ca.p12:

You need to enter:

# CA password
(password)

You should see:

# You are asked how long the certificate should be valid
## How long should your certificates be valid?

...
...

You may enter the validity period in years (e.g. 3Y), months (e.g. 18M), or days (e.g. 90D)

For how long should your certificate be valid? [5y] 

You need to enter:

# Use the default
(Enter)

You should see:

# You are asked whether to generate one certificate per cluster node
## Do you wish to generate one certificate per node?

...
...

However, if you do not have a common domain name, and you expect to add
additional nodes to your cluster in the future, then you should generate a
certificate per node so that you can more easily generate new certificates when
you provision new nodes.

Generate a certificate per node? [y/N]

You need to enter:

# Type N: generate a certificate for this node only
N

You should see:

# You are asked for the hostname
## What is the name of node #1?

## Which hostnames will be used to connect to your nodes?

These hostnames will be added as "DNS" names in the "Subject Alternative Name"
(SAN) field in your certificate.

You should list every hostname and variant that people will use to connect to
your cluster over http.
Do not list IP addresses here, you will be asked to enter them later.

If you wish to use a wildcard certificate (for example *.es.example.com) you
can enter that here.

Enter all the hostnames that you need, one per line.
When you are done, press <ENTER> once more to move on to the next step.

You need to enter:

# Several hostnames may be entered, one per line
es00
(Enter)

You should see:

# Confirmation prompt
You entered the following hostnames.

 - es00

Is this correct [Y/n]

You need to enter:

# Type y if the input is correct, n to change it
y

You should see:

# You are asked for the node's IP address
## Which IP addresses will be used to connect to es00?

If your clients will ever connect to your nodes by numeric IP address, then you
can list these as valid IP "Subject Alternative Name" (SAN) fields in your
certificate.

If you do not have fixed IP addresses, or not wish to support direct IP access
to your cluster then you can just press <ENTER> to skip this step.

Enter all the IP addresses that you need, one per line.
When you are done, press <ENTER> once more to move on to the next step.

You need to enter:

# The host's static IP address
10.0.0.10
(Enter)

You should see:

# Confirmation prompt
You entered the following IP addresses.

 - 10.0.0.10

Is this correct [Y/n]

You need to enter:

# Type y if the configuration is correct, n to change it
y

You should see:

# You are asked whether any of the remaining options should be changed
## Other certificate options

The generated certificate will have the following additional configuration
values. These values have been selected based on a combination of the
information you have provided above and secure defaults. You should not need to
change these values unless you have specific requirements.

Key Name: es00
Subject DN: CN=es00
Key Size: 2048

Do you wish to change any of these options? [y/N]

You need to enter:

# Nothing to change: type N
N

You should see:

# You are asked for a password for the SSL certificate's private key
## What password do you want for your private key(s)?

Your private key(s) will be stored in a PKCS#12 keystore file named "http.p12".
This type of keystore is always password protected, but it is possible to use a
blank password.

If you wish to use a blank password, simply press <enter> at the prompt below.
Provide a password for the "http.p12" file:  [<ENTER> for none]

You need to enter:

(password)

You should see:

# Confirm the password
Repeat password to confirm:

You need to enter:

(password)

You should see:

# You are told the location and name of the generated zip archive
## Where should we save the generated files?

A number of files will be generated including your private key(s),
public certificate(s), and sample configuration options for Elastic Stack products.

These files will be included in a single zip archive.

What filename should be used for the output zip file? [/usr/share/elasticsearch/elasticsearch-ssl-http.zip]

You need to enter:

# Use the default
(Enter)

You should see:

# The tool finishes; back at the prompt
Zip file written to /usr/share/elasticsearch/elasticsearch-ssl-http.zip
[root@es00 elasticsearch]# 

3.7.2 Unzip the certificate archive

You need to enter:

# Install unzip
$ dnf -y install unzip

You should see:

# Installation complete; back at the prompt
Last metadata expiration check: 15:52:07 ago on Sat 25 Sep 2021 05:54:41 PM CST.
Dependencies resolved.
...
...
Installed:
  unzip-6.0-45.el8_4.x86_64                                        

Complete!
[root@es00 elasticsearch]# 

You need to enter:

# Unzip the certificate archive
$ unzip /usr/share/elasticsearch/elasticsearch-ssl-http.zip 

You should see:

# This produces the ES certificate and the PEM CA certificate used by Kibana
Archive:  elasticsearch-ssl-http.zip
   creating: elasticsearch/
  inflating: elasticsearch/README.txt  
  inflating: elasticsearch/http.p12  
  inflating: elasticsearch/sample-elasticsearch.yml  
   creating: kibana/
  inflating: kibana/README.txt       
  inflating: kibana/elasticsearch-ca.pem  
  inflating: kibana/sample-kibana.yml  
[root@es00 elasticsearch]#

You need to enter:

$ cp elasticsearch/http.p12 /etc/elasticsearch

You should see:

# No output
[root@es00 elasticsearch]# 

3.7.3 Add the settings

You need to enter:

# Add the HTTPS settings
$ cat << EOF >>  /etc/elasticsearch/elasticsearch.yml
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: http.p12
EOF

You should see:

# No output
[root@es00 elasticsearch]# 

You need to enter:

# Search the file to confirm the settings were added correctly. They are:
# HTTP SSL switch
# HTTP SSL certificate location
$ grep \
--regexp='xpack.security.http.ssl.enabled' \
--regexp='xpack.security.http.ssl.keystore.path' \
/etc/elasticsearch/elasticsearch.yml

You should see:

# The output matches what was entered
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: http.p12
[root@es00 elasticsearch]# 

3.7.4 Store the xpack.security.http.ssl.keystore password securely

You need to enter:

# Store the password with the keystore tool shipped with Elasticsearch
$ ./bin/elasticsearch-keystore add xpack.security.http.ssl.keystore.secure_password

You should see:

# The certificate's unlock password
Enter value for xpack.security.http.ssl.keystore.secure_password:

You need to enter:

(password)

You should see:

# No output
[root@es00 elasticsearch]# 

3.7.5 Restrict certificate permissions

You need to enter:

# Remove read access for users other than the owner and group
$ chmod o-r /etc/elasticsearch/http.p12

You should see:

# No output
[root@es00 elasticsearch]# 

You need to enter:

# Check the certificate permissions
$ ll /etc/elasticsearch/http.p12

You should see:

# Permissions are correct: owner read/write, group read-only, no access for others
-rw-r-----. 1 root elasticsearch 3596 Sep 24 16:04 /etc/elasticsearch/http.p12
[root@es00 elasticsearch]# 

3.8 Start the service

You need to enter:

# Start and manage Elasticsearch with systemctl
$ systemctl start elasticsearch.service

You should see:

# No output
[root@es00 elasticsearch]# 

You need to enter:

# Check the Elasticsearch service status
$ systemctl status elasticsearch.service

You should see:

# If Active shows running, the service started successfully
● elasticsearch.service - Elasticsearch
   Loaded: loaded (/usr/lib/systemd/system/elasticsearch.service; disabled; ven>
   Active: active (running) since Sun 2021-09-26 10:13:20 CST; 51s ago
     Docs: https://www.elastic.co
 Main PID: 2155 (java)
    Tasks: 51 (limit: 49460)
   Memory: 4.2G
   CGroup: /system.slice/elasticsearch.service
           ├─2155 /usr/share/elasticsearch/jdk/bin/java -Xshare:auto -Des.netwo>
           └─2359 /usr/share/elasticsearch/modules/x-pack-ml/platform/linux-x86>

Sep 26 10:12:39 es00.observability.devops.lab.ecnl systemd[1]: Starting Elastic>
Sep 26 10:13:20 es00.observability.devops.lab.ecnl systemd[1]: Started Elastics>
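
As an added check that is not part of the original guide, the script below verifies on one node that the settings appended in steps 3.5 through 3.7 are present exactly once with the expected values (a setting appended twice by re-running a "cat << EOF >>" step stops the node from starting, and a "sed" pattern that did not match leaves the setting missing), and that the PKCS#12 keystores are owned by root:elasticsearch with mode 640 ("chmod g+r" in step 3.6.4 adds group read but does not remove read access for other users). It assumes GNU stat (Linux); the config directory, owner and group are parameters, and the demo at the end runs on constructed sample files rather than a real node.

```bash
#!/usr/bin/env bash
# Added example (not from the original guide): post-configuration check for one
# Elasticsearch node. Verifies that every setting appended to elasticsearch.yml
# is present exactly once with the expected value, and that the PKCS#12 keystores
# holding private keys are readable only by root and the elasticsearch group.
# Assumes GNU stat (Linux). Paths, owner and group are passed as parameters.
set -u

# key=expected value, as entered in the guide (cluster-wide values plus the
# security settings; per-node values such as node.name are not listed).
REQUIRED_SETTINGS='cluster.name=ergo-test
discovery.seed_hosts=["10.0.0.10", "10.0.0.11", "10.0.0.12"]
cluster.initial_master_nodes=["es00", "es01", "es02"]
xpack.security.enabled=true
xpack.security.transport.ssl.enabled=true
xpack.security.transport.ssl.verification_mode=certificate
xpack.security.transport.ssl.client_authentication=required
xpack.security.transport.ssl.keystore.path=elastic-certificates.p12
xpack.security.transport.ssl.truststore.path=elastic-certificates.p12
xpack.security.http.ssl.enabled=true
xpack.security.http.ssl.keystore.path=http.p12'

# setting_value FILE KEY: print the value of the uncommented "KEY: value" line.
# Prints nothing if KEY is absent and "DUPLICATE" if it occurs more than once;
# a duplicated key stops Elasticsearch from starting, and the guide's
# "cat << EOF >>" steps append a second copy if they are run twice.
setting_value() {
  awk -v k="$2" '
    /^[ \t]*#/ { next }                          # skip commented-out defaults
    {
      i = index($0, ":"); if (i == 0) next       # not a "key: value" line
      name = substr($0, 1, i - 1); val = substr($0, i + 1)
      gsub(/^[ \t]+|[ \t]+$/, "", name); gsub(/^[ \t]+|[ \t]+$/, "", val)
      if (name == k) { n++; last = val }
    }
    END { if (n > 1) print "DUPLICATE"; else if (n == 1) print last }
  ' "$1"
}

# check_settings FILE: report each required setting that is missing, duplicated
# or has an unexpected value; return 1 if anything was reported.
check_settings() {
  local file="$1" key want got rc=0
  while IFS='=' read -r key want; do
    [ -n "$key" ] || continue
    got=$(setting_value "$file" "$key")
    if [ "$got" = "DUPLICATE" ]; then
      echo "DUPLICATE  $key appears more than once (node will refuse to start)"; rc=1
    elif [ -z "$got" ]; then
      echo "MISSING    $key (expected: $want)"; rc=1
    elif [ "$got" != "$want" ]; then
      echo "MISMATCH   $key = $got (expected: $want)"; rc=1
    fi
  done <<EOF
$REQUIRED_SETTINGS
EOF
  return $rc
}

# check_keystore_perms FILE OWNER GROUP: a .p12 keystore contains a private key,
# so it must belong to OWNER:GROUP and be mode 640 or stricter. "chmod g+r"
# alone does not remove read access for other users; "chmod o-rwx" does.
check_keystore_perms() {
  local file="$1" owner="$2" group="$3" rc=0 mode
  [ -f "$file" ] || { echo "MISSING    $file"; return 1; }
  mode=$(stat -c '%a' "$file")
  case "$mode" in
    640|600|440|400) ;;
    *) echo "PERMS      $file has mode $mode (fix: chmod 640 $file)"; rc=1 ;;
  esac
  if [ "$(stat -c '%U:%G' "$file")" != "$owner:$group" ]; then
    echo "OWNER      $file is $(stat -c '%U:%G' "$file") (expected $owner:$group)"; rc=1
  fi
  return $rc
}

# Stand-alone demo on constructed files (not a real node), so it runs offline:
# the yml has one setting appended twice and http.p12 still has mode 644.
demo() {
  local dir; dir=$(mktemp -d)
  printf '%s\n' "$REQUIRED_SETTINGS" | sed 's/=/: /' > "$dir/elasticsearch.yml"
  echo 'xpack.security.http.ssl.enabled: true' >> "$dir/elasticsearch.yml"
  : > "$dir/http.p12"; chmod 644 "$dir/http.p12"
  check_settings "$dir/elasticsearch.yml" || echo "-> configuration problems found"
  check_keystore_perms "$dir/http.p12" "$(id -un)" "$(id -gn)" || echo "-> permission problems found"
  rm -rf "$dir"
}
demo
```

On a real node, call check_settings /etc/elasticsearch/elasticsearch.yml and check_keystore_perms /etc/elasticsearch/http.p12 root elasticsearch (and the same for elastic-certificates.p12) before the systemctl start in 3.8.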

4. Steps on es01

Environment-specific settings:

Setting                       Value                                    Description
cluster.name                  ergo-test                                Cluster name
node.name                     es01                                     Node name
network.host                  10.0.0.11                                Bind address
discovery.seed_hosts          ["10.0.0.10", "10.0.0.11", "10.0.0.12"]  Seed host addresses
cluster.initial_master_nodes  ["es00", "es01", "es02"]                 Initial master nodes
4.1 Log in to the es01 node

You need to enter:

# Log in over ssh (default port 22)
$ ssh root@10.0.0.11

You should see:

# You are asked for the root password
root@10.0.0.11's password:

You need to enter:

# The root user's ssh password
(password)

You should see:

# The last-login time and source address will differ
Last login: Fri Sep 24 10:55:01 2021 from 10.0.0.9
[root@es01 ~]# 

4.2 Install the public key

You need to enter:

# Import the signing key published by Elastic
$ rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch

You should see:

# No output; back at the prompt
[root@es01 ~]# 

4.3 Create the yum repository

You need to enter:

$ cat << EOF >> /etc/yum.repos.d/elasticsearch.repo
[elasticsearch]
name=Elasticsearch repository for 7.x packages
baseurl=https://artifacts.elastic.co/packages/7.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=0
autorefresh=1
type=rpm-md
EOF

You should see:

# No output; back at the prompt
[root@es01 ~]# 

4.4 Install Elasticsearch

You need to enter:

$ dnf install -y --enablerepo=elasticsearch elasticsearch-7.14.0

You should see:

# Installation complete; back at the prompt
Last metadata expiration check: 0:01:07 ago on Fri 24 Sep 2021 02:54:55 PM CST.
Dependencies resolved.
...
Installed:
  elasticsearch-7.14.0-1.x86_64                                        

Complete!
[root@es01 ~]# 

4.5 Basic configuration changes

You need to enter:

# The values below depend on the target environment; check that the script matches yours:
# cluster name
# node name
# bind address
# seed host addresses
# initial master node names
sed -i \
--expression='s/#cluster.name: my-application/cluster.name: ergo-test/' \
--expression='s/#node.name: node-1/node.name: es01/' \
--expression='s/#network.host: 192.168.0.1/network.host: 10.0.0.11/' \
--expression='s/#discovery.seed_hosts: \["host1", "host2"\]/discovery.seed_hosts: \["10.0.0.10", "10.0.0.11", "10.0.0.12"\]/' \
--expression='s/#cluster.initial_master_nodes: \["node-1", "node-2"\]/cluster.initial_master_nodes: \["es00", "es01", "es02"\]/' \
/etc/elasticsearch/elasticsearch.yml

You should see:

# No output; back at the prompt
[root@es01 ~]# 

You need to enter:

# Search the file to confirm the settings were applied correctly
$ grep \
--regexp='cluster.name' \
--regexp='node.name' \
--regexp='network.host' \
--regexp='discovery.seed_hosts' \
--regexp='cluster.initial_master_nodes' \
/etc/elasticsearch/elasticsearch.yml

You should see:

# The search results match what was entered
cluster.name: ergo-test
node.name: es01
network.host: 10.0.0.11
discovery.seed_hosts: ["10.0.0.10", "10.0.0.11", "10.0.0.12"]
cluster.initial_master_nodes: ["es00", "es01", "es02"]
[root@es01 ~]# 

4.6 Configure security features

4.6.1 Change directory

You need to enter:

$ cd /usr/share/elasticsearch

You should see:

# The working directory has changed
[root@es01 elasticsearch]# 

4.6.2 Copy the CA certificate from es00

You need to enter:

# Copy the CA certificate from the es00 node
$ scp 10.0.0.10:/usr/share/elasticsearch/elastic-stack-ca.p12 /usr/share/elasticsearch/

You should see:

# You are asked for the root password of host 10.0.0.10
Warning: Permanently added '10.0.0.10' (ECDSA) to the list of known hosts.
root@10.0.0.10's password:

You need to enter:

# root password of 10.0.0.10
(password)

You should see:

# The certificate was transferred
elastic-stack-ca.p12                                                                                        100% 2672     3.3MB/s   00:00 
[root@es01 elasticsearch]# 

4.6.3 Copy the ES inter-node certificate

You need to enter:

$ scp 10.0.0.10:/etc/elasticsearch/elastic-certificates.p12 /etc/elasticsearch

You should see:

# You are asked for the root password of host 10.0.0.10
Warning: Permanently added '10.0.0.10' (ECDSA) to the list of known hosts.
root@10.0.0.10's password:

You need to enter:

# root password of 10.0.0.10
(password)

You should see:

# The certificate was transferred
elastic-certificates.p12                                                                                        100% 2672     3.3MB/s   00:00 
[root@es01 elasticsearch]# 

4.6.4 Add the transport security settings

You need to enter:

$ cat << EOF >> /etc/elasticsearch/elasticsearch.yml
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.client_authentication: required
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12
EOF

You should see:

# No output; back at the prompt
[root@es01 elasticsearch]# 

You need to enter:

# Search the file to confirm the settings were added correctly. They are:
# master security switch
# transport SSL switch
# transport SSL certificate verification mode
# transport SSL mutual authentication switch
# transport SSL keystore path
# transport SSL truststore path
$ grep \
--regexp='xpack.security.enabled' \
--regexp='xpack.security.transport.ssl.enabled' \
--regexp='xpack.security.transport.ssl.verification_mode' \
--regexp='xpack.security.transport.ssl.client_authentication' \
--regexp='xpack.security.transport.ssl.keystore.path' \
--regexp='xpack.security.transport.ssl.truststore.path' \
/etc/elasticsearch/elasticsearch.yml

You should see:

# Matches the settings that were entered
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.client_authentication: required
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12
[root@es01 elasticsearch]# 

4.6.5 Store the transport.ssl.keystore password securely

You need to enter:

# Store the password with the keystore tool shipped with Elasticsearch
$ ./bin/elasticsearch-keystore add xpack.security.transport.ssl.keystore.secure_password

You should see:

# This is the password that unlocks elastic-certificates.p12
Enter value for xpack.security.transport.ssl.keystore.secure_password:

You need to enter:

(password)

You should see:

# The tool finishes; back at the prompt
[root@es01 elasticsearch]#

4.6.6 Store the transport.ssl.truststore password securely

You need to enter:

# Store the password with the keystore tool shipped with Elasticsearch
$ ./bin/elasticsearch-keystore add xpack.security.transport.ssl.truststore.secure_password

You should see:

# This is the password that unlocks elastic-certificates.p12
Enter value for xpack.security.transport.ssl.truststore.secure_password:

You need to enter:

(password)

You should see:

# The tool finishes; back at the prompt
[root@es01 elasticsearch]#

4.7 Configure HTTPS

4.7.1 Generate the SSL certificate

You need to enter:

# Generate a self-signed SSL certificate with the tool shipped with Elasticsearch
$ ./bin/elasticsearch-certutil http

You should see:

# You are asked whether to generate a CSR
## Elasticsearch HTTP Certificate Utility

The 'http' command guides you through the process of generating certificates
for use on the HTTP (Rest) interface for Elasticsearch.
...
...
If you choose not to generate a CSR, this tool will generate a new certificate
for you. That certificate will be signed by a CA under your control. This is a
quick and easy way to secure your cluster with TLS, but you will need to
configure all your clients to trust that custom CA.

Generate a CSR? [y/N]

You need to enter:

# Type N: no CSR is needed
N

You should see:

# You are asked whether to use an existing CA certificate
## Do you have an existing Certificate Authority (CA) key-pair that you wish to use to sign your certificate?

If you have an existing CA certificate and key, then you can use that CA to
sign your new http certificate. This allows you to use the same CA across
multiple Elasticsearch clusters which can make it easier to configure clients,
and may be easier for you to manage.

If you do not have an existing CA, one will be generated for you.

Use an existing CA? [y/N]

You need to enter:

# Type y: use the existing CA
y

You should see:

# You are asked for the location of the CA certificate
## What is the path to your CA?

Please enter the full pathname to the Certificate Authority that you wish to
use for signing your new http certificate. This can be in PKCS#12 (.p12), JKS
(.jks) or PEM (.crt, .key, .pem) format.
CA Path:

You need to enter:

# Location of the CA certificate copied from es00 in step 4.6.2
/usr/share/elasticsearch/elastic-stack-ca.p12

You should see:

# You are asked for the password protecting the CA certificate
Reading a PKCS12 keystore requires a password.
It is possible for the keystore's password to be blank,
in which case you can simply press <ENTER> at the prompt
Password for elastic-stack-ca.p12:

You need to enter:

# CA password
(password)

You should see:

# You are asked how long the certificate should be valid
## How long should your certificates be valid?

...
...

You may enter the validity period in years (e.g. 3Y), months (e.g. 18M), or days (e.g. 90D)

For how long should your certificate be valid? [5y] 

You need to enter:

# Use the default
(Enter)

You should see:

# You are asked whether to generate one certificate per cluster node
## Do you wish to generate one certificate per node?

...
...

However, if you do not have a common domain name, and you expect to add
additional nodes to your cluster in the future, then you should generate a
certificate per node so that you can more easily generate new certificates when
you provision new nodes.

Generate a certificate per node? [y/N]

You need to enter:

# Type N: generate a certificate for the current node only
N

You should see:

# You are asked for the hostname
## What is the name of node #1?

## Which hostnames will be used to connect to your nodes?

These hostnames will be added as "DNS" names in the "Subject Alternative Name"
(SAN) field in your certificate.

You should list every hostname and variant that people will use to connect to
your cluster over http.
Do not list IP addresses here, you will be asked to enter them later.

If you wish to use a wildcard certificate (for example *.es.example.com) you
can enter that here.

Enter all the hostnames that you need, one per line.
When you are done, press <ENTER> once more to move on to the next step.

You need to enter:

# Several hostnames may be entered, one per line
es01
(Enter)

You should see:

# Confirmation prompt
You entered the following hostnames.

 - es01

Is this correct [Y/n]

You need to enter:

# Type y if the input is correct, n to change it
y

You should see:

# You are asked for the node's IP address
## Which IP addresses will be used to connect to es01?

If your clients will ever connect to your nodes by numeric IP address, then you
can list these as valid IP "Subject Alternative Name" (SAN) fields in your
certificate.

If you do not have fixed IP addresses, or not wish to support direct IP access
to your cluster then you can just press <ENTER> to skip this step.

Enter all the IP addresses that you need, one per line.
When you are done, press <ENTER> once more to move on to the next step.

You need to enter:

# The host's static IP address
10.0.0.11
(Enter)

You should see:

# Confirmation prompt
You entered the following IP addresses.

 - 10.0.0.11

Is this correct [Y/n]

You need to enter:

# Type y if the configuration is correct, n to change it
y

You should see:

# You are asked whether any of the remaining options should be changed
## Other certificate options

The generated certificate will have the following additional configuration
values. These values have been selected based on a combination of the
information you have provided above and secure defaults. You should not need to
change these values unless you have specific requirements.

Key Name: es01
Subject DN: CN=es01
Key Size: 2048

Do you wish to change any of these options? [y/N]

You need to enter:

# Nothing to change: type N
N

You should see:

# You are asked for a password for the SSL certificate's private key
## What password do you want for your private key(s)?

Your private key(s) will be stored in a PKCS#12 keystore file named "http.p12".
This type of keystore is always password protected, but it is possible to use a
blank password.

If you wish to use a blank password, simply press <enter> at the prompt below.
Provide a password for the "http.p12" file:  [<ENTER> for none]

You need to enter:

(password)

You should see:

# Confirm the password
Repeat password to confirm:

You need to enter:

(password)

You should see:

# You are told the location and name of the generated zip archive
## Where should we save the generated files?

A number of files will be generated including your private key(s),
public certificate(s), and sample configuration options for Elastic Stack products.

These files will be included in a single zip archive.

What filename should be used for the output zip file? [/usr/share/elasticsearch/elasticsearch-ssl-http.zip]

You need to enter:

# Use the default
(Enter)

You should see:

# The tool finishes; back at the prompt
Zip file written to /usr/share/elasticsearch/elasticsearch-ssl-http.zip
[root@es01 elasticsearch]# 

4.7.2 Unzip the certificate archive

You need to enter:

# Install unzip
$ dnf -y install unzip

You should see:

# Installation complete; back at the prompt
Last metadata expiration check: 15:52:07 ago on Sat 25 Sep 2021 05:54:41 PM CST.
Dependencies resolved.
...
...
Installed:
  unzip-6.0-45.el8_4.x86_64                                        

Complete!
[root@es01 elasticsearch]# 

You need to enter:

# Unzip the certificate archive into the current directory
$ unzip /usr/share/elasticsearch/elasticsearch-ssl-http.zip 

You should see:

# This produces the ES certificate and the PEM CA certificate used by Kibana
Archive:  elasticsearch-ssl-http.zip
   creating: elasticsearch/
  inflating: elasticsearch/README.txt  
  inflating: elasticsearch/http.p12  
  inflating: elasticsearch/sample-elasticsearch.yml  
   creating: kibana/
  inflating: kibana/README.txt       
  inflating: kibana/elasticsearch-ca.pem  
  inflating: kibana/sample-kibana.yml  
[root@es01 elasticsearch]#

You need to enter:

$ cp elasticsearch/http.p12 /etc/elasticsearch

You should see:

# No output
[root@es01 elasticsearch]# 

4.7.3 Add the settings

You need to enter:

# Add the HTTPS settings
$ cat << EOF >>  /etc/elasticsearch/elasticsearch.yml
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: http.p12
EOF

You should see:

# No output
[root@es01 elasticsearch]# 

You need to enter:

# Search the file to confirm the settings were added correctly. They are:
# HTTP SSL switch
# HTTP SSL certificate location
$ grep \
--regexp='xpack.security.http.ssl.enabled' \
--regexp='xpack.security.http.ssl.keystore.path' \
/etc/elasticsearch/elasticsearch.yml

You should see:

# The output matches what was entered
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: http.p12
[root@es01 elasticsearch]#

4.7.4 Store the xpack.security.http.ssl.keystore password securely

You need to enter:

# Store the password with the keystore tool shipped with Elasticsearch
$ ./bin/elasticsearch-keystore add xpack.security.http.ssl.keystore.secure_password

You should see:

# The certificate's unlock password
Enter value for xpack.security.http.ssl.keystore.secure_password:

You need to enter:

(password)

You should see:

# No output
[root@es01 elasticsearch]# 

4.7.5 Restrict certificate permissions

You need to enter:

# Remove read access for users other than the owner and group
$ chmod o-r /etc/elasticsearch/http.p12

You should see:

# No output
[root@es01 elasticsearch]# 

You need to enter:

# Check the certificate permissions
$ ll /etc/elasticsearch/http.p12

You should see:

# Permissions are correct: owner read/write, group read-only, no access for others
-rw-r-----. 1 root elasticsearch 3596 Sep 24 16:04 /etc/elasticsearch/http.p12
[root@es01 elasticsearch]# 

4.8 Start the service

You need to enter:

# Start and manage Elasticsearch with systemctl
$ systemctl start elasticsearch.service

You should see:

# No output
[root@es01 elasticsearch]# 

You need to enter:

# Check the Elasticsearch service status
$ systemctl status elasticsearch.service

You should see:

# If Active shows running, the service started successfully
● elasticsearch.service - Elasticsearch
   Loaded: loaded (/usr/lib/systemd/system/elasticsearch.service; disabled; ven>
   Active: active (running) since Sun 2021-09-26 10:13:20 CST; 51s ago
     Docs: https://www.elastic.co
 Main PID: 2155 (java)
    Tasks: 51 (limit: 49460)
   Memory: 4.2G
   CGroup: /system.slice/elasticsearch.service
           ├─2155 /usr/share/elasticsearch/jdk/bin/java -Xshare:auto -Des.netwo>
           └─2359 /usr/share/elasticsearch/modules/x-pack-ml/platform/linux-x86>

Sep 26 10:12:39 es01.observability.devops.lab.ecnl systemd[1]: Starting Elastic>
Sep 26 10:13:20 es01.observability.devops.lab.ecnl systemd[1]: Started Elastics>

5. Steps on es02

Environment-specific settings:

Setting                       Value                                    Description
cluster.name                  ergo-test                                Cluster name
node.name                     es02                                     Node name
network.host                  10.0.0.12                                Bind address
discovery.seed_hosts          ["10.0.0.10", "10.0.0.11", "10.0.0.12"]  Seed host addresses
cluster.initial_master_nodes  ["es00", "es01", "es02"]                 Initial master nodes
5.1 Log in to the es02 node

You need to enter:

# Log in over ssh (default port 22)
$ ssh root@10.0.0.12

You should see:

# You are asked for the root password
root@10.0.0.12's password:

You need to enter:

# The root user's ssh password
(password)

You should see:

# The last-login time and source address will differ
Last login: Fri Sep 24 10:55:01 2021 from 10.0.0.9
[root@es02 ~]# 

5.2 Install the public key

You need to enter:

# Import the signing key published by Elastic
$ rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch

You should see:

# No output; back at the prompt
[root@es02 ~]# 

5.3 Create the yum repository

You need to enter:

$ cat << EOF >> /etc/yum.repos.d/elasticsearch.repo
[elasticsearch]
name=Elasticsearch repository for 7.x packages
baseurl=https://artifacts.elastic.co/packages/7.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=0
autorefresh=1
type=rpm-md
EOF

You should see:

# No output; back at the prompt
[root@es02 ~]# 

5.4 Install Elasticsearch

You need to enter:

$ dnf install -y --enablerepo=elasticsearch elasticsearch-7.14.0

You should see:

# Installation complete; back at the prompt
Last metadata expiration check: 0:01:07 ago on Fri 24 Sep 2021 02:54:55 PM CST.
Dependencies resolved.
...
Installed:
  elasticsearch-7.14.0-1.x86_64                                        

Complete!
[root@es02 ~]# 

5.5 Basic configuration changes

You need to enter:

# The values below depend on the target environment; check that the script matches yours:
# cluster name
# node name
# bind address
# seed host addresses
# initial master node names
sed -i \
--expression='s/#cluster.name: my-application/cluster.name: ergo-test/' \
--expression='s/#node.name: node-1/node.name: es02/' \
--expression='s/#network.host: 192.168.0.1/network.host: 10.0.0.12/' \
--expression='s/#discovery.seed_hosts: \["host1", "host2"\]/discovery.seed_hosts: \["10.0.0.10", "10.0.0.11", "10.0.0.12"\]/' \
--expression='s/#cluster.initial_master_nodes: \["node-1", "node-2"\]/cluster.initial_master_nodes: \["es00", "es01", "es02"\]/' \
/etc/elasticsearch/elasticsearch.yml

You should see:

# No output; back at the prompt
[root@es02 ~]# 

You need to enter:

# Search the file to confirm the settings were applied correctly
$ grep \
--regexp='cluster.name' \
--regexp='node.name' \
--regexp='network.host' \
--regexp='discovery.seed_hosts' \
--regexp='cluster.initial_master_nodes' \
/etc/elasticsearch/elasticsearch.yml

You should see:

# The search results match what was entered
cluster.name: ergo-test
node.name: es02
network.host: 10.0.0.12
discovery.seed_hosts: ["10.0.0.10", "10.0.0.11", "10.0.0.12"]
cluster.initial_master_nodes: ["es00", "es01", "es02"]
[root@es02 ~]# 

5.6 Configure security features

5.6.1 Change directory

You need to enter:

$ cd /usr/share/elasticsearch

You should see:

# The working directory has changed
[root@es02 elasticsearch]# 

5.6.2 Copy the CA certificate from es00

You need to enter:

# Copy the CA certificate from the es00 node
$ scp 10.0.0.10:/usr/share/elasticsearch/elastic-stack-ca.p12 /usr/share/elasticsearch/

You should see:

# You are asked for the root password of host 10.0.0.10
Warning: Permanently added '10.0.0.10' (ECDSA) to the list of known hosts.
root@10.0.0.10's password:

You need to enter:

# root password of 10.0.0.10
(password)

You should see:

# The certificate was transferred
elastic-stack-ca.p12                                                                                        100% 2672     3.3MB/s   00:00 
[root@es02 elasticsearch]#

5.6.3 Copy the ES inter-node certificate

You need to enter:

$ scp 10.0.0.10:/etc/elasticsearch/elastic-certificates.p12 /etc/elasticsearch

You should see:

# You are asked for the root password of host 10.0.0.10
Warning: Permanently added '10.0.0.10' (ECDSA) to the list of known hosts.
root@10.0.0.10's password:

You need to enter:

# root password of 10.0.0.10
(password)

You should see:

# The certificate was transferred
elastic-certificates.p12                                                                                        100% 2672     3.3MB/s   00:00 
[root@es02 elasticsearch]#
5.6.4 添加安全通行相关配置

你需要输入:

$ cat << EOF >> /etc/elasticsearch/elasticsearch.yml
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.client_authentication: required
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12
EOF

You should see:

# No output; back at the command line
[root@es02 elasticsearch]# 

You need to type:

# Search the file to confirm the settings were added correctly. The settings are:
# the overall security switch
# the transport-protocol SSL switch
# how transport SSL certificates are validated
# transport SSL mutual (client) authentication
# path to the transport SSL keystore
# path to the transport SSL truststore
$ grep \
--regexp='xpack.security.enabled' \
--regexp='xpack.security.transport.ssl.enabled' \
--regexp='xpack.security.transport.ssl.verification_mode' \
--regexp='xpack.security.transport.ssl.client_authentication' \
--regexp='xpack.security.transport.ssl.keystore.path' \
--regexp='xpack.security.transport.ssl.truststore.path' \
/etc/elasticsearch/elasticsearch.yml

You should see:

# Matches the settings entered
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.client_authentication: required
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12
[root@es02 elasticsearch]#

5.6.5 Store the transport.ssl.keystore password securely

You need to type:

# Use the bundled tool to store the password in the Elasticsearch keystore
$ ./bin/elasticsearch-keystore add xpack.security.transport.ssl.keystore.secure_password

You should see:

# This is the password that protects elastic-certificates.p12
Enter value for xpack.security.transport.ssl.keystore.secure_password:

You need to type:

(password)

You should see:

# The tool finishes; back at the command line
[root@es02 elasticsearch]#

5.6.6 Store the transport.ssl.truststore password securely

You need to type:

# Use the bundled tool to store the password in the Elasticsearch keystore
$ ./bin/elasticsearch-keystore add xpack.security.transport.ssl.truststore.secure_password

You should see:

# This is the password that protects elastic-certificates.p12
Enter value for xpack.security.transport.ssl.truststore.secure_password:

You need to type:

(password)

You should see:

# The tool finishes; back at the command line
[root@es02 elasticsearch]#

5.7 Configure HTTPS

5.7.1 Generate the SSL certificate

You need to type:

# Generate a self-signed SSL certificate with the bundled tool
$ ./bin/elasticsearch-certutil http

You should see:

# Asks whether to generate a CSR
## Elasticsearch HTTP Certificate Utility

The 'http' command guides you through the process of generating certificates
for use on the HTTP (Rest) interface for Elasticsearch.
...
...
If you choose not to generate a CSR, this tool will generate a new certificate
for you. That certificate will be signed by a CA under your control. This is a
quick and easy way to secure your cluster with TLS, but you will need to
configure all your clients to trust that custom CA.

Generate a CSR? [y/N]

You need to type:

# Type N: no CSR is needed
N

You should see:

# Asks whether to use an existing CA certificate
## Do you have an existing Certificate Authority (CA) key-pair that you wish to use to sign your certificate?

If you have an existing CA certificate and key, then you can use that CA to
sign your new http certificate. This allows you to use the same CA across
multiple Elasticsearch clusters which can make it easier to configure clients,
and may be easier for you to manage.

If you do not have an existing CA, one will be generated for you.

Use an existing CA? [y/N]

You need to type:

# Type y: use the existing CA
y

You should see:

# Asks for the path to the CA certificate
## What is the path to your CA?

Please enter the full pathname to the Certificate Authority that you wish to
use for signing your new http certificate. This can be in PKCS#12 (.p12), JKS
(.jks) or PEM (.crt, .key, .pem) format.
CA Path:

You need to type:

/usr/share/elasticsearch/elastic-stack-ca.p12

You should see:

# Asks for the password protecting the CA certificate
Reading a PKCS12 keystore requires a password.
It is possible for the keystore's password to be blank,
in which case you can simply press <ENTER> at the prompt
Password for elastic-stack-ca.p12:

You need to type:

# CA password
(password)

You should see:

# Asks how long the certificate should be valid
## How long should your certificates be valid?

...
...

You may enter the validity period in years (e.g. 3Y), months (e.g. 18M), or days (e.g. 90D)

For how long should your certificate be valid? [5y] 

You need to type:

# Accept the default
(Enter)

You should see:

# Asks whether to generate one certificate per cluster node
## Do you wish to generate one certificate per node?

...
...

However, if you do not have a common domain name, and you expect to add
additional nodes to your cluster in the future, then you should generate a
certificate per node so that you can more easily generate new certificates when
you provision new nodes.

Generate a certificate per node? [y/N]

You need to type:

# Type N: generate a certificate for the current node only
N

You should see:

# Prompts for the hostnames
## What is the name of node #1?

## Which hostnames will be used to connect to your nodes?

These hostnames will be added as "DNS" names in the "Subject Alternative Name"
(SAN) field in your certificate.

You should list every hostname and variant that people will use to connect to
your cluster over http.
Do not list IP addresses here, you will be asked to enter them later.

If you wish to use a wildcard certificate (for example *.es.example.com) you
can enter that here.

Enter all the hostnames that you need, one per line.
When you are done, press <ENTER> once more to move on to the next step.

You need to type:

# Several may be entered, one per line
es02
(Enter)

You should see:

# Asks for confirmation
You entered the following hostnames.

 - es02

Is this correct [Y/n]

You need to type:

# Type y if correct, n to change the entries
y

You should see:

# Prompts for the node's IP addresses
## Which IP addresses will be used to connect to es00?

If your clients will ever connect to your nodes by numeric IP address, then you
can list these as valid IP "Subject Alternative Name" (SAN) fields in your
certificate.

If you do not have fixed IP addresses, or not wish to support direct IP access
to your cluster then you can just press <ENTER> to skip this step.

Enter all the IP addresses that you need, one per line.
When you are done, press <ENTER> once more to move on to the next step.

You need to type:

# Enter the host's static IP address
10.0.0.12
(Enter)

You should see:

# Asks for confirmation
You entered the following IP addresses.

 - 10.0.0.12

Is this correct [Y/n]

You need to type:

# Type y if correct, n to change the entries
y

You should see:

# Asks whether any of the remaining options should be changed
## Other certificate options

The generated certificate will have the following additional configuration
values. These values have been selected based on a combination of the
information you have provided above and secure defaults. You should not need to
change these values unless you have specific requirements.

Key Name: es02
Subject DN: CN=es02
Key Size: 2048

Do you wish to change any of these options? [y/N]

You need to type:

# Confirm with N
N

You should see:

# Asks for a password for the SSL certificate's private key
## What password do you want for your private key(s)?

Your private key(s) will be stored in a PKCS#12 keystore file named "http.p12".
This type of keystore is always password protected, but it is possible to use a
blank password.

If you wish to use a blank password, simply press <enter> at the prompt below.
Provide a password for the "http.p12" file:  [<ENTER> for none]

You need to type:

(password)

You should see:

# Confirm the password
Repeat password to confirm:

You need to type:

(password)

You should see:

# Asks where to write the generated zip archive
## Where should we save the generated files?

A number of files will be generated including your private key(s),
public certificate(s), and sample configuration options for Elastic Stack products.

These files will be included in a single zip archive.

What filename should be used for the output zip file? [/usr/share/elasticsearch/elasticsearch-ssl-http.zip]

You need to type:

# Accept the default
(Enter)

You should see:

# The tool finishes; back at the command line
Zip file written to /usr/share/elasticsearch/elasticsearch-ssl-http.zip
[root@es02 elasticsearch]# 

5.7.2 Unpack the certificate

You need to type:

# Install unzip
$ dnf -y install unzip

You should see:

# Installation completes; back at the command line
Last metadata expiration check: 15:52:07 ago on Sat 25 Sep 2021 05:54:41 PM CST.
Dependencies resolved.
...
...
Installed:
  unzip-6.0-45.el8_4.x86_64                                        

Complete!
[root@es02 elasticsearch]# 

You need to type:

# Unpack the certificate bundle into the current directory (/usr/share/elasticsearch)
$ unzip /usr/share/elasticsearch/elasticsearch-ssl-http.zip

You should see:

# This produces the Elasticsearch certificate and the PEM CA certificate that Kibana will use
Archive:  elasticsearch-ssl-http.zip
   creating: elasticsearch/
  inflating: elasticsearch/README.txt  
  inflating: elasticsearch/http.p12  
  inflating: elasticsearch/sample-elasticsearch.yml  
   creating: kibana/
  inflating: kibana/README.txt       
  inflating: kibana/elasticsearch-ca.pem  
  inflating: kibana/sample-kibana.yml  
[root@es02 elasticsearch]#

You need to type:

$ cp elasticsearch/http.p12 /etc/elasticsearch

You should see:

# No output
[root@es02 elasticsearch]# 

5.7.3 Add the settings

You need to type:

# Add the HTTPS settings
$ cat << EOF >>  /etc/elasticsearch/elasticsearch.yml
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: http.p12
EOF

You should see:

# No output
[root@es02 elasticsearch]# 

You need to type:

# Search the file to confirm the settings were added correctly. The settings are:
# the HTTP-protocol SSL switch
# the location of the HTTP SSL certificate
$ grep \
--regexp='xpack.security.http.ssl.enabled' \
--regexp='xpack.security.http.ssl.keystore.path' \
/etc/elasticsearch/elasticsearch.yml

You should see:

# Output matches what was entered
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: http.p12
[root@es02 elasticsearch]#

5.7.4 Store the xpack.security.http.ssl.keystore password securely

You need to type:

# Use the bundled tool to store the password in the Elasticsearch keystore
$ ./bin/elasticsearch-keystore add xpack.security.http.ssl.keystore.secure_password

You should see:

# The password protecting http.p12
Enter value for xpack.security.http.ssl.keystore.secure_password:

You need to type:

(password)

You should see:

# No output
[root@es02 elasticsearch]# 

5.7.5 Restrict certificate permissions

You need to type:

# Remove read permission for users other than the owner and group
$ chmod o-r /etc/elasticsearch/http.p12

You should see:

# No output
[root@es02 elasticsearch]# 

You need to type:

# Check the certificate's permissions
$ ll /etc/elasticsearch/http.p12

You should see:

# Permissions are correct: owner read/write, group read only, no access for others
-rw-r-----. 1 root elasticsearch 3596 Sep 24 16:04 /etc/elasticsearch/http.p12
[root@es02 elasticsearch]# 

5.8 Start the service

You need to type:

# Start and manage Elasticsearch through systemctl
$ systemctl start elasticsearch.service

You should see:

# No output
[root@es02 elasticsearch]# 

You need to type:

# Check the Elasticsearch service status
$ systemctl status elasticsearch.service

You should see:

# "Active: active (running)" in the output means the service started successfully
● elasticsearch.service - Elasticsearch
   Loaded: loaded (/usr/lib/systemd/system/elasticsearch.service; disabled; ven>
   Active: active (running) since Sun 2021-09-26 10:13:20 CST; 51s ago
     Docs: https://www.elastic.co
 Main PID: 2155 (java)
    Tasks: 51 (limit: 49460)
   Memory: 4.2G
   CGroup: /system.slice/elasticsearch.service
           ├─2155 /usr/share/elasticsearch/jdk/bin/java -Xshare:auto -Des.netwo>
           └─2359 /usr/share/elasticsearch/modules/x-pack-ml/platform/linux-x86>

Sep 26 10:12:39 es01.observability.devops.lab.ecnl systemd[1]: Starting Elastic>
Sep 26 10:13:20 es01.observability.devops.lab.ecnl systemd[1]: Started Elastics>

5.9 Initialize passwords

You need to type:

# Set the built-in user passwords with the bundled tool; auto generates random passwords
$ ./bin/elasticsearch-setup-passwords auto

You should see:

# Asks whether to continue
Initiating the setup of passwords for reserved users elastic,apm_system,kibana,kibana_system,logstash_system,beats_system,remote_monitoring_user.
The passwords will be randomly generated and printed to the console.
Please confirm that you would like to continue [y/N]

You need to type:

# Type y to continue
y

You should see:

# The automatically generated passwords
Changed password for user apm_system
PASSWORD apm_system = Aj16HcMJcCpQkKnU9QHG

Changed password for user kibana_system
PASSWORD kibana_system = tUtPD2P9Zuz2jvRnPbrD

Changed password for user kibana
PASSWORD kibana = tUtPD2P9Zuz2jvRnPbrD

Changed password for user logstash_system
PASSWORD logstash_system = nydJAfdLw2YgySmc3IuW

Changed password for user beats_system
PASSWORD beats_system = r4ki42b4hT8lIXefPbOj

Changed password for user remote_monitoring_user
PASSWORD remote_monitoring_user = PCSlDryM7FTNm9Mlmobo

Changed password for user elastic
PASSWORD elastic = WNZwnUKkMRWTYdq2sJ52

These passwords must be kept safe by the administrator.

6. Disable cluster.initial_master_nodes

6.1 On es00

You need to type:

# Comment out cluster.initial_master_nodes
$ sed -i 's/cluster.initial_master_nodes: \["es00", "es01", "es02"\]/\# cluster.initial_master_nodes: \["es00", "es01", "es02"\]/'  /etc/elasticsearch/elasticsearch.yml 

You should see:

# No output; back at the command line
[root@es00 elasticsearch]#

To verify, you need to type:

# Filter the configuration file for the setting
$ grep cluster.initial_master_nodes /etc/elasticsearch/elasticsearch.yml

You should see:

# The setting is now commented out
# cluster.initial_master_nodes: ["es00", "es01", "es02"]

6.2 On es01

You need to type:

# Comment out cluster.initial_master_nodes
$ sed -i 's/cluster.initial_master_nodes: \["es00", "es01", "es02"\]/\# cluster.initial_master_nodes: \["es00", "es01", "es02"\]/'  /etc/elasticsearch/elasticsearch.yml 

You should see:

# No output; back at the command line
[root@es01 elasticsearch]#

To verify, you need to type:

# Filter the configuration file for the setting
$ grep cluster.initial_master_nodes /etc/elasticsearch/elasticsearch.yml

You should see:

# The setting is now commented out
# cluster.initial_master_nodes: ["es00", "es01", "es02"]
[root@es01 elasticsearch]#

6.3 On es02

You need to type:

# Comment out cluster.initial_master_nodes
$ sed -i 's/cluster.initial_master_nodes: \["es00", "es01", "es02"\]/\# cluster.initial_master_nodes: \["es00", "es01", "es02"\]/'  /etc/elasticsearch/elasticsearch.yml 

You should see:

# No output; back at the command line
[root@es02 elasticsearch]#

To verify, you need to type:

# Filter the configuration file for the setting
$ grep cluster.initial_master_nodes /etc/elasticsearch/elasticsearch.yml

You should see:

# The setting is now commented out
# cluster.initial_master_nodes: ["es00", "es01", "es02"]
[root@es02 elasticsearch]#

7. Access verification

Open https://10.0.0.10:9200 in a browser, or type:

# Check cluster health as the elastic user (--insecure skips certificate verification because curl does not yet trust the cluster's CA)
$  curl https://10.0.0.10:9200/_cluster/health?pretty --user elastic --insecure

You should see:

# Prompts for the elastic password
Enter host password for user 'elastic':

You need to type:

# The random password generated for the elastic user in step 5.9
(password)

You should see:

# Cluster information is printed; back at the command line
{
  "cluster_name" : "ergo-test",
  "status" : "green",
  "timed_out" : false,
  "number_of_nodes" : 3,
  "number_of_data_nodes" : 3,
  "active_primary_shards" : 2,
  "active_shards" : 4,
  "relocating_shards" : 0,
  "initializing_shards" : 0,
  "unassigned_shards" : 0,
  "delayed_unassigned_shards" : 0,
  "number_of_pending_tasks" : 0,
  "number_of_in_flight_fetch" : 0,
  "task_max_waiting_in_queue_millis" : 0,
  "active_shards_percent_as_number" : 100.0
}
[root@es02 elasticsearch]#

The Elasticsearch cluster deployment is now complete.

Kibana deployment and configuration

8. On es00

Generate the Kibana SSL certificates.

You need to type:

# Generate the kb00 node's SSL certificate request (CSR and private key)
$ ./bin/elasticsearch-certutil csr --name kibana-server -dns 10.0.0.15

You should see:

# Prompts for the output filename
This tool assists you in the generation of X.509 certificates and certificate
signing requests for use with SSL/TLS in the Elastic stack.
...
...
signing requests and private keys for each instance.
    * Each certificate signing request is provided as a standard PEM encoding of a PKCS#10 CSR.
    * Each key is provided as a PEM encoding of an RSA private key

Please enter the desired output file [csr-bundle.zip]

You need to type:

# Use the node hostname as the filename
kb00.zip

You should see:

# The tool finishes; back at the command line
Certificate signing requests have been written to /usr/share/elasticsearch/kb00.zip

This file should be properly secured as it contains the private keys for all
instances.

After unzipping the file, there will be a directory for each instance containing
the certificate signing request and the private key. Provide the certificate
signing requests to your certificate authority. Once you have received the
signed certificate, copy the signed certificate, key, and CA certificate to the
configuration directory of the Elastic product that they will be used for and
follow the SSL configuration instructions in the product guide.
[root@es00 elasticsearch]#

You need to type:

# Unpack the file
$ unzip kb00.zip

You should see:

# Unpacking creates a kibana-server directory; back at the command line
Archive:  kb00.zip
   creating: kibana-server/
  inflating: kibana-server/kibana-server.csr  
  inflating: kibana-server/kibana-server.key  
[root@es00 elasticsearch]#

You need to type:

# Rename the directory so that unpacking the second node's bundle does not overwrite node 1's files
$ mv kibana-server/ kibana-server1/

You should see:

# No output; back at the command line
[root@es00 elasticsearch]#

You need to type:

# Generate the .crt: self-sign the CSR with the Kibana key, valid 90 days (the CA .p12 plays no part in this command)
$ openssl x509 -req -in kibana-server1/kibana-server.csr -signkey kibana-server1/kibana-server.key -out kibana-server1/kibana.crt -days 90

You should see:

Signature ok
subject=CN = kibana-server
Getting Private key
[root@es00 elasticsearch]#

Generate the kb01 node's certificate. You need to type:

$ ./bin/elasticsearch-certutil csr --name kibana-server -dns 10.0.0.16

You should see:

# Prompts for the output filename
This tool assists you in the generation of X.509 certificates and certificate
signing requests for use with SSL/TLS in the Elastic stack.
...
...
signing requests and private keys for each instance.
    * Each certificate signing request is provided as a standard PEM encoding of a PKCS#10 CSR.
    * Each key is provided as a PEM encoding of an RSA private key

Please enter the desired output file [csr-bundle.zip]

You need to type:

# Use the node hostname as the filename
kb01.zip

You should see:

# The tool finishes; back at the command line
Certificate signing requests have been written to /usr/share/elasticsearch/kb01.zip

This file should be properly secured as it contains the private keys for all
instances.

After unzipping the file, there will be a directory for each instance containing
the certificate signing request and the private key. Provide the certificate
signing requests to your certificate authority. Once you have received the
signed certificate, copy the signed certificate, key, and CA certificate to the
configuration directory of the Elastic product that they will be used for and
follow the SSL configuration instructions in the product guide.
[root@es00 elasticsearch]#

You need to type:

# Unpack the file
$ unzip kb01.zip

You should see:

# Unpacking creates a kibana-server directory; back at the command line
Archive:  kb01.zip
   creating: kibana-server/
  inflating: kibana-server/kibana-server.csr  
  inflating: kibana-server/kibana-server.key  
[root@es00 elasticsearch]#

You need to type:

# Rename the directory so the two nodes' files are kept apart and easy to manage
$ mv kibana-server/ kibana-server2/

You should see:

# No output; back at the command line
[root@es00 elasticsearch]#

You need to type:

# Generate the .crt: self-sign the CSR with the Kibana key, valid 90 days (the CA .p12 plays no part in this command)
$ openssl x509 -req -in kibana-server2/kibana-server.csr -signkey kibana-server2/kibana-server.key -out kibana-server2/kibana.crt -days 90

You should see:

Signature ok
subject=CN = kibana-server
Getting Private key
[root@es00 elasticsearch]#
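The `openssl x509 -req -signkey` steps above sign each Kibana certificate with the Kibana key itself, so elastic-stack-ca.p12 never signs anything and clients that trust that CA will not trust the Kibana certificate. The script below is an added example, not part of the original tutorial: it extracts the CA certificate and key from the PKCS#12 bundle and signs the Kibana CSR with them, setting the SAN explicitly. The function names, the CA password and the `demo` data are assumptions made for this example; `demo` builds a throwaway CA and CSR rather than using the cluster's real CA.

```shell
#!/bin/sh
# Added example, not from the original tutorial: sign the Kibana CSR with the
# elastic-stack CA taken from the .p12 bundle, instead of self-signing it.
# Function and file names are chosen for this example; requires openssl.
set -eu

# sign_kibana_csr CA_P12 CA_PASSWORD CSR OUT_CRT SAN DAYS
# SAN is an openssl subjectAltName value, e.g. "IP:10.0.0.15,DNS:kb00".
sign_kibana_csr() {
    ca_p12=$1; ca_pass=$2; csr=$3; out_crt=$4; san=$5; days=$6
    work=$(mktemp -d)
    # Extract the CA certificate and the (unencrypted) CA key into a private temp dir.
    # With OpenSSL 3, add -legacy to these two commands if the .p12 uses legacy ciphers.
    openssl pkcs12 -in "$ca_p12" -passin "pass:$ca_pass" -nokeys -out "$work/ca.crt"
    openssl pkcs12 -in "$ca_p12" -passin "pass:$ca_pass" -nocerts -nodes -out "$work/ca.key"
    # Leaf-certificate extensions: not a CA, server authentication, explicit SAN
    # (openssl x509 -req does not copy the SAN from the CSR by default).
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=%s\n' "$san" > "$work/ext.cnf"
    openssl x509 -req -in "$csr" -CA "$work/ca.crt" -CAkey "$work/ca.key" -CAcreateserial \
        -days "$days" -extfile "$work/ext.cnf" -out "$out_crt" 2>/dev/null
    rm -rf "$work"
}

# verify_against_ca CA_P12 CA_PASSWORD CRT: succeeds only if CRT chains to the CA in the .p12.
verify_against_ca() {
    work=$(mktemp -d)
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -out "$work/ca.crt"
    if openssl verify -CAfile "$work/ca.crt" "$3" >/dev/null 2>&1; then rc=0; else rc=1; fi
    rm -rf "$work"
    return $rc
}

# print_san CRT: print the subjectAltName entries, e.g. "IP Address:10.0.0.15, DNS:kb00".
print_san() {
    openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
}

# demo: build a throwaway CA and Kibana CSR (constructed test data, not the
# cluster's real CA), sign the CSR, check the chain and print the SAN.
demo() {
    d=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/ca.key" -out "$d/ca.crt" \
        -subj /CN=demo-ca -days 2 >/dev/null 2>&1
    openssl pkcs12 -export -in "$d/ca.crt" -inkey "$d/ca.key" -out "$d/elastic-stack-ca.p12" \
        -passout pass:demo-password >/dev/null 2>&1
    openssl req -new -newkey rsa:2048 -nodes -keyout "$d/kibana-server.key" \
        -out "$d/kibana-server.csr" -subj /CN=kibana-server >/dev/null 2>&1
    sign_kibana_csr "$d/elastic-stack-ca.p12" demo-password "$d/kibana-server.csr" \
        "$d/kibana.crt" "IP:10.0.0.15,DNS:kb00" 90
    verify_against_ca "$d/elastic-stack-ca.p12" demo-password "$d/kibana.crt"
    print_san "$d/kibana.crt"
    rm -rf "$d"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run with `sh sign-kibana.sh demo` to exercise the throwaway CA; against the real cluster, call `sign_kibana_csr` with elastic-stack-ca.p12, its password and the CSR from `elasticsearch-certutil csr`.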

9. On kb00

Environment-specific settings:

Setting                 Current value                                                                     Description
server.port             5601                                                                              Listening port
server.host             "10.0.0.15"                                                                       Listening address
server.publicBaseUrl    "https://10.0.0.15:5601"                                                          Final Kibana access URL
elasticsearch.hosts     ["https://10.0.0.10:9200", "https://10.0.0.11:9200", "https://10.0.0.12:9200"]    Elasticsearch addresses
kibana.index            ".kibana"                                                                         Index created by Kibana
elasticsearch.username  "kibana_system"                                                                   Username Kibana uses to connect to Elasticsearch
elasticsearch.password  tUtPD2P9Zuz2jvRnPbrD                                                              Password Kibana uses to connect to Elasticsearch

9.1 Log in to node kb00

You need to type:

# Log in over ssh (default port 22)
$ ssh root@10.0.0.15

You should see:

# Prompts for the root password
root@10.0.0.15's password:

You need to type:

# root user's ssh password
(password)

You should see:

# The last-login time and source address will differ
Last login: Fri Sep 24 10:55:01 2021 from 10.0.0.9
[root@kb00 ~]# 

9.2 Install the public key

You need to type:

# Import the vendor's GPG key
$ rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch

You should see:

# No output; back at the command line
[root@kb00 ~]# 

9.3 Create the yum repository

You need to type:

# Add the vendor's yum repository
$ cat << EOF >> /etc/yum.repos.d/elasticsearch.repo
[elasticsearch]
name=Elasticsearch repository for 7.x packages
baseurl=https://artifacts.elastic.co/packages/7.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=0
autorefresh=1
type=rpm-md
EOF

You should see:

# No output; back at the command line
[root@kb00 ~]# 

9.4 Install Kibana

You need to type:

# Install kibana 7.14.0 with dnf
$ dnf install -y --enablerepo=elasticsearch kibana-7.14.0

You should see:

# Kibana is installed; back at the command line
CentOS Linux 8 - AppStream                                                                                    7.5 kB/s | 4.3 kB     00:00    
CentOS Linux 8 - BaseOS                                                                                       6.9 kB/s | 3.9 kB     00:00    
CentOS Linux 8 - Extras                                                                                       5.1 kB/s | 3.0 kB     00:00    
Elasticsearch repository for 7.x packages                                                                     7.8 MB/s |  32 MB     00:04    
...
...
Created Kibana keystore in /etc/kibana/kibana.keystore

  Verifying        : kibana-7.14.0-1.x86_64                                                                                               1/1 

Installed:
  kibana-7.14.0-1.x86_64                                                                                                                      

Complete!
[root@kb00 ~]# 

9.5 Configure Kibana

You need to type:

# Add the settings with sed, including:
# listening port
# listening host
# public access URL
# Elasticsearch addresses
# the default index Kibana creates
# username for connecting to Elasticsearch
# password for connecting to Elasticsearch; must match the kibana_system password generated in step 5.9
# enable SSL
# SSL certificate and key
# CA for verifying the Elasticsearch certificate
# Chinese user interface
sed -i \
--expression='s/#server.port: 5601/server.port: 5601/' \
--expression='s/#server.host: "localhost"/server.host: "10.0.0.15"/' \
--expression='s/#server.publicBaseUrl: ""/server.publicBaseUrl: "https:\/\/10.0.0.15:5601"/' \
--expression='s/#elasticsearch.hosts: \["http:\/\/localhost:9200"\]/elasticsearch.hosts: \["https:\/\/10.0.0.10:9200", "https:\/\/10.0.0.11:9200", "https:\/\/10.0.0.12:9200"\]/' \
--expression='s/#kibana.index: ".kibana"/kibana.index: ".kibana"/' \
--expression='s/#elasticsearch.username: "kibana_system"/elasticsearch.username: "kibana_system"/' \
--expression='s/#elasticsearch.password: "pass"/elasticsearch.password: "tUtPD2P9Zuz2jvRnPbrD"/' \
--expression='s/#server.ssl.enabled: false/server.ssl.enabled: true/' \
--expression='s/#server.ssl.certificate: \/path\/to\/your\/server.crt/server.ssl.certificate: \/etc\/kibana\/kibana.crt/' \
--expression='s/#server.ssl.key: \/path\/to\/your\/server.key/server.ssl.key: \/etc\/kibana\/kibana-server.key/' \
--expression='s/#elasticsearch.ssl.certificateAuthorities: \[ "\/path\/to\/your\/CA.pem" \]/elasticsearch.ssl.certificateAuthorities: \["\/etc\/kibana\/elasticsearch-ca.pem"\]/' \
--expression='s/#i18n.locale: "en"/i18n.locale: "zh-CN"/' \
/etc/kibana/kibana.yml

You should see:

# No output; back at the command line
[root@kb00 ~]# 

To verify the configuration, you need to type:

# Filter the configuration file with regular expressions
grep \
--regexp='server.port' \
--regexp='server.host' \
--regexp='server.publicBaseUrl' \
--regexp='elasticsearch.hosts' \
--regexp='kibana.index' \
--regexp='elasticsearch.username' \
--regexp='elasticsearch.password' \
--regexp='server.ssl.enabled' \
--regexp='server.ssl.certificate' \
--regexp='elasticsearch.ssl.certificateAuthorities' \
--regexp='i18n.locale' \
/etc/kibana/kibana.yml

You should see:

# Matches the settings entered
server.port: 5601
server.host: "10.0.0.15"
server.publicBaseUrl: "https://10.0.0.15:5601"
elasticsearch.hosts: ["https://10.0.0.10:9200", "https://10.0.0.11:9200", "https://10.0.0.12:9200"]
kibana.index: ".kibana"
elasticsearch.username: "kibana_system"
elasticsearch.password: "tUtPD2P9Zuz2jvRnPbrD"
server.ssl.enabled: true
server.ssl.certificate: /etc/kibana/kibana.crt
elasticsearch.ssl.certificateAuthorities: ["/etc/kibana/elasticsearch-ca.pem"]
i18n.locale: "zh-CN"
[root@kb00 ~]# 

Copy the certificates from es00. You need to type:

# Fetch the generated certificate files from the es00 node
$ scp 10.0.0.10:/usr/share/elasticsearch/kibana-server1/* /etc/kibana/

You should see:

# Prompts for the password
root@10.0.0.10's password:

You need to type:

# root password of node 10.0.0.10
(password)

You should see:

# The certificate files were transferred
kibana.crt                                                                                                  100% 1001     1.1MB/s   00:00    
kibana-server.csr                                                                                           100%  948     1.1MB/s   00:00    
kibana-server.key                                                                                           100% 1675     1.9MB/s   00:00    
[root@kb00 ~]# 

You need to type:

# Fetch the CA certificate used to verify the Elasticsearch connection
$ scp 10.0.0.10:/usr/share/elasticsearch/kibana/elasticsearch-ca.pem /etc/kibana/

You should see:

# Prompts for the password
root@10.0.0.10's password:

You need to type:

# root password of node 10.0.0.10
(password)

You should see:

# The CA certificate was downloaded
elasticsearch-ca.pem                                                                                        100% 1200   946.9KB/s   00:00  
[root@kb00 ~]# 

9.6 Kibana security settings

You need to type:

$ cat << EOF >> /etc/kibana/kibana.yml
csp.strict: true
xpack.security.session.lifespan: "30d"
xpack.security.session.idleTimeout: "1h"
server.securityResponseHeaders.disableEmbedding: true
xpack.security.encryptionKey: "a81jmf56as881dsfc9zxmm213mzxck10iza"
server.securityResponseHeaders.strictTransportSecurity: "max-age=31536000"
EOF

You should see:

# No output; back at the command line
[root@kb00 ~]#

You need to type:

# Confirm the settings added to kibana.yml:
# strict CSP, so browsers cannot run unsafe scripts
# maximum session lifetime
# session idle timeout
# prevent Kibana from being embedded in other pages
# session encryption key of at least 32 characters; both Kibana nodes must use the same value
# HSTS header so that access is over TLS/SSL only, with a one-year lifetime
$ grep \
--regexp='csp.strict' \
--regexp='xpack.security.session.lifespan' \
--regexp='xpack.security.session.idleTimeout' \
--regexp='server.securityResponseHeaders.disableEmbedding' \
--regexp='xpack.security.encryptionKey' \
--regexp='server.securityResponseHeaders.strictTransportSecurity' \
/etc/kibana/kibana.yml

You should see:

# Matches the settings entered
csp.strict: true
xpack.security.session.lifespan: "30d"
xpack.security.session.idleTimeout: "1h"
server.securityResponseHeaders.disableEmbedding: true
xpack.security.encryptionKey: "a81jmf56as881dsfc9zxmm213mzxck10iza"
server.securityResponseHeaders.strictTransportSecurity: "max-age=31536000"
[root@kb00 ~]#

9.7 Start Kibana

You need to type:

# Start and manage Kibana through systemctl
$ systemctl start kibana.service

You should see:

# No output; back at the command line
[root@kb00 ~]#

You need to type:

# Check the Kibana service status
$ systemctl status kibana.service

You should see:

# "Active: active (running)" in the output means the service started successfully
● kibana.service - Kibana
   Loaded: loaded (/etc/systemd/system/kibana.service; disabled; vendor preset: disabled)
   Active: active (running) since Tue 2021-09-28 14:48:19 CST; 10s ago
     Docs: https://www.elastic.co
 Main PID: 2139 (node)
    Tasks: 18 (limit: 49460)
   Memory: 472.2M
   CGroup: /system.slice/kibana.service
           ├─2139 /usr/share/kibana/bin/../node/bin/node /usr/share/kibana/bin/../src/cli/dist --logging.dest=/var/log/kibana/kibana.log --pi>
           └─2151 /usr/share/kibana/node/bin/node --preserve-symlinks-main --preserve-symlinks /usr/share/kibana/src/cli/dist --logging.dest=>

Sep 28 14:48:19 kb00.observability.devops.lab.ecnl systemd[1]: Started Kibana.
[root@kb00 ~]# 

10. On kb01

Environment-specific settings:

Setting                 Current value                                                                     Description
server.port             5601                                                                              Listening port
server.host             "10.0.0.16"                                                                       Listening address
server.publicBaseUrl    "https://10.0.0.16:5601"                                                          Final Kibana access URL
elasticsearch.hosts     ["https://10.0.0.10:9200", "https://10.0.0.11:9200", "https://10.0.0.12:9200"]    Elasticsearch addresses
kibana.index            ".kibana"                                                                         Index created by Kibana
elasticsearch.username  "kibana_system"                                                                   Username Kibana uses to connect to Elasticsearch
elasticsearch.password  tUtPD2P9Zuz2jvRnPbrD                                                              Password Kibana uses to connect to Elasticsearch

10.1 Log in to node kb01

You need to type:

# Log in over ssh (default port 22)
$ ssh root@10.0.0.16

You should see:

# Prompts for the root password
root@10.0.0.16's password:

You need to type:

# root user's ssh password
(password)

You should see:

# The last-login time and source address will differ
Last login: Fri Sep 24 10:55:01 2021 from 10.0.0.9
[root@kb01 ~]# 

10.2 Install the public key

You need to type:

# Import the vendor's GPG key
$ rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch

You should see:

# No output; back at the command line
[root@kb01 ~]# 

10.3 Create the yum repository

You need to type:

# Add the vendor's yum repository
$ cat << EOF >> /etc/yum.repos.d/elasticsearch.repo
[elasticsearch]
name=Elasticsearch repository for 7.x packages
baseurl=https://artifacts.elastic.co/packages/7.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=0
autorefresh=1
type=rpm-md
EOF

You should see:

# No output; back at the command line
[root@kb01 ~]# 

10.4 Install Kibana

You need to type:

# Install kibana 7.14.0 with dnf
$ dnf install -y --enablerepo=elasticsearch kibana-7.14.0

You should see:

# Kibana is installed; back at the command line
CentOS Linux 8 - AppStream                                                                                    7.5 kB/s | 4.3 kB     00:00    
CentOS Linux 8 - BaseOS                                                                                       6.9 kB/s | 3.9 kB     00:00    
CentOS Linux 8 - Extras                                                                                       5.1 kB/s | 3.0 kB     00:00    
Elasticsearch repository for 7.x packages                                                                     7.8 MB/s |  32 MB     00:04    
...
...
Created Kibana keystore in /etc/kibana/kibana.keystore

  Verifying        : kibana-7.14.0-1.x86_64                                                                                               1/1 

Installed:
  kibana-7.14.0-1.x86_64                                                                                                                      

Complete!
[root@kb01 ~]# 

10.5 Basic Kibana configuration

You need to type:

# Add the settings with sed, including:
# listening port
# listening host
# public access URL
# Elasticsearch addresses
# the default index Kibana creates
# username for connecting to Elasticsearch
# password for connecting to Elasticsearch; must match the kibana_system password generated in step 5.9
# enable SSL
# SSL certificate and key
# CA for verifying the Elasticsearch certificate
# Chinese user interface
sed -i \
--expression='s/#server.port: 5601/server.port: 5601/' \
--expression='s/#server.host: "localhost"/server.host: "10.0.0.16"/' \
--expression='s/#server.publicBaseUrl: ""/server.publicBaseUrl: "https:\/\/10.0.0.16:5601"/' \
--expression='s/#elasticsearch.hosts: \["http:\/\/localhost:9200"\]/elasticsearch.hosts: \["https:\/\/10.0.0.10:9200", "https:\/\/10.0.0.11:9200", "https:\/\/10.0.0.12:9200"\]/' \
--expression='s/#kibana.index: ".kibana"/kibana.index: ".kibana"/' \
--expression='s/#elasticsearch.username: "kibana_system"/elasticsearch.username: "kibana_system"/' \
--expression='s/#elasticsearch.password: "pass"/elasticsearch.password: "tUtPD2P9Zuz2jvRnPbrD"/' \
--expression='s/#server.ssl.enabled: false/server.ssl.enabled: true/' \
--expression='s/#server.ssl.certificate: \/path\/to\/your\/server.crt/server.ssl.certificate: \/etc\/kibana\/kibana.crt/' \
--expression='s/#server.ssl.key: \/path\/to\/your\/server.key/server.ssl.key: \/etc\/kibana\/kibana-server.key/' \
--expression='s/#elasticsearch.ssl.certificateAuthorities: \[ "\/path\/to\/your\/CA.pem" \]/elasticsearch.ssl.certificateAuthorities: \["\/etc\/kibana\/elasticsearch-ca.pem"\]/' \
--expression='s/#i18n.locale: "en"/i18n.locale: "zh-CN"/' \
/etc/kibana/kibana.yml

You should see:

# No output; back at the command line
[root@kb01 ~]# 

To verify the configuration, you need to type:

# Filter the configuration file with regular expressions
grep \
--regexp='server.port' \
--regexp='server.host' \
--regexp='server.publicBaseUrl' \
--regexp='elasticsearch.hosts' \
--regexp='kibana.index' \
--regexp='elasticsearch.username' \
--regexp='elasticsearch.password' \
--regexp='server.ssl.enabled' \
--regexp='server.ssl.certificate' \
--regexp='elasticsearch.ssl.certificateAuthorities' \
--regexp='i18n.locale' \
/etc/kibana/kibana.yml

You should see:

# Matches the settings entered
server.port: 5601
server.host: "10.0.0.16"
server.publicBaseUrl: "https://10.0.0.16:5601"
elasticsearch.hosts: ["https://10.0.0.10:9200", "https://10.0.0.11:9200", "https://10.0.0.12:9200"]
kibana.index: ".kibana"
elasticsearch.username: "kibana_system"
elasticsearch.password: "tUtPD2P9Zuz2jvRnPbrD"
server.ssl.enabled: true
server.ssl.certificate: /etc/kibana/kibana.crt
elasticsearch.ssl.certificateAuthorities: ["/etc/kibana/elasticsearch-ca.pem"]
i18n.locale: "zh-CN"
[root@kb01 ~]# 

Copy the certificates from es00. You need to type:

# Fetch the generated certificate files from the es00 node
$ scp 10.0.0.10:/usr/share/elasticsearch/kibana-server2/* /etc/kibana/

You should see:

# Prompts for the password
root@10.0.0.10's password:

You need to type:

# root password of node 10.0.0.10
(password)

You should see:

# The certificate files were transferred
kibana.crt                                                                                                  100% 1001     1.1MB/s   00:00    
kibana-server.csr                                                                                           100%  948     1.1MB/s   00:00    
kibana-server.key                                                                                           100% 1675     1.9MB/s   00:00    
[root@kb01 ~]# 

You need to type:

# Fetch the CA certificate used to verify the Elasticsearch connection
$ scp 10.0.0.10:/usr/share/elasticsearch/kibana/elasticsearch-ca.pem /etc/kibana/

You should see:

# Prompts for the password
root@10.0.0.10's password:

You need to type:

# root password of node 10.0.0.10
(password)

You should see:

# The CA certificate was downloaded
elasticsearch-ca.pem                                                                                        100% 1200   946.9KB/s   00:00  
[root@kb01 ~]# 

10.6 Kibana security settings

You need to type:

$ cat << EOF >> /etc/kibana/kibana.yml
csp.strict: true
xpack.security.session.lifespan: "30d"
xpack.security.session.idleTimeout: "1h"
server.securityResponseHeaders.disableEmbedding: true
xpack.security.encryptionKey: "a81jmf56as881dsfc9zxmm213mzxck10iza"
server.securityResponseHeaders.strictTransportSecurity: "max-age=31536000"
EOF

You should see:

# No output; back at the command line
[root@kb01 ~]#

You need to type:

# Confirm the settings added to kibana.yml:
# strict CSP, so browsers cannot run unsafe scripts
# maximum session lifetime
# session idle timeout
# prevent Kibana from being embedded in other pages
# session encryption key of at least 32 characters; both Kibana nodes must use the same value
# HSTS header so that access is over TLS/SSL only, with a one-year lifetime
$ grep \
--regexp='csp.strict' \
--regexp='xpack.security.session.lifespan' \
--regexp='xpack.security.session.idleTimeout' \
--regexp='server.securityResponseHeaders.disableEmbedding' \
--regexp='xpack.security.encryptionKey' \
--regexp='server.securityResponseHeaders.strictTransportSecurity' \
/etc/kibana/kibana.yml

You should see:

# Matches the settings entered above
csp.strict: true
xpack.security.session.lifespan: "30d"
xpack.security.session.idleTimeout: "1h"
server.securityResponseHeaders.disableEmbedding: true
xpack.security.encryptionKey: "a81jmf56as881dsfc9zxmm213mzxck10iza"
server.securityResponseHeaders.strictTransportSecurity: "max-age=31536000"
[root@kb01 ~]#
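The grep above only shows that the lines were appended; it does not tell you whether the values are sane, and it is easy to end up with a key shorter than 32 characters, or with different keys on kb01 and kb02 after a copy-paste. The script below is an added example, not part of the original tutorial: it reads a flat kibana.yml, checks the six settings from this section, rejects the sample key shown on this page, compares the key between two nodes' files, and prints a fresh random key. It assumes one "key: value" pair per line, as written by the heredoc above, and /dev/urandom for key generation.

```shell
#!/bin/sh
# Added example: lint the Kibana security settings from this section.

# Print the value of key $2 from the flat YAML file $1, surrounding quotes stripped.
yml_get() {
    k=$(printf '%s' "$2" | sed 's/\./\\./g')   # escape dots for the regex
    sed -n "/^$k:/{s/^$k:[[:space:]]*//;s/^\"\(.*\)\"\$/\1/;p;q;}" "$1"
}

# Return 0 when FILE carries all hardened settings; one violation per line on stderr.
lint_kibana_security() {
    f="$1"; ok=0
    [ "$(yml_get "$f" csp.strict)" = "true" ] \
        || { echo "csp.strict is not true" >&2; ok=1; }
    [ "$(yml_get "$f" server.securityResponseHeaders.disableEmbedding)" = "true" ] \
        || { echo "disableEmbedding is not true" >&2; ok=1; }
    [ -n "$(yml_get "$f" xpack.security.session.lifespan)" ] \
        || { echo "session.lifespan not set" >&2; ok=1; }
    [ -n "$(yml_get "$f" xpack.security.session.idleTimeout)" ] \
        || { echo "session.idleTimeout not set" >&2; ok=1; }
    case "$(yml_get "$f" server.securityResponseHeaders.strictTransportSecurity)" in
        max-age=*) ;;
        *) echo "strictTransportSecurity has no max-age" >&2; ok=1 ;;
    esac
    key=$(yml_get "$f" xpack.security.encryptionKey)
    [ "${#key}" -ge 32 ] \
        || { echo "encryptionKey shorter than 32 characters" >&2; ok=1; }
    # The value printed in this tutorial is public; it must never reach a real deployment.
    [ "$key" != "a81jmf56as881dsfc9zxmm213mzxck10iza" ] \
        || { echo "encryptionKey is the tutorial's sample value" >&2; ok=1; }
    return "$ok"
}

# Both Kibana nodes must share the key, or a session issued by one node is
# unreadable by the other. Return 0 if FILE1 and FILE2 carry the same non-empty key.
same_encryption_key() {
    a=$(yml_get "$1" xpack.security.encryptionKey)
    b=$(yml_get "$2" xpack.security.encryptionKey)
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Print a 64-character hex key (32 random bytes) for xpack.security.encryptionKey.
new_encryption_key() {
    head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n'
}
```

Typical use: run `lint_kibana_security /etc/kibana/kibana.yml` on each node, and `same_encryption_key` on copies of both files fetched to one host; if the key needs replacing, `new_encryption_key` gives a value you can paste into both kibana.yml files before restarting Kibana.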

10.7 Start Kibana

You need to enter:

# Start and manage Kibana through systemctl
$ systemctl start kibana.service

You should see:

# No output; returns to the prompt
[root@kb01 ~]#

You need to enter:

# Check the Kibana service status
$ systemctl status kibana.service

You should see:

# "Active: active (running)" means the start succeeded. The Loaded line shows the unit is still disabled,
# so Kibana will not come back automatically after a reboot unless the unit is also enabled.
● kibana.service - Kibana
   Loaded: loaded (/etc/systemd/system/kibana.service; disabled; vendor preset: disabled)
   Active: active (running) since Tue 2021-09-28 14:48:19 CST; 10s ago
     Docs: https://www.elastic.co
 Main PID: 2139 (node)
    Tasks: 18 (limit: 49460)
   Memory: 472.2M
   CGroup: /system.slice/kibana.service
           ├─2139 /usr/share/kibana/bin/../node/bin/node /usr/share/kibana/bin/../src/cli/dist --logging.dest=/var/log/kibana/kibana.log --pi>
           └─2151 /usr/share/kibana/node/bin/node --preserve-symlinks-main --preserve-symlinks /usr/share/kibana/src/cli/dist --logging.dest=>

Sep 28 14:48:19 kb01.observability.devops.lab.ecnl systemd[1]: Started Kibana.
[root@kb01 ~]# 

11. Clean up certificates

11.1 On es00

You need to enter:

# Delete the generated certificate bundles, working directories and keystores; the CA keystore elastic-stack-ca.p12 is kept
$ rm -rf /usr/share/elasticsearch/{elasticsearch-ssl-http.zip,kb00.zip,kb01.zip,kibana,elasticsearch,kibana-server1,kibana-server2,elastic-certificates.p12}

You should see:

# No output; returns to the prompt
[root@es00 elasticsearch]#

You need to enter:

# List the directory; only the CA keystore should remain. It holds the CA private key, which can sign
# new certificates the whole cluster trusts, so keep it readable by root only (mode 600) or move it off the node to offline storage
$ ls /usr/share/elasticsearch

You should see:

# Certificates deleted
bin  elastic-stack-ca.p12  jdk  lib  LICENSE.txt  modules  NOTICE.txt  plugins  README.asciidoc
[root@es00 elasticsearch]#

11.2 On es01

You need to enter:

# Delete the certificate material; the CA keystore is kept
$ rm -rf /usr/share/elasticsearch/{elasticsearch,elasticsearch-ssl-http.zip,elastic-certificates.p12,kibana}

You should see:

# No output; returns to the prompt
[root@es01 elasticsearch]#

You need to enter:

# List the directory; the CA keystore is kept
$ ls /usr/share/elasticsearch

You should see:

# Certificates deleted
bin  elastic-stack-ca.p12  jdk  lib  LICENSE.txt  modules  NOTICE.txt  plugins  README.asciidoc
[root@es01 elasticsearch]#

11.3 On es02

You need to enter:

# Delete the certificate material; the CA keystore is kept
$ rm -rf /usr/share/elasticsearch/{elasticsearch,elasticsearch-ssl-http.zip,elastic-certificates.p12,kibana}

You should see:

# No output; returns to the prompt
[root@es02 elasticsearch]#

You need to enter:

# List the directory; the CA keystore is kept
$ ls /usr/share/elasticsearch

You should see:

# Certificates deleted
bin  elastic-stack-ca.p12  jdk  lib  LICENSE.txt  modules  NOTICE.txt  plugins  README.asciidoc
[root@es02 elasticsearch]#
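An `ls` of the top-level directory does not prove that nothing was left behind one level down, and the CA keystore that survives the cleanup is the most sensitive file of the whole setup. The functions below are an added example, not part of the original tutorial: they walk a directory for anything that looks like key or certificate material other than the CA keystore, and check that the keystore itself has no group or other permission bits. They assume the Elasticsearch home /usr/share/elasticsearch and the file names used in this tutorial, plus GNU `stat -c`.

```shell
#!/bin/sh
# Added example: verify the certificate cleanup on an Elasticsearch node.

# List files under DIR that look like key/certificate material, excluding the
# file named KEEP (default: the CA keystore). Paths are printed relative to DIR.
find_cert_material() {
    dir="$1"; keep="${2:-elastic-stack-ca.p12}"
    find "$dir" -type f \( -name '*.p12' -o -name '*.key' -o -name '*.crt' \
        -o -name '*.pem' -o -name '*.csr' -o -name '*.zip' \) ! -name "$keep" \
        | sed "s|^$dir/||" | sort
}

# Return 0 if nothing but the kept CA keystore remains under DIR.
cleanup_complete() {
    [ -z "$(find_cert_material "$1" "${2:-elastic-stack-ca.p12}")" ]
}

# Return 0 if FILE has no group or other permission bits (e.g. mode 600 or 400).
# The CA keystore contains the CA private key; anyone who can read it can mint
# certificates that every node in the cluster trusts, so only root should.
ca_keystore_locked_down() {
    [ -f "$1" ] || return 1
    mode=$(stat -c %a "$1") || return 1
    [ $(( mode % 100 )) -eq 0 ]
}

# Driver for one node: report leftovers and the keystore mode, exit non-zero on a problem.
# HOME_DIR defaults to the Elasticsearch home used in this tutorial.
audit_es_home() {
    home="${1:-/usr/share/elasticsearch}"; rc=0
    left=$(find_cert_material "$home")
    if [ -n "$left" ]; then
        echo "certificate material still present:" >&2
        echo "$left" >&2
        rc=1
    fi
    if ! ca_keystore_locked_down "$home/elastic-stack-ca.p12"; then
        echo "elastic-stack-ca.p12 is missing or readable by group/other" >&2
        rc=1
    fi
    return "$rc"
}
```

Run `audit_es_home` on es00, es01 and es02 after the three `rm -rf` steps; on es00 it is also the place where the kibana-server1/kibana-server2 directories would show up if the brace expansion in the `rm` command had been mistyped.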
