1. Introduction
You can use an enterprise CA certificate for this step, but usually the certificate is generated with the elasticsearch-certutil command that ships with Elasticsearch. The nodes then use this certificate to communicate securely with each other.
Create certificate for node
TLS: the TLS protocol requires an X.509 certificate issued by a trusted Certificate Authority (CA).
Verification levels
certificate: a node joining the cluster must present a certificate issued by the CA.
full: a node joining the cluster must present a certificate issued by the CA, and its hostname or IP address is verified against the certificate as well.
none: any node can join. This is only for development environments and diagnostic purposes.
Issue the CA certificate first, then issue each node's certificate signed by that CA.
2. Steps
2.1 generate certificate
After setting up the ES cluster, work on the first node: enter the elasticsearch directory and run the following commands.

```bash
# Generate the CA certificate (output: elastic-stack-ca.p12)
bin/elasticsearch-certutil ca
# Accept the default file name: elastic-stack-ca.p12
# Set a password: 123456 (personal habit)

# Generate the node certificate (output: elastic-certificates.p12)
bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12
# Accept the default file name: elastic-certificates.p12
# Set a password: 123456 (personal habit)

# Generate the certificate directly into the configuration directory (this step is not performed here)
# bin/elasticsearch-certutil cert -out /etc/elasticsearch/elastic-certificates.p12 -pass
```

After the commands above complete successfully, the elastic-certificates.p12 certificate is generated in the `/etc/elasticsearch/` folder.

Note: the permissions of a certificate generated on this machine must be changed with `chmod 644 elastic-certificates.p12` (if the certificate is created as the user that runs Elasticsearch, no permission change is needed). The default permissions are 600, so the user running Elasticsearch cannot read the file and Elasticsearch fails to start.
2.2 edit the configuration file and open certificate access
Edit the configuration file /etc/elasticsearch/elasticsearch.yml and uncomment the following lines (note the certificate path):

```yaml
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate   # certificate verification level
xpack.security.transport.ssl.keystore.path: ${path}/elastic-certificates.p12    # fill in the certificate path
xpack.security.transport.ssl.truststore.path: ${path}/elastic-certificates.p12  # fill in the certificate path
```

Copy the elastic-certificates.p12 certificate generated in the steps above to the corresponding /etc/elasticsearch/ folder on the other two ES nodes, and copy the xpack.security.* configuration options into their elasticsearch.yml files as well.
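As an added check for steps 2.1 and 2.2 (example code written for this page, not part of the original article or of Elasticsearch), the script below audits a node's elasticsearch.yml for the transport TLS settings and reports a certificate file the current user cannot read; `parse_yml`, `audit` and `demo` are names invented here, and the sample configs are constructed.

```python
import os
import tempfile

# Settings added in step 2.2 with the values that actually enforce TLS; "none" lets any node join.
REQUIRED = {
    "xpack.security.enabled": {"true"},
    "xpack.security.transport.ssl.enabled": {"true"},
    "xpack.security.transport.ssl.verification_mode": {"certificate", "full"},
}
PATH_KEYS = ("xpack.security.transport.ssl.keystore.path", "xpack.security.transport.ssl.truststore.path")

def parse_yml(text):
    """Minimal parser for the flat 'key: value  # comment' lines of elasticsearch.yml."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" in line:
            key, value = line.split(":", 1)
            settings[key.strip()] = value.strip().strip("'\"")
    return settings

def audit(text, config_dir):
    """Return findings for one node's elasticsearch.yml; an empty list means it passes."""
    settings = parse_yml(text)
    findings = []
    for key, allowed in REQUIRED.items():
        value = settings.get(key)
        if value not in allowed:
            findings.append(f"{key}={value!r}, expected one of {sorted(allowed)}")
    for key in PATH_KEYS:
        path = os.path.join(config_dir, settings.get(key, ""))  # relative paths resolve against config dir
        # certutil writes the .p12 with mode 600: created by another user it is unreadable to the
        # service user and the node fails to start (the chmod note in step 2.1), so run this as that user.
        if not settings.get(key) or not os.access(path, os.R_OK):
            findings.append(f"{key}: not set, missing, or not readable by this user ({path})")
    return findings

def demo():
    """Audit a constructed good config and a weak one; returns both finding lists."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "elastic-certificates.p12"), "wb") as f:
            f.write(b"constructed placeholder, not a real PKCS#12 file")
        base = ("xpack.security.enabled: true\n"
                "xpack.security.transport.ssl.enabled: true\n"
                "xpack.security.transport.ssl.keystore.path: elastic-certificates.p12  # path\n"
                "xpack.security.transport.ssl.truststore.path: elastic-certificates.p12\n")
        good = base + "xpack.security.transport.ssl.verification_mode: certificate\n"
        weak = base + "xpack.security.transport.ssl.verification_mode: none\n"
        return audit(good, d), audit(weak, d)
```

Run `audit(open("/etc/elasticsearch/elasticsearch.yml").read(), "/etc/elasticsearch")` as the Elasticsearch service user on each node after copying the certificate and settings.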
2.3 set the default password of each component of elasticsearch
Start the three nodes. Once they are up, enter the elasticsearch directory on the first node and run the following command to set the passwords:

```bash
cd /usr/share/elasticsearch
bin/elasticsearch-setup-passwords interactive

# Output
Initiating the setup of passwords for reserved users elastic,apm_system,kibana,logstash_system,beats_system,remote_monitoring_user.
You will be prompted to enter passwords as the process progresses.
Please confirm that you would like to continue [y/N]y   # enter y
# Enter each password, then repeat it; the account name is shown in square brackets
Enter password for [elastic]:
Reenter password for [elastic]:
Enter password for [apm_system]:
Reenter password for [apm_system]:
Enter password for [kibana]:
Reenter password for [kibana]:
Enter password for [logstash_system]:
Reenter password for [logstash_system]:
Enter password for [beats_system]:
Reenter password for [beats_system]:
Enter password for [remote_monitoring_user]:
Reenter password for [remote_monitoring_user]:
Changed password for user [apm_system]
Changed password for user [kibana]
Changed password for user [logstash_system]
Changed password for user [beats_system]
Changed password for user [remote_monitoring_user]
Changed password for user [elastic]
```
For convenience in the later steps, the same password is used for all of them here: 123456
Start the cluster and request /_cat; if the response asks for authentication, X-Pack security has been enabled successfully.