Enabling authentication (X-Pack security) on Elasticsearch 6.8.0 and later

Tested on ES version 6.8.0
elasticsearch-6.8.0.tar.gz
Start ES
(omitted)
Set the passwords of the ES built-in users

1. Create the keystore first: bin/elasticsearch-keystore create. The keystore holds secure settings such as the bootstrap password that the next tool uses.
2. From the Elasticsearch directory run ./bin/elasticsearch-setup-passwords interactive; after pressing Enter, set a separate password for each built-in user (in 6.8: elastic, kibana, logstash_system, beats_system, apm_system, remote_monitoring_user). The ES instance must be running, and xpack.security.enabled: true must already be in elasticsearch.yml, otherwise the tool reports that security is disabled and does nothing.
3. The built-in users are needed in the later steps, so keep the passwords you set here.

Generating the ES keys and certificates
Using PEM output, run the following commands.

1. In <ES install dir>/bin run
./elasticsearch-certutil ca --days 720 --pem
This writes the CA bundle elastic-stack-ca.zip (the default name) into the directory the command was run from, here bin.
2. Unzip it; this produces a ca folder containing ca.key (the CA private key) and ca.crt (the CA certificate).
3. In <ES install dir>/bin run
./elasticsearch-certutil cert --ca-cert ./ca/ca.crt --ca-key ./ca/ca.key --days 720 --pem
This writes the node certificate bundle certificate-bundle.zip (the default name). Because no --name, --dns or --ip was given (every prompt was answered with Enter), the certificate carries no subject alternative names; that matters for verification_mode below.
4. Unzip it; this produces an instance folder containing instance.key and instance.crt.
5. Create a folder named x-pack under the ES config directory (config), copy the ca and instance folders into it, and chown them to the user ES runs as. Keep instance.key readable only by that user. Note that a node only needs ca.crt to verify its peers; ca.key can sign further certificates that every node will trust, so it is better kept off the nodes entirely.
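The same certutil flow, scripted, as an added example that is not part of the original post. It differs from the steps above in three ways a security engineer would want: each node gets its own certificate with a name and DNS/IP SANs (so the default verification_mode of full can work instead of being downgraded), ca.key is not copied to the node, and the private key ends up 0600 under config/x-pack. Everything in the usage section (ES home path, node name, DNS name, IP, service user) is a placeholder; the script assumes unzip and openssl are installed. With --name, the paths in elasticsearch.yml become x-pack/<node>/<node>.key and x-pack/<node>/<node>.crt instead of the instance/ paths used in the post.

```shell
#!/bin/sh
# Added example, not from the original post. Same elasticsearch-certutil flow
# as the steps above, but per-node certificates with SANs, ca.key kept off the
# node, and locked-down permissions.
# Assumptions: $1 is the extracted elasticsearch-6.8.0 directory, `unzip` and
# `openssl` are installed, node name / DNS name / IP below are placeholders.
set -eu

# Create the CA once (ca/ca.crt + ca/ca.key) and one certificate per node.
# --dns/--ip become SANs; that is what a peer in `full` mode compares against.
make_node_cert() {   # $1 = ES home, $2 = node name, $3 = DNS name, $4 = IP, $5 = work dir
    es_home=$1; node=$2; dns=$3; ip=$4; work=$5
    mkdir -p "$work"
    if [ ! -f "$work/ca/ca.crt" ]; then
        "$es_home/bin/elasticsearch-certutil" ca --pem --days 720 --out "$work/elastic-stack-ca.zip"
        unzip -q -o "$work/elastic-stack-ca.zip" -d "$work"      # -> ca/ca.crt, ca/ca.key
    fi
    "$es_home/bin/elasticsearch-certutil" cert --pem --days 720 \
        --ca-cert "$work/ca/ca.crt" --ca-key "$work/ca/ca.key" \
        --name "$node" --dns "$dns" --ip "$ip" --out "$work/$node.zip"
    unzip -q -o "$work/$node.zip" -d "$work"                     # -> $node/$node.crt, $node/$node.key
}

# Show the SANs that actually landed in a certificate.
show_sans() {   # $1 = certificate file
    openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name'
}

# Lay the files out under config/x-pack so that elasticsearch.yml can reference
#   xpack.ssl.key: x-pack/<node>/<node>.key   (and .crt, ca/ca.crt).
# Only ca.crt goes to the node: ca.key can mint more trusted certificates and
# belongs offline. The key is 0600; the tree is owned by the ES service user.
install_certs() {   # $1 = work dir, $2 = node name, $3 = ES config dir, $4 = ES user (optional; chown needs root)
    work=$1; node=$2; conf=$3; owner=${4:-}
    dest="$conf/x-pack"
    mkdir -p "$dest/ca" "$dest/$node"
    cp "$work/ca/ca.crt" "$dest/ca/ca.crt"
    cp "$work/$node/$node.crt" "$work/$node/$node.key" "$dest/$node/"
    chmod 700 "$dest" "$dest/ca" "$dest/$node"
    chmod 644 "$dest/ca/ca.crt" "$dest/$node/$node.crt"
    chmod 600 "$dest/$node/$node.key"
    [ -z "$owner" ] || chown -R "$owner:$owner" "$dest"
}

# Usage (placeholders): sh certs.sh /opt/elasticsearch-6.8.0
if [ $# -eq 1 ]; then
    make_node_cert "$1" node1 es-node1.example.internal 10.0.0.11 ./certs
    show_sans ./certs/node1/node1.crt
    install_certs ./certs node1 "$1/config" elasticsearch
fi
```

Run it once per node with that node's own name, DNS name and IP; the CA is created on the first run and reused afterwards, so keep the work directory (and especially ca/ca.key) on the machine you sign from, not on the cluster nodes.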

ES config file elasticsearch.yml

xpack.security.enabled: true
# without this line authentication stays off: on the basic license it defaults to false
xpack.security.transport.ssl.enabled: true
xpack.ssl.key: x-pack/instance/instance.key
xpack.ssl.certificate: x-pack/instance/instance.crt
xpack.ssl.certificate_authorities: x-pack/ca/ca.crt
xpack.ssl.verification_mode: certificate
xpack.ssl.client_authentication: required

POM dependencies:

<repositories>
    <!-- add the elasticsearch repo -->
    <repository>
        <id>elasticsearch-releases</id>
        <url>https://artifacts.elastic.co/maven</url>
        <releases>
            <enabled>true</enabled>
        </releases>
        <snapshots>
            <enabled>false</enabled>
        </snapshots>
    </repository>
</repositories>
<!-- ES core -->
<dependency>
    <groupId>org.elasticsearch</groupId>
    <artifactId>elasticsearch</artifactId>
    <version>${elasticsearch.version}</version>
</dependency>
<!-- ES transport client -->
<dependency>
    <groupId>org.elasticsearch.client</groupId>
    <artifactId>transport</artifactId>
    <version>${elasticsearch.version}</version>
    <exclusions>
        <exclusion>
            <groupId>org.elasticsearch</groupId>
            <artifactId>elasticsearch</artifactId>
        </exclusion>
    </exclusions>
</dependency>
<!-- X-Pack transport client (from the elastic.co repository above) -->
<dependency>
    <groupId>org.elasticsearch.client</groupId>
    <artifactId>x-pack-transport</artifactId>
    <version>${elasticsearch.version}</version>
</dependency>

Java client connection code:

import java.net.InetAddress;
import org.elasticsearch.client.transport.TransportClient;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.transport.TransportAddress;
import org.elasticsearch.xpack.client.PreBuiltXPackTransportClient;

// The client key/certificate are a separate pair signed by the same CA (ca.crt).
// Load the password from configuration in real code; it is inline here only to mirror the original.
TransportClient client = new PreBuiltXPackTransportClient(Settings.builder()
                    .put("cluster.name", "my-application")
                    .put("xpack.security.user", "elastic:pw123456")
                    .put("xpack.ssl.key", "/opt/cert/my-application/my-application.key")
                    .put("xpack.ssl.certificate", "/opt/cert/my-application/my-application.crt")
                    .put("xpack.ssl.certificate_authorities", "/opt/cert/ca/ca.crt")
                    .put("xpack.security.transport.ssl.verification_mode", "certificate")
                    .put("xpack.security.transport.ssl.enabled", "true")
                    .build())
                    // transport port 9300, not the HTTP port 9200; "es-host" is a placeholder
                    .addTransportAddress(new TransportAddress(InetAddress.getByName("es-host"), 9300));

Note:
The ES default for xpack.security.transport.ssl.verification_mode is full: besides validating the certificate chain it checks that the host name or IP the client connected to matches the certificate's subject alternative names. Setting verification_mode to certificate validates only the chain and skips the host check. Because the certificates were generated with every prompt answered by Enter (no DNS names or IPs), they carry no SANs, so if the Java client does not set this property to certificate the ES log shows:
"client did not trust this server's certificate"
Debugging this was extremely painful. Keep in mind what certificate mode means: any certificate signed by this CA is accepted for any host, so protect ca.key accordingly (or generate the certificates with --dns/--ip and keep full).

# ES master node config:
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.ssl.key: x-pack/instance/instance.key
xpack.ssl.certificate: x-pack/instance/instance.crt
xpack.ssl.certificate_authorities: x-pack/ca/ca.crt
xpack.ssl.verification_mode: certificate
xpack.ssl.client_authentication: required
# verification_mode set to certificate (what online posts call "turning off host verification")
# with full, DNS and IP are checked; since neither was put into the certificate, this fails with client did not trust this server's certificate

ES data node config:
xpack.security.enabled: true
# must be set on every node, same as on the master; a node with security off cannot join a secured cluster
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.key: x-pack/instance/instance.key
xpack.security.transport.ssl.certificate: x-pack/instance/instance.crt
xpack.security.transport.ssl.certificate_authorities: x-pack/ca/ca.crt
# the xpack.security.transport.ssl.* names and the generic xpack.ssl.* names used on the master are both accepted in 6.8
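A pre-flight check for the node configs above, as an added example that is not part of the original post. It reads a node's elasticsearch.yml, accepts both the generic xpack.ssl.* names (master config) and the transport-specific xpack.security.transport.ssl.* names (data node config), and fails when security is not enabled, transport TLS is off, verification_mode is none, a referenced key or certificate file is missing, or the private key is readable by group/others. It assumes flat "key: value" lines, a single (non-list) certificate_authorities value, and the Elasticsearch rule that relative paths resolve against the config directory.

```shell
#!/bin/sh
# Added example, not from the original post: lint the X-Pack security settings
# of one node's elasticsearch.yml before restarting that node.
# Assumes flat "key: value" lines and a scalar certificate_authorities.

# Print the value of one exact top-level key (first match), trailing comment stripped.
yml_get() {   # $1 = yml file, $2 = key
    awk -v want="$2" '
        /^[ \t]*#/ { next }
        index($0, ":") == 0 { next }
        {
            key = substr($0, 1, index($0, ":") - 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            if (key != want) next
            val = substr($0, index($0, ":") + 1)
            sub(/[ \t]+#.*$/, "", val)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            print val; exit
        }' "$1"
}

# 6.x accepts both spellings; the transport-specific one wins when both are set.
ssl_get() {   # $1 = yml file, $2 = setting suffix such as key or verification_mode
    v=$(yml_get "$1" "xpack.security.transport.ssl.$2")
    [ -n "$v" ] || v=$(yml_get "$1" "xpack.ssl.$2")
    printf '%s\n' "$v"
}

# Returns 0 when the node looks coherent, 1 otherwise (reasons on stdout).
lint_es_security() {   # $1 = Elasticsearch config directory
    conf=$1; yml="$conf/elasticsearch.yml"; rc=0
    [ -f "$yml" ] || { echo "no $yml"; return 1; }

    # Authentication is off unless this is true, and it must be true on every node.
    [ "$(yml_get "$yml" xpack.security.enabled)" = true ] \
        || { echo "xpack.security.enabled is not true"; rc=1; }
    [ "$(yml_get "$yml" xpack.security.transport.ssl.enabled)" = true ] \
        || { echo "xpack.security.transport.ssl.enabled is not true"; rc=1; }

    case "$(ssl_get "$yml" verification_mode)" in
        full|"")     ;;   # default is full: chain plus hostname/IP against the cert SANs
        certificate) echo "note: verification_mode=certificate skips host checks; any cert from this CA is accepted" ;;
        none)        echo "verification_mode=none disables certificate validation"; rc=1 ;;
        *)           echo "unknown verification_mode"; rc=1 ;;
    esac

    for s in key certificate certificate_authorities; do
        p=$(ssl_get "$yml" "$s")
        [ -n "$p" ] || { echo "ssl $s is not set"; rc=1; continue; }
        case "$p" in /*) f=$p ;; *) f="$conf/$p" ;; esac   # relative to the config dir
        [ -f "$f" ] || { echo "ssl $s: $f does not exist"; rc=1; continue; }
        # The private key must be readable only by the ES user.
        if [ "$s" = key ] && [ -n "$(find "$f" \( -perm -040 -o -perm -004 \))" ]; then
            echo "$f is readable by group/others"; rc=1
        fi
    done
    return $rc
}

# Usage: sh lint.sh /opt/elasticsearch-6.8.0/config
[ $# -eq 0 ] || lint_es_security "$1"
```

Run against the data node config exactly as written in the post (without xpack.security.enabled) the check fails, which is the point: a node whose security is off does not speak TLS on the transport port and cannot join the secured cluster.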

# Nodes talk to each other (cluster discovery) over the transport TCP port, default 9300, and the TransportClient above connects to that port too, not to the HTTP port 9200. Important enough to say three times.

Copyright notice: this article is the blogger's original work, licensed under CC 4.0 BY; when reposting, include a link to the original and this notice.
Article link: https://blog.csdn.net/LSY929981117/article/details/107714001


Reposted from blog.csdn.net/LSY929981117/article/details/105204213