配置步骤:
1.安装x-pack
2.执行命令,生成elastic-stack-ca.p12
文件,密码使用123456(123456仅为演示用的弱密码,后续各步骤同理;实际部署请换成强密码)
./bin/elasticsearch-certutil ca
3.执行命令,生成elastic-certificates.p12
文件,密码使用123456
./bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12
4.将elastic-stack-ca.p12
和elastic-certificates.p12
拷贝到config/certs(注意:第5步的配置只引用了elastic-certificates.p12;elastic-stack-ca.p12中含有CA私钥,持有它即可签发被集群信任的证书,应限制其访问权限并妥善保管)
5.在elasticsearch.yml文件中添加配置
# TLS for node-to-node (transport) traffic.
xpack.security.transport.ssl.enabled: true
# "certificate" checks that the peer certificate chains to a trusted CA but does
# not check that it matches the peer's host name; "full" adds that check and
# needs certificates issued with the node's DNS name / IP.
xpack.security.transport.ssl.verification_mode: certificate
# The same PKCS#12 bundle is used as key store and trust store on this layer.
xpack.security.transport.ssl.keystore.path: certs/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: certs/elastic-certificates.p12
# TLS for the HTTP (REST) layer, using the same bundle.
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: certs/elastic-certificates.p12
xpack.security.http.ssl.truststore.path: certs/elastic-certificates.p12
# NOTE(review): the four passwords below are stored in plaintext in
# elasticsearch.yml, so anyone who can read the file can open the bundle and
# obtain the node's private key. On versions that support secure settings, the
# *.secure_password variants (e.g.
# xpack.security.transport.ssl.keystore.secure_password) added with
# bin/elasticsearch-keystore keep them out of this file; confirm against the
# installed version. "123456" is a trivially guessable value.
xpack.security.transport.ssl.keystore.password: 123456
xpack.security.transport.ssl.truststore.password: 123456
xpack.security.http.ssl.keystore.password: 123456
xpack.security.http.ssl.truststore.password: 123456
6.logstash连接ES
# Ships events to Elasticsearch over HTTPS and echoes them to stdout for debugging.
output {
elasticsearch {
# NOTE(review): port 9201 here, while the Java and curl checks on this page use
# 9200; confirm which HTTP port the node actually listens on.
hosts => ["https://MY_IP:9201"]
index => "bos-dev-log"
# NOTE(review): "elastic" is the built-in superuser. A dedicated user whose role
# can only write to this index limits what a leaked pipeline config exposes.
user => "elastic"
# NOTE(review): plaintext password in the pipeline file. It can be replaced by
# a variable reference resolved from the Logstash keystore
# (bin/logstash-keystore), e.g. "${ES_PWD}" (example name).
password => "123456"
ssl => true
# NOTE(review): with verification disabled the server certificate is not
# checked, so the truststore below does not protect the connection: traffic is
# encrypted but the peer is unauthenticated, and the credentials above could be
# sent to an impostor. Turning verification on presumably requires a node
# certificate that carries the address used in `hosts` (the certutil call on
# this page is shown without --dns/--ip); confirm and reissue if needed.
ssl_certificate_verification=>false
# NOTE(review): this is the same bundle the node uses as its key store, so it
# also holds the node's private key. A client only needs the CA certificate in
# its trust store.
truststore=>"/XXX/XXX/elastic-certificates.p12"
truststore_password=>"123456"
}
stdout {
codec => rubydebug }
}
7.java client验证
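/**
 * Smoke-tests the node's HTTPS endpoint: sends a GET with HTTP basic credentials to the root URL
 * and prints the response body to standard output.
 *
 * <p>Trust material is loaded from the PKCS#12 bundle created in the certificate steps. The HTTP
 * client is closed when the call finishes, which also releases its connection manager.
 *
 * <p>NOTE(review): this is a connectivity check, not a template for production clients. The
 * password is hard-coded, {@code AuthScope.ANY} offers the credentials to whichever host the
 * client talks to, and host name verification is switched off (see the inline notes).
 *
 * @throws Exception if the bundle cannot be read, the SSL context cannot be built, or the
 *     request fails
 */
public static void testHttps() throws Exception {
    CredentialsProvider credentialsProvider = new BasicCredentialsProvider();
    credentialsProvider.setCredentials(AuthScope.ANY, new UsernamePasswordCredentials("elastic", "123456"));

    // The file is a PKCS#12 bundle, so ask for that store type explicitly. Requesting "jks"
    // only works where the JDK's keystore compatibility mode is active.
    KeyStore truststore = KeyStore.getInstance("PKCS12");
    try (InputStream is = new FileInputStream("./src/main/resources/elastic-certificates.p12")) {
        truststore.load(is, "123456".toCharArray());
    }
    // NOTE(review): this bundle is the node's key store and therefore also contains the node's
    // private key. A client only needs the CA certificate; avoid shipping the bundle in
    // src/main/resources.
    SSLContext sslContext = SSLContexts.custom().loadTrustMaterial(truststore, null).build();

    // NOTE(review): NoopHostnameVerifier accepts any host name, so the certificate is checked
    // only for chaining to the trust store, not for belonging to MY_IP. The default verifier
    // presumably needs a node certificate issued with the address as a subject alternative name
    // (certutil's --dns/--ip, not used in the command shown on this page); confirm and reissue.
    SSLConnectionSocketFactory sslsf = new SSLConnectionSocketFactory(sslContext, NoopHostnameVerifier.INSTANCE);
    Registry<ConnectionSocketFactory> socketFactoryRegistry = RegistryBuilder.<ConnectionSocketFactory>create()
            .register("https", sslsf)
            .register("http", new PlainConnectionSocketFactory())
            .build();
    BasicHttpClientConnectionManager connectionManager =
            new BasicHttpClientConnectionManager(socketFactoryRegistry);

    // try-with-resources: the original never closed the client, leaking the connection.
    try (CloseableHttpClient client = HttpClients.custom()
            .setSSLSocketFactory(sslsf)
            .setDefaultCredentialsProvider(credentialsProvider)
            .setConnectionManager(connectionManager)
            .build()) {
        HttpGet getMethod = new HttpGet("https://MY_IP:9200");
        HttpResponse response = client.execute(getMethod);
        System.out.println(IOUtils.toString(response.getEntity().getContent()));
    }
}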
8.curl命令验证(-k 会跳过服务器证书校验,仅适合做连通性测试;如需校验证书,可用 --cacert 指定PEM格式的CA证书;另外 -u 后直接写密码会留在shell历史和进程列表中)
curl -k -u elastic:123456 -X GET https://MY_IP:9200