Configuring x-pack username/password authentication for ES (single-node and cluster modes)

Environment:
ES: 6.5.0 (from version 6.8 x-pack is free to use and no crack is needed)
OS: CentOS 7

------------------------------------------------ Single-node configuration ------------------------------------------------
1. Create a directory
[esuser@localhost ~]$ cd /home/esuser
[esuser@localhost ~]$ mkdir xpach

2. Prepare the following two Java files
LicenseVerifier.java

package org.elasticsearch.license;
import java.nio.*; import java.util.*;
import java.security.*;
import org.elasticsearch.common.xcontent.*;
import org.apache.lucene.util.*;
import org.elasticsearch.common.io.*;
import java.io.*;

public class LicenseVerifier {
    public static boolean verifyLicense(final License license, final byte[] encryptedPublicKeyData) {
        return true;
    }
    
    public static boolean verifyLicense(final License license) {
        return true;
    }
}

XPackBuild.java

package org.elasticsearch.xpack.core;
import org.elasticsearch.common.io.*;
import java.net.*;
import org.elasticsearch.common.*;
import java.nio.file.*;
import java.io.*;
import java.util.jar.*;

public class XPackBuild {
    public static final XPackBuild CURRENT;
    private String shortHash;
    private String date;

    @SuppressForbidden(reason = "looks up path of xpack.jar directly")
    static Path getElasticsearchCodebase() {
        final URL url = XPackBuild.class.getProtectionDomain().getCodeSource().getLocation();
        try {
            return PathUtils.get(url.toURI());
        } catch (URISyntaxException bogus) {
            throw new RuntimeException(bogus);
        }
    }

    XPackBuild(final String shortHash, final String date) {
        this.shortHash = shortHash;
        this.date = date;
    }

    public String shortHash() {
        return this.shortHash;
    }

    public String date() {
        return this.date;
    }

    static {
        final Path path = getElasticsearchCodebase();
        String shortHash = "Unknown";
        String date = "Unknown";
        CURRENT = new XPackBuild(shortHash, date);
    }
}

Put the two files above into the directory created in step 1
[esuser@localhost xpach]$ pwd
/home/esuser/xpach
[esuser@localhost xpach]$ ls -1
LicenseVerifier.java
XPackBuild.java


3. Recompile and repackage
Compile the two Java files just created into class files; all we need to do is replace these two class files inside the jar (because they reference classes from other jars, javac must be run with -cp)

[esuser@localhost xpach]$ cd /home/esuser/xpach
javac -cp "/home/esuser/single_elasticsearch/lib/elasticsearch-6.5.0.jar:/home/esuser/single_elasticsearch/lib/lucene-core-7.5.0.jar:/home/esuser/single_elasticsearch/modules/x-pack-core/x-pack-core-6.5.0.jar" LicenseVerifier.java
javac -cp "/home/esuser/single_elasticsearch/lib/elasticsearch-6.5.0.jar:/home/esuser/single_elasticsearch/lib/lucene-core-7.5.0.jar:/home/esuser/single_elasticsearch/modules/x-pack-core/x-pack-core-6.5.0.jar:/home/esuser/single_elasticsearch/lib/elasticsearch-core-6.5.0.jar" XPackBuild.java

After running the two commands above, you can see that two class files have been generated
[esuser@localhost xpach]$ ls -1
LicenseVerifier.class
LicenseVerifier.java
XPackBuild.class
XPackBuild.java

4. Extract the original jar, then overwrite the class files
The following operations are run in the directory /home/esuser/xpach
[esuser]$cd /home/esuser/xpach
Copy the original jar into the current directory
[esuser]$cp -a /home/esuser/single_elasticsearch/modules/x-pack-core/x-pack-core-6.5.0.jar .
Extract the original jar
[esuser]$jar -xf x-pack-core-6.5.0.jar
Delete the earlier Java files and the copied jar
[esuser]$rm -rf LicenseVerifier.java XPackBuild.java x-pack-core-6.5.0.jar
Copy the class files into the corresponding directories
[esuser]$cp -a LicenseVerifier.class org/elasticsearch/license/
[esuser]$cp -a XPackBuild.class org/elasticsearch/xpack/core/
Delete the class files
[esuser]$rm -rf LicenseVerifier.class XPackBuild.class
Rebuild the jar
[esuser]$jar -cvf x-pack-core-6.5.0.jar *
Overwrite the original jar with the one just built
[esuser]$cp -a x-pack-core-6.5.0.jar /home/esuser/single_elasticsearch/modules/x-pack-core/

5. Add the following settings, then restart
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true



6. Apply for a license
Application address
https://license.elastic.co/registration
After filling in the form, an email is sent to the registered mailbox; follow the prompts in it and click the link to download
After downloading, upload it to the server and modify expiry_date_in_millis; I changed it to 4102416000000, i.e. 2100-01-01 00:00:00, and changed type to platinum
The file I downloaded is named my.json, with the following content
{"license":{"uid":"1e9a1465-3398-44e8-aa06-c76062dcfedf","type":"platinum","issue_date_in_millis":1544659200000,"expiry_date_in_millis":4102416000000,"max_nodes":100,"issued_to":"xueliang huang (richinfo)","issuer":"Web Form","signature":"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","start_date_in_millis":1544659200000}}

Upload the file to the chosen directory on the server; I put it under /home/esuser


7. Import the license
cd /home/esuser (my.json is in this directory)
curl -XPUT 'http://192.168.1.135:19200/_xpack/license' -H "Content-Type: application/json" -d @my.json

At this point the license has been imported and authentication is enabled; every access from here on must use a username and password, otherwise it cannot be used. But no passwords have been set yet, so next we set each account's password with elasticsearch-setup-passwords
Check the license status

8. Set each account's password interactively

[esuser@localhost bin]$ cd /home/esuser/single_elasticsearch/bin
[esuser@localhost bin]$ ./elasticsearch-setup-passwords interactive
Initiating the setup of passwords for reserved users elastic,apm_system,kibana,logstash_system,beats_system,remote_monitoring_user.
You will be prompted to enter passwords as the process progresses.
Please confirm that you would like to continue [y/N]y  

Enter password for [elastic]:
Reenter password for [elastic]:
Enter password for [apm_system]:
Reenter password for [apm_system]:
Enter password for [kibana]:
Reenter password for [kibana]:
Enter password for [logstash_system]:
Reenter password for [logstash_system]:
Enter password for [beats_system]:
Reenter password for [beats_system]:
Enter password for [remote_monitoring_user]:
Reenter password for [remote_monitoring_user]:
Changed password for user [apm_system]
Changed password for user [kibana]
Changed password for user [logstash_system]
Changed password for user [beats_system]
Changed password for user [remote_monitoring_user]
Changed password for user [elastic]


9. Access using username and password
[esuser@localhost bin]$ curl -u elastic:elastic "http://192.168.1.135:19200/_license"
{
  "license" : {
    "status" : "active",
    "uid" : "1e9a1465-3398-44e8-aa06-c76062dcfedf",
    "type" : "platinum",
    "issue_date" : "2018-12-13T00:00:00.000Z",
    "issue_date_in_millis" : 1544659200000,
    "expiry_date" : "2049-12-31T16:00:00.000Z",
    "expiry_date_in_millis" : 2524579200000,
    "max_nodes" : 100,
    "issued_to" : "xueliang huang (richinfo)",
    "issuer" : "Web Form",
    "start_date_in_millis" : 1544659200000
  }
}


10. The license can be modified and re-imported, for example if I want to change the expiry time
curl -u elastic:elastic -XPUT 'http://192.168.1.135:19200/_xpack/license' -H "Content-Type: application/json" -d @my.json


11. Change the password
curl -H "Content-Type:application/json" -XPUT -u elastic:elastic 'http://192.168.1.135:19200/_xpack/security/user/elastic/_password' -d '{ "password" : "elastic123" }'

The single-node configuration is now complete. Next is the multi-node cluster configuration; the method is similar to the single-node one. For convenience, configure one node first, then copy the corresponding jar file and license file to the other nodes



------------------------------------------------ Cluster-mode x-pack configuration ------------------------------------------------

1. Copy the relevant files to the other node
Copy the jar and the license from the already-configured node to the other node
[esuser@localhost xpach]$ scp x-pack-core-6.5.0.jar esuser@192.168.1.134:/home/esuser/
[esuser@localhost ~]$ scp my.json esuser@192.168.1.134:/home/esuser/


2. Overwrite the current jar with the copied one (make a backup first)
[esuser@localhost ~]$ cd /home/esuser
[esuser@localhost ~]$ cp x-pack-core-6.5.0.jar /home/esuser/single_elasticsearch/modules/x-pack-core/

3. Modify the configuration and restart ES
Add the following two settings, then restart
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true

4. Import the license
cd /home/esuser (my.json is in this directory)
curl -XPUT 'http://192.168.1.134:19200/_xpack/license' -H "Content-Type: application/json" -d @my.json


5. Set each account's password interactively
[esuser@localhost bin]$ cd /home/esuser/single_elasticsearch/bin
[esuser@localhost bin]$ ./elasticsearch-setup-passwords interactive

Here every account is given the password elastic123; the passwords set here may differ from those on other nodes, but for easier maintenance it is recommended to keep them the same


6. Access using username and password
curl -u elastic:elastic123 -X GET 'http://192.168.1.134:19200/_cat/indices?v'

7. Change the password
curl -H "Content-Type:application/json" -XPUT -u elastic:elastic123 'http://192.168.1.134:19200/_xpack/security/user/elastic/_password' -d '{ "password" : "elastic" }'

------------------------------------------------ Cluster internal transport authentication ------------------------------------------------
If x-pack is enabled with
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
but transport-layer authentication between nodes is not configured, the cluster fails at startup with the following error:
SSLHandshakeException: no cipher suites in common
The following configuration is needed to resolve this; see the official documentation:

https://www.elastic.co/guide/en/elasticsearch/reference/6.5/configuring-tls.html#node-certificates



1. Generate the CA certificate (this step only needs to be done on one node)
[esuser@localhost ~]$ mkdir esca
[esuser@localhost ~]$ cd esca
[esuser@localhost esca]$ pwd
/home/esuser/esca
[esuser@localhost esca]$ /home/esuser/single_elasticsearch/bin/elasticsearch-certutil ca
This tool assists you in the generation of X.509 certificates and certificate
signing requests for use with SSL/TLS in the Elastic stack.

The 'ca' mode generates a new 'certificate authority'
This will create a new X.509 certificate and private key that can be used
to sign certificate when running in 'cert' mode.

Use the 'ca-dn' option if you wish to configure the 'distinguished name'
of the certificate authority

By default the 'ca' mode produces a single PKCS#12 output file which holds:
    * The CA certificate
    * The CA's private key

If you elect to generate PEM format certificates (the -pem option), then the output will
be a zip file containing individual files for the CA certificate and private key

Please enter the desired output file [elastic-stack-ca.p12]:
Enter password for elastic-stack-ca.p12 :
The password I entered here is oracle; this password must be remembered, because it will be needed again when new nodes join later

This generates one file
[esuser@localhost esca]$ ls  -1
elastic-stack-ca.p12


2. Generate the node certificate
[esuser@localhost esca]$ /home/esuser/single_elasticsearch/bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12
This tool assists you in the generation of X.509 certificates and certificate
signing requests for use with SSL/TLS in the Elastic stack.

The 'cert' mode generates X.509 certificate and private keys.
    * By default, this generates a single certificate and key for use
       on a single instance.
    * The '-multiple' option will prompt you to enter details for multiple
       instances and will generate a certificate and key for each one
    * The '-in' option allows for the certificate generation to be automated by describing
       the details of each instance in a YAML file

    * An instance is any piece of the Elastic Stack that requires a SSL certificate.
      Depending on your configuration, Elasticsearch, Logstash, Kibana, and Beats
      may all require a certificate and private key.
    * The minimum required value for each instance is a name. This can simply be the
      hostname, which will be used as the Common Name of the certificate. A full
      distinguished name may also be used.
    * A filename value may be required for each instance. This is necessary when the
      name would result in an invalid file or directory name. The name provided here
      is used as the directory name (within the zip) and the prefix for the key and
      certificate files. The filename is required if you are prompted and the name
      is not displayed in the prompt.
    * IP addresses and DNS names are optional. Multiple values can be specified as a
      comma separated string. If no IP addresses or DNS names are provided, you may
      disable hostname verification in your SSL configuration.

    * All certificates generated by this tool will be signed by a certificate authority (CA).
    * The tool can automatically generate a new CA for you, or you can provide your own with the
         -ca or -ca-cert command line options.

By default the 'cert' mode produces a single PKCS#12 output file which holds:
    * The instance certificate
    * The private key for the instance certificate
    * The CA certificate

If you specify any of the following options:
    * -pem (PEM formatted output)
    * -keep-ca-key (retain generated CA key)
    * -multiple (generate multiple certificates)
    * -in (generate certificates from an input file)
then the output will be be a zip file containing individual certificate/key files

Enter password for CA (elastic-stack-ca.p12) : ## the password entered here is oracle
Please enter the desired output file [elastic-certificates.p12]:
Enter password for elastic-certificates.p12 :  ## the password entered here is oracle

Certificates written to /home/esuser/esca/elastic-certificates.p12

This file should be properly secured as it contains the private key for
your instance.

This file is a self contained file and can be copied and used 'as is'
For each Elastic product that you wish to configure, you should copy
this '.p12' file to the relevant configuration directory
and then follow the SSL configuration instructions in the product guide.

For client applications, you may only need to copy the CA certificate and
configure the client to trust this certificate.

The files generated at this point are:
[esuser@localhost esca]$ ls -1
elastic-certificates.p12
elastic-stack-ca.p12


3. Copy the generated .p12 files to every node
First create a directory to hold these files
[esuser@localhost esca]$mkdir -p /home/esuser/single_elasticsearch/config/certs
[esuser@localhost esca]$ cp elastic-certificates.p12 /home/esuser/single_elasticsearch/config/certs/
[esuser@localhost esca]$ cp elastic-stack-ca.p12 /home/esuser/single_elasticsearch/config/certs/

Copy them to the corresponding path on the other nodes as well


4. Modify each node's configuration, adding the following settings
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: certs/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: certs/elastic-certificates.p12


5. Enter the keystore passwords
Run the following commands on every node
/home/esuser/single_elasticsearch/bin/elasticsearch-keystore add xpack.security.transport.ssl.keystore.secure_password ## enter the password configured earlier, oracle
/home/esuser/single_elasticsearch/bin/elasticsearch-keystore add xpack.security.transport.ssl.truststore.secure_password ## enter the password configured earlier, oracle

6. Restart the cluster
Check the cluster status
curl -u elastic:elastic 'http://192.168.1.134:19200/_cat/nodes?v'
curl -u elastic:elastic 'http://192.168.1.134:19200/_cat/master?v'
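As an added check (example code written for this page, not from the original post), the following Python script audits an elasticsearch.yml fragment for the settings the transport-TLS steps above add, reporting the incomplete two-setting configuration that triggers "no cipher suites in common" and any secure_password that was written into the yml instead of the keystore. The REQUIRED table, the simple flat-YAML parser and the BEFORE/AFTER fragments are constructed here; verification_mode "full" is accepted as well, but only works if the node certificates were generated with the nodes' IP or DNS names.

```python
from typing import Dict, List

# Settings the walkthrough adds, with the values accepted here (None = any non-empty value).
REQUIRED = {
    "xpack.security.enabled": {"true"},
    "xpack.security.transport.ssl.enabled": {"true"},
    "xpack.security.transport.ssl.verification_mode": {"certificate", "full"},
    "xpack.security.transport.ssl.keystore.path": None,
    "xpack.security.transport.ssl.truststore.path": None,
}


def parse_flat_yaml(text: str) -> Dict[str, str]:
    """Parse the flat `key: value` lines elasticsearch.yml uses (no nested mappings)."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip().strip("'\"")
    return settings


def audit_transport_tls(text: str) -> List[str]:
    """Return findings for the fragment; an empty list means it matches the walkthrough."""
    settings = parse_flat_yaml(text)
    findings: List[str] = []
    for key, allowed in REQUIRED.items():
        if not settings.get(key):
            findings.append(f"missing: {key}")
        elif allowed is not None and settings[key] not in allowed:
            findings.append(f"unexpected value for {key}: {settings[key]}")
    # The keystore/truststore passwords are secure settings: they belong in the
    # elasticsearch keystore (step 5), and Elasticsearch rejects them in the yml.
    for key in settings:
        if key.endswith(".secure_password"):
            findings.append(f"secure setting in elasticsearch.yml: {key}")
    return findings


# Constructed sample: only the two settings from the single-node section, which on a
# multi-node cluster fails with "SSLHandshakeException: no cipher suites in common".
BEFORE = "xpack.security.enabled: true\nxpack.security.transport.ssl.enabled: true\n"

# Constructed sample: BEFORE plus the settings from step 4 of the TLS section.
AFTER = BEFORE + """xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: certs/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: certs/elastic-certificates.p12
"""
```

Running audit_transport_tls on each node's elasticsearch.yml before the restart in step 6 catches a node that was missed when the settings in step 4 were rolled out.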

Original article: https://www.cnblogs.com/hxlasky/p/11725339.html