Generating certificates for an Elasticsearch 6.8 cluster with TLS

1. Generate certificates
1. Run the command that creates the CA. Execute:
su - elasticsearch
[elasticsearch@rac01 bin]$ cd /usr/local/services/elasticsearch/bin
[elasticsearch@rac01 bin]$ ./elasticsearch-certutil ca
This tool assists you in the generation of X.509 certificates and certificate
signing requests for use with SSL/TLS in the Elastic stack.

The 'ca' mode generates a new 'certificate authority'
This will create a new X.509 certificate and private key that can be used
to sign certificate when running in 'cert' mode.

Use the 'ca-dn' option if you wish to configure the 'distinguished name'
of the certificate authority

By default the 'ca' mode produces a single PKCS#12 output file which holds:
* The CA certificate
* The CA's private key

If you elect to generate PEM format certificates (the -pem option), then the output will
be a zip file containing individual files for the CA certificate and private key

Please enter the desired output file [elastic-stack-ca.p12]: ## just press Enter
Enter password for elastic-stack-ca.p12 : ## just press Enter

At this point the file elastic-stack-ca.p12 is generated in the current directory:
[elasticsearch@rac01 bin]$ ls -al elastic-stack-ca.p12
-rw------- 1 elasticsearch elasticsearch 2527 May 18 11:51 elastic-stack-ca.p12


Follow the prompts: at Please enter the desired output file [elastic-stack-ca.p12] you can type a file name and press Enter, or just press Enter to accept the default elastic-stack-ca.p12.
At Enter password for elastic-stack-ca.p12 : the password may be left empty, so press Enter again. The CA is now created and the file is written to the directory the command was run from (bin, in this case). It contains the CA's private key, which is why the tool creates it with the 0600 permissions shown above; keep it that way.


2. Use elastic-stack-ca.p12 to generate elastic-certificates.p12
The command is: elasticsearch-certutil cert --ca elastic-stack-ca.p12

[elasticsearch@rac01 bin]$ ./elasticsearch-certutil cert --ca elastic-stack-ca.p12
Enter password for CA (elastic-stack-ca.p12) : ## just press Enter
Please enter the desired output file [elastic-certificates.p12]: ## just press Enter
Enter password for elastic-certificates.p12 : ## just press Enter

The file is now present in the current directory:
[elasticsearch@rac01 bin]$ ls -al elastic-certificates.p12

The first prompt, Enter password for CA (elastic-stack-ca.p12) :, asks for the password of the CA file from the previous step; if none was set, just press Enter.
The next prompt, Please enter the desired output file [elastic-certificates.p12]:, names the file being generated; the default is elastic-certificates.p12.
The last prompt, Enter password for elastic-certificates.p12 :, sets a password on the new file; press Enter when done. If you do set a password here, the node cannot open the file until that password is stored in the Elasticsearch keystore as xpack.security.transport.ssl.keystore.secure_password (and truststore.secure_password); leaving it empty, as in this walkthrough, avoids that step.
We now have two files, elastic-stack-ca.p12 and elastic-certificates.p12. Because no --name, --dns or --ip options were given, the node certificate carries no subject alternative names and the same certificate is shared by every node; that is why the configuration below uses verification_mode: certificate (chain validation only) rather than full (which also checks the host name or IP).

Move both files into the config directory:
[elasticsearch@rac01 bin]$ mv elastic-stack-ca.p12 ../config/
[elasticsearch@rac01 bin]$ mv elastic-certificates.p12 ../config/


3. Copy the two files from node 1 to the other nodes
[elasticsearch@rac01 bin]$ cd /usr/local/services/elasticsearch/config
[elasticsearch@rac01 config]$ scp elastic-certificates.p12 192.168.56.112:/usr/local/services/elasticsearch/config/
[elasticsearch@rac01 config]$ scp elastic-stack-ca.p12 192.168.56.112:/usr/local/services/elasticsearch/config/

[elasticsearch@rac01 config]$ scp elastic-certificates.p12 192.168.56.113:/usr/local/services/elasticsearch/config/
[elasticsearch@rac01 config]$ scp elastic-stack-ca.p12 192.168.56.113:/usr/local/services/elasticsearch/config/

Only elastic-certificates.p12 is referenced by the configuration below. elastic-stack-ca.p12 holds the CA private key and is copied along here purely for convenience; whoever can read it can issue certificates that every node trusts, so on anything beyond a test cluster keep it off the nodes (and off shared storage) once the node certificate has been signed. After copying, confirm on each node that both files are owned by the elasticsearch user with mode 0600 (ls -l in the config directory) and fix them with chmod 600 if not.

 

4. Edit the configuration file
Append the following to the configuration file on every machine:

[root@rac01 middle]# su - elasticsearch
vi /usr/local/services/elasticsearch/config/elasticsearch.yml
Add these settings. The keystore and truststore paths are resolved relative to the config directory, which is why the files were moved there, and since the keystore was created without a password there is nothing to add to the Elasticsearch keystore. These settings turn on security and encrypt and authenticate the transport layer (node-to-node traffic, port 9300 by default); the HTTP port stays plain HTTP, which is why the curl commands further down still use http://.
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12
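Before restarting it is worth checking that every node's elasticsearch.yml really carries these five settings with safe values and that the keystore it points at is readable only by the elasticsearch user. The script below is an added example, not part of the original post or of Elasticsearch's own tooling: it reads the settings from a given elasticsearch.yml, rejects verification_mode: none (which would still encrypt transport traffic but let a node presenting any certificate join the cluster), and checks the permissions of the referenced keystore. The default config path is an assumption.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check the transport-TLS
# settings in an elasticsearch.yml and the keystore it points at, before the
# node is restarted. The default config path at the bottom is an assumption.

# yaml_value FILE KEY: print the value of a top-level "key: value" line.
# Commented-out lines are ignored; if the key appears twice the last one wins.
yaml_value() {
    file=$1
    key=$(printf '%s' "$2" | sed 's/\./\\./g')   # escape dots for the regex
    sed -n "s/^[[:space:]]*$key[[:space:]]*:[[:space:]]*//p" "$file" \
        | sed 's/[[:space:]]*$//' | tail -n 1
}

# check_setting FILE KEY REGEX: the key must be present and its whole value
# must match REGEX. Prints one status line; returns 1 on failure.
check_setting() {
    value=$(yaml_value "$1" "$2")
    if [ -z "$value" ]; then
        echo "MISSING  $2"
        return 1
    fi
    if printf '%s\n' "$value" | grep -Eq "^($3)\$"; then
        echo "ok       $2: $value"
        return 0
    fi
    echo "BAD      $2: $value (expected $3)"
    return 1
}

# check_keystore_perms FILE: the keystore is read by the elasticsearch user
# only, so group and other must have no bits set (certutil creates it 0600).
check_keystore_perms() {
    file=$1
    if [ ! -f "$file" ]; then
        echo "MISSING  keystore $file"
        return 1
    fi
    rest=$(ls -ld "$file" | cut -c5-10)   # group+other bits of "-rw-------"
    if [ "$rest" = "------" ]; then
        echo "ok       $file is not readable by group/other"
        return 0
    fi
    echo "BAD      $file is readable by group/other (bits: $rest)"
    return 1
}

# check_es_security_config FILE: run every check; returns the number of
# failed checks, so 0 means the node is ready to restart with security on.
check_es_security_config() {
    cfg=$1
    fails=0
    check_setting "$cfg" xpack.security.enabled 'true' || fails=$((fails + 1))
    check_setting "$cfg" xpack.security.transport.ssl.enabled 'true' || fails=$((fails + 1))
    # "none" would still encrypt but accept any certificate, so it is rejected
    check_setting "$cfg" xpack.security.transport.ssl.verification_mode 'certificate|full' || fails=$((fails + 1))
    check_setting "$cfg" xpack.security.transport.ssl.keystore.path '.+\.p12' || fails=$((fails + 1))
    check_setting "$cfg" xpack.security.transport.ssl.truststore.path '.+\.p12' || fails=$((fails + 1))
    ks=$(yaml_value "$cfg" xpack.security.transport.ssl.keystore.path)
    if [ -n "$ks" ]; then
        # relative keystore paths are resolved against the config directory
        case $ks in
            /*) kspath=$ks ;;
            *)  kspath=$(dirname "$cfg")/$ks ;;
        esac
        check_keystore_perms "$kspath" || fails=$((fails + 1))
    fi
    return $fails
}

# Usage: sh check-es-tls.sh /usr/local/services/elasticsearch/config/elasticsearch.yml
if [ $# -eq 1 ]; then
    check_es_security_config "$1"
fi
```

Run it on each node after editing elasticsearch.yml; a non-zero exit code lists exactly which setting or file to fix before the restart.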

5. Restart
Kill the running process, then start it again
kill -9 <pid>
(A plain kill <pid>, which sends SIGTERM, lets the node shut down cleanly; reserve -9 for a node that refuses to exit.)

[root@rac01 middle]# su - elasticsearch
[elasticsearch@es ~]$ cd /usr/local/services/elasticsearch/bin
./elasticsearch -d

From now on, requests need credentials:
curl 'http://192.168.56.111:19200/_cat/nodes?pretty'

[elasticsearch@rac01 bin]$ curl 'http://192.168.56.111:19200/_cat/nodes?pretty'
{
  "error" : {
    "root_cause" : [
      {
        "type" : "security_exception",
        "reason" : "missing authentication token for REST request [/_cat/nodes?pretty]",
        "header" : {
          "WWW-Authenticate" : "Basic realm=\"security\" charset=\"UTF-8\""
        }
      }
    ],
    "type" : "security_exception",
    "reason" : "missing authentication token for REST request [/_cat/nodes?pretty]",
    "header" : {
      "WWW-Authenticate" : "Basic realm=\"security\" charset=\"UTF-8\""
    }
  },
  "status" : 401
}

 

Next, set the passwords.

6. Set passwords
Run this on one machine only; I run it on 192.168.56.111 here and set every password to elastic. The tool authenticates with the built-in bootstrap password and stores the new passwords in the cluster's security index, so they apply to every node. It can only be run once: after it succeeds the bootstrap password no longer works and later changes go through the change password API. It talks to the node over the plain HTTP port (19200 here), since HTTP TLS is not configured in this walkthrough. Using elastic for all six users is acceptable only for a throwaway lab.
[elasticsearch@rac01 bin]$ cd /usr/local/services/elasticsearch/bin
[elasticsearch@rac01 bin]$ ./elasticsearch-setup-passwords interactive
Initiating the setup of passwords for reserved users elastic,apm_system,kibana,logstash_system,beats_system,remote_monitoring_user.
You will be prompted to enter passwords as the process progresses.
Please confirm that you would like to continue [y/N]y


Enter password for [elastic]:
Reenter password for [elastic]:
Enter password for [apm_system]:
Reenter password for [apm_system]:
Enter password for [kibana]:
Reenter password for [kibana]:
Enter password for [logstash_system]:
Reenter password for [logstash_system]:
Enter password for [beats_system]:
Reenter password for [beats_system]:
Enter password for [remote_monitoring_user]:
Reenter password for [remote_monitoring_user]:
Changed password for user [apm_system]
Changed password for user [kibana]
Changed password for user [logstash_system]
Changed password for user [beats_system]
Changed password for user [remote_monitoring_user]
Changed password for user [elastic]
[elasticsearch@rac01 bin]$
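For anything other than a lab, each reserved user should get its own random password. The script below is an added example, not part of the original post or of Elasticsearch's tooling: it generates a distinct random password per reserved user, records them in a file created with mode 0600 before any secret is written to it, and builds the answer stream for elasticsearch-setup-passwords interactive in the order the tool prompts (the order shown in the output above). That the tool accepts these answers from a pipe instead of a terminal is an assumption of this example, as are the binary path and the location of the credentials file.

```shell
#!/bin/sh
# Added example (not from the original post): one random password per reserved
# user, stored in a 0600 file, then piped into elasticsearch-setup-passwords.
# Assumptions: ES_BIN, the CREDS location, and that the tool reads its answers
# from stdin when stdin is not a terminal.

ES_BIN=${ES_BIN:-/usr/local/services/elasticsearch/bin}
CREDS=${CREDS:-$HOME/es-reserved-users.txt}

# Reserved users in the order the tool prompts for them (see its output above).
USERS="elastic apm_system kibana logstash_system beats_system remote_monitoring_user"

# gen_password [LEN]: LEN (default 24) characters from /dev/urandom, restricted
# to a set that needs no quoting in shell, YAML or HTTP basic auth.
gen_password() {
    LC_ALL=C tr -dc 'A-Za-z0-9_.%+=' < /dev/urandom | head -c "${1:-24}"
}

# write_credentials FILE: create FILE with mode 0600 first, then append one
# "user=password" line per reserved user, so no secret ever sits in a
# group- or world-readable file, even briefly.
write_credentials() {
    (
        umask 077
        : > "$1"
        for u in $USERS; do
            printf '%s=%s\n' "$u" "$(gen_password)" >> "$1"
        done
    )
}

# password_for FILE USER: look one password up again.
password_for() {
    sed -n "s/^$2=//p" "$1"
}

# setup_answers FILE: the exact line sequence interactive mode asks for:
# "y" to confirm, then each password typed twice, in USERS order.
setup_answers() {
    printf 'y\n'
    for u in $USERS; do
        p=$(password_for "$1" "$u")
        printf '%s\n%s\n' "$p" "$p"
    done
}

# run_setup: generate, store and feed the answers to the tool. Run it on one
# node only, and only once: afterwards the bootstrap password is gone and
# further changes go through the change password API.
run_setup() {
    write_credentials "$CREDS"
    setup_answers "$CREDS" | "$ES_BIN/elasticsearch-setup-passwords" interactive
    echo "passwords written to $CREDS (mode 0600); keep that file out of backups and version control"
}

# Invoke as: sh set-es-passwords.sh run
if [ "${1:-}" = "run" ]; then
    run_setup
fi
```

Afterwards the curl checks below use password_for "$CREDS" elastic instead of the literal elastic, and the kibana, logstash_system and beats_system passwords go into the matching client configurations.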

7. Verify
These requests go over plain HTTP, so the basic-auth credentials cross the network unencrypted; the TLS configured above protects node-to-node traffic only, and TLS on the HTTP port is a separate setting (xpack.security.http.ssl.enabled) not covered here.
curl -u elastic:elastic 'http://192.168.56.111:19200/_cat/nodes?v'
curl -u elastic:elastic 'http://192.168.56.112:19200/_cat/nodes?v'
curl -u elastic:elastic 'http://192.168.56.113:19200/_cat/nodes?v'
curl -u elastic:elastic 'http://192.168.56.111:19200/_cat/health?v'

8. Data verification
List the indices:
curl -u elastic:elastic -X GET 'http://192.168.56.111:19200/_cat/indices?v'

Create an index and write a document on node 1
curl -u elastic:elastic -XPUT 'http://192.168.56.111:19200/db_customer'
curl -u elastic:elastic -H "Content-Type: application/json" -XPUT 'http://192.168.56.111:19200/db_customer/tb_test/1' -d '{"name": "huangxueliang"}'

Read the document back
curl -u elastic:elastic -XGET 'http://192.168.56.111:19200/db_customer/tb_test/1?pretty'

Read the same document from the other nodes
curl -u elastic:elastic -XGET 'http://192.168.56.112:19200/db_customer/tb_test/1?pretty'
curl -u elastic:elastic -XGET 'http://192.168.56.113:19200/db_customer/tb_test/1?pretty'

 

Elasticsearch 7 removed mapping types and uses _doc in the URL in their place; on this 6.8 cluster the typeless form below also returns the document:

curl -u elastic:elastic -XGET 'http://192.168.56.112:19200/db_customer/_doc/1?pretty'

Original article: https://www.cnblogs.com/hxlasky/p/14784423.html