ElasticSearch开启xpack
ES开启xpack
1、生成ca证书(用户名和密码不用设置,一路回车,生成证书文件elastic-stack-ca.p12,生成kibana证书的时候也需要该ca证书)
/opt/dtstack/es-6.8.23/es/bin/elasticsearch-certutil ca
2、通过ca生成证书和私钥(用户密码可以为空,一路回车)
/opt/dtstack/es-6.8.23/es/bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12
3、给生成的文件进行授权
chmod 660 elastic-certificates.p12 chown admin:admin elastic-certificates.p12
4、修改配置文件elasticsearch.yml吗,开启xpack功能
#增加如下内容 xpack.security.enabled: true xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.verification_mode: certificate xpack.security.transport.ssl.keystore.path: elastic-certificates.p12 xpack.security.transport.ssl.truststore.path: elastic-certificates.p12
5、重启elasticsearch
6、创建keytab文件(如果已经存在可以忽略此步)
#判断是否存在elasticsearch.keystore ls /etc/elasticsearch/elasticsearch.keystore #不存在时执行 /opt/dtstack/es-6.8.23/es/bin/elasticsearch-keystore create
7、设置内置用户的密码
内置用户
只在集群中一个节点上执行,默认会创建一个索引.secutity-6
注意:执行之前一定要看一下集群的日志,由于刚才进行了重启,集群的状态从red还未变成yellow或者green,集群状态变成yellow时就可以操作了,目的是要能创建索引。否则创建失败。
如需要自动生成密码可以将interactive 替换为 auto,让系统自动生成
/opt/dtstack/es-6.8.23/es/bin/elasticsearch-setup-passwords interactive Initiating the setup of passwords for reserved users elastic,apm_system,kibana,logstash_system,beats_system,remote_monitoring_user. You will be prompted to enter passwords as the process progresses. Please confirm that you would like to continue [y/N]y Enter password for [elastic]: Reenter password for [elastic]: Enter password for [apm_system]: Reenter password for [apm_system]: Enter password for [kibana]: Reenter password for [kibana]: Enter password for [logstash_system]: Reenter password for [logstash_system]: Enter password for [beats_system]: Reenter password for [beats_system]: Enter password for [remote_monitoring_user]: Reenter password for [remote_monitoring_user]: Changed password for user [apm_system] Changed password for user [kibana] Changed password for user [logstash_system] Changed password for user [beats_system] Changed password for user [remote_monitoring_user] Changed password for user [elastic]
设置完成后重启es。
kibana开启xpack
1、使用使用es生成的p12证书生成kibana证书
/opt/dtstack/es-6.8.23/es/bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 --dns kibana --name kibana
2、获取pem证书
kibana 不能够直接使用 PKCS#12类型的证书,所以需要基于p12生成pem证书
openssl pkcs12 -in kibana.p12 -clcerts -nokeys -chain -out ca.pem 执行后会得到kibana使用的pem证书,名为 ca.pem
拓展:用下面的命令 从 elastic-stack-ca.p12 中分离出 kibana节点的key 和 crt,执行以下命令:
bin/elasticsearch-certutil cert --pem -ca elastic-stack-ca.p12 --dns kibana
适应key和crt的方式的话,需要将配置文件增加
#用HTTPS方式访问kibana,使用获取到的crt和key文件 server.ssl.enabled: true server.ssl.certificate: /opt/kibana-6.8.0-linux-x86_64/config/xp/instance/instance.crt server.ssl.key: /opt/kibana-6.8.0-linux-x86_64/config/xp/instance/instance.key
3、修改配置文件kibana.yml
server.port: 5601 server.host: hostip server.name: hostname #es集群 elasticsearch.hosts: [http://hostip1:9200,http://hostip2:9200,http://hostip3:9200] kibana.index: .kibana elasticsearch.username: "kibana" elasticsearch.password: "kibana用户的密码" #使用pem方式 elasticsearch.ssl.certificateAuthorities: [ "/opt/dtstack/kibana-6.8.23/kibana/config/ca.pem" ] xpack.reporting.encryptionKey: "something_at_least_32_characters" elasticsearch.ssl.verificationMode: certificate i18n.locale: zh-CN
完整版:
# Kibana is served by a back end server. This setting specifies the port to use.
server.port: 5601
# Specifies the address to which the Kibana server will bind. IP addresses and host names are both valid values.
# The default is 'localhost', which usually means remote machines will not be able to connect.
# To allow connections from remote users, set this parameter to a non-loopback address.
server.host: hostip
# Enables you to specify a path to mount Kibana at if you are running behind a proxy.
# Use the `server.rewriteBasePath` setting to tell Kibana if it should remove the basePath
# from requests it receives, and to prevent a deprecation warning at startup.
# This setting cannot end in a slash.
#server.basePath: ""
# Specifies whether Kibana should rewrite requests that are prefixed with
# `server.basePath` or require that they are rewritten by your reverse proxy.
# This setting was effectively always `false` before Kibana 6.3 and will
# default to `true` starting in Kibana 7.0.
#server.rewriteBasePath: false
# Specifies the public URL at which Kibana is available for end users. If
# `server.basePath` is configured this URL should end with the same basePath.
#server.publicBaseUrl: ""
# The maximum payload size in bytes for incoming server requests.
#server.maxPayload: 1048576
# The Kibana server's name. This is used for display purposes.
#server.name: "your-hostname"
server.name: hostname
# The URLs of the Elasticsearch instances to use for all your queries.
elasticsearch.hosts: [http://hostip1:9200,http://hostip2:9200,http://hostip3:9200]
# Kibana uses an index in Elasticsearch to store saved searches, visualizations and
# dashboards. Kibana creates a new index if the index doesn't already exist.
kibana.index: .kibana
# The default application to load.
#kibana.defaultAppId: "home"
# If your Elasticsearch is protected with basic authentication, these settings provide
# the username and password that the Kibana server uses to perform maintenance on the Kibana
# index at startup. Your Kibana users still need to authenticate with Elasticsearch, which
# is proxied through the Kibana server.
elasticsearch.username: "kibana"
elasticsearch.password: "kibana用户的密码"
# Enables SSL and paths to the PEM-format SSL certificate and SSL key files, respectively.
# These settings enable SSL for outgoing requests from the Kibana server to the browser.
#server.ssl.enabled: false
#server.ssl.certificate: /path/to/your/server.crt
#server.ssl.key: /path/to/your/server.key
# Optional settings that provide the paths to the PEM-format SSL certificate and key files.
# These files are used to verify the identity of Kibana to Elasticsearch and are required when
# xpack.security.http.ssl.client_authentication in Elasticsearch is set to required.
#elasticsearch.ssl.certificate: /path/to/your/client.crt
#elasticsearch.ssl.key: /path/to/your/client.key
# Optional setting that enables you to specify a path to the PEM file for the certificate
# authority for your Elasticsearch instance.
elasticsearch.ssl.certificateAuthorities: [ "/opt/dtstack/kibana-6.8.23/kibana/config/ca.pem" ]
xpack.reporting.encryptionKey: "something_at_least_32_characters"
# To disregard the validity of SSL certificates, change this setting's value to 'none'.
elasticsearch.ssl.verificationMode: certificate
# Time in milliseconds to wait for Elasticsearch to respond to pings. Defaults to the value of
# the elasticsearch.requestTimeout setting.
#elasticsearch.pingTimeout: 1500
# Time in milliseconds to wait for responses from the back end or Elasticsearch. This value
# must be a positive integer.
#elasticsearch.requestTimeout: 30000
# List of Kibana client-side headers to send to Elasticsearch. To send *no* client-side
# headers, set this value to [] (an empty list).
#elasticsearch.requestHeadersWhitelist: [ authorization ]
# Header names and values that are sent to Elasticsearch. Any custom headers cannot be overwritten
# by client-side headers, regardless of the elasticsearch.requestHeadersWhitelist configuration.
#elasticsearch.customHeaders: {}
# Time in milliseconds for Elasticsearch to wait for responses from shards. Set to 0 to disable.
#elasticsearch.shardTimeout: 30000
# Logs queries sent to Elasticsearch. Requires logging.verbose set to true.
#elasticsearch.logQueries: false
# Specifies the path where Kibana creates the process ID file.
#pid.file: /run/kibana/kibana.pid
# Enables you to specify a file where Kibana stores log output.
#logging.dest: stdout
# Set the value of this setting to true to suppress all logging output.
#logging.silent: false
# Set the value of this setting to true to suppress all logging output other than error messages.
#logging.quiet: false
# Set the value of this setting to true to log all events, including system usage information
# and all requests.
#logging.verbose: false
# Set the interval in milliseconds to sample system and process performance
# metrics. Minimum is 100ms. Defaults to 5000.
#ops.interval: 5000
# Specifies locale to be used for all localizable strings, dates and number formats.
# Supported languages are the following: English - en , by default , Chinese - zh-CN .
i18n.locale: zh-CN拓展:
kibana中用哪种一种证书去与es通讯,取决于 es集群用的是哪种证书:es集群 如果是用 .p12 格式的证书去配置的 keystore 、truststore,那么 kibana 用 .pem 证书;如果es集群用的是 .key 和 .crt 格式的证书 去开启的x-pack,那么 kibana 用 .crt 证书 去做 elasticsearch.ssl.certificateAuthorities 的配置。
