2025-04-10 Update From: SLTechnology News&Howtos > Servers
Shulou (Shulou.com) 06/03 Report
Implementation of ElasticSearch Cluster encrypted Communication based on TLS
Author: "Little Wolf", welcome to reprint
Catalogue
▪ Use
▪ ES Node Information
▪ Step1. Shut down the service
▪ Step2. Create a CA certificate
▪ Step3. Create a CERT certificate
▪ Step4. Create a KeyStore
▪ Step5. Delete CA certificate
▪ Step6. Modify elasticsearch.yml configuration
▪ Step7. Start the service
▪ Appendix. Reference documentation
Use
Previously on:
The first EFK tutorial, Quick Start Guide, described the installation and deployment of EFK. There the ElasticSearch architecture was three nodes, with the master, ingest and data roles deployed together on each of the three servers.
The second, EFK tutorial: ElasticSearch High Performance and High Availability Architecture, described the purpose of the data/ingest/master roles and deployed them on three separate nodes, maximizing performance while keeping the cluster highly available.
The third, EFK tutorial (3): ElasticSearch Hot and Cold Data Separation, explained the multi-instance deployment of ES, storing data of different heat on different disks to separate hot and cold data and allocate resources sensibly.
In those three articles the traffic between ES nodes is plaintext. In this article we create a CA and a certificate for every node of the ES cluster and use TLS to encrypt, and mutually authenticate, the transport-layer traffic between ElasticSearch nodes.
ES Node Information
This article builds on the environment of the previous article, EFK tutorial (3): ElasticSearch Hot and Cold Data Separation, so the node information is the same as there:
Step1. Shut down the service
First, stop all ElasticSearch, Kibana and Filebeat services. They are started again only after the certificate configuration is complete.
Step2. Create a CA certificate
1. This can be done on any ElasticSearch node server.
cd /opt/elasticsearch/
# --days: validity period of the CA certificate in days
sudo -u elasticsearch ./bin/elasticsearch-certutil ca --days 3660
The tool prompts for the output file name (default elastic-stack-ca.p12) and for a password protecting it; choose a strong one, since this password is all that protects the CA private key stored inside the file.
2. Copy the generated CA certificate to a safe place and keep it permanently: it is needed again whenever a new ES node is added later.
3. Copy elastic-stack-ca.p12 to every ES instance server, over scp or another authenticated channel, since the file contains the CA private key.
Step3. Create a CERT certificate
Go to the directory of each instance according to the table above and create its CERT certificate.
# create the certificate directory under the ES directory and hand it to the elasticsearch user
mkdir -p config/certs
chown -R elasticsearch:elasticsearch config/certs
# one certificate per instance
# --ca    the CA certificate file, required
# --dns   server name(s), comma-separated, optional
# --ip    server IP(s), comma-separated, optional
# --out   output path, optional
# --days  validity period in days, optional
# replace <node IP> with the instance's own IP address
sudo -u elasticsearch ./bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 --ip <node IP>,127.0.0.1 --out config/certs/cert.p12 --days 3660
# for example, on elasticsearch-master-1 (192.168.1.31) run:
sudo -u elasticsearch ./bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 --ip 192.168.1.31,127.0.0.1 --out config/certs/cert.p12 --days 3660
certutil first asks for the password of the CA file, then for a password to protect the new cert.p12; that second password is the one stored in the keystore in Step 4. Because only --ip is given, the certificate carries IP subjectAltNames and no DNS names, so the nodes must later address each other by these IPs.
To generate CERT certificates in batches, see the links in the appendix. Batch generation sometimes produces certificates that turn out to be unusable, so generating them one by one is recommended.
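Since a certificate that turns out to be unusable is only discovered when the nodes refuse to join each other, it is worth checking each generated cert.p12 before moving on. The following shell function is an added example, not part of the original tutorial or of Elasticsearch itself. It needs only the openssl CLI and assumes what certutil cert --ca produces: a PKCS#12 file bundling the node certificate and the issuing CA certificate. The file name, the password typed at the certutil prompt and the IP given to --ip are passed as arguments; the function confirms the file opens, that the node certificate chains to the bundled CA (what a peer using this file as its truststore will check), and that the expected IP is present as a subjectAltName (what verification_mode: full will check).

```shell
#!/bin/sh
# Added example (not from the original article): sanity-check a node's cert.p12
# before it goes into elasticsearch.yml. Requires the openssl CLI. Assumes the
# PKCS#12 file bundles the node certificate plus its CA certificate, which is
# what elasticsearch-certutil cert --ca writes.

# check_node_cert <cert.p12> <password> <expected-ip>
# Exit status 0 when the file opens with the password, the node certificate
# chains to the CA certificate found in the same file, and the node certificate
# carries the expected IP as a subjectAltName; non-zero with a FAIL message otherwise.
check_node_cert() {
  p12=$1; pass=$2; want_ip=$3
  tmp=$(mktemp -d) || return 1
  rc=1
  # 1. Dump every certificate in the bundle as PEM (no private key). A wrong
  #    password fails here with a MAC verify error.
  if ! openssl pkcs12 -in "$p12" -nokeys -passin "pass:$pass" -out "$tmp/all.pem" >/dev/null 2>&1; then
    echo "FAIL: cannot open $p12 (wrong password or not a PKCS#12 file)" >&2
    rm -rf "$tmp"; return 1
  fi
  # 2. Split the dump into one file per certificate, then sort them: a
  #    self-signed certificate (subject == issuer) is the CA, anything else
  #    is treated as the node certificate.
  awk '/-----BEGIN CERTIFICATE-----/{n++; f=1} f{print > (d "/c" n ".pem")} /-----END CERTIFICATE-----/{f=0}' \
      d="$tmp" "$tmp/all.pem"
  for c in "$tmp"/c*.pem; do
    [ -f "$c" ] || continue
    subj=$(openssl x509 -in "$c" -noout -subject); subj=${subj#subject=}
    iss=$(openssl x509 -in "$c" -noout -issuer);   iss=${iss#issuer=}
    if [ "$subj" = "$iss" ]; then cat "$c" >> "$tmp/ca.pem"; else cat "$c" >> "$tmp/leaf.pem"; fi
  done
  # Escape the dots so 192.168.1.3 does not match 192.168.1.31 in the SAN list.
  want_re=$(printf '%s' "$want_ip" | sed 's/\./\\./g')
  if [ ! -s "$tmp/ca.pem" ] || [ ! -s "$tmp/leaf.pem" ]; then
    echo "FAIL: $p12 must contain both the node certificate and the CA certificate" >&2
  # 3. Chain check: the node certificate must verify against the bundled CA,
  #    exactly what a peer using this file as its truststore does.
  elif ! openssl verify -CAfile "$tmp/ca.pem" "$tmp/leaf.pem" >/dev/null 2>&1; then
    echo "FAIL: node certificate in $p12 does not chain to the bundled CA" >&2
  # 4. SAN check: verification_mode: full compares the peer's address with the
  #    certificate's subjectAltName entries, so the IP given to --ip must be there.
  elif ! openssl x509 -in "$tmp/leaf.pem" -noout -text | grep -Eq "IP Address:${want_re}"'(,|$)'; then
    echo "FAIL: node certificate in $p12 has no IP SAN for $want_ip" >&2
  else
    echo "OK: $p12 chains to its CA and has IP SAN $want_ip"
    rc=0
  fi
  rm -rf "$tmp"
  return $rc
}

# usage on a node, e.g. elasticsearch-master-1:
#   check_node_cert config/certs/cert.p12 '<password chosen at the certutil prompt>' 192.168.1.31
```

Run it from the instance directory right after certutil finishes, before the CA file is deleted in Step 5, so a bad certificate can simply be regenerated. Two caveats: the password appears in the process list while the function runs, so use it only on the admin host; and if the check fails at step 1 with an unsupported-algorithm error on OpenSSL 3, the PKCS#12 file uses a legacy cipher and the two openssl pkcs12 invocations need the -legacy option added.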
Step4. Create a KeyStore
Go to the directory of each instance according to the table above and create its KeyStore.
# run on every instance
# create the keystore
sudo -u elasticsearch ./bin/elasticsearch-keystore create
# password of the PKCS#12 keystore file (cert.p12)
sudo -u elasticsearch ./bin/elasticsearch-keystore add xpack.security.transport.ssl.keystore.secure_password
# password of the truststore
sudo -u elasticsearch ./bin/elasticsearch-keystore add xpack.security.transport.ssl.truststore.secure_password
Each add command prompts for the value. Both values are the password chosen for cert.p12 in Step 3, because Step 6 points the keystore and the truststore at that same file.
Confirm that both entries are present in the KeyStore:
sudo -u elasticsearch ./bin/elasticsearch-keystore list
Step5. Delete CA certificate
Because the elastic-stack-ca.p12 created above contains the CA private key, delete it from the servers once the node certificates exist (make sure it is backed up first, as it is needed later to add nodes).
Go to the corresponding directory on each server (see the table above) and delete the CA certificate:
rm -f elastic-stack-ca.p12
rm only unlinks the file; where the disk is not encrypted, overwrite it first (for example with shred -u) so the CA private key does not linger in freed blocks.
Step6. Modify elasticsearch.yml configuration
Edit elasticsearch.yml under each instance's config directory according to the table above.
# add the following configuration to all instances
# enable TLS on the transport layer (node-to-node traffic)
xpack.security.transport.ssl.enabled: true
# verification mode: full = verify the certificate chain and that the peer's host name or IP matches the certificate; certificate = verify the chain only, with no host name/IP check. The default is full.
xpack.security.transport.ssl.verification_mode: full
# path (relative to the config directory) of the PKCS#12 file containing the node's private key and certificate
xpack.security.transport.ssl.keystore.path: certs/cert.p12
# path of the PKCS#12 file containing the certificates to trust; cert.p12 also carries the CA certificate, so the same file serves both purposes
xpack.security.transport.ssl.truststore.path: certs/cert.p12
Two things to check before starting. These settings are part of X-Pack security and only take effect when it is enabled (xpack.security.enabled: true), so confirm that setting is present. And because the certificates from Step 3 carry only IP subjectAltNames, verification_mode: full requires that nodes reach each other by those IPs: discovery.seed_hosts and the like must list IP addresses rather than host names, or the handshake fails the host name check.
Step7. Start the service
# start all ES instances
sudo -u elasticsearch ./bin/elasticsearch
# start filebeat
/opt/filebeat/filebeat -e -c /opt/filebeat/filebeat.yml -d "publish"
# start kibana
sudo -u kibana /opt/kibana/bin/kibana -c /opt/kibana/config/kibana.yml
Once all instances are up, confirm that the cluster has formed with all nodes present; if a node cannot join, the TLS handshake error is logged on both sides.
Appendix. Reference documentation
https://www.elastic.co/guide/en/elasticsearch/reference/current/configuring-tls.html
https://www.elastic.co/guide/en/elasticsearch/reference/7.3/certutil.html