Environment:
ES: 6.5.0 (from 6.8 on, the X-Pack security features are included in the free basic license, so none of the patching below is needed)
OS: CentOS 7
------------------------------------------------------------ Single-node configuration ------------------------------------------------------------
1. Create a working directory
[esuser@localhost ~]$ cd /home/esuser
[esuser@localhost ~]$ mkdir xpach
2. Prepare the following two Java source files
LicenseVerifier.java
    package org.elasticsearch.license;

    // Replacement for the stock class: both overloads return true unconditionally,
    // so the signature carried in the license file is never checked and any
    // hand-edited license document is accepted.
    public class LicenseVerifier {
        public static boolean verifyLicense(final License license, final byte[] encryptedPublicKeyData) {
            return true;
        }

        public static boolean verifyLicense(final License license) {
            return true;
        }
    }
XPackBuild.java
    package org.elasticsearch.xpack.core;

    import java.net.URISyntaxException;
    import java.net.URL;
    import java.nio.file.Path;
    import org.elasticsearch.common.SuppressForbidden;
    import org.elasticsearch.common.io.PathUtils;

    // Replacement for the stock class. The original static initializer reads the
    // build hash and date from the manifest of the jar it was loaded from; this
    // version reports "Unknown" for both and never opens the jar.
    public class XPackBuild {
        public static final XPackBuild CURRENT;

        private final String shortHash;
        private final String date;

        @SuppressForbidden(reason = "looks up path of xpack.jar directly")
        static Path getElasticsearchCodebase() {
            final URL url = XPackBuild.class.getProtectionDomain().getCodeSource().getLocation();
            try {
                return PathUtils.get(url.toURI());
            } catch (URISyntaxException bogus) {
                throw new RuntimeException(bogus);
            }
        }

        XPackBuild(final String shortHash, final String date) {
            this.shortHash = shortHash;
            this.date = date;
        }

        public String shortHash() {
            return shortHash;
        }

        public String date() {
            return date;
        }

        static {
            CURRENT = new XPackBuild("Unknown", "Unknown");
        }
    }
Put the two files in the directory created in step 1
[esuser@localhost xpach]$ pwd
/home/esuser/xpach
[esuser@localhost xpach]$ ls -1
LicenseVerifier.java
XPackBuild.java
3. Compile the replacements
Compile the two Java files into class files; these two classes are what gets swapped into the jar. They reference classes from other Elasticsearch jars, so javac needs those jars on the classpath (-cp); XPackBuild additionally needs elasticsearch-core, which provides SuppressForbidden.
[esuser@localhost xpach]$ cd /home/esuser/xpach
javac -cp "/home/esuser/single_elasticsearch/lib/elasticsearch-6.5.0.jar:/home/esuser/single_elasticsearch/lib/lucene-core-7.5.0.jar:/home/esuser/single_elasticsearch/modules/x-pack-core/x-pack-core-6.5.0.jar" LicenseVerifier.java
javac -cp "/home/esuser/single_elasticsearch/lib/elasticsearch-6.5.0.jar:/home/esuser/single_elasticsearch/lib/lucene-core-7.5.0.jar:/home/esuser/single_elasticsearch/modules/x-pack-core/x-pack-core-6.5.0.jar:/home/esuser/single_elasticsearch/lib/elasticsearch-core-6.5.0.jar" XPackBuild.java
Running those two commands produces the two class files
[esuser@localhost xpach]$ ls -1
LicenseVerifier.class
LicenseVerifier.java
XPackBuild.class
XPackBuild.java
4. Extract the original jar, overwrite the two classes, and repack
All commands below run in /home/esuser/xpach
[esuser]$ cd /home/esuser/xpach
Copy the original jar into the current directory
[esuser]$ cp -a /home/esuser/single_elasticsearch/modules/x-pack-core/x-pack-core-6.5.0.jar .
Extract it
[esuser]$ jar -xf x-pack-core-6.5.0.jar
Remove the Java sources and the copied jar so they do not end up inside the new archive
[esuser]$ rm -rf LicenseVerifier.java XPackBuild.java x-pack-core-6.5.0.jar
Copy the class files into their package directories
[esuser]$ cp -a LicenseVerifier.class org/elasticsearch/license/
[esuser]$ cp -a XPackBuild.class org/elasticsearch/xpack/core/
Remove the top-level copies
[esuser]$ rm -rf LicenseVerifier.class XPackBuild.class
Repack the jar
[esuser]$ jar -cvf x-pack-core-6.5.0.jar *
Note: jar -c writes a fresh META-INF/MANIFEST.MF (the extracted one is skipped with an "ignoring entry" warning), and the shell glob * does not match dot-files. An alternative with less churn is to leave the original jar intact and update only the two entries in place: jar -uf x-pack-core-6.5.0.jar org/elasticsearch/license/LicenseVerifier.class org/elasticsearch/xpack/core/XPackBuild.class
Back up the original jar, then overwrite it with the rebuilt one
[esuser]$ cp -a x-pack-core-6.5.0.jar /home/esuser/single_elasticsearch/modules/x-pack-core/
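A check worth running before the rebuilt jar replaces the original (added here; it is not part of the original post and not an Elasticsearch tool): compare the entry list of the backup with the rebuilt jar by size and CRC and confirm that only the two intended classes changed, with nothing dropped by the rm -rf steps or left out by the * glob. The jars below are constructed in memory from fake class bytes so the script runs offline; to use it for real, read the backup and the rebuilt x-pack-core-6.5.0.jar from disk and pass them to check_rebuild.

```python
import io
import zipfile

# Entries the procedure is expected to replace.
EXPECTED_CHANGES = frozenset({
    "org/elasticsearch/license/LicenseVerifier.class",
    "org/elasticsearch/xpack/core/XPackBuild.class",
})
# jar -c always writes a fresh manifest, so a changed manifest is tolerated.
TOLERATED = frozenset({"META-INF/MANIFEST.MF"})


def build_jar(entries):
    """Build an in-memory jar (a zip) from {entry name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name in sorted(entries):
            zf.writestr(name, entries[name])
    return buf.getvalue()


def jar_entries(jar_bytes):
    """Map entry name -> (uncompressed size, CRC32) for every file in the jar."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        return {i.filename: (i.file_size, i.CRC) for i in zf.infolist() if not i.is_dir()}


def diff_jars(original, rebuilt):
    """Names of entries that differ between two jars."""
    a, b = jar_entries(original), jar_entries(rebuilt)
    return {
        "changed": sorted(n for n in a.keys() & b.keys() if a[n] != b[n]),
        "removed": sorted(a.keys() - b.keys()),
        "added": sorted(b.keys() - a.keys()),
    }


def check_rebuild(original, rebuilt, expected=EXPECTED_CHANGES, tolerated=TOLERATED):
    """Return (ok, diff): ok only if exactly the expected entries changed and
    nothing else was added, removed or altered (manifest aside)."""
    d = diff_jars(original, rebuilt)
    touched = set(d["changed"]) | set(d["removed"]) | set(d["added"])
    ok = (touched - tolerated == set(expected)) and not d["removed"] and not d["added"]
    return ok, d


# Constructed stand-ins for the real jars: a handful of entries holding fake class
# bytes (real class files also start with 0xCAFEBABE; nothing else is modelled).
_STOCK = {
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\nChange: abc1234\n",
    "org/elasticsearch/license/License.class": b"\xca\xfe\xba\xbe" + b"License",
    "org/elasticsearch/license/LicenseVerifier.class": b"\xca\xfe\xba\xbe" + b"stock verifier",
    "org/elasticsearch/xpack/core/XPackBuild.class": b"\xca\xfe\xba\xbe" + b"stock build",
}
ORIGINAL_JAR = build_jar(_STOCK)

# The intended rebuild: two classes swapped, manifest regenerated by jar -c.
_PATCHED = dict(_STOCK)
_PATCHED["META-INF/MANIFEST.MF"] = b"Manifest-Version: 1.0\n"
_PATCHED["org/elasticsearch/license/LicenseVerifier.class"] = b"\xca\xfe\xba\xbe" + b"return true"
_PATCHED["org/elasticsearch/xpack/core/XPackBuild.class"] = b"\xca\xfe\xba\xbe" + b"Unknown"
PATCHED_JAR = build_jar(_PATCHED)

# A botched rebuild: an over-eager rm removed License.class before repacking.
_BROKEN = dict(_PATCHED)
del _BROKEN["org/elasticsearch/license/License.class"]
BROKEN_JAR = build_jar(_BROKEN)

if __name__ == "__main__":
    for label, jar in (("patched", PATCHED_JAR), ("broken", BROKEN_JAR)):
        ok, d = check_rebuild(ORIGINAL_JAR, jar)
        print(label, "OK" if ok else "UNEXPECTED CHANGES", d)
```

The comparison is by size and CRC32, which is enough to spot accidental changes; it is not a substitute for a signature, and it says nothing about whether the two replacement classes themselves are what you intended.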
5. Add the following settings to elasticsearch.yml and restart
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
6. Request a license
Registration page
https://license.elastic.co/registration
After the form is submitted an e-mail is sent to the registered address; follow the link in it to download the license file.
Upload the file to the server and edit it: change expiry_date_in_millis (here to 4102416000000) and change type to platinum. The value is an epoch timestamp in UTC milliseconds, so 4102416000000 is 2100-01-01 00:00:00 in UTC+8 (China Standard Time), which Elasticsearch reports as 2099-12-31T16:00:00.000Z. Editing these fields invalidates the signature field; the document is only accepted because the patched LicenseVerifier from step 2 never checks it.
The file downloaded here is named my.json; its contents (signature elided) are:
{"license":{"uid":"1e9a1465-3398-44e8-aa06-c76062dcfedf","type":"platinum","issue_date_in_millis":1544659200000,"expiry_date_in_millis":4102416000000,"max_nodes":100,"issued_to":"xueliang huang (richinfo)","issuer":"Web Form","signature":"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","start_date_in_millis":1544659200000}}
Upload the file to a directory on the server; here it goes to /home/esuser.
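A worked example for the edit above (added here, not part of the original post): it shows how 4102416000000 arises as local midnight on 2100-01-01 in UTC+8 and what Elasticsearch will print for it, then applies the expiry and type changes to a license document and reports which fields were touched. SAMPLE_LICENSE is a constructed stand-in with a dummy uid and signature, not the values from this page; the zone CST is an assumption about the author's locale.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed stand-in for the my.json downloaded from license.elastic.co;
# uid, dates and signature are dummies, not the page's values.
SAMPLE_LICENSE = {
    "license": {
        "uid": "00000000-0000-4000-8000-000000000000",
        "type": "basic",
        "issue_date_in_millis": 1544659200000,
        "expiry_date_in_millis": 1576195200000,
        "max_nodes": 100,
        "issued_to": "example user",
        "issuer": "Web Form",
        "signature": "AAAAAgAAAA0dummy-signature",
        "start_date_in_millis": 1544659200000,
    }
}

UTC = timezone.utc
CST = timezone(timedelta(hours=8))  # assumed: the author's local zone (UTC+8)


def millis_to_iso(ms, tz=UTC):
    """Render an epoch-milliseconds value as an ISO-8601 time in tz."""
    return datetime.fromtimestamp(ms / 1000, tz).isoformat()


def local_midnight_millis(year, month, day, tz):
    """Epoch milliseconds of local midnight on the given date in tz."""
    return int(datetime(year, month, day, tzinfo=tz).timestamp()) * 1000


def patch_license(doc, expiry_ms, license_type):
    """Return (patched copy, names of the fields that changed). The signature
    is left as-is and no longer covers the edited fields; the result is only
    importable because the patched LicenseVerifier skips verification."""
    patched = json.loads(json.dumps(doc))  # deep copy, input untouched
    lic = patched["license"]
    before = dict(lic)
    lic["expiry_date_in_millis"] = int(expiry_ms)
    lic["type"] = license_type
    changed = sorted(k for k in lic if lic[k] != before[k])
    return patched, changed


if __name__ == "__main__":
    expiry = local_midnight_millis(2100, 1, 1, CST)
    print("expiry_date_in_millis =", expiry)
    print("as reported by Elasticsearch:", millis_to_iso(expiry))
    print("in UTC+8:", millis_to_iso(expiry, CST))
    patched, changed = patch_license(SAMPLE_LICENSE, expiry, "platinum")
    print("changed fields:", changed)
    print(json.dumps(patched))  # write this to my.json for curl -d @my.json
```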
7. Import the license
cd /home/esuser (the directory holding my.json)
curl -XPUT 'http://192.168.1.135:19200/_xpack/license' -H "Content-Type: application/json" -d @my.json
At this point the license is in place and authentication is enforced: every request from now on must carry a username and password or it is rejected. No passwords have been set yet, so the next step sets one for each built-in account with elasticsearch-setup-passwords.
Checking the license status is shown in step 9 below.
8. Set the passwords for the built-in accounts interactively
[esuser@localhost bin]$ cd /home/esuser/single_elasticsearch/bin
[esuser@localhost bin]$ ./elasticsearch-setup-passwords interactive
Initiating the setup of passwords for reserved users elastic,apm_system,kibana,logstash_system,beats_system,remote_monitoring_user.
You will be prompted to enter passwords as the process progresses.
Please confirm that you would like to continue [y/N]y
Enter password for [elastic]:
Reenter password for [elastic]:
Enter password for [apm_system]:
Reenter password for [apm_system]:
Enter password for [kibana]:
Reenter password for [kibana]:
Enter password for [logstash_system]:
Reenter password for [logstash_system]:
Enter password for [beats_system]:
Reenter password for [beats_system]:
Enter password for [remote_monitoring_user]:
Reenter password for [remote_monitoring_user]:
Changed password for user [apm_system]
Changed password for user [kibana]
Changed password for user [logstash_system]
Changed password for user [beats_system]
Changed password for user [remote_monitoring_user]
Changed password for user [elastic]
9. Access with credentials
Query the license. Note that this output was captured with an expiry of 2524579200000 (2050-01-01 in UTC+8) rather than the 4102416000000 set in step 6; step 10 shows how the expiry is changed by re-importing. Over plain http the credentials given to -u travel in cleartext.
[esuser@localhost bin]$ curl -u elastic:elastic "http://192.168.1.135:19200/_license"
{
"license" : {
"status" : "active",
"uid" : "1e9a1465-3398-44e8-aa06-c76062dcfedf",
"type" : "platinum",
"issue_date" : "2018-12-13T00:00:00.000Z",
"issue_date_in_millis" : 1544659200000,
"expiry_date" : "2049-12-31T16:00:00.000Z",
"expiry_date_in_millis" : 2524579200000,
"max_nodes" : 100,
"issued_to" : "xueliang huang (richinfo)",
"issuer" : "Web Form",
"start_date_in_millis" : 1544659200000
}
}
10. A license can be edited and re-imported, for example to change the expiry date
curl -u elastic:elastic -XPUT 'http://192.168.1.135:19200/_xpack/license' -H "Content-Type: application/json" -d @my.json
11. Change a password
curl -H "Content-Type:application/json" -XPUT -u elastic:elastic 'http://192.168.1.135:19200/_xpack/security/user/elastic/_password' -d '{ "password" : "elastic123" }'
到這里單節點的配置已經完成,下面是集群的多節點配置,配置方法跟單節點類似,為了操作方便,先在一個節點配置好,然后把相應的jar文件和license文件拷貝到另外的節點
------------------------------------------------------------集群模式配置使用xpack-------------------------------------------------------
1. Copy the relevant files to the other node
Copy the patched jar and the license file from the node that is already configured to the other node
[esuser@localhost xpach]$ scp x-pack-core-6.5.0.jar esuser@192.168.1.134:/home/esuser/
[esuser@localhost ~]$ scp my.json esuser@192.168.1.134:/home/esuser/
2. Overwrite the existing jar with the copied one (back up the original first)
[esuser@localhost ~]$ cd /home/esuser
[esuser@localhost ~]$ cp x-pack-core-6.5.0.jar /home/esuser/single_elasticsearch/modules/x-pack-core/
3. Edit the configuration and restart Elasticsearch
Add the following two settings, then restart
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
4. Import the license
cd /home/esuser (the directory holding my.json)
curl -XPUT 'http://192.168.1.134:19200/_xpack/license' -H "Content-Type: application/json" -d @my.json
5. Set the passwords for the built-in accounts interactively
[esuser@localhost bin]$ cd /home/esuser/single_elasticsearch/bin
[esuser@localhost bin]$ ./elasticsearch-setup-passwords interactive
這里所有賬號設置密碼為 elastic123,這里設置密碼可以跟其他的節點不一致,為了方便維護,建議設置成一致
6. Access with credentials
curl -u elastic:elastic123 -X GET 'http://192.168.1.134:19200/_cat/indices?v'
7. Change a password
curl -H "Content-Type:application/json" -XPUT -u elastic:elastic123 'http://192.168.1.134:19200/_xpack/security/user/elastic/_password' -d '{ "password" : "elastic" }'
------------------------------------------------------------ Authenticating inter-node (transport) traffic ------------------------------------------------------------
With X-Pack security enabled, i.e.
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
but no certificates configured for the transport layer, the nodes cannot complete the TLS handshake and the cluster fails to start with:
SSLHandshakeException: no cipher suites in common
The following configuration fixes this; see also the official documentation:
https://www.elastic.co/guide/en/elasticsearch/reference/6.5/configuring-tls.html#node-certificates
1. Generate the CA certificate (this step is done on one node only)
[esuser@localhost ~]$ mkdir esca
[esuser@localhost ~]$ cd esca
[esuser@localhost esca]$ pwd
/home/esuser/esca
[esuser@localhost esca]$ /home/esuser/single_elasticsearch/bin/elasticsearch-certutil ca
This tool assists you in the generation of X.509 certificates and certificate
signing requests for use with SSL/TLS in the Elastic stack.
The 'ca' mode generates a new 'certificate authority'
This will create a new X.509 certificate and private key that can be used
to sign certificate when running in 'cert' mode.
Use the 'ca-dn' option if you wish to configure the 'distinguished name'
of the certificate authority
By default the 'ca' mode produces a single PKCS#12 output file which holds:
* The CA certificate
* The CA's private key
If you elect to generate PEM format certificates (the -pem option), then the output will
be a zip file containing individual files for the CA certificate and private key
Please enter the desired output file [elastic-stack-ca.p12]:
Enter password for elastic-stack-ca.p12 :
我這里輸入的密碼為oracle,這個密碼需要牢記,以后有新節點加入的話,需要輸入該密碼
這里會生成一個文件
[esuser@localhost esca]$ ls -1
elastic-stack-ca.p12
2. Generate the node certificate signed by the CA
[esuser@localhost esca]$ /home/esuser/single_elasticsearch/bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12
This tool assists you in the generation of X.509 certificates and certificate
signing requests for use with SSL/TLS in the Elastic stack.
The 'cert' mode generates X.509 certificate and private keys.
* By default, this generates a single certificate and key for use
on a single instance.
* The '-multiple' option will prompt you to enter details for multiple
instances and will generate a certificate and key for each one
* The '-in' option allows for the certificate generation to be automated by describing
the details of each instance in a YAML file
* An instance is any piece of the Elastic Stack that requires a SSL certificate.
Depending on your configuration, Elasticsearch, Logstash, Kibana, and Beats
may all require a certificate and private key.
* The minimum required value for each instance is a name. This can simply be the
hostname, which will be used as the Common Name of the certificate. A full
distinguished name may also be used.
* A filename value may be required for each instance. This is necessary when the
name would result in an invalid file or directory name. The name provided here
is used as the directory name (within the zip) and the prefix for the key and
certificate files. The filename is required if you are prompted and the name
is not displayed in the prompt.
* IP addresses and DNS names are optional. Multiple values can be specified as a
comma separated string. If no IP addresses or DNS names are provided, you may
disable hostname verification in your SSL configuration.
* All certificates generated by this tool will be signed by a certificate authority (CA).
* The tool can automatically generate a new CA for you, or you can provide your own with the
-ca or -ca-cert command line options.
By default the 'cert' mode produces a single PKCS#12 output file which holds:
* The instance certificate
* The private key for the instance certificate
* The CA certificate
If you specify any of the following options:
* -pem (PEM formatted output)
* -keep-ca-key (retain generated CA key)
* -multiple (generate multiple certificates)
* -in (generate certificates from an input file)
then the output will be a zip file containing individual certificate/key files
Enter password for CA (elastic-stack-ca.p12) : ## password entered here: oracle
Please enter the desired output file [elastic-certificates.p12]:
Enter password for elastic-certificates.p12 : ## password entered here: oracle
Certificates written to /home/esuser/esca/elastic-certificates.p12
This file should be properly secured as it contains the private key for
your instance.
This file is a self contained file and can be copied and used 'as is'
For each Elastic product that you wish to configure, you should copy
this '.p12' file to the relevant configuration directory
and then follow the SSL configuration instructions in the product guide.
For client applications, you may only need to copy the CA certificate and
configure the client to trust this certificate.
The files now present are:
[esuser@localhost esca]$ ls -1
elastic-certificates.p12
elastic-stack-ca.p12
3. Copy the generated .p12 files to every node
Create a directory for them first
[esuser@localhost esca]$ mkdir -p /home/esuser/single_elasticsearch/config/certs
[esuser@localhost esca]$ cp elastic-certificates.p12 /home/esuser/single_elasticsearch/config/certs/
[esuser@localhost esca]$ cp elastic-stack-ca.p12 /home/esuser/single_elasticsearch/config/certs/
Copy the files to the same path on every other node. Only elastic-certificates.p12 is actually needed there: it bundles the node certificate, its private key and the CA certificate, and it is the only file the configuration below references. elastic-stack-ca.p12 holds the CA private key, so the second cp is better skipped and the CA file kept only on the machine used to sign certificates.
4. Add the following settings on every node
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: certs/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: certs/elastic-certificates.p12
verification_mode certificate checks that the peer's certificate chains to the CA but not that its hostname or IP matches, which is what allows one certificate without SANs to be shared by all nodes. For hostname verification (verification_mode: full), generate a certificate per node with elasticsearch-certutil cert and its --name, --dns and --ip options (or --in with an instances file) instead. The same .p12 serves as both keystore and truststore because it contains the CA certificate as well as the node key.
5. Store the keystore passwords
Run the following on every node, entering the password chosen earlier (oracle) at the prompt
/home/esuser/single_elasticsearch/bin/elasticsearch-keystore add xpack.security.transport.ssl.keystore.secure_password ##這里輸入之前配置的密碼 為oracle
/home/esuser/single_elasticsearch/bin/elasticsearch-keystore add xpack.security.transport.ssl.truststore.secure_password ##這里輸入之前配置的密碼 為oracle
6. Restart the cluster
Check the cluster state
curl -u elastic:elastic 'http://192.168.1.134:19200/_cat/nodes?v'
curl -u elastic:elastic 'http://192.168.1.134:19200/_cat/master?v'
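An added example (not part of the original post) that turns the failure mode described at the top of this section into a check: it parses the flat key: value lines of an elasticsearch.yml and reports the misconfigurations this section deals with, namely transport TLS enabled with no keystore (the 'no cipher suites in common' case), a keystore or truststore path whose secure_password was never added with elasticsearch-keystore, verification_mode certificate (no hostname check), and HTTP left on plain http. The YAML fragments are constructed from the settings shown in this post; the names passed as keystore_secrets are assumed to come from the output of elasticsearch-keystore list. Nested YAML is not handled.

```python
# Constructed elasticsearch.yml fragments: the two-line setting from step 5 of
# the single-node section, and the full set from step 4 of this section.
MISSING_KEYSTORE_YML = """\
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
"""

NODE_TLS_YML = """\
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: certs/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: certs/elastic-certificates.p12
"""

# Secure settings added in step 5 (as listed by `elasticsearch-keystore list`).
TLS_SECRETS = ("xpack.security.transport.ssl.keystore.secure_password",
               "xpack.security.transport.ssl.truststore.secure_password")


def parse_flat_yaml(text):
    """Parse the flat 'dotted.key: value' lines used in elasticsearch.yml.
    Assumption: one setting per line in dotted form, as on this page; nested
    YAML mappings are not handled. Comments are stripped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")
        settings[key.strip()] = value.strip().strip("'\"")
    return settings


def audit_transport_tls(settings, keystore_secrets=()):
    """Return a list of findings for the transport-TLS settings of one node.
    keystore_secrets: names present in that node's elasticsearch keystore."""
    def on(key, default="false"):
        return settings.get(key, default).lower() == "true"

    findings = []
    if not on("xpack.security.enabled"):
        return ["security disabled: nothing to audit"]
    if not on("xpack.security.transport.ssl.enabled"):
        return ["transport TLS disabled: node-to-node traffic is cleartext"]

    secrets = set(keystore_secrets)
    prefix = "xpack.security.transport.ssl."
    if not settings.get(prefix + "keystore.path"):
        findings.append("keystore.path missing: the node has no certificate to present, "
                        "so peers fail the handshake with 'no cipher suites in common'")
    elif prefix + "keystore.secure_password" not in secrets:
        findings.append("keystore.path set but keystore.secure_password is not in the elasticsearch keystore")
    if settings.get(prefix + "truststore.path") and prefix + "truststore.secure_password" not in secrets:
        findings.append("truststore.path set but truststore.secure_password is not in the elasticsearch keystore")

    mode = settings.get(prefix + "verification_mode", "full")  # ES default is full
    if mode == "none":
        findings.append("verification_mode none: peer certificates are not validated at all")
    elif mode == "certificate":
        findings.append("verification_mode certificate: the chain is checked but the hostname is not, "
                        "so any certificate signed by the CA is accepted from any host")
    if not on("xpack.security.http.ssl.enabled"):
        findings.append("http.ssl disabled: the credentials given to curl -u travel in cleartext")
    return findings


if __name__ == "__main__":
    for label, yml, secrets in (("step 5 only", MISSING_KEYSTORE_YML, ()),
                                ("with node certs", NODE_TLS_YML, TLS_SECRETS)):
        print("==", label)
        for finding in audit_transport_tls(parse_flat_yaml(yml), secrets):
            print(" -", finding)
```

Run it against a real node by reading config/elasticsearch.yml into parse_flat_yaml and passing the names printed by bin/elasticsearch-keystore list as keystore_secrets; the remaining findings for the configuration on this page are the verification_mode and plain-http ones, which are the two weaknesses the procedure leaves in place.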
