Run the command:
elasticsearch-service.bat install
Once installed, you can run the command that starts the service:
elasticsearch-service.bat start
bin\elasticsearch-certutil.bat ca
bin\elasticsearch-certutil.bat cert --ca elastic-stack-ca.p12
bin\elasticsearch-keystore.bat add xpack.security.transport.ssl.keystore.secure_password
bin\elasticsearch-keystore.bat add xpack.security.transport.ssl.truststore.secure_password
bin\elasticsearch.bat -d
bin\elasticsearch-setup-passwords.bat interactive
kibana:
# "密碼" below stands for the password you set for the elastic user
elasticsearch.username: "elastic"
elasticsearch.password: "密碼"
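Steps
1. Generate the certificate:
Run ./bin/elasticsearch-certutil ca
At the first prompt, just press Enter; nothing needs to be changed
At the second prompt, enter a password, for example 123456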
[cjpt@localhost elasticsearch-7.3.2]$ ./bin/elasticsearch-certutil ca
This tool assists you in the generation of X.509 certificates and certificate
signing requests for use with SSL/TLS in the Elastic stack.
The 'ca' mode generates a new 'certificate authority'
This will create a new X.509 certificate and private key that can be used
to sign certificate when running in 'cert' mode.
Use the 'ca-dn' option if you wish to configure the 'distinguished name'
of the certificate authority
By default the 'ca' mode produces a single PKCS#12 output file which holds:
* The CA certificate
* The CA's private key
If you elect to generate PEM format certificates (the -pem option), then the output will
be a zip file containing individual files for the CA certificate and private key
Please enter the desired output file [elastic-stack-ca.p12]: 【leave as is, just press Enter】
Enter password for elastic-stack-ca.p12 : 【enter the password】
[cjpt@localhost elasticsearch-7.3.2]$ ll
總用量 1888
......(other files omitted)
-rw-------. 1 cjpt cjpt 2524 4月 19 16:28 elastic-stack-ca.p12
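When it finishes, one file has been generated: elastic-stack-ca.p12
2. Generate the key
./bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12
When asked for the password, enter the one you just set. Where it asks for a path, do not type one; just press Enter. This then generates a file: elastic-certificates.p12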
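3. Move the certificate to the designated directory
# Create the directory first
mkdir ./config/certificates
# Move the certificate into that directory
mv ./elastic-certificates.p12 ./config/certificates/
# Grant permissions, otherwise there will be problems
# (777 lets every local user read and overwrite this keystore, which holds the node's private key;
# access for the account that runs Elasticsearch is all that is needed)
chmod 777 ./config/certificates/elastic-certificates.p12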
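4. Copy the certificate to every node in the cluster
The various scp commands are omitted here; the point is to copy the elastic-certificates.p12 file to the same path under every ES installation directory
5. Edit the configuration file (must be added on every ES node)
vim ./config/elasticsearch.yml
# Add the following configuration
# CORS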
http.cors.enabled: true
http.cors.allow-origin: "*"
http.cors.allow-headers: Authorization,X-Requested-With,Content-Type,Content-Length
xpack.security.enabled: true
xpack.security.authc.accept_default_password: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: 【ES installation path】/config/certificates/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: 【ES installation path】/config/certificates/elastic-certificates.p12
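6. Add the password on each node (must be done on every ES node)
./bin/elasticsearch-keystore add xpack.security.transport.ssl.keystore.secure_password
Enter the password: the one set in step 1, for example 123456 in this walkthrough
./bin/elasticsearch-keystore add xpack.security.transport.ssl.truststore.secure_password
Enter the password: the one set in step 1, for example 123456 in this walkthrough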
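A pre-start check for the settings from steps 3 and 5, as an added example that is not part of the original post: it reads one node's elasticsearch.yml, confirms the security and transport TLS settings, and reports a wildcard CORS origin or a keystore file that other local users can access. The function names and the sample files are made up for illustration, and GNU stat is assumed.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: audit one node's elasticsearch.yml
# against the step 5 settings and the keystore file mode. Assumes GNU stat.

# yml_get FILE KEY: value of a flat "key: value" line, quotes stripped
yml_get() {
  k=$(printf '%s' "$2" | sed 's/[.]/[.]/g')
  sed -n "s/^[[:space:]]*$k:[[:space:]]*//p" "$1" | tail -n 1 |
    sed 's/[[:space:]]*$//; s/^"\(.*\)"$/\1/'
}

# audit_node FILE: prints one FAIL/WARN line per finding, nothing if clean
audit_node() {
  conf=$1 ssl=xpack.security.transport.ssl
  for key in xpack.security.enabled "$ssl.enabled"; do
    [ "$(yml_get "$conf" "$key")" = true ] || echo "FAIL $key is not true"
  done
  mode=$(yml_get "$conf" "$ssl.verification_mode")
  case $mode in certificate|full) ;; *) echo "FAIL verification_mode is '${mode:-unset}'" ;; esac
  if [ "$(yml_get "$conf" http.cors.allow-origin)" = "*" ]; then
    echo "WARN http.cors.allow-origin is *: any site may send cross-origin requests"
  fi
  for store in keystore truststore; do
    file=$(yml_get "$conf" "$ssl.$store.path")
    if [ ! -f "$file" ]; then echo "FAIL $store.path not found: ${file:-unset}"; continue; fi
    perms=$(stat -c %a "$file")
    case $perms in *00) ;; *) echo "WARN $store file mode $perms is open to other local users" ;; esac
  done
}

# demo MODE: constructed sample, step 5's config plus an empty stand-in keystore
demo() {
  d=$(mktemp -d)
  : > "$d/elastic-certificates.p12"
  chmod "$1" "$d/elastic-certificates.p12"
  cat > "$d/elasticsearch.yml" <<EOF
http.cors.enabled: true
http.cors.allow-origin: "*"
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: $d/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: $d/elastic-certificates.p12
EOF
  audit_node "$d/elasticsearch.yml"
  rm -rf "$d"
}

demo 777   # mode from step 3: three WARN lines (CORS, keystore, truststore)
```

On a real node, call audit_node with the path to that node's config/elasticsearch.yml; no output means every check passed.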
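7. Start the nodes one by one
./bin/elasticsearch -d
After starting, check the log to see whether everything is normal; if the log shows errors, they need to be investigated case by case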
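8. Set the passwords
./bin/elasticsearch-setup-passwords interactive
# You will be asked to enter many passwords below; make sure you can remember them all, they will be needed later
# Passwords need to be set for these users: elastic, apm_system, kibana, kibana_system, logstash_system, beats_system, remote_monitoring_user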
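9. Check port 9200 in a browser
Because I installed the cluster on a single machine, I use port 9201
The address to visit is: http://【ip】:9200
Enter the username and password elastic/123456
If the result above appears, authentication has been added successfully
10. Accessing the authenticated ES from es-head
I originally wanted to modify the es-head source code, but found I really could not change it, so I am just noting this down
The usual way to connect es-head is to type the URL in directly
But that method clearly does not support an ES that requires authentication
So the username and password have to be included here:
http://192.168.31.160:9201/?auth_user=elastic&auth_password=123456
After that, connecting again shows the connection is normal
Reference link: https://blog.csdn.net/hhf799954772/article/details/115870012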