The transport layer is used for internal communication between the nodes of a cluster. When the security features are enabled, TLS must be used so that traffic between nodes is encrypted.
Now that the certificate authority and the node certificates have been generated, update your cluster to use these files.
Elasticsearch monitors every file referenced by a TLS-related node setting, such as certificates, keys, keystores, and truststores. If you update any of these files, for example when a hostname changes or a certificate expires, Elasticsearch reloads them. The files are polled for changes at the interval set by the global Elasticsearch setting resource.reload.interval.high, which defaults to 5 seconds.
1. Run the following on every node in the cluster:
vim /etc/elasticsearch/elasticsearch.yml

Add the following settings:

```yaml
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate   # the same elastic-certificates.p12 file is used on every node, so the verification mode is set to certificate
xpack.security.transport.ssl.client_authentication: required
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12
```

Save and exit. The complete configuration file:

```console
egrep -v "^$|^#" /etc/elasticsearch/elasticsearch.yml
cluster.name: my-els
node.name: es01
path.data: /var/lib/elasticsearch
path.logs: /var/log/elasticsearch
bootstrap.memory_lock: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.client_authentication: required
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12
network.host: 0.0.0.0
http.port: 9200
http.cors.enabled: true
http.cors.allow-origin: "*"
bootstrap.system_call_filter: false
discovery.seed_hosts: ["192.168.100.181", "192.168.100.182","192.168.100.183"]
cluster.initial_master_nodes: ["192.168.100.181", "192.168.100.182","192.168.100.183"]
```

2. If you entered a password when creating the node certificates, run the following commands to store the password in the Elasticsearch keystore:
```console
cd /usr/share/elasticsearch/
# ./bin/elasticsearch-keystore add xpack.security.transport.ssl.keystore.secure_password
warning: usage of JAVA_HOME is deprecated, use ES_JAVA_HOME
Future versions of Elasticsearch will require Java 11; your Java version from [/usr/local/jdk1.8.0_11/jre] does not meet this requirement. Consider switching to a distribution of Elasticsearch with a bundled JDK. If you are already using a distribution with a bundled JDK, ensure the JAVA_HOME environment variable is not set.
Enter value for xpack.security.transport.ssl.keystore.secure_password:
[root@es01 elasticsearch]# ./bin/elasticsearch-keystore add xpack.security.transport.ssl.truststore.secure_password
warning: usage of JAVA_HOME is deprecated, use ES_JAVA_HOME
Future versions of Elasticsearch will require Java 11; your Java version from [/usr/local/jdk1.8.0_11/jre] does not meet this requirement. Consider switching to a distribution of Elasticsearch with a bundled JDK. If you are already using a distribution with a bundled JDK, ensure the JAVA_HOME environment variable is not set.
Enter value for xpack.security.transport.ssl.truststore.secure_password:
```

Once the certificate password has been stored on all three nodes, and you have confirmed that /etc/elasticsearch/elastic-certificates.p12 has been given 660 permissions, a full cluster restart is required. Nodes configured to use TLS for transport cannot communicate with nodes that use unencrypted transport connections (and vice versa).
Start the Elasticsearch service:

```console
systemctl start elasticsearch.service
```

Then enable username and password authentication.
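Before doing the full cluster restart it is worth checking every node's elasticsearch.yml against the settings above, because a node that comes back with verification or client authentication switched off, or with a world-readable certificate file, will silently weaken the transport layer. The following is an added example, not part of the original guide or of Elasticsearch itself: it parses the flat `key: value` form of elasticsearch.yml shown above, checks the transport-TLS settings and the 660 permission on the PKCS#12 file, and reports findings. It assumes (as Elasticsearch does) that relative keystore and truststore paths resolve against the config directory; the two configs and the placeholder .p12 file it uses are constructed for the demo.

```python
"""Added example (not from the original guide): sanity-check the transport-TLS
settings in an elasticsearch.yml before the full cluster restart.

Assumptions: a flat `key: value` elasticsearch.yml (the form shown in the guide);
relative keystore/truststore paths resolve against the config directory, as
Elasticsearch does; the 660 permission requirement comes from the guide.
The configs and the placeholder .p12 file below are constructed for the demo.
"""
import os
import stat
import tempfile

# Settings the guide requires, with the values that keep transport TLS strict.
REQUIRED = {
    "xpack.security.transport.ssl.enabled": {"true"},
    "xpack.security.transport.ssl.verification_mode": {"certificate", "full"},
    "xpack.security.transport.ssl.client_authentication": {"required"},
}
PATH_KEYS = (
    "xpack.security.transport.ssl.keystore.path",
    "xpack.security.transport.ssl.truststore.path",
)

# Constructed: the guide's configuration, with the comment translated.
GOOD_CONFIG = """\
cluster.name: my-els
node.name: es01
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate  # same elastic-certificates.p12 on every node
xpack.security.transport.ssl.client_authentication: required
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12
network.host: 0.0.0.0
http.port: 9200
"""

# Constructed weak variant: verification and client auth switched off, no truststore.
WEAK_CONFIG = """\
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: none
xpack.security.transport.ssl.client_authentication: none
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
"""


def parse_flat_yaml(text):
    """Minimal parser for flat `key: value` lines; drops comments and quotes.
    Nested YAML is not handled (elasticsearch.yml is normally written flat)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip().strip("\"'")
    return settings


def check_transport_tls(settings, config_dir):
    """Return a list of findings; an empty list means the settings match the guide."""
    findings = []
    for key, allowed in REQUIRED.items():
        value = settings.get(key)
        if value is None:
            findings.append(f"{key} is not set")
        elif value.lower() not in allowed:
            findings.append(f"{key} is '{value}', expected one of {sorted(allowed)}")
    checked = set()
    for key in PATH_KEYS:
        rel = settings.get(key)
        if not rel:
            findings.append(f"{key} is not set")
            continue
        path = os.path.join(config_dir, rel)  # relative paths resolve against the config dir
        if path in checked:
            continue  # keystore and truststore point at the same file; report it once
        checked.add(path)
        if not os.path.isfile(path):
            findings.append(f"{rel} not found under {config_dir}")
            continue
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if mode & 0o007:
            findings.append(f"{rel} is world-accessible (mode {mode:04o}); the guide sets 660")
    return findings


def run_demo():
    """Run the check against the constructed configs in a temporary config dir."""
    with tempfile.TemporaryDirectory() as cfg:
        p12 = os.path.join(cfg, "elastic-certificates.p12")
        with open(p12, "wb") as fh:
            fh.write(b"constructed placeholder, not a real PKCS#12 file")
        os.chmod(p12, 0o660)
        good = check_transport_tls(parse_flat_yaml(GOOD_CONFIG), cfg)
        weak = check_transport_tls(parse_flat_yaml(WEAK_CONFIG), cfg)
        os.chmod(p12, 0o644)  # simulate forgetting the chmod 660 from the guide
        world = check_transport_tls(parse_flat_yaml(GOOD_CONFIG), cfg)
    return good, weak, world


if __name__ == "__main__":
    for name, findings in zip(("good", "weak", "world-readable"), run_demo()):
        print(f"{name}: {findings or 'OK'}")
```

To use it on a real node, call `check_transport_tls(parse_flat_yaml(open("/etc/elasticsearch/elasticsearch.yml").read()), "/etc/elasticsearch")` and restart only when it returns no findings; the keystore passwords added with elasticsearch-keystore are not checked here, since they live in the keystore rather than in elasticsearch.yml.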