After adding password protection to the minimum security configuration, you need to configure Transport Layer Security (TLS). The transport layer handles all internal communication between nodes in the cluster. If the cluster has multiple nodes, you must configure TLS between the nodes. If TLS is not enabled, the production mode cluster will not start. The transport layer relies on two-way TLS to encrypt and authenticate nodes. Proper application of TLS ensures that malicious nodes cannot join the cluster and exchange data with other nodes. Although user name and password authentication at the HTTP layer is useful for protecting local clusters, TLS is required for communication security between nodes. Configuring TLS between nodes is a basic security setting to prevent unauthorized nodes from accessing your cluster.
Cluster Installation Installation of Elasticsearch (Traditional & docker) &Integrating Springboot_ Well-known Snail Blog - CSDN Blog
1. Generate certificates
./bin/elasticsearch-certutil ca
Please enter the desired output file [elastic-stack-ca.p12]: Press Enter here
Enter password for elastic-stack-ca.p12: Enter the password snail (or not)
2. Generate certificates and private keys for any node in the cluster
./bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12
Enter password for CA (elastic-stack-ca.p12): Enter the password above
Please enter the desired output file [elastic-certificates.p12]: Enter
Enter password for elastic-certificates.p12: Enter the password above
3. The certificate elastic-certificates.p12 has been generated and copied to the config directory of each node
/usr/local/elasticsearch/config
4. Store passwords on each node
./bin/elasticsearch-keystore add xpack.security.transport.ssl.keystore.secure_password ./bin/elasticsearch-keystore add xpack.security.transport.ssl.truststore.secure_password
5. Modify each node elasticsearch.yml
# ======================== Elasticsearch Configuration ========================= # # NOTE: Elasticsearch comes with reasonable defaults for most settings. # Before you set out to tweak and tune the configuration, make sure you # understand what are you trying to accomplish and the consequences. # # The primary way of configuring a node is via this file. This template lists # the most important settings you may want to configure for a production cluster. # # Please consult the documentation for further information on configuration options: # https://www.elastic.co/guide/en/elasticsearch/reference/index.html # # ---------------------------------- Cluster ----------------------------------- # # Use a descriptive name for your cluster: # cluster.name: my-es # # ------------------------------------ Node ------------------------------------ # # Use a descriptive name for the node: # node.name: node-3 # # Add custom attributes to the node: # #node.attr.rack: r1 # # ----------------------------------- Paths ------------------------------------ # # Path to directory where to store the data (separate multiple locations by comma): # path.data: /usr/local/es/data # # Path to log files: # path.logs: /usr/local/es/logs # # ----------------------------------- Memory ----------------------------------- # # Lock the memory on startup: # #bootstrap.memory_lock: true # # Make sure that the heap size is set to about half the memory available # on the system and that the owner of the process is allowed to use this # limit. # # Elasticsearch performs poorly when the system is swapping the memory. # # ---------------------------------- Network ----------------------------------- # # By default Elasticsearch is only accessible on localhost. Set a different # address here to expose this node on the network: # network.host: 0.0.0.0 # # By default Elasticsearch listens for HTTP traffic on the first free port it # finds starting at 9200. Set a specific HTTP port here: # http.port: 9200 # # For more information, consult the network module documentation. # # --------------------------------- Discovery ---------------------------------- # # Pass an initial list of hosts to perform discovery when this node is started: # The default list of hosts is ["127.0.0.1", "[::1]"] # discovery.seed_hosts: ["192.168.139.160","192.168.139.161", "192.168.139.162"] # # Bootstrap the cluster using an initial set of master-eligible nodes: # cluster.initial_master_nodes: ["node-1", "node-2","node-3"] # # For more information, consult the discovery and cluster formation module documentation. # # ---------------------------------- Various ----------------------------------- # # Require explicit names when deleting indices: # #action.destructive_requires_name: true #Set Password xpack.security.enabled: true http.cors.allow-headers: Authorization xpack.license.self_generated.type: basic #Set Single Point Mode #discovery.type: single-node #Set Certificate xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.verification_mode: certificate xpack.security.transport.ssl.client_authentication: required xpack.security.transport.ssl.keystore.path: elastic-certificates.p12 xpack.security.transport.ssl.truststore.path: elastic-certificates.p12
6. Authorization Certificate File
chown -R snail_es.es /usr/local/elasticsearch/
7. Set Password
./bin/elasticsearch-setup-passwords interactive Manual ./bin/elasticsearch-setup-passwords auto automatic
Changed password for user apm_system
PASSWORD apm_system = Yu0vjHZxkCBXuGnTM9VM
Changed password for user kibana_system
PASSWORD kibana_system = oNXyGWsWHLC3VllVb4Qb
Changed password for user kibana
PASSWORD kibana = oNXyGWsWHLC3VllVb4Qb
Changed password for user logstash_system
PASSWORD logstash_system = XFd1IoqZAgt7scdxwXN2
Changed password for user beats_system
PASSWORD beats_system = 1oENHpgMQLeLyiugkmRy
Changed password for user remote_monitoring_user
PASSWORD remote_monitoring_user = bjGZqG7SxffKciVJRxsX
Changed password for user elastic
PASSWORD elastic = cGKuMaWGZLBaSSDW7qKX
elastic
A built-in superuser.
kibana_system
Kibana is used to connect to and communicate with Elasticsearch.
logstash_system
The user Logstash uses to store monitoring information in Elasticsearch.
beats_system
User Beats uses to store monitoring information in Elasticsearch.
apm_system
Users used by the APM server to store monitoring information in Elasticsearch.
remote_monitoring_user
User Metricbeat used to collect and store monitoring information in Elasticsearch.
It has remote_monitoring_agent and remote_monitoring_collector has built-in roles.
8. End
Docker mode1. Create mount directory and authorize
[root@localhost ~]# mkdir -p /data/es/ #To grant authorization [root@localhost ~]# chmod 777 -R /data/
2. Enter the container to generate the certificate
docker exec -it elasticsearch /bin/bash ./bin/elasticsearch-certutil ca #Generate certificates and private keys for any node in the cluster ./bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12
3. Copy the certificate to each node's config directory (mount directory)
Copy Certificate to Host #copy docker cp elasticsearch:/usr/share/elasticsearch/elastic-certificates.p12 /root
4. Copy the certificate into each node docker container
docker cp /data/es/conf/elastic-certificates.p12 elasticsearch:/usr/share/elasticsearch/config #Store passwords executed by each node ./bin/elasticsearch-keystore add xpack.security.transport.ssl.keystore.secure_password ./bin/elasticsearch-keystore add xpack.security.transport.ssl.truststore.secure_password
5. Modify the profile as above
6. Enter the container to set the password
docker exec -it elasticsearch /bin/bash ./bin/elasticsearch-setup-passwords interactive Manual ./bin/elasticsearch-setup-passwords auto automatic
7. Restart the container or create a new container
docker run --name elasticsearch --privileged=true --net=host \ -v /data/es/conf/elasticsearch.yml:/usr/share/elasticsearch/config/elasticsearch.yml \ -v /data/es/data:/usr/share/elasticsearch/data \ -v /data/es/logs:/usr/share/elasticsearch/logs \ -v /data/es/plugins:/usr/share/elasticsearch/plugins \ -d elasticsearch:7.14.2
8. End