SearchGuard证书配置
太叔经赋
参考: https://www.jianshu.com/p/cc71e7793f6f
- TLS工具安装
- 下载TLS工具 https://repo1.maven.org/maven2/com/floragunn/search-guard-tlstool/1.5/
- 解压unzip search-guard-tlstool-1.6.zip tlstool-1.6
- TLS生成证书配置
- 复制<tlstool directory>/config/example.yml 并修改成<tlstool-1.6>/config/tlsconfig.yml(名字随意)
- yibai 是公司名称
- ca: 根证书配置
- node: 节点证书配置
- clients: 客户端证书配置
###
### Self-generated certificate authority
###
#
# If you want to create a new certificate authority, you must specify its parameters here.
# You can skip this section if you only want to create CSRs
#
ca:
root:
# The distinguished name of this CA. You must specify a distinguished name.
dn: CN=root.ca.yibai.com,OU=CA,O=yibai Com\, Inc.,DC=yibai,DC=com
# The size of the generated key in bits
keysize: 2048
# The validity of the generated certificate in days from now
validityDays: 3650
# Password for private key
# Possible values:
# - auto: automatically generated password, returned in config output;
# - none: unencrypted private key;
# - other values: other values are used directly as password
pkPassword: auto
# The name of the generated files can be changed here
file: root-ca.pem
# If you want to use an intermediate certificate as signing certificate,
# please specify its parameters here. This is optional. If you remove this section,
# the root certificate will be used for signing.
intermediate:
# The distinguished name of this CA. You must specify a distinguished name.
dn: CN=signing.ca.yibai.com,OU=CA,O=yibai Com\, Inc.,DC=yibai,DC=com
# The size of the generated key in bits
keysize: 2048
# The validity of the generated certificate in days from now
validityDays: 3650
pkPassword: auto
# If you have a certificate revocation list, you can specify its distribution points here
crlDistributionPoints: URI:https://raw.githubusercontent.com/floragunncom/unittest-assets/master/revoked.crl
###
### Default values and global settings
###
defaults:
# The validity of the generated certificate in days from now
validityDays: 3650
# Password for private key
# Possible values:
# - auto: automatically generated password, returned in config output;
# - none: unencrypted private key;
# - other values: other values are used directly as password
pkPassword: auto
# Specifies to recognize legitimate nodes by the distinguished names
# of the certificates. This can be a list of DNs, which can contain wildcards.
# Furthermore, it is possible to specify regular expressions by
# enclosing the DN in //.
# Specification of this is optional. The tool will always include
# the DNs of the nodes specified in the nodes section.
#nodesDn:
#- "CN=*.yibai.com,OU=Ops,O=yibai Com\\, Inc.,DC=yibai,DC=com"
# - 'CN=node.other.com,OU=SSL,O=Test,L=Test,C=DE'
# - 'CN=*.yibai.com,OU=SSL,O=Test,L=Test,C=DE'
# - 'CN=elk-devcluster*'
# - '/CN=.*regex/'
# If you want to use OIDs to mark legitimate node certificates,
# the OID can be included in the certificates by specifying the following
# attribute
# nodeOid: "1.2.3.4.5.5"
# The length of auto generated passwords
generatedPasswordLength: 12
# Set this to true in order to generate config and certificates for
# the HTTP interface of nodes
httpsEnabled: true
# Set this to true in order to re-use the node transport certificates
# for the HTTP interfaces. Only recognized if httpsEnabled is true
# reuseTransportCertificatesForHttp: false
# Set this to true to enable hostname verification
#verifyHostnames: false
# Set this to true to resolve hostnames
#resolveHostnames: false
###
### Nodes
###
#
# Specify the nodes of your ES cluster here
#
nodes:
- name: node1
dn: CN=node1.yibai.com,OU=Ops,O=yibai Com\, Inc.,DC=yibai,DC=com
dns: node1.yibai.com
ip: 192.168.71.246
- name: node2
dn: CN=node2.yibai.com,OU=Ops,O=yibai Com\, Inc.,DC=yibai,DC=com
dns:
- node2.yibai.com
- es2.yibai.com
ip:
- 10.0.2.1
- 192.168.2.1
- name: node3
dn: CN=node3.yibai.com,OU=Ops,O=yibai Com\, Inc.,DC=yibai,DC=com
dns: node3.yibai.com
###
### Clients
###
#
# Specify the clients that shall access your ES cluster with certificate authentication here
#
# At least one client must be an admin user (i.e., a super-user). Admin users can
# be specified with the attribute admin: true
#
clients:
- name: spock
dn: CN=spock.yibai.com,OU=Ops,O=yibai Com\, Inc.,DC=yibai,DC=com
- name: kirk
dn: CN=kirk.yibai.com,OU=Ops,O=yibai Com\, Inc.,DC=yibai,DC=com
admin: true
- TLS生成证书
<tlstool directory>/tools/sgtlstool.sh -c ../config/tlsconfig.yml -ca -crt
- 复制证书到ES
# 复制节点证书到es配置目录
cp <tlstool directory>/tools/out/<nodename>.pem <ES directory>/config/
cp <tlstool directory>/tools/out/<nodename>.key <ES directory>/config/
cp <tlstool directory>/tools/out/<nodename>_http.pem <ES directory>/config/
cp <tlstool directory>/tools/out/<nodename>_http.key <ES directory>/config/
# 复制根证书到es配置目录
cp <tlstool directory>/tools/out/root-ca.pem <ES directory>/config/
# 复制客户端证书到es配置目录
cp <tlstool directory>/tools/out/spock.pem <ES directory>/config/
cp <tlstool directory>/tools/out/spock.key <ES directory>/config/
- 修改<ES directory>/config/elasticsearch.yml 复制 <tlstool directory>/tools/outnode3_elasticsearch_config_snippet.yml里面配置信息覆盖<ES directory>/config/elasticsearch.yml相同的配置 最终的配置如下:
# 集群名称
cluster.name: ebuy-cloud-cluster
# 节点名
node.name: node-1
# 数据存储路径
path.data: /data/es_data
# 日志打印路径
path.logs: /data/es_logs
# Set the bind address to a specific IP (IPv4 or IPv6):
network.host: 0.0.0.0
# Set a custom port for HTTP:
http.port: 9200
# 节点内存配置
# Lock the memory on startup:
bootstrap.memory_lock: false
bootstrap.system_call_filter: false
# Prevent the "split brain" by configuring the majority of nodes (total number of master-eligible nodes / 2 + 1):
discovery.zen.minimum_master_nodes: 1
# For more information, consult the zen discovery module documentation.
#
# ---------------------------------- Gateway -----------------------------------
#
# Block initial recovery after a full cluster restart until N nodes are started:
#
#gateway.recover_after_nodes: 3
#
# For more information, consult the gateway module documentation.
#
# ---------------------------------- Various -----------------------------------
#
# Require explicit names when deleting indices:
#
#action.destructive_requires_name: true
# 开启tcp端口
transport.tcp.compress: true
transport.tcp.port: 9300
# 跨域配置
http.cors.enabled: true
http.cors.allow-origin: "*"
http.cors.allow-headers: Authorization,X-Requested-With,Content-Length,Content-Type
http.cors.allow-credentials: true
######## Start Search Guard Demo Configuration ########
# WARNING: revise all the lines below before you go into production
# 关闭xpack安全认证
xpack.security.enabled: false
#xpack.monitoring.enabled: false
# TLS设置
searchguard.ssl.transport.pemcert_filepath: node1.pem
searchguard.ssl.transport.pemkey_filepath: node1.key
searchguard.ssl.transport.pemkey_password: 7EJJ2hYcJFJQ
searchguard.ssl.transport.pemtrustedcas_filepath: root-ca.pem
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.transport.resolve_hostname: false
searchguard.ssl.http.enabled: true
searchguard.ssl.http.pemcert_filepath: node1_http.pem
searchguard.ssl.http.pemkey_filepath: node1_http.key
searchguard.ssl.http.pemkey_password: 6eIWAxh4kgHs
searchguard.ssl.http.pemtrustedcas_filepath: root-ca.pem
searchguard.nodes_dn:
- CN=node1.yibai.com,OU=Ops,O=yibai Com\, Inc.,DC=yibai,DC=com
- CN=node2.yibai.com,OU=Ops,O=yibai Com\, Inc.,DC=yibai,DC=com
- CN=node3.yibai.com,OU=Ops,O=yibai Com\, Inc.,DC=yibai,DC=com
searchguard.authcz.admin_dn:
- CN=spock.yibai.com,OU=Ops,O=yibai Com\, Inc.,DC=yibai,DC=com
# - CN=kirk.yibai.com,OU=Ops,O=yibai Com\, Inc.,DC=yibai,DC=com
# 允许演示证书和自动初始化 生产环境上改为false
searchguard.allow_unsafe_democertificates: true
searchguard.allow_default_init_sgindex: true
# 客户端认证
searchguard.ssl.http.clientauth_mode: OPTIONAL
# 启用审计日志记录并将生成的审计跟踪直接存储在Elasticsearch中
searchguard.audit.type: internal_elasticsearch
# 允许快照/恢复
searchguard.enable_snapshot_restore_privilege: true
searchguard.check_snapshot_restore_write_privileges: true
# 可以访问REST的角色
searchguard.restapi.roles_enabled: ["sg_all_access"]
cluster.routing.allocation.disk.threshold_enabled: false
node.max_local_storage_nodes: 3
######## End Search Guard Demo Configuration ########
- TLS用户广播 在<tlstool directory>/tools/out/client-certificates.readme里面取到对应客户端帐号密码 启动es cd <ES directory>/plugins/search-guard-6/tools 运行命令:
./sgadmin.sh -cd ../sgconfig/ -icl -nhnv \
-cacert ../../../config/root-ca.pem \
-cert ../../../config/spock.pem \
-key ../../../config/spock.key \
-keypass 3QgfFoYd8Ken
类似资料: