Prerequisites
- The certificates are prepared (node certificate, admin certificate and the CA, either as PEM files or as JKS keystore/truststore files)
- The plugin has been downloaded
- Elasticsearch is already installed
Paths and versions
Elasticsearch directory: /opt/elasticsearch-7.8.0
Plugin archive: /opt/search-guard-suite-plugin-7.8.0-43.2.0.zip
Elasticsearch version: elasticsearch-7.8.0
The plugin is version-locked: the first part of its version (7.8.0) must match the installed Elasticsearch version exactly, otherwise elasticsearch-plugin refuses to install it.
Install the plugin
Change to the bin directory
cd /opt/elasticsearch-7.8.0/bin
Install command. -b (batch mode) accepts the additional Java security permissions the plugin requests without prompting; leave it out if you want them printed for review before confirming.
./elasticsearch-plugin install -b file:///opt/search-guard-suite-plugin-7.8.0-43.2.0.zip
Prepare the certificates and passwords
Put the certificate files (keystore and truststore, or the PEM certificate, key and CA files) in the config directory. They must be in this directory, because the plugin resolves the relative paths in elasticsearch.yml against config. Make the files owned by the user Elasticsearch runs as and keep the private key (or keystore) readable by that user only, e.g. chmod 600; the passwords below also go into elasticsearch.yml in clear text, so lock that file down the same way.
Edit the configuration file elasticsearch.yml
Disable X-Pack security (Search Guard requires it to be off; both cannot be active at once), disable the paid Search Guard enterprise modules, and use plain server-side TLS only: with clientauth_mode NONE the HTTP layer neither requests nor verifies client certificates, so REST clients are authenticated by the authc chain in sgconfig (for example HTTP basic auth against the internal user database) rather than by certificate.
xpack.security.enabled: false
searchguard.enterprise_modules_enabled: false
searchguard.ssl.http.clientauth_mode : NONE
Fill in the certificate paths and passwords according to where you put the files in config (the literal file names and passwords below are the author's example values; replace them with your own). Both variants below set searchguard.ssl.transport.enforce_hostname_verification: false, which makes a node accept any peer certificate signed by the CA regardless of the host name it was issued for; that is convenient in a lab, but in production set it to true and issue node certificates whose SANs carry the node names.
Certificates are supported in two formats:
- PEM certificates
- keystore and truststore files (JKS)
Configuration for the keystore and truststore file mode. CN=[hostname] stands for the node's actual host name; searchguard.authcz.admin_dn lists the subject DN of the certificate sgadmin will use, and it must match that certificate's DN exactly.
searchguard.ssl.transport.keystore_filepath: CN=[hostname]-keystore.jks
searchguard.ssl.transport.keystore_password: [keystore password for this node]
searchguard.ssl.transport.truststore_filepath: truststore.jks
searchguard.ssl.transport.truststore_password: af4e04b5cd4af41c11a2
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.http.enabled: true
searchguard.ssl.http.keystore_filepath: CN=[hostname]-keystore.jks
searchguard.ssl.http.keystore_password: [keystore password for this node]
searchguard.ssl.http.truststore_filepath: truststore.jks
searchguard.ssl.http.truststore_password: af4e04b5cd4af41c11a2
searchguard.authcz.admin_dn:
- CN=sgadmin
Configuration for the PEM certificates mode. pemcert is the node certificate with its chain, pemkey its private key and pemtrustedcas the CA chain used to verify peers; searchguard.authcz.admin_dn is added in the sgadmin step below.
searchguard.ssl.transport.pemcert_filepath: CN=[hostname].crtfull.pem
searchguard.ssl.transport.pemkey_filepath: CN=[hostname].key.pem
searchguard.ssl.transport.pemkey_password: [private key password for this node]
searchguard.ssl.transport.pemtrustedcas_filepath: chain-ca.pem
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.http.enabled: true
searchguard.ssl.http.pemcert_filepath: CN=[hostname].crtfull.pem
searchguard.ssl.http.pemkey_filepath: CN=[hostname].key.pem
searchguard.ssl.http.pemkey_password: [private key password for this node]
searchguard.ssl.http.pemtrustedcas_filepath: chain-ca.pem
Go through the remaining configuration items as you normally would.
Once the node starts successfully, run sgadmin
Make sure the configuration file contains the following (the keystore block above already includes it; add it to the PEM block if that is what you used). The DN must match the subject of the admin certificate exactly: any certificate with this DN issued by the trusted CA gets full administrative access to the cluster, so guard the admin key like a root credential.
searchguard.authcz.admin_dn:
- CN=sgadmin
Put the admin certificate and the truststore (or CA file) in the following directory; the commands below reference them with relative paths
cd /opt/elasticsearch-7.8.0/plugins/search-guard-7/tools
Make the script executable
chmod 755 ./sgadmin.sh
Run it, keystore and truststore mode. -ts/-tspass are the truststore and its password, -ks/-kspass the admin keystore and its password, -nhnv disables hostname verification for sgadmin's own transport connection (matching enforce_hostname_verification: false above), -icl ignores the cluster name (otherwise pass it with -cn), and -cd is the directory with the sg_*.yml files to upload. Passwords given on the command line end up in shell history and in the process list.
./sgadmin.sh -ts truststore.jks -tspass af4e04b5cd4af41c11a2 -ks CN=sgadmin-keystore.jks -kspass 72ba07ef757174c74b54 -nhnv -icl -cd ../sgconfig/
Run it, PEM certificates mode. -cacert is the CA that signed the node certificates; -cert, -key and -keypass are the admin certificate, its private key and the key password.
./sgadmin.sh -cacert root-ca.pem -cert CN=sgadmin.crtfull.pem -key CN=sgadmin.key.pem -keypass 72ba07ef757174c74b54 -nhnv -icl -cd ../sgconfig/
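Putting the configuration step and the sgadmin step together, here is an added example (it is not part of the original post and not a Search Guard tool): a POSIX shell script that lints the Search Guard block of a flat elasticsearch.yml, reports the two lab-only settings used above (hostname verification off, clientauth_mode NONE), checks that every referenced certificate file exists in the config directory and that key material is not group/world readable, and prints the sgadmin.sh command line that matches the certificate mode it finds. It assumes flat key: value lines as shown above, node files named CN=node1.* and admin files named CN=sgadmin.* (the post's own naming scheme), and takes the CA for -cacert from pemtrustedcas_filepath where the post uses root-ca.pem; the elasticsearch.yml contents and the empty certificate files it creates are constructed fixtures.

```shell
#!/bin/sh
# Added example, not code from the post or from Search Guard: lint the Search
# Guard TLS settings in a flat elasticsearch.yml, check the referenced
# certificate files, and print the matching sgadmin.sh invocation.
# Assumed: flat "key: value" lines (as in the post), node files named
# CN=node1.*, admin files CN=sgadmin.* (the post's own naming scheme).

# Value of a top-level "key: value" line; strips spaces and quotes.
yml_get() {  # $1 = yml file, $2 = key
    sed -n "s/^[[:space:]]*$2[[:space:]]*:[[:space:]]*//p" "$1" | head -n 1 | tr -d '"'"'"
}

# Which of the two certificate modes the transport layer is configured for.
cert_mode() {  # $1 = yml file; prints keystore, pem or none
    if [ -n "$(yml_get "$1" searchguard.ssl.transport.keystore_filepath)" ]; then echo keystore
    elif [ -n "$(yml_get "$1" searchguard.ssl.transport.pemcert_filepath)" ]; then echo pem
    else echo none; fi
}

# Settings the post uses that weaken TLS: fine for a lab, not for production.
weak_settings() {  # $1 = yml file; prints one WARN line per finding
    if [ "$(yml_get "$1" searchguard.ssl.transport.enforce_hostname_verification)" = false ]; then
        echo "WARN transport hostname verification is off: any cert signed by the CA is accepted for any node"
    fi
    if [ "$(yml_get "$1" searchguard.ssl.http.clientauth_mode)" = NONE ]; then
        echo "WARN HTTP clientauth_mode NONE: REST clients are never authenticated by certificate"
    fi
    return 0
}

# Every *_filepath must exist under the config directory (the plugin resolves
# them there); files holding private keys must not be readable by group/others.
check_files() {  # $1 = yml file, $2 = config directory
    for key in $(sed -n 's/^[[:space:]]*\(searchguard\.ssl\.[a-z_.]*_filepath\)[[:space:]]*:.*/\1/p' "$1" | sort -u); do
        path="$2/$(yml_get "$1" "$key")"
        if [ ! -f "$path" ]; then echo "MISSING $key -> $path"; continue; fi
        case "$key" in *pemkey_filepath|*keystore_filepath)
            if [ -n "$(find "$path" \( -perm -004 -o -perm -040 \) -print)" ]; then
                echo "PERM $path is group/world readable; chmod 600 it"
            fi ;;
        esac
    done | sort -u   # the same key file is referenced by transport and http: report it once
}

# sgadmin talks to the node over the transport layer, so it needs the same CA
# (-ts/-cacert) and, when hostname verification is off in the yml, -nhnv.
sgadmin_cmd() {  # $1 = yml file
    nhnv=""
    if [ "$(yml_get "$1" searchguard.ssl.transport.enforce_hostname_verification)" = false ]; then nhnv=" -nhnv"; fi
    case "$(cert_mode "$1")" in
        keystore) echo "./sgadmin.sh -ts $(yml_get "$1" searchguard.ssl.transport.truststore_filepath) -tspass <truststore password> -ks CN=sgadmin-keystore.jks -kspass <admin keystore password>$nhnv -icl -cd ../sgconfig/" ;;
        pem)      echo "./sgadmin.sh -cacert $(yml_get "$1" searchguard.ssl.transport.pemtrustedcas_filepath) -cert CN=sgadmin.crtfull.pem -key CN=sgadmin.key.pem -keypass <admin key password>$nhnv -icl -cd ../sgconfig/" ;;
        *)        echo "no Search Guard TLS settings in $1" >&2; return 1 ;;
    esac
}

# Throwaway config dir with a constructed yml and empty placeholder cert files
# (dummy content, for demonstration only). $1 = pem | keystore; prints the dir.
make_fixture() {
    dir=$(mktemp -d)
    if [ "$1" = pem ]; then   # the post's PEM layout, weak settings included
        cat > "$dir/elasticsearch.yml" <<'EOF'
xpack.security.enabled: false
searchguard.enterprise_modules_enabled: false
searchguard.ssl.http.clientauth_mode : NONE
searchguard.ssl.transport.pemcert_filepath: CN=node1.crtfull.pem
searchguard.ssl.transport.pemkey_filepath: CN=node1.key.pem
searchguard.ssl.transport.pemtrustedcas_filepath: chain-ca.pem
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.http.enabled: true
searchguard.ssl.http.pemcert_filepath: CN=node1.crtfull.pem
searchguard.ssl.http.pemkey_filepath: CN=node1.key.pem
searchguard.ssl.http.pemtrustedcas_filepath: chain-ca.pem
EOF
        : > "$dir/CN=node1.crtfull.pem"; : > "$dir/chain-ca.pem"
        : > "$dir/CN=node1.key.pem"; chmod 644 "$dir/CN=node1.key.pem"   # deliberately too open
    else                      # hardened keystore layout; keystore file left missing on purpose
        cat > "$dir/elasticsearch.yml" <<'EOF'
searchguard.ssl.transport.keystore_filepath: CN=node1-keystore.jks
searchguard.ssl.transport.truststore_filepath: truststore.jks
searchguard.ssl.transport.enforce_hostname_verification: true
searchguard.ssl.http.enabled: true
searchguard.ssl.http.keystore_filepath: CN=node1-keystore.jks
searchguard.ssl.http.truststore_filepath: truststore.jks
searchguard.ssl.http.clientauth_mode: OPTIONAL
EOF
        : > "$dir/truststore.jks"
    fi
    echo "$dir"
}

# Stand-alone run over both constructed layouts.
for mode in pem keystore; do
    cfg=$(make_fixture "$mode"); echo "== $mode =="
    weak_settings "$cfg/elasticsearch.yml"; check_files "$cfg/elasticsearch.yml" "$cfg"
    sgadmin_cmd "$cfg/elasticsearch.yml"; rm -rf "$cfg"
done
```

Run it with sh: the PEM fixture reproduces the post's settings and yields two WARN lines plus one PERM line for the 0644 key file, and a sgadmin command with -nhnv; the keystore fixture is the hardened variant, with no WARN, no -nhnv, and two MISSING lines for the keystore file it deliberately does not create. Point the three functions at a real /opt/elasticsearch-7.8.0/config/elasticsearch.yml and its directory to check an actual node.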
Screenshot of the successful run
To confirm the result afterwards, request https://<hostname>:9200/_searchguard/health with curl --cacert pointing at the CA file, using the host name the node certificate was issued for: a clean TLS handshake and a reply from the plugin show that the certificates and the uploaded configuration are in effect.