ELK Lesson 5: Configuring Encrypted Transport for Elasticsearch
What is Elasticsearch transport encryption about?
Elasticsearch encryption consists of two parts:
- Encrypted transport between the nodes of an Elasticsearch cluster
- The Elasticsearch API over HTTPS
Once encryption is enabled, Elasticsearch can apply its password management, and the Kibana interface gains role-based access control and account management; from then on, ELK is no longer running naked.
The setup of encrypted communication that follows is likewise divided into four parts:
- Generate the certificates and private keys used for encryption
- Configure encryption between Elasticsearch cluster nodes
- Generate the accounts and passwords used by the system
- Configure the Elasticsearch API over HTTPS
Part 1: Generate the certificates and private keys used for encryption
Step 1: Create a yaml file listing the nodes. The file can be stored anywhere; here we put it at:
/tmp/elk/instances.yml
The structure of instances.yml is as follows:
```yaml
instances:
  - name: "lab-elk-1"
    ip: "192.168.50.101"
    dns: "lab-elk-1.example.com"
  - name: "lab-elk-2"
    ip: "192.168.50.102"
    dns: "lab-elk-2.example.com"
  - name: "lab-elk-3"
    ip: "192.168.50.103"
    dns: "lab-elk-3.example.com"
```
Step 2: Run the Elasticsearch certificate-generation command.
```sh
$ cd /usr/share/elasticsearch/
$ bin/elasticsearch-certutil cert ca --pem --in /tmp/elk/instances.yml --out /tmp/certs/certs.zip --keep-ca-key
```
| Parameter | Description |
| --- | --- |
| bin/elasticsearch-certutil | Elasticsearch's certificate-generation tool |
| cert ca --pem | Produce the certificates in PEM format |
| --in /tmp/elk/instances.yml | The node list file to read |
| --out /tmp/certs/certs.zip | The output directory and file name |
| --pass changeme | Password for the generated private keys (optional; not used in the command above) |
| --keep-ca-key | Include the CA private key in the output |
Step 3: Unzip the archive and retrieve the certificates (run from /tmp/certs).
```sh
$ unzip /tmp/certs/certs.zip -d cert_file/
```
After unzipping, each node's certificates can be found under /tmp/certs/cert_file.
```sh
$ ls /tmp/certs/cert_file
ca lab-elk-1 lab-elk-2 lab-elk-3
```
Each folder contains that node's certificate and private key. Copy them to the respective hosts for use in the configuration steps below; in this example all certificates (including ca/ca.crt) are placed under /etc/elasticsearch/certs.
Note in particular that the files in the ca folder must be kept safe: if you add nodes in the future, you will need the private key stored there.
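Before copying the files to the hosts, it is worth confirming that what certutil produced actually matches instances.yml, because a node whose certificate lacks its own dns/ip name will fail TLS hostname verification once the settings below are enabled. The following POSIX shell script is an added example, not code from the original post: it assumes the unzipped cert_file layout (ca/ca.crt, <name>/<name>.crt, <name>/<name>.key) and an openssl binary, and includes a constructed throwaway CA so the check can be exercised offline.

```shell
#!/bin/sh
# Added example (not from the original post). Checks one node's PEM files against
# its instances.yml entry: chain to ca/ca.crt, key/cert pairing, and SAN names.
# Usage: check_node_cert <cert_file_dir> <name> <ip> <dns>
check_node_cert() {
  dir=$1; name=$2; ip=$3; dns=$4
  crt="$dir/$name/$name.crt"; key="$dir/$name/$name.key"; ca="$dir/ca/ca.crt"
  # 1. The node certificate must be signed by the CA we will configure as certificate_authorities.
  openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 \
    || { echo "$name: not signed by ca.crt"; return 1; }
  # 2. The private key must belong to the certificate: compare the public keys derived from each.
  [ "$(openssl x509 -noout -pubkey -in "$crt")" = "$(openssl pkey -pubout -in "$key")" ] \
    || { echo "$name: key does not match certificate"; return 1; }
  # 3. The SAN list must carry the node's dns and ip, which hostname verification relies on.
  san=$(openssl x509 -noout -text -in "$crt" | grep -A1 'Subject Alternative Name')
  case "$san" in *"DNS:$dns"*) ;; *) echo "$name: SAN lacks DNS:$dns"; return 1 ;; esac
  case "$san" in *"IP Address:$ip"*) ;; *) echo "$name: SAN lacks IP:$ip"; return 1 ;; esac
  echo "$name: OK"
}

# Constructed test fixture: a throwaway CA and one node certificate laid out the
# same way as the unzipped certs.zip, so the check above can run without certutil.
make_demo_certs() {
  dir=$1; name=$2; ip=$3; dns=$4
  mkdir -p "$dir/ca" "$dir/$name"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo CA" \
    -keyout "$dir/ca/ca.key" -out "$dir/ca/ca.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$name" \
    -keyout "$dir/$name/$name.key" -out "$dir/$name/$name.csr" 2>/dev/null
  printf 'subjectAltName=DNS:%s,IP:%s\n' "$dns" "$ip" > "$dir/$name/san.ext"
  openssl x509 -req -days 1 -in "$dir/$name/$name.csr" -CA "$dir/ca/ca.crt" \
    -CAkey "$dir/ca/ca.key" -CAcreateserial -extfile "$dir/$name/san.ext" \
    -out "$dir/$name/$name.crt" 2>/dev/null
}
```

Run it once per entry in instances.yml, e.g. `check_node_cert /tmp/certs/cert_file lab-elk-1 192.168.50.101 lab-elk-1.example.com`, before distributing the files.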
Part 2: Configure encryption between Elasticsearch cluster nodes
Step 4: Add the following settings to elasticsearch.yml on every node (lab-elk-1 shown as the example; the certs/ paths are relative to the Elasticsearch config directory, /etc/elasticsearch).
```yaml
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.key: certs/lab-elk-1.key
xpack.security.transport.ssl.certificate: certs/lab-elk-1.crt
xpack.security.transport.ssl.certificate_authorities: certs/ca.crt
```
Step 5: Restart the Elasticsearch service.
Part 3: Generate the accounts and passwords used by the system
Step 6: On any one node, run the elasticsearch-setup-passwords command to generate the passwords.
```sh
$ cd /usr/share/elasticsearch/
$ bin/elasticsearch-setup-passwords auto
```
This command generates random passwords automatically; if you replace auto with interactive, the tool prompts you to type in the password you want for each account.
```text
Initiating the setup of passwords for reserved users elastic,apm_system,kibana,kibana_system,logstash_system,beats_system,remote_monitoring_user.
The passwords will be randomly generated and printed to the console.
Please confirm that you would like to continue [y/N]y
Changed password for user apm_system
PASSWORD apm_system = xxxxxxxxxx
Changed password for user kibana_system
PASSWORD kibana_system = xxxxxxxxxx
Changed password for user kibana
PASSWORD kibana = xxxxxxxxxx
Changed password for user logstash_system
PASSWORD logstash_system = xxxxxxxxxx
Changed password for user beats_system
PASSWORD beats_system = xxxxxxxxxx
Changed password for user remote_monitoring_user
PASSWORD remote_monitoring_user = xxxxxxxxxx
Changed password for user elastic
PASSWORD elastic = xxxxxxxxxx
```
Be absolutely sure to keep these passwords somewhere safe; losing them is a serious hassle.
Part 4: Configure the Elasticsearch API over HTTPS
Step 7: On every node, add the HTTPS settings to elasticsearch.yml as well (lab-elk-1 shown as the example).
```yaml
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.key: certs/lab-elk-1.key
xpack.security.http.ssl.certificate: certs/lab-elk-1.crt
xpack.security.http.ssl.certificate_authorities: certs/ca.crt
```
Step 8: Restart the Elasticsearch service; the encryption setup is now complete.
~ END ~