728x90
Elasticsearch에서 SSL/TLS를 구성하는 방법
Elasticsearch - node1
- password : elastic
- CA file : /etc/elasticsearch/certs/elastic-stack-ca.p12
- Certificates file : /etc/elasticsearch/certs/elastic-certificates.p12
- CA(Certificate Authority) 생성
/usr/share/elasticsearch/bin/elasticsearch-certutil ca \
--out /etc/elasticsearch/certs/elastic-stack-ca.p12 \
--days 3650$ /usr/share/elasticsearch/bin/elasticsearch-certutil ca \
> --out /etc/elasticsearch/certs/elastic-stack-ca.p12 \
> --days 3650
This tool assists you in the generation of X.509 certificates and certificate
signing requests for use with SSL/TLS in the Elastic stack.
The 'ca' mode generates a new 'certificate authority'
This will create a new X.509 certificate and private key that can be used
to sign certificate when running in 'cert' mode.
Use the 'ca-dn' option if you wish to configure the 'distinguished name'
of the certificate authority
By default the 'ca' mode produces a single PKCS#12 output file which holds:
* The CA certificate
* The CA's private key
If you elect to generate PEM format certificates (the -pem option), then the output will
be a zip file containing individual files for the CA certificate and private key
Enter password for elastic-stack-ca.p12 :- 인증서(Certificate) 생성
/usr/share/elasticsearch/bin/elasticsearch-certutil cert \
--ca /etc/elasticsearch/certs/elastic-stack-ca.p12 \
--out /etc/elasticsearch/certs/elastic-certificates.p12 \
--days 3650$ /usr/share/elasticsearch/bin/elasticsearch-certutil cert \
> --ca /etc/elasticsearch/certs/elastic-stack-ca.p12 \
> --out /etc/elasticsearch/certs/elastic-certificates.p12 \
> --days 3650
This tool assists you in the generation of X.509 certificates and certificate
signing requests for use with SSL/TLS in the Elastic stack.
The 'cert' mode generates X.509 certificate and private keys.
* By default, this generates a single certificate and key for use
on a single instance.
* The '-multiple' option will prompt you to enter details for multiple
instances and will generate a certificate and key for each one
* The '-in' option allows for the certificate generation to be automated by describing
the details of each instance in a YAML file
* An instance is any piece of the Elastic Stack that requires an SSL certificate.
Depending on your configuration, Elasticsearch, Logstash, Kibana, and Beats
may all require a certificate and private key.
* The minimum required value for each instance is a name. This can simply be the
hostname, which will be used as the Common Name of the certificate. A full
distinguished name may also be used.
* A filename value may be required for each instance. This is necessary when the
name would result in an invalid file or directory name. The name provided here
is used as the directory name (within the zip) and the prefix for the key and
certificate files. The filename is required if you are prompted and the name
is not displayed in the prompt.
* IP addresses and DNS names are optional. Multiple values can be specified as a
comma separated string. If no IP addresses or DNS names are provided, you may
disable hostname verification in your SSL configuration.
* All certificates generated by this tool will be signed by a certificate authority (CA)
unless the --self-signed command line option is specified.
The tool can automatically generate a new CA for you, or you can provide your own with
the --ca or --ca-cert command line options.
By default the 'cert' mode produces a single PKCS#12 output file which holds:
* The instance certificate
* The private key for the instance certificate
* The CA certificate
If you specify any of the following options:
* -pem (PEM formatted output)
* -multiple (generate multiple certificates)
* -in (generate certificates from an input file)
then the output will be be a zip file containing individual certificate/key files
Enter password for CA (/etc/elasticsearch/certs/elastic-stack-ca.p12) :
Enter password for elastic-certificates.p12 :
Certificates written to /etc/elasticsearch/certs/elastic-certificates.p12
This file should be properly secured as it contains the private key for
your instance.
This file is a self contained file and can be copied and used 'as is'
For each Elastic product that you wish to configure, you should copy
this '.p12' file to the relevant configuration directory
and then follow the SSL configuration instructions in the product guide.
For client applications, you may only need to copy the CA certificate and
configure the client to trust this certificate.chown -R root:elasticsearch /etc/elasticsearch/certs/elastic-certificates.p12chmod 660 /etc/elasticsearch/certs/elastic-certificates.p12- node2, node3 elastic-certificates.p12 파일 복사
rsync -avz /etc/elasticsearch/certs/elastic-certificates.p12 root@192.168.56.72:/etc/elasticsearch/certs/.rsync -avz /etc/elasticsearch/certs/elastic-certificates.p12 root@192.168.56.73:/etc/elasticsearch/certs/.
Elasticsearch - node1, node2, node3
Elasticsearch keystore 설정
- password : elastic
- Elasticsearch용 키 저장소를 생성
/usr/share/elasticsearch/bin/elasticsearch-keystore create- Elasticsearch의 Transport Layer Security (TLS) 통신에서 사용할 SSL/TLS 인증서의 비밀번호를 저장
/usr/share/elasticsearch/bin/elasticsearch-keystore \
add xpack.security.transport.ssl.keystore.secure_password- Elasticsearch의 TLS 통신에서 신뢰할 수 있는 CA 인증서의 비밀번호를 저장
/usr/share/elasticsearch/bin/elasticsearch-keystore \
add xpack.security.transport.ssl.truststore.secure_password- Elasticsearch HTTP 클라이언트에서 사용할 SSL/TLS 인증서의 비밀번호를 저장
/usr/share/elasticsearch/bin/elasticsearch-keystore \
add xpack.security.http.ssl.keystore.secure_password- Elasticsearch HTTP 클라이언트에서 사용할 신뢰할 수 있는 CA 인증서의 비밀번호를 저장
/usr/share/elasticsearch/bin/elasticsearch-keystore \
add xpack.security.http.ssl.truststore.secure_password- 키 저장소에 현재 저장된 모든 키를 나열
/usr/share/elasticsearch/bin/elasticsearch-keystore list- http(http.p12)의 비밀번호
/usr/share/elasticsearch/bin/elasticsearch-keystore \
show xpack.security.http.ssl.keystore.secure_password- transport(transport.p12)의 비밀번호 확인
/usr/share/elasticsearch/bin/elasticsearch-keystore \
show xpack.security.transport.ssl.keystore.secure_passwordelasticsearch.yml 편집
vim /etc/elasticsearch/elasticsearch.yml# Enable encryption for HTTP API client connections, such as Kibana, Logstash, and Agents
xpack.security.http.ssl:
enabled: true
verification_mode: certificate
keystore.path: certs/elastic-certificates.p12
truststore.path: certs/elastic-certificates.p12
# Enable encryption and mutual authentication between cluster nodes
xpack.security.transport.ssl:
enabled: true
verification_mode: certificate
keystore.path: certs/elastic-certificates.p12
truststore.path: certs/elastic-certificates.p12
Elastic 기본 사용자의 비밀번호를 재설정
/usr/share/elasticsearch/bin/elasticsearch-reset-password -u elasticexport ELASTIC_PASSWORD="6li2MsFz3YnySXUQyu9q"Elasticsearch 클러스터의 기본 상태 확인
curl -k -u elastic:$ELASTIC_PASSWORD https://localhost:9200클러스터의 Cluster Health
curl -k -u elastic:$ELASTIC_PASSWORD https://localhost:9200/_cluster/health?pretty클러스터의 Cluster State
curl -k -u elastic:$ELASTIC_PASSWORD https://localhost:9200/_cluster/state?pretty클러스터의 노드 목록
curl -k -u elastic:$ELASTIC_PASSWORD https://localhost:9200/_cat/nodes?pretty
rsync -avz /etc/elasticsearch/certs/elastic-certificates.p12 root@192.168.56.72:/etc/elasticsearch/certs/.
728x90
'리눅스' 카테고리의 다른 글
| 우분투에서 Elasticsearch 8.x 설치 및 클러스터 구성 방법 (0) | 2024.02.22 |
|---|---|
| Kibana를 설치하고 구성하는 방법(SSL/TLS 암호화 구성) (0) | 2024.02.22 |
| 우분투에서 Elasticsearch를 설치하고 Kibana를 사용하여 클러스터 상태를 확인하는 방법 (0) | 2024.02.18 |
| [draft] Helm을 사용하여 Ingress Controller를 설치하는 방법 (0) | 2024.02.17 |
| 쿠버네티스 kubeadm init 오류 (0) | 2024.02.16 |
