elasticsearch使用xpack安全验证

elasticsearch、kibana、logstash版本：7.3.2

#使用es自带工具生成CA及证书
ES_HOME=/usr/local/elasticsearch
$ES_HOME/bin/elasticsearch-certutil ca
$ES_HOME/bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12
mkdir $ES_HOME/config/certs && mv $ES_HOME/elastic-* $ES_HOME/config/certs

复制证书到其他es节点

#es配置文件(es1为例)
elasticsearch.yml
cluster.name: my-es
node.name: es-1
node.master: true 
node.data: true
node.ingest: false
path.data: /usr/local/elasticsearch/data/
path.logs: /usr/local/elasticsearch/log/
network.host: 0.0.0.0
http.port: 9200
transport.port: 9300
transport.compress: true
discovery.seed_hosts: ["192.168.3.100:9300","192.168.3.101:9300","192.168.3.102:9300"]
cluster.initial_master_nodes: ["192.168.3.100:9300","192.168.3.101:9300","192.168.3.102:9300"]
#head插件
http.cors.enabled: true
http.cors.allow-origin: "*"
#开启安全功能
xpack.security.enabled: true
#集群内部通信加密
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: certs/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: certs/elastic-certificates.p12

#使用systemd管理es
/usr/lib/systemd/system/elasticsearch.service
[Unit]
Description=Elasticsearch
Documentation=http://www.elastic.co
Wants=network-online.target
After=network-online.target
[Service]
User=es
Group=es
LimitNOFILE=100000
LimitNPROC=100000
ExecStart=/usr/local/elasticsearch-7.3.2/bin/elasticsearch
[Install]
WantedBy=multi-user.target

#启动es集群；设置默认账户密码
#自动生成密码
$ES_HOME/bin/elasticsearch-setup-passwords auto

#手动设置密码
$ES_HOME/bin/elasticsearch-setup-passwords interactive

#Kibana相关证书
Kibana_HOME=/usr/local/kibana
#kibana连接es加密需要使用pem证书
cd  $ES_HOME/config/certs
#证书转换
openssl pkcs12 -in elastic-certificates.p12 -out elastic-certificates.pem -nodes
mkdir $Kibana_HOME/config/certs && mv elastic-certificates.pem $Kibana_HOME/config/certs
#https证书
$ES_HOME/bin/elasticsearch-certutil ca --pem
mv $ES_HOME/elastic-stack-ca.zip $Kibana_HOME/config/certs && unzip $Kibana_HOME/config/certs/elastic-stack-ca.zip

#kibana配置文件
kibana.yml
server.host: "192.168.3.102"
elasticsearch.hosts: ["http://192.168.3.102:9200","http://192.168.3.101:9200","http://192.168.3.102:9200"]
elasticsearch.username: "kibana"
elasticsearch.password: "ukCAClFof70DU5mWnHC7"
logging.dest: /usr/local/kibana/log/kibana.log
logging.quiet: true
#启用https访问kibana；使用私有证书会有访问日志报错的问题
#server.ssl.enabled: true
#server.ssl.certificate: /usr/local/kibana/config/certs/ca/ca.crt
#server.ssl.key: /usr/local/kibana/config/certs/ca/ca.key
#启用elasticsearch连接加密
elasticsearch.ssl.certificateAuthorities: [ "/usr/local/kibana/config/certs/elastic-certificates.pem" ]
elasticsearch.ssl.verificationMode: certificate

#systemd管理kibana
/usr/lib/systemd/system/kibana.service
[Unit]
Description=Kinaba
Documentation=http://www.elastic.co
Wants=network-online.target
After=network-online.target
[Service]
User=kibana
Group=kibana
ExecStart=/usr/local/kibana/bin/kibana
[Install]
WantedBy=multi-user.target

#logstash示例
input {
  stdin {
  }
}
output {
  elasticsearch {
    hosts => ["http://192.168.3.100:9200","http://192.168.3.101:9200","http://192.168.3.102:9200"]
    index => "test-%{+YYYY.MM.dd}"
    user => "elastic"
    password => "HkqZIHZsuXSv6B5OwqJ7"
  }
}

使用PKCS12配置logstash=>es安全加密未成功(有大佬成功的话私信或者评论下)，可以参考下面链接使用PEM方式来完成各组件之间的安全通信

https://www.elastic.co/cn/blog/configuring-ssl-tls-and-https-to-secure-elasticsearch-kibana-beats-and-logstash#step-5-2

参考：

https://www.elastic.co/guide/en/elastic-stack-overview/7.3/ssl-tls.html

https://www.elastic.co/guide/en/elasticsearch/reference/7.3/configuring-security.html

https://www.elastic.co/guide/en/kibana/7.3/using-kibana-with-security.html

https://www.elastic.co/guide/en/kibana/7.3/configuring-tls.html