IP | 主机名 | 部署组件 | 备注 |
---|---|---|---|
11.0.1.4 | es1 | es+kibana | |
11.0.1.5 | es2 | es | |
11.0.1.6 | es3 | es |
1、下载es8.5.1和kibana8.5.1二进制安装包
2、三台服务器分别执行以下操作
(1)创建用户和目录
[root@es1 ~]# useradd dev
[root@es1 ~]# mkdir -p /app/install
[root@es1 ~]# mkdir /data
[root@es1 install]# chown -R dev:dev /data
(2)上传es和kibana的tar包到/app/install目录,并解压至/app目录下
[root@es1 install]# tar -zxf elasticsearch-8.5.1-linux-x86_64.tar.gz -C /app
[root@es1 install]# mv elasticsearch-8.5.1 elasticsearch
[root@es1 install]# chown -R dev:dev /app
(3)调整最大文件打开数
[root@es1 ~]# vim /etc/security/limits.conf
* soft nofile 65536
* hard nofile 65536
* soft nproc 4096
* hard nproc 4096
(4)修改虚拟内存大小:
[root@es1 ~]# vim /etc/sysctl.conf
vm.max_map_count=262144
使修改后的配置生效:
[root@es1 ~]# sysctl -p
vm.max_map_count = 262144
(5)修改主机域名解析
[root@es1 ~]# vim /etc/hosts
11.0.1.4 es1
11.0.1.5 es2
11.0.1.6 es3
3、在es1上创建证书
[root@es1 ~]# su - dev
[dev@es1 ~]$ cd /app/elasticsearch
[dev@es1 elasticsearch]$ bin/elasticsearch-certutil ca #直接回车
This tool assists you in the generation of X.509 certificates and certificate
signing requests for use with SSL/TLS in the Elastic stack.The 'ca' mode generates a new 'certificate authority'
This will create a new X.509 certificate and private key that can be used
to sign certificate when running in 'cert' mode.Use the 'ca-dn' option if you wish to configure the 'distinguished name'
of the certificate authorityBy default the 'ca' mode produces a single PKCS#12 output file which holds:* The CA certificate* The CA's private keyIf you elect to generate PEM format certificates (the -pem option), then the output will
be a zip file containing individual files for the CA certificate and private keyPlease enter the desired output file [elastic-stack-ca.p12]: #直接回车
Enter password for elastic-stack-ca.p12 : #直接回车[dev@es1 elasticsearch]$ bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 #直接回车
This tool assists you in the generation of X.509 certificates and certificate
signing requests for use with SSL/TLS in the Elastic stack.The 'cert' mode generates X.509 certificate and private keys.* By default, this generates a single certificate and key for useon a single instance.* The '-multiple' option will prompt you to enter details for multipleinstances and will generate a certificate and key for each one* The '-in' option allows for the certificate generation to be automated by describingthe details of each instance in a YAML file* An instance is any piece of the Elastic Stack that requires an SSL certificate.Depending on your configuration, Elasticsearch, Logstash, Kibana, and Beatsmay all require a certificate and private key.* The minimum required value for each instance is a name. This can simply be thehostname, which will be used as the Common Name of the certificate. A fulldistinguished name may also be used.* A filename value may be required for each instance. This is necessary when thename would result in an invalid file or directory name. The name provided hereis used as the directory name (within the zip) and the prefix for the key andcertificate files. The filename is required if you are prompted and the nameis not displayed in the prompt.* IP addresses and DNS names are optional. Multiple values can be specified as acomma separated string. If no IP addresses or DNS names are provided, you maydisable hostname verification in your SSL configuration.* All certificates generated by this tool will be signed by a certificate authority (CA)unless the --self-signed command line option is specified.The tool can automatically generate a new CA for you, or you can provide your own withthe --ca or --ca-cert command line options.By default the 'cert' mode produces a single PKCS#12 output file which holds: #直接回车* The instance certificate* The private key for the instance certificate* The CA certificateIf you specify any of the following options:* -pem (PEM formatted output)* -multiple (generate multiple certificates)* -in (generate certificates from an input file)
then the output will be be a zip file containing individual certificate/key filesEnter password for CA (elastic-stack-ca.p12) : #直接回车
Please enter the desired output file [elastic-certificates.p12]: #直接回车
Enter password for elastic-certificates.p12 : #直接回车Certificates written to /app/elasticsearch/elastic-certificates.p12This file should be properly secured as it contains the private key for
your instance.
This file is a self contained file and can be copied and used 'as is'
For each Elastic product that you wish to configure, you should copy
this '.p12' file to the relevant configuration directory
and then follow the SSL configuration instructions in the product guide.For client applications, you may only need to copy the CA certificate and
configure the client to trust this certificate.
[dev@es1 elasticsearch]$ ll
总用量 28
drwxr-xr-x. 2 zhaoll zhaoll 4096 11月 10 05:08 bin
drwxr-xr-x. 4 zhaoll zhaoll 4096 11月 21 22:52 config
-rw------- 1 zhaoll zhaoll 3596 11月 21 22:55 elastic-certificates.p12
-rw------- 1 zhaoll zhaoll 2672 11月 21 22:53 elastic-stack-ca.p12
drwxr-xr-x. 8 zhaoll zhaoll 96 11月 10 05:08 jdk
drwxr-xr-x. 5 zhaoll zhaoll 4096 11月 10 05:08 lib
drwxr-xr-x. 2 zhaoll zhaoll 4096 11月 21 22:32 logs
drwxr-xr-x. 67 zhaoll zhaoll 4096 11月 10 05:09 modules
drwxr-xr-x. 2 zhaoll zhaoll 6 11月 10 05:05 plugins
[dev@es1 elasticsearch]$ mv elastic-* config/certs/
[dev@es1 elasticsearch]$ bin/elasticsearch-certutil http## Elasticsearch HTTP Certificate UtilityThe 'http' command guides you through the process of generating certificates
for use on the HTTP (Rest) interface for Elasticsearch.This tool will ask you a number of questions in order to generate the right
set of files for your needs.## Do you wish to generate a Certificate Signing Request (CSR)?A CSR is used when you want your certificate to be created by an existing
Certificate Authority (CA) that you do not control (that is, you don't have
access to the keys for that CA).If you are in a corporate environment with a central security team, then you
may have an existing Corporate CA that can generate your certificate for you.
Infrastructure within your organisation may already be configured to trust this
CA, so it may be easier for clients to connect to Elasticsearch if you use a
CSR and send that request to the team that controls your CA.If you choose not to generate a CSR, this tool will generate a new certificate
for you. That certificate will be signed by a CA under your control. This is a
quick and easy way to secure your cluster with TLS, but you will need to
configure all your clients to trust that custom CA.Generate a CSR? [y/N]n #是否开始请求证书,选择n## Do you have an existing Certificate Authority (CA) key-pair that you wish to use to sign your certificate?If you have an existing CA certificate and key, then you can use that CA to
sign your new http certificate. This allows you to use the same CA across
multiple Elasticsearch clusters which can make it easier to configure clients,
and may be easier for you to manage.If you do not have an existing CA, one will be generated for you.Use an existing CA? [y/N]y #是否选择已存在的证书,选择y## What is the path to your CA?Please enter the full pathname to the Certificate Authority that you wish to
use for signing your new http certificate. This can be in PKCS#12 (.p12), JKS
(.jks) or PEM (.crt, .key, .pem) format.
CA Path: /app/elasticsearch/config/certs/elastic-stack-ca.p12 #输入证书路径
Reading a PKCS12 keystore requires a password.
It is possible for the keystore's password to be blank,
in which case you can simply press at the prompt
Password for elastic-stack-ca.p12: #直接回车## How long should your certificates be valid?Every certificate has an expiry date. When the expiry date is reached clients
will stop trusting your certificate and TLS connections will fail.Best practice suggests that you should either:
(a) set this to a short duration (90 - 120 days) and have automatic processes
to generate a new certificate before the old one expires, or
(b) set it to a longer duration (3 - 5 years) and then perform a manual update
a few months before it expires.You may enter the validity period in years (e.g. 3Y), months (e.g. 18M), or days (e.g. 90D)For how long should your certificate be valid? [5y] 20y #证书有效期默认是5年## Do you wish to generate one certificate per node?If you have multiple nodes in your cluster, then you may choose to generate a
separate certificate for each of these nodes. Each certificate will have its
own private key, and will be issued for a specific hostname or IP address.Alternatively, you may wish to generate a single certificate that is valid
across all the hostnames or addresses in your cluster.If all of your nodes will be accessed through a single domain
(e.g. node01.es.example.com, node02.es.example.com, etc) then you may find it
simpler to generate one certificate with a wildcard hostname (*.es.example.com)
and use that across all of your nodes.However, if you do not have a common domain name, and you expect to add
additional nodes to your cluster in the future, then you should generate a
certificate per node so that you can more easily generate new certificates when
you provision new nodes.Generate a certificate per node? [y/N]n #是否为每个es节点创建一个证书,我们选择n## Which hostnames will be used to connect to your nodes?These hostnames will be added as "DNS" names in the "Subject Alternative Name"
(SAN) field in your certificate.You should list every hostname and variant that people will use to connect to
your cluster over http.
Do not list IP addresses here, you will be asked to enter them later.If you wish to use a wildcard certificate (for example *.es.example.com) you
can enter that here.Enter all the hostnames that you need, one per line. #输入每个主机的主机名
When you are done, press once more to move on to the next step.es1
es2
es3You entered the following hostnames.- es1- es2- es3Is this correct [Y/n]y #是否确认## Which IP addresses will be used to connect to your nodes?If your clients will ever connect to your nodes by numeric IP address, then you
can list these as valid IP "Subject Alternative Name" (SAN) fields in your
certificate.If you do not have fixed IP addresses, or not wish to support direct IP access
to your cluster then you can just press to skip this step.Enter all the IP addresses that you need, one per line. #输入每个主机的IP
When you are done, press once more to move on to the next step.11.0.1.4
11.0.1.5
11.0.1.6You entered the following IP addresses.- 11.0.1.4- 11.0.1.5- 11.0.1.6Is this correct [Y/n]y #是否确认## Other certificate optionsThe generated certificate will have the following additional configuration
values. These values have been selected based on a combination of the
information you have provided above and secure defaults. You should not need to
change these values unless you have specific requirements.Key Name: es1
Subject DN: CN=node1
Key Size: 2048Do you wish to change any of these options? [y/N]n #是否修改以上信息?选择n## What password do you want for your private key(s)?Your private key(s) will be stored in a PKCS#12 keystore file named "http.p12".
This type of keystore is always password protected, but it is possible to use a
blank password.If you wish to use a blank password, simply press at the prompt below.
Provide a password for the "http.p12" file: [ for none] #直接回车## Where should we save the generated files?A number of files will be generated including your private key(s),
public certificate(s), and sample configuration options for Elastic Stack products.These files will be included in a single zip archive.What filename should be used for the output zip file? [/app/elasticsearch/elasticsearch-ssl-http.zip]Zip file written to /app/elasticsearch/elasticsearch-ssl-http.zip #证书打包成了elasticsearch-ssl-http.zip
[dev@es1 elasticsearch]$
解压证书包,并将证书文件拷贝到config/certs目录:
[dev@es1 elasticsearch]$ unzip elasticsearch-ssl-http.zip
[dev@es1 elasticsearch]$ cp elasticsearch/http.p12 config/certs/
[dev@es1 elasticsearch]$ cp kibana/elasticsearch-ca.pem config/certs/
[dev@es1 elasticsearch]$ mv elastic-certificates.p12 config/certs/
[dev@es1 elasticsearch]$ mv elastic-stack-ca.p12 config/certs/
将config/certs下的所有证书文件发送给es2和es3服务器:
[dev@es1 elasticsearch]$ scp config/certs/* root@es2:/app/elasticsearch/config/certs/
[dev@es1 elasticsearch]$ scp config/certs/* root@es3:/app/elasticsearch/config/certs/
es2和es3服务器上修改一下上述证书文件的归属用户组
[root@es2 elasticsearch]# chown -R dev:dev /app
[root@es3 elasticsearch]# chown -R dev:dev /app
修改es配置文件:
(1)es1配置文件如下:
cluster.name: elk
node.name: elk01
path.data: /data/es
path.logs: /app/elasticsearch/logs
bootstrap.memory_lock: false
network.host: es1
http.port: 9200
cluster.initial_master_nodes: ["elk01"]
discovery.seed_hosts: ["11.0.1.5", "11.0.1.6"]xpack.security.enabled: true
xpack.security.enrollment.enabled: false
xpack.security.http.ssl:enabled: truekeystore.path: /app/elasticsearch/config/certs/http.p12truststore.path: /app/elasticsearch/config/certs/http.p12
xpack.security.transport.ssl:enabled: trueverification_mode: certificatekeystore.path: /app/elasticsearch/config/certs/elastic-certificates.p12truststore.path: /app/elasticsearch/config/certs/elastic-certificates.p12
ingest.geoip.downloader.enabled: false
xpack.security.http.ssl.client_authentication: none
(2)es2配置文件如下:
cluster.name: elk
node.name: elk02
path.data: /data/es
path.logs: /app/elasticsearch/logs
bootstrap.memory_lock: false
network.host: es2
http.port: 9200
cluster.initial_master_nodes: ["elk01"]
discovery.seed_hosts: ["11.0.1.4", "11.0.1.6"]xpack.security.enabled: true
xpack.security.enrollment.enabled: false
xpack.security.http.ssl:enabled: truekeystore.path: /app/elasticsearch/config/certs/http.p12truststore.path: /app/elasticsearch/config/certs/http.p12
xpack.security.transport.ssl:enabled: trueverification_mode: certificatekeystore.path: /app/elasticsearch/config/certs/elastic-certificates.p12truststore.path: /app/elasticsearch/config/certs/elastic-certificates.p12
ingest.geoip.downloader.enabled: false
xpack.security.http.ssl.client_authentication: none
(3)es3配置文件如下:
cluster.name: elk
node.name: elk03
path.data: /data/es
path.logs: /app/elasticsearch/logs
bootstrap.memory_lock: false
network.host: es3
http.port: 9200
cluster.initial_master_nodes: ["elk01"]
discovery.seed_hosts: ["11.0.1.4", "11.0.1.5"]xpack.security.enabled: true
xpack.security.enrollment.enabled: false
xpack.security.http.ssl:enabled: truekeystore.path: /app/elasticsearch/config/certs/http.p12truststore.path: /app/elasticsearch/config/certs/http.p12
xpack.security.transport.ssl:enabled: trueverification_mode: certificatekeystore.path: /app/elasticsearch/config/certs/elastic-certificates.p12truststore.path: /app/elasticsearch/config/certs/elastic-certificates.p12
ingest.geoip.downloader.enabled: false
xpack.security.http.ssl.client_authentication: none
尝试启动elk01节点,正常情况下可以看到如下内容:
✅ Elasticsearch security features have been automatically configured!
✅ Authentication is enabled and cluster connections are encrypted.ℹ️ Password for the elastic user (reset with `bin/elasticsearch-reset-password -u elastic`):KRx_=mh4S9h5Ft86I6fF #此处为系统设置的elastic管理员密码❌ Unable to generate an enrollment token for Kibana instances, try invoking `bin/elasticsearch-create-enrollment-token -s kibana`.❌ An enrollment token to enroll new nodes wasn't generated. To add nodes and enroll them into this cluster:
• On this node:⁃ Create an enrollment token with `bin/elasticsearch-create-enrollment-token -s node`.⁃ Restart Elasticsearch.
• On other nodes:⁃ Start Elasticsearch with `bin/elasticsearch --enrollment-token `, using the enrollment token that you generated.
然后启动elk02和elk03节点即可。
1、将kibana的tar包解压到/app/kibana目录
[dev@es1 install]$ tar -zxf kibana-8.5.1-linux-x86_64.tar.gz -C /app
2、为kibana创建证书
(1)先到elasticsearch的目录创建csr文件
[root@es1 ~]# su - dev
[dev@es1 ~]$ cd /app/elasticsearch
[dev@es1 elasticsearch]$ bin/elasticsearch-certutil csr -name kibana -dns es1 #此时会生成一个csr-bundle.zip文件
#解压csr-bundle.zip,证书文件会解压到/app/elasticsearch/kibana目录
[dev@es1 elasticsearch]$ unzip csr-bundle.zip
创建kibana证书
[dev@es1 ~]$ cd /app/kibana/config
[dev@es1 config]$ mkdir certs
[dev@es1 config]$ cp /app/elasticsearch/kibana/elasticsearch-ca.pem certs/
[dev@es1 config]$ mv /app/elasticsearch/kibana/kibana.* certs/
[dev@es1 config]$ cd certs/
[dev@es1 certs]$ openssl x509 -req kibana.csr -signkey kibana.key -out kibana.crt
[dev@es1 certs]$ openssl x509 -req -in kibana.csr -signkey kibana.key -out kibana.crt
修改kibana配置文件
[dev@es1 config]$ vim kibana.yml
server.port: 5601
server.host: "11.0.1.4"
i18n.locale: "zh-CN"
elasticsearch.hosts: ["https://es1:9200","https://es2:9200","https://es3:9200"]
elasticsearch.username: "kibana_system"
elasticsearch.password: "GrYv*cC6pP676VH*1_WN"
elasticsearch.ssl.verificationMode: none
elasticsearch.ssl.certificateAuthorities: /app/kibana/config/certs/elasticsearch-ca.pem
server.ssl.enabled: true
server.ssl.certificate: /app/kibana/config/certs/kibana.crt
server.ssl.key: /app/kibana/config/certs/kibana.key
启动kibana