Elasticsearch 6.8.0配置TLS/SSL

配置步驟:

1.安裝x-pack

2.執行命令,生成elastic-stack-ca.p12文件,密碼使用123456

# Creates the certificate authority as a PKCS#12 file that holds the CA certificate together with the CA private key.
# The password entered here is what protects that private key.
./bin/elasticsearch-certutil ca

3.執行命令,生成elastic-certificates.p12文件,密碼使用123456

# Signs a node certificate and key with the CA created in the previous step.
# As written, no --dns / --ip values are passed, so the certificate presumably carries no subject alternative names;
# clients can then only check the CA signature, not the host name. Add --dns / --ip for the node's names and addresses
# if host name verification should be possible.
./bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12

4.將elastic-stack-ca.p12和elastic-certificates.p12拷貝到config/certs(第5步的配置只引用elastic-certificates.p12)

5.在elasticsearch.yml文件中添加配置

# Transport layer (node-to-node) TLS.
xpack.security.transport.ssl.enabled: true
# "certificate" checks that the peer certificate is signed by a trusted CA but does not verify the host name;
# "full" additionally verifies the host name against the certificate.
xpack.security.transport.ssl.verification_mode: certificate 
# The same PKCS#12 file is used as keystore (node key + certificate) and as truststore (CA certificate).
xpack.security.transport.ssl.keystore.path: certs/elastic-certificates.p12 
xpack.security.transport.ssl.truststore.path: certs/elastic-certificates.p12
# HTTP layer (REST API) TLS.
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: certs/elastic-certificates.p12 
xpack.security.http.ssl.truststore.path: certs/elastic-certificates.p12
# The passwords below sit in this file in plain text. Elasticsearch also accepts them as secure settings in the
# Elasticsearch keystore (e.g. xpack.security.transport.ssl.keystore.secure_password, with matching settings for the
# truststore and for xpack.security.http.ssl.*), which keeps them out of elasticsearch.yml.
xpack.security.transport.ssl.keystore.password: 123456
xpack.security.transport.ssl.truststore.password: 123456
xpack.security.http.ssl.keystore.password: 123456
xpack.security.http.ssl.truststore.password: 123456

6.logstash連接ES

# Ships events to Elasticsearch over HTTPS and echoes each event to stdout for debugging.
output {
    elasticsearch {
    # NOTE(review): the Java and curl checks on this page use port 9200; confirm that 9201 is the intended HTTP port.
    hosts => ["https://MY_IP:9201"]
    index => "bos-dev-log"
    # "elastic" is the built-in superuser; a dedicated user limited to writing this index is enough for shipping logs.
    # The password is a sample value in plain text; Logstash can read it from the Logstash keystore or an
    # environment variable via ${VAR} instead.
    user => "elastic"
    password => "123456"
    ssl => true
    # With verification set to false the server certificate is not checked, so the truststore below is effectively
    # not used to authenticate the server and the connection is encrypted but open to interception.
    # Verification can be turned on once the node certificate lists the address used in "hosts".
    ssl_certificate_verification=>false
    # elastic-certificates.p12 also contains the node's private key; a truststore holding only the CA certificate
    # avoids copying that key to the Logstash host.
    truststore=>"/XXX/XXX/elastic-certificates.p12"
    truststore_password=>"123456"
    }
  stdout { codec => rubydebug }
}

7.java client驗證

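/**
 * Smoke test for the HTTPS endpoint: sends an authenticated GET to the Elasticsearch root URL and prints the
 * response body to standard output.
 *
 * <p>The server certificate is validated against the certificates found in {@code elastic-certificates.p12}.
 * Host name verification is switched off (see the note in the body), so this method shows that TLS and basic
 * authentication work, not that the client is talking to the intended host.
 *
 * @throws Exception if the trust store cannot be read, the TLS context cannot be built, or the request fails
 */
public static void testHttps() throws Exception {
	// Sample credentials from this walkthrough; "elastic" is the built-in superuser, so real clients should use a
	// narrower account and load the password from configuration instead of source code.
	CredentialsProvider credentialsProvider = new BasicCredentialsProvider();
	credentialsProvider.setCredentials(AuthScope.ANY, new UsernamePasswordCredentials("elastic", "123456"));

	// The file is PKCS#12, so ask for that type explicitly; requesting "jks" only works on JDKs that silently
	// fall back to PKCS#12 when the file is not a JKS store.
	// NOTE(review): this file also contains the node's private key. A client only needs the CA certificate, so a
	// trust store holding just that certificate avoids shipping the key with the application.
	KeyStore truststore = KeyStore.getInstance("PKCS12");
	try (InputStream is = new FileInputStream("./src/main/resources/elastic-certificates.p12")) {
		truststore.load(is, "123456".toCharArray());
	}
	SSLContext sslContext = SSLContexts.custom().loadTrustMaterial(truststore, null).build();

	// NOTE(review): NoopHostnameVerifier accepts a certificate issued for any host as long as it chains to the
	// trust store. It is kept because the certificate generated earlier on this page is created without --dns/--ip
	// names; once the certificate lists the server's address, use new SSLConnectionSocketFactory(sslContext) so
	// the default host name check applies.
	SSLConnectionSocketFactory sslsf = new SSLConnectionSocketFactory(sslContext, NoopHostnameVerifier.INSTANCE);

	Registry<ConnectionSocketFactory> socketFactoryRegistry = RegistryBuilder.<ConnectionSocketFactory>create()
			.register("https", sslsf).register("http", new PlainConnectionSocketFactory()).build();

	BasicHttpClientConnectionManager connectionManager = new BasicHttpClientConnectionManager(
			socketFactoryRegistry);

	// The explicit connection manager already carries the TLS socket factory, and the builder ignores
	// setSSLSocketFactory when a connection manager is supplied, so that call is not repeated here.
	// try-with-resources closes the client (and its connection manager) even when the request throws.
	try (CloseableHttpClient client = HttpClients.custom()
			.setDefaultCredentialsProvider(credentialsProvider).setConnectionManager(connectionManager).build()) {
		HttpGet getMethod = new HttpGet("https://MY_IP:9200");
		HttpResponse response = client.execute(getMethod);
		// Closing the content stream releases the underlying connection; the charset is named explicitly so the
		// output does not depend on the platform default.
		try (InputStream body = response.getEntity().getContent()) {
			System.out.println(IOUtils.toString(body, "UTF-8"));
		}
	}
}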

8.curl命令驗證

 # -k turns off certificate verification, so this only shows that the endpoint answers over TLS with these credentials.
 # To verify the server as well, pass the CA certificate in PEM form with --cacert instead of -k.
 # A password given with -u on the command line can end up in shell history and process listings.
 curl -k -u elastic:123456 -X GET https://MY_IP:9200

參考鏈接
