【elasticsearch6.8.6】elasticsearch開啓集羣驗證步驟

    以下步驟都是基於centos7、elasticsearch-6.8.6.tar.gz版本下的集羣已經正確啓動後的操作。

    1.生成ca文件，bin/elasticsearch-certutil ca，可以指定文件名，配置密碼

    2.生成節點祕鑰文件，bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12，可以指定文件名，配置密碼

    3.複製節點祕鑰文件到各節點的指定目錄下，具體哪個目錄是由elasticsearch.yml中的配置項xpack.security.transport.ssl.keystore.path、xpack.security.transport.ssl.truststore.path指定

    3.1.如果指定了祕鑰文件密碼，需要執行以下兩條命令（不執行啓動會報錯，所有節點都要執行）

bin/elasticsearch-keystore add xpack.security.transport.ssl.keystore.secure_password
bin/elasticsearch-keystore add xpack.security.transport.ssl.truststore.secure_password

   4.增加elasticsearch.yml配置

xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: certs/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: certs/elastic-certificates.p12

    5.重啓es集羣

    6.設置密碼bin/elasticsearch-setup-passwords interactive

    7.測試訪問

# 不加密訪問（失敗）
curl 192.168.113.197:9202/_cluster/health?pretty
# 加密訪問（成功）
curl -u elastic:elastic 192.168.113.197:9202/_cluster/health?pretty

參考：https://blog.csdn.net/u011271894/article/details/99626711