以下步驟都是基於centos7、elasticsearch-6.8.6.tar.gz版本下的集羣已經正確啓動後的操作。
1.生成ca文件,bin/elasticsearch-certutil ca,可以指定文件名,配置密碼
2.生成節點祕鑰文件,bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12,可以指定文件名,配置密碼
3.複製節點祕鑰文件到各節點的指定目錄下,具體哪個目錄是由elasticsearch.yml中的配置項xpack.security.transport.ssl.keystore.path、xpack.security.transport.ssl.truststore.path指定
3.1.如果指定了祕鑰文件密碼,需要執行以下兩條命令(不執行啓動會報錯,所有節點都要執行)
bin/elasticsearch-keystore add xpack.security.transport.ssl.keystore.secure_password
bin/elasticsearch-keystore add xpack.security.transport.ssl.truststore.secure_password
4.增加elasticsearch.yml配置
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: certs/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: certs/elastic-certificates.p12
5.重啓es集羣
6.設置密碼bin/elasticsearch-setup-passwords interactive
7.測試訪問
# 不加密訪問(失敗)
curl 192.168.113.197:9202/_cluster/health?pretty
# 加密訪問(成功)
curl -u elastic:elastic 192.168.113.197:9202/_cluster/health?pretty
參考:https://blog.csdn.net/u011271894/article/details/99626711