Installing and configuring Elasticsearch, part 10: SSL settings (optional)
This part enables SSL (TLS) on the externally reachable side of Elasticsearch, the HTTP API on port 9200.
This setting is optional.
Honestly, I could not work it out from the official site alone.
I established the procedure based on this article.
The "certgen" command described in that article appears to be old (it was deprecated in favour of certutil), so the procedure below uses the "certutil" command instead.
Honestly, I have a feeling there are better ways to set up SSL...
Build procedure
(1) Run the following command. It only has to be run on one of the servers: the tool generates a CA and the certificate and key for every instance in a single run, and the result is distributed in step (3).
# /usr/share/elasticsearch/bin/x-pack/certutil cert -multiple -pem
Note that this bin/x-pack/ path is the one used by the 6.x releases that shipped X-Pack as a plugin; from 6.3 onward the tool is /usr/share/elasticsearch/bin/elasticsearch-certutil and takes the same options.
(2) The tool walks you through the settings interactively.
The output is hard to read as one block, so I have split it up below.
This tool assists you in the generation of X.509 certificates and certificate
signing requests for use with SSL/TLS in the Elastic stack.

The 'cert' mode generates X.509 certificate and private keys.

    * By default, this generates a single certificate and key for use
       on a single instance.
    * The '-multiple' option will prompt you to enter details for multiple
       instances and will generate a certificate and key for each one
    * The '-in' option allows for the certificate generation to be automated by describing
       the details of each instance in a YAML file
        * An instance is any piece of the Elastic Stack that requires a SSL certificate.
          Depending on your configuration, Elasticsearch, Logstash, Kibana, and Beats
          may all require a certificate and private key.
        * The minimum required value for each instance is a name. This can simply be the
          hostname, which will be used as the Common Name of the certificate. A full
          distinguished name may also be used.
        * A filename value may be required for each instance. This is necessary when the
          name would result in an invalid file or directory name. The name provided here
          is used as the directory name (within the zip) and the prefix for the key and
          certificate files. The filename is required if you are prompted and the name
          is not displayed in the prompt.
        * IP addresses and DNS names are optional. Multiple values can be specified as a
          comma separated string. If no IP addresses or DNS names are provided, you may
          disable hostname verification in your SSL configuration.
    * All certificates generated by this tool will be signed by a certificate authority (CA).
    * The tool can automatically generate a new CA for you, or you can provide your own with the
       -ca or -ca-cert command line options.

By default the 'cert' mode produces a single PKCS#12 output file which holds:
    * The instance certificate
    * The private key for the instance certificate
    * The CA certificate

If you elect to generate PEM format certificates (the -pem option), then the output will
be a zip file containing individual files for the instance certificate, the key and the CA certificate

If you elect to generate multiple instances certificates, the output will be a zip file
containing all the generated certificates
Everything below this point is the part you actually type.
Enter the hostname and IP address of every Elasticsearch node, and also those of the Kibana server. The hostname goes in as the DNS name and the address as the IP address; these become the subject alternative names that clients later check the URL against, so enter exactly the names and addresses clients will use.
Input points are marked with ★.
Enter instance name: rhel1 ★ enter the hostname
Enter name for directories and files of rhel1 [rhel1]:
Enter IP Addresses for instance (comma-separated if more than one) []: 192.168.0.1 ★ enter the IP address
Enter DNS names for instance (comma-separated if more than one) []: rhel1 ★ enter the hostname
Would you like to specify another instance?
Press 'y' to continue entering instance information: y ★ "y" to keep entering instances
Enter instance name: rhel2 ★
Enter name for directories and files of rhel2 [rhel2]:
Enter IP Addresses for instance (comma-separated if more than one) []: 192.168.0.2 ★
Enter DNS names for instance (comma-separated if more than one) []: rhel2 ★
Would you like to specify another instance?
Press 'y' to continue entering instance information: y ★
Enter instance name: rhel3 ★
Enter name for directories and files of rhel3 [rhel3]:
Enter IP Addresses for instance (comma-separated if more than one) []: 192.168.0.3 ★
Enter DNS names for instance (comma-separated if more than one) []: rhel3 ★
Would you like to specify another instance?
Press 'y' to continue entering instance information: y ★
Enter instance name: rhel4 ★
Enter name for directories and files of rhel4 [rhel4]:
Enter IP Addresses for instance (comma-separated if more than one) []: 192.168.0.4 ★
Enter DNS names for instance (comma-separated if more than one) []: rhel4 ★
Would you like to specify another instance?
Press 'y' to continue entering instance information: y ★
Enter instance name: rhel5 ★
Enter name for directories and files of rhel5 [rhel5]:
Enter IP Addresses for instance (comma-separated if more than one) []: 192.168.0.5 ★
Enter DNS names for instance (comma-separated if more than one) []: rhel5 ★
Would you like to specify another instance?
Press 'y' to continue entering instance information: y ★
Enter instance name: kibana ★
Enter name for directories and files of kibana [kibana]:
Enter IP Addresses for instance (comma-separated if more than one) []: 192.168.0.6 ★
Enter DNS names for instance (comma-separated if more than one) []: kibana ★
Would you like to specify another instance?
Press 'y' to continue entering instance information: ← Kibana is the last instance, so just press Enter
Please enter the desired output file [certificate-bundle.zip]: ssl2.zip
Certificates written to /root/ssl2.zip

This file should be properly secured as it contains the private keys for all
instances.

After unzipping the file, there will be a directory for each instance.
Each instance has a certificate and private key.

For each Elastic product that you wish to configure, you should copy the
certificate, key, and CA certificate to the relevant configuration directory
and then follow the SSL configuration instructions in the product guide.

For client applications, you may only need to copy the CA certificate and
configure the client to trust this certificate.
(3) A zip file is created (/root/ssl2.zip in the run above). Copy it to the certificate directory on every Elasticsearch server (/etc/elasticsearch/certificate, created during the transport TLS setup) and unzip it there. As the tool itself warns, the archive holds the private keys of every instance, so copy it over a secure channel such as scp, keep it out of world-readable locations, and delete the copies you no longer need once it is unpacked.
I do not have an environment at hand to check, but going by the tool's message ("there will be a directory for each instance") the archive unpacks into one directory per instance plus a ca directory, so the files look like this:
- hostname/hostname.crt
- hostname/hostname.key
- ca/ca.crt
(4) On every Elasticsearch server, store the passphrase of the private key in the keystore.
# /usr/share/elasticsearch/bin/elasticsearch-keystore add xpack.security.http.ssl.secure_key_passphrase
Enter value for xpack.security.http.ssl.secure_key_passphrase: (enter the passphrase)
Note: in the run above certutil was not given -pass and did not prompt for a key password, so the PEM keys in the zip are unencrypted and this step is not needed; it only applies if you generate the keys with -pass.
(5) Add the following definitions to elasticsearch.yml on every Elasticsearch server (appending them at the end of the file is fine).
# vi /etc/elasticsearch/elasticsearch.yml
The definitions to add are below.
On each Elasticsearch node, point the key and certificate settings at the files for that node's own hostname.
Also point certificate_authorities at the CA certificate (ca.crt).
* If the paths after unzipping differ from these, adjust them to match what you actually have.
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.key: /etc/elasticsearch/certificate/hostname/hostname.key
xpack.security.http.ssl.certificate: /etc/elasticsearch/certificate/hostname/hostname.crt
xpack.ssl.certificate_authorities: [ "/etc/elasticsearch/certificate/ca/ca.crt" ]
Two caveats. First, xpack.ssl.* settings are the 6.x global defaults that the HTTP layer inherits; the scoped name xpack.security.http.ssl.certificate_authorities does the same job for the HTTP layer only and is the one to use on 7.x, where the global xpack.ssl.* settings are deprecated. Second, the key file must be readable by the elasticsearch user and by nobody else; the default ownership after unzipping as root is not what you want.
(6) Restart all nodes. elasticsearch.yml is read only at startup, so the HTTP SSL settings do not take effect until the node is restarted.
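Here is the same procedure driven from a host list instead of the prompts, as an added example that is not part of the original post. It uses the -in option that certutil's own help text mentions (the instance list is read from a YAML file in the instances/name/dns/ip format the tool documents), assumes the certutil path used above, /etc/elasticsearch/certificate as the target directory and an RPM install with an elasticsearch system group; the host list is constructed sample data matching the hosts entered above, and the chown/chmod lines are my choice, not something the post states.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): steps (1) to (5) driven by a
# host list. ASSUMPTIONS: Elasticsearch 6.x with X-Pack at the path used in
# the post, /etc/elasticsearch/certificate as target, RPM install with an
# "elasticsearch" group. HOSTS is constructed sample data.
set -u

CERTUTIL=${CERTUTIL:-/usr/share/elasticsearch/bin/x-pack/certutil}
CERT_DIR=${CERT_DIR:-/etc/elasticsearch/certificate}

# "name:ip" pairs, the same hosts as in the interactive run above.
HOSTS="rhel1:192.168.0.1 rhel2:192.168.0.2 rhel3:192.168.0.3 rhel4:192.168.0.4 rhel5:192.168.0.5 kibana:192.168.0.6"

# Emit the instances YAML that 'certutil cert -in <file>' reads. Each
# instance gets its hostname as a DNS SAN and its address as an IP SAN,
# which is what lets curl and Kibana verify the node by either one.
build_instances_yaml() {
    printf 'instances:\n'
    for pair in "$@"; do
        name=${pair%%:*}
        ip=${pair#*:}
        printf '  - name: "%s"\n' "$name"
        printf '    dns:\n      - "%s"\n' "$name"
        printf '    ip:\n      - "%s"\n' "$ip"
    done
}

# Emit the elasticsearch.yml fragment for one node, using the per-instance
# directory layout the PEM zip unpacks to and the HTTP-scoped CA setting.
es_http_ssl_config() {
    host=$1
    cat <<EOF
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.key: $CERT_DIR/$host/$host.key
xpack.security.http.ssl.certificate: $CERT_DIR/$host/$host.crt
xpack.security.http.ssl.certificate_authorities: [ "$CERT_DIR/ca/ca.crt" ]
EOF
}

# Steps (1)/(2), non-interactively: one CA plus one cert/key per instance.
# No -pass, so the PEM keys are unencrypted and step (4) is not needed.
generate_bundle() {
    build_instances_yaml $HOSTS > /root/instances.yml
    "$CERTUTIL" cert -pem -in /root/instances.yml -out /root/ssl2.zip
}

# Steps (3) and (5) on one node: unpack, lock the key down, append config.
install_on_node() {
    host=$1
    mkdir -p "$CERT_DIR"
    unzip -o /root/ssl2.zip -d "$CERT_DIR"
    # The private key must be readable by the elasticsearch user only.
    chown -R root:elasticsearch "$CERT_DIR"
    chmod 750 "$CERT_DIR" "$CERT_DIR/$host" "$CERT_DIR/ca"
    chmod 640 "$CERT_DIR/$host/$host.key"
    es_http_ssl_config "$host" >> /etc/elasticsearch/elasticsearch.yml
}

case "${1:-}" in
    generate) generate_bundle ;;
    install)  install_on_node "${2:-$(hostname -s)}" ;;
    *) ;;   # no argument: only define the functions
esac
```

Run `./es-ssl.sh generate` once on any node, scp /root/ssl2.zip to every node, run `./es-ssl.sh install` there (it defaults to the short hostname, which must match the instance name you generated), then restart each node as in step (6).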
Access methods
Access with curl
Run curl with --cacert pointing at the CA certificate (ca.crt), so that curl trusts the private CA that signed the node certificates; clients need only ca.crt, never the node keys. The host in the URL must be one of the IP addresses or DNS names entered when the certificate was generated, otherwise hostname verification fails: 192.168.0.3 below works because it is the IP entered for rhel3. -u elastic makes curl prompt for the password, which keeps it out of the shell history.
* I did this my own way, so I am not sure it is correct.
Example)
# curl --cacert /etc/elasticsearch/certificate/ca/ca.crt -u elastic https://192.168.0.3:9200
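The checks below are an added example (not from the original post) for confirming the result before pointing clients at it: chain verification of a node certificate against ca.crt, a SAN check that shows why the IP in the curl URL above is accepted, and the curl call without and with --cacert. It assumes openssl and curl are installed and the per-instance directory layout under /etc/elasticsearch/certificate; the SAN line used in the test is constructed.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): post-restart checks.
# ASSUMPTIONS: openssl and curl installed, certs unpacked under
# /etc/elasticsearch/certificate/<host>/ and /etc/elasticsearch/certificate/ca/.
set -u

CERT_DIR=${CERT_DIR:-/etc/elasticsearch/certificate}

# Return 0 if a subjectAltName line (as printed in 'openssl x509 -text',
# e.g. "IP Address:192.168.0.3, DNS:rhel3") contains the exact host we are
# about to put in the URL. curl and Kibana apply this same rule: the URL
# host must equal a DNS or IP SAN, or verification fails.
san_has() {
    san_line=$1
    target=$2
    case ", $san_line," in
        *", DNS:$target,"*|*", IP Address:$target,"*) return 0 ;;
    esac
    return 1
}

# Chain check: is <host>.crt signed by the CA that clients will trust?
verify_chain() {
    host=$1
    openssl verify -CAfile "$CERT_DIR/ca/ca.crt" "$CERT_DIR/$host/$host.crt"
}

# SAN check: does the cert carry the name or address clients will use?
verify_san() {
    host=$1
    target=$2
    san=$(openssl x509 -in "$CERT_DIR/$host/$host.crt" -noout -text \
          | grep -A1 'Subject Alternative Name' | tail -n 1 \
          | sed 's/^[[:space:]]*//')
    san_has "$san" "$target"
}

# Live check. Without the CA, curl must refuse the private CA (exit 60);
# '-k' would silence that but verifies nothing, so it is not an option.
probe() {
    url=$1
    if curl -s "$url" >/dev/null 2>&1; then
        echo "UNEXPECTED: $url was accepted without a trusted CA"
        return 1
    fi
    # Trust exactly our CA; prompts for the elastic user's password.
    curl --cacert "$CERT_DIR/ca/ca.crt" -u elastic "$url"
}

case "${1:-}" in
    check) verify_chain "$2" && verify_san "$2" "$3" && probe "https://$3:9200" ;;
    *) ;;   # no argument: only define the functions
esac
```

Usage: `./es-ssl-check.sh check rhel3 192.168.0.3` verifies rhel3's certificate against the CA, confirms 192.168.0.3 is one of its SANs, and then does the curl call; running it with the hostname as the third argument instead is the same test for the DNS name.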
Access from the Kibana server
The following settings are needed in Kibana's yml (/etc/kibana/kibana.yml). Copy kibana/kibana.crt, kibana/kibana.key and ca/ca.crt from the zip into /etc/kibana first, with the key readable by the kibana user only.
* The Kibana settings will be described separately, but since that part will not assume SSL, the SSL-related definitions are written here.
elasticsearch.url: "https://192.168.0.3:9200"  # changed to https (this is the 6.x setting name)
elasticsearch.username: "kibana"  # account Kibana uses to connect to Elasticsearch (the built-in kibana user)
elasticsearch.password: "password"  # that account's password
server.ssl.enabled: true  # SSL for browser connections to Kibana
server.ssl.certificate: /etc/kibana/kibana.crt  # Kibana's certificate file
server.ssl.key: /etc/kibana/kibana.key  # Kibana's key file
elasticsearch.ssl.certificateAuthorities: [ "/etc/kibana/ca.crt" ]  # CA certificate used to verify Elasticsearch's certificate
Kibana verifies the Elasticsearch certificate with elasticsearch.ssl.verificationMode at its default of full, so the host in elasticsearch.url must be a SAN of the node it points at; 192.168.0.3 is the IP entered for rhel3, so this passes. Do not lower verificationMode to work around a mismatch; fix the URL or the certificate instead.
After editing, restart Kibana and connect to Kibana over https.