生成SSL证书
./elasticsearch-certutil ca -out config/certs/elastic-certificates.p12 -pass我这里没有设置ssl证书密码,如果需要设置密码,需要再配置给elasticsearch
在之前的步骤中,如果我们对elastic-certificates.p12 文件配置了密码,需要配置密码。输入密码:生成密钥步骤设置的密码
bin/elasticsearch-keystore add xpack.security.transport.ssl.keystore.secure_password
bin/elasticsearch-keystore add xpack.security.transport.ssl.truststore.secure_password
配置验证
elasticsearch.yml
config目录里,编辑elasticsearch.yml文件,增加下面配置
# 配置X-Pack
http.cors.enabled: true
http.cors.allow-origin: "*"
http.cors.allow-headers: Authorization
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
# 证书配置
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: certs/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: certs/elastic-certificates.p12重启elasticsearch服务
设置密码
bin/elasticsearch-setup-passwords interactive为每个elasticsearch用户输入两次密码,
登录验证
浏览器直接访问http://127.0.0.1:9200,会出现输入用户名、密码的弹窗,输入elastic和密码后,才能看到elasticsearch信息;
*如果密码忘了怎么办?如何重置密码?
1、修改elasticsearch.yml 配置,将身份验证相关配置屏蔽掉;
2、重启ES,查看下索引,发现多了一个.security-7索引,将其删除
3、到此就回到ES没有设置密码的阶段了,如果想重新设置密码,请从第一步开始
相关问题
x-pack 密钥配置问题
[2021-11-18T09:14:10,976][WARN ][o.e.b.ElasticsearchUncaughtExceptionHandler] [es02] uncaught exception in thread [main]
org.elasticsearch.bootstrap.StartupException: java.lang.IllegalStateException: failed to load plugin class [org.elasticsearch.xpack.core.XPackPlugin]
at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:163) ~[elasticsearch-7.4.2.jar:7.4.2]
at org.elasticsearch.bootstrap.Elasticsearch.execute(Elasticsearch.java:150) ~[elasticsearch-7.4.2.jar:7.4.2]
at org.elasticsearch.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:86) ~[elasticsearch-7.4.2.jar:7.4.2]
at org.elasticsearch.cli.Command.mainWithoutErrorHandling(Command.java:125) ~[elasticsearch-cli-7.4.2.jar:7.4.2]
at org.elasticsearch.cli.Command.main(Command.java:90) ~[elasticsearch-cli-7.4.2.jar:7.4.2]
at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:115) ~[elasticsearch-7.4.2.jar:7.4.2]
at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:92) ~[elasticsearch-7.4.2.jar:7.4.2]
Caused by: java.io.IOException: keystore password was incorrect
at sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:2118) ~[?:?]
at sun.security.util.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:222) ~[?:?]
at java.security.KeyStore.load(KeyStore.java:1472) ~[?:?]
at org.elasticsearch.xpack.core.ssl.TrustConfig.getStore(TrustConfig.java:97) ~[?:?]
at org.elasticsearch.xpack.core.ssl.StoreTrustConfig.createTrustManager(StoreTrustConfig.java:65) ~[?:?]
at org.elasticsearch.xpack.core.ssl.SSLService.createSslContext(SSLService.java:384) ~[?:?]
at java.util.HashMap.computeIfAbsent(HashMap.java:1138) ~[?:?]
... 6 more
Caused by: java.security.UnrecoverableKeyException: failed to decrypt safe contents entry: javax.crypto.BadPaddingException: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.
at sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:2118) ~[?:?]
at sun.security.util.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:222) ~[?:?]
at java.security.KeyStore.load(KeyStore.java:1472) ~[?:?]
... 6 more解决办法:
1:可能是elastic-certificates.p12文件归属权不属于es账号所拥有
#执行以下语句,把整个目录的归属权给es账号
chown -R es:es /usr/local/huaxing/elasticsearch-7.4.2-8200
chmod 777 elastic-certificates.p12
2:若是上述问题还没解决,那可能是在生成密钥时设置了密码,需要执行以下命令。弹出提示输入密码就是在生成密钥时设置的密码
./bin/elasticsearch-keystore add xpack.security.transport.ssl.keystore.secure_password
./bin/elasticsearch-keystore add xpack.security.transport.ssl.truststore.secure_password
![SQL 注入攻击详解[基础篇]:Web 应用程序安全漏洞与防御策略](https://i-blog.csdnimg.cn/direct/ea1e7104828d4e4580ca9254657ef434.png)
