SearchGuard certificate configuration
2022-08-11 05:25:00 【cjx__】
Add hosts entries
```
192.168.10.120 node1.company.com
192.168.10.xxx node2.company.com
192.168.10.xxx node3.company.com
```
Installing the TLS tool
- Download the TLS tool from https://repo1.maven.org/maven2/com/floragunn/search-guard-tlstool/1.5/
- Unpack it: `unzip search-guard-tlstool-1.6.zip -d tlstool-1.6`
TLS certificate generation configuration
- Copy <tlstool directory>/config/example.yml to <tlstool-1.6>/config/tlsconfig.yml (the file name is arbitrary); "company" below stands for your company name
  - ca: root certificate configuration
  - node: node certificate configuration
  - clients: client certificate configuration
- The resulting tlsconfig.yml:
```yaml
###
### Self-generated certificate authority
###
#
# If you want to create a new certificate authority, you must specify its parameters here.
# You can skip this section if you only want to create CSRs
#
ca:
  root:
    # The distinguished name of this CA. You must specify a distinguished name.
    dn: CN=root.ca.company.com,OU=CA,O=company Com\, Inc.,DC=company,DC=com
    # The size of the generated key in bits
    keysize: 2048
    # The validity of the generated certificate in days from now
    validityDays: 3650
    # Password for private key
    # Possible values:
    # - auto: automatically generated password, returned in config output;
    # - none: unencrypted private key;
    # - other values: other values are used directly as password
    pkPassword: auto
    # The name of the generated files can be changed here
    file: root-ca.pem
  # If you want to use an intermediate certificate as signing certificate,
  # please specify its parameters here. This is optional. If you remove this section,
  # the root certificate will be used for signing.
  intermediate:
    # The distinguished name of this CA. You must specify a distinguished name.
    dn: CN=signing.ca.company.com,OU=CA,O=company Com\, Inc.,DC=company,DC=com
    # The size of the generated key in bits
    keysize: 2048
    # The validity of the generated certificate in days from now
    validityDays: 3650
    pkPassword: auto
    # If you have a certificate revocation list, you can specify its distribution points here
    crlDistributionPoints: URI:https://raw.githubusercontent.com/floragunncom/unittest-assets/master/revoked.crl

###
### Default values and global settings
###
defaults:
  # The validity of the generated certificate in days from now
  validityDays: 3650
  # Password for private key
  # Possible values:
  # - auto: automatically generated password, returned in config output;
  # - none: unencrypted private key;
  # - other values: other values are used directly as password
  pkPassword: auto
  # Specifies to recognize legitimate nodes by the distinguished names
  # of the certificates. This can be a list of DNs, which can contain wildcards.
  # Furthermore, it is possible to specify regular expressions by
  # enclosing the DN in //.
  # Specification of this is optional. The tool will always include
  # the DNs of the nodes specified in the nodes section.
  #nodesDn:
  #- "CN=*.company.com,OU=Ops,O=company Com\\, Inc.,DC=company,DC=com"
  # - 'CN=node.other.com,OU=SSL,O=Test,L=Test,C=DE'
  # - 'CN=*.company.com,OU=SSL,O=Test,L=Test,C=DE'
  # - 'CN=elk-devcluster*'
  # - '/CN=.*regex/'
  # If you want to use OIDs to mark legitimate node certificates,
  # the OID can be included in the certificates by specifying the following
  # attribute
  # nodeOid: "1.2.3.4.5.5"
  # The length of auto generated passwords
  generatedPasswordLength: 12
  # Set this to true in order to generate config and certificates for
  # the HTTP interface of nodes
  httpsEnabled: true
  # Set this to true in order to re-use the node transport certificates
  # for the HTTP interfaces. Only recognized if httpsEnabled is true
  # reuseTransportCertificatesForHttp: false
  # Set this to true to enable hostname verification
  #verifyHostnames: false
  # Set this to true to resolve hostnames
  #resolveHostnames: false

###
### Nodes
###
#
# Specify the nodes of your ES cluster here
#
nodes:
  - name: node1
    dn: CN=node1.company.com,OU=Ops,O=company Com\, Inc.,DC=company,DC=com
    dns: node1.company.com
    ip: 192.168.10.120
  - name: node2
    dn: CN=node2.company.com,OU=Ops,O=company Com\, Inc.,DC=company,DC=com
    dns:
      - node2.company.com
      - es2.company.com
    #ip:
    #  - 10.0.2.1
    #  - 192.168.2.1
  - name: node3
    dn: CN=node3.company.com,OU=Ops,O=company Com\, Inc.,DC=company,DC=com
    dns: node3.company.com

###
### Clients
###
#
# Specify the clients that shall access your ES cluster with certificate authentication here
#
# At least one client must be an admin user (i.e., a super-user). Admin users can
# be specified with the attribute admin: true
#
clients:
  - name: spock
    dn: CN=spock.company.com,OU=Ops,O=company Com\, Inc.,DC=company,DC=com
  - name: kirk
    dn: CN=kirk.company.com,OU=Ops,O=company Com\, Inc.,DC=company,DC=com
    admin: true
```
- Generate the certificates
```bash
<tlstool directory>/tools/sgtlstool.sh -c ../config/tlsconfig.yml -ca -crt
```
- Copy the certificates to ES
```bash
# copy the node certificates and keys into the ES config directory
cp <tlstool directory>/tools/out/<nodename>.pem <ES directory>/config/
cp <tlstool directory>/tools/out/<nodename>.key <ES directory>/config/
cp <tlstool directory>/tools/out/<nodename>_http.pem <ES directory>/config/
cp <tlstool directory>/tools/out/<nodename>_http.key <ES directory>/config/
# copy the root certificate into the ES config directory
cp <tlstool directory>/tools/out/root-ca.pem <ES directory>/config/
# copy the client certificate and key into the ES config directory
cp <tlstool directory>/tools/out/spock.pem <ES directory>/config/
cp <tlstool directory>/tools/out/spock.key <ES directory>/config/
```
- Edit <ES directory>/config/elasticsearch.yml
Copy the settings from <tlstool directory>/tools/out/node3_elasticsearch_config_snippet.yml over the matching settings in <ES directory>/config/elasticsearch.yml.
The final configuration is:
```yaml
# Cluster settings: where a value is written as a/b/c, the parts separated by "/" are the per-server values; give each node its own
# cluster name
cluster.name: cluster
# node name
node.name: es01/es02/es03
# data directory
path.data: /data/es_data
# log directory
path.logs: /data/es_logs
# Set the bind address to a specific IP (IPv4 or IPv6):
# network.host: 192.168.10.xxx/192.168.10.xxx/192.168.10.xxx,localhost
network.host: 0.0.0.0
# Set a custom port for HTTP:
http.port: 9200
# node memory settings
# Lock the memory on startup:
bootstrap.memory_lock: false
bootstrap.system_call_filter: false
# Prevent the "split brain" by configuring the majority of nodes (total number of master-eligible nodes / 2 + 1):
discovery.zen.minimum_master_nodes: 1
# For more information, consult the zen discovery module documentation.
#
# ---------------------------------- Gateway -----------------------------------
#
# Block initial recovery after a full cluster restart until N nodes are started:
#
#gateway.recover_after_nodes: 3
#
# For more information, consult the gateway module documentation.
#
# ---------------------------------- Various -----------------------------------
#
# Require explicit names when deleting indices:
#
#action.destructive_requires_name: true
# transport (TCP) port settings
transport.tcp.compress: true
transport.tcp.port: 9300
# CORS settings
http.cors.enabled: true
http.cors.allow-origin: "*"
http.cors.allow-headers: Authorization,X-Requested-With,Content-Length,Content-Type
http.cors.allow-credentials: true
######## Start Search Guard Demo Configuration ########
# WARNING: revise all the lines below before you go into production
# disable X-Pack security
xpack.security.enabled: false
#xpack.monitoring.enabled: false
# TLS settings
searchguard.ssl.transport.pemcert_filepath: node1.pem
searchguard.ssl.transport.pemkey_filepath: node1.key
searchguard.ssl.transport.pemkey_password: 7EJJ2hYcJFJQ
searchguard.ssl.transport.pemtrustedcas_filepath: root-ca.pem
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.transport.resolve_hostname: false
searchguard.ssl.http.enabled: true
searchguard.ssl.http.pemcert_filepath: node1_http.pem
searchguard.ssl.http.pemkey_filepath: node1_http.key
searchguard.ssl.http.pemkey_password: 6eIWAxh4kgHs
searchguard.ssl.http.pemtrustedcas_filepath: root-ca.pem
searchguard.nodes_dn:
  - CN=node1.company.com,OU=Ops,O=company Com\, Inc.,DC=company,DC=com
  - CN=node2.company.com,OU=Ops,O=company Com\, Inc.,DC=company,DC=com
  - CN=node3.company.com,OU=Ops,O=company Com\, Inc.,DC=company,DC=com
searchguard.authcz.admin_dn:
  - CN=spock.company.com,OU=Ops,O=company Com\, Inc.,DC=company,DC=com
#  - CN=kirk.company.com,OU=Ops,O=company Com\, Inc.,DC=company,DC=com
# allow demo certificates and automatic initialization; set both to false in production
searchguard.allow_unsafe_democertificates: true
searchguard.allow_default_init_sgindex: true
# client authentication
searchguard.ssl.http.clientauth_mode: OPTIONAL
# enable audit logging and store the audit trail directly in Elasticsearch
searchguard.audit.type: internal_elasticsearch
# allow snapshot/restore
searchguard.enable_snapshot_restore_privilege: true
searchguard.check_snapshot_restore_write_privileges: true
# roles allowed to access the REST API
searchguard.restapi.roles_enabled: ["sg_all_access"]
cluster.routing.allocation.disk.threshold_enabled: false
node.max_local_storage_nodes: 3
######## End Search Guard Demo Configuration ########
```
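As an added check (example code written for this article, not part of Search Guard or the TLS tool), the following script parses the flat key/value subset that elasticsearch.yml uses and lists the settings the comments above mark as demo-only, a private key password kept in plaintext, and any DN listed both as a node and as an admin. The embedded sample is constructed from the security-relevant lines of the configuration above.

```python
# Example written for this article (standard library only), not Search Guard or TLS tool code.
SAMPLE_CONFIG = r"""
network.host: 0.0.0.0
searchguard.ssl.transport.pemkey_password: 7EJJ2hYcJFJQ
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.http.clientauth_mode: OPTIONAL
searchguard.nodes_dn:
  - CN=node1.company.com,OU=Ops,O=company Com\, Inc.,DC=company,DC=com
searchguard.authcz.admin_dn:
  - CN=spock.company.com,OU=Ops,O=company Com\, Inc.,DC=company,DC=com
searchguard.allow_unsafe_democertificates: true
searchguard.allow_default_init_sgindex: true
"""  # constructed sample: the security-relevant lines of the article's final elasticsearch.yml

# setting -> (value that is acceptable only for a demo, why it matters)
DEMO_ONLY = {
    "searchguard.allow_unsafe_democertificates": ("true", "demo certificates accepted"),
    "searchguard.allow_default_init_sgindex": ("true", "Search Guard index auto-initialised at startup"),
    "searchguard.ssl.transport.enforce_hostname_verification": ("false", "node cert hostnames unchecked"),
    "searchguard.ssl.http.clientauth_mode": ("OPTIONAL", "HTTP clients need not present a certificate"),
    "network.host": ("0.0.0.0", "listening on every interface"),
}

def parse_settings(text):
    """Parse the flat 'key: value' and 'key:' + '- item' subset that elasticsearch.yml uses."""
    settings, list_key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("- ") and list_key:
            settings[list_key].append(line[2:].strip())
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip().strip("\"'")
        list_key = key if value == "" else None
        settings[key] = [] if value == "" else value
    return settings

def audit(settings):
    """Return (setting, reason) pairs to fix or justify before going to production."""
    findings = [(k, why) for k, (demo, why) in DEMO_ONLY.items()
                if str(settings.get(k, "")).lower() == demo.lower()]
    findings += [(k, "private key password stored in plaintext; restrict file permissions")
                 for k, v in settings.items() if k.endswith("pemkey_password") and isinstance(v, str)]
    # A DN should identify either a node or an admin client, never both.
    overlap = set(settings.get("searchguard.nodes_dn", [])) & set(settings.get("searchguard.authcz.admin_dn", []))
    findings += [("searchguard.authcz.admin_dn", f"{dn} is also a node DN") for dn in sorted(overlap)]
    return findings
```

Run `audit(parse_settings(open("elasticsearch.yml").read()))` against a real file to get the same list for your own cluster.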
- Upload the Search Guard configuration with sgadmin
Take the password for the client key from <tlstool directory>/tools/out/client-certificates.readme.
Start ES, then run:
```bash
cd <ES directory>/plugins/search-guard-6/tools
./sgadmin.sh -cd ../sgconfig/ -icl -nhnv \
  -cacert ../../../config/root-ca.pem \
  -cert ../../../config/spock.pem \
  -key ../../../config/spock.key \
  -keypass <password>
```