Setting Up Elasticsearch 7.x Cluster with Certificate Authority

kogun82 2024. 11. 27. 13:49

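1. Generate the certificate authority (CA) files in PEM format
- Creates the elastic-stack-ca.p12 file (with --pem the output is a ZIP archive, whatever its name)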

bin/elasticsearch-certutil ca --pem


2. Extract the archive
- Move the ca/ca.crt and ca/ca.key files to the config/certs folder

unzip elastic-stack-ca.p12


3. Create the instances YAML file

instances:
  - name: 'search1'
    ip: ['192.168.156.90']
  - name: 'search2'
    ip: ['192.168.156.91']
  - name: 'search3'
    ip: ['192.168.156.92']
  - name: 'search4'
    ip: ['192.168.156.93']
  - name: 'search5'
    ip: ['192.168.156.94']
  - name: 'search6'
    ip: ['192.168.156.95']


4. Use the generated CA certificate and private key to issue the Elasticsearch node certificates in PEM format, and save the result as a ZIP file

bin/elasticsearch-certutil cert --pem --ca-cert config/certs/ca.crt --ca-key config/certs/ca.key --in config/instance.yml --out config/certs/certs.zip


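5. Copy the certificates to the servers
- Copy ${HOSTNAME}.crt, ${HOSTNAME}.key, and ca.crt to the config/certs/ path on every node (ca.key is only needed for signing in step 4 and is not one of the files a node needs)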

scp -P3030 -r ./certs kogun82@192.168.156.91:/home/es/config
scp -P3030 -r ./certs kogun82@192.168.156.92:/home/es/config
scp -P3030 -r ./certs kogun82@192.168.156.93:/home/es/config
scp -P3030 -r ./certs kogun82@192.168.156.94:/home/es/config
scp -P3030 -r ./certs kogun82@192.168.156.95:/home/es/config


6. TLS settings in config/elasticsearch.yml

cluster.name: kobic-es-cluster

node.name: ${HOSTNAME}
node.master: true
node.data: false

node.attr.rack: r1

path.data: /BiO/storage/elasticsearch/data
path.logs: /BiO/storage/elasticsearch/logs

network.host: 0.0.0.0

http.port: 9200
transport.tcp.port: 9300

discovery.seed_hosts: ["192.168.156.90", "192.168.156.91", "192.168.156.92", "192.168.156.93", "192.168.156.94", "192.168.156.95"]

cluster.initial_master_nodes: ["search1", "search2", "search3"]

xpack.security.enabled: true

xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.key: certs/${HOSTNAME}.key
xpack.security.transport.ssl.certificate: certs/${HOSTNAME}.crt
xpack.security.transport.ssl.certificate_authorities: certs/ca.crt

xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.key: certs/${HOSTNAME}.key
xpack.security.http.ssl.certificate: certs/${HOSTNAME}.crt
xpack.security.http.ssl.certificate_authorities: certs/ca.crt

 

7. Initial password setup

- Set the initial passwords before starting the daemon

./bin/elasticsearch-setup-passwords interactive -u "https://192.168.156.90:9200"
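
A check for each node's files from steps 4 and 5 before the cluster is started, as an added example that is not part of the original post. With verification_mode: certificate the nodes only check that a peer certificate chains to ca.crt, so the sketch also confirms that the IP from the instances file is in the certificate and that the .key belongs to the .crt. The function names are hypothetical, the files are assumed to sit flat in one directory as elasticsearch.yml references them, and the demo PKI is constructed with openssl rather than elasticsearch-certutil.

```shell
# Added example (not from the original post). Function names are hypothetical.
# check_node_cert CA_CRT NODE_CRT NODE_KEY EXPECTED_IP
# Prints ok, or the name of the first failed check, and returns non-zero on failure.
check_node_cert() {
  local ca=$1 crt=$2 key=$3 ip=$4
  # chain: the certificate must be signed by the cluster CA. This is the
  # property that verification_mode: certificate enforces between nodes.
  openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 || { echo chain; return 1; }
  # san: the ip from the instances file must appear as a subjectAltName.
  # -w stops 192.168.156.9 from matching 192.168.156.90.
  openssl x509 -in "$crt" -noout -text 2>/dev/null \
    | grep -qwF "IP Address:$ip" || { echo san; return 1; }
  # key: the private key must be the one the certificate was issued for.
  [ "$(openssl pkey -in "$key" -pubout 2>/dev/null)" = \
    "$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null)" ] || { echo key; return 1; }
  echo ok
}

# Constructed throwaway PKI (made with openssl, not elasticsearch-certutil)
# so the check can be tried offline before pointing it at config/certs.
make_demo_pki() {
  local dir=$1 ip=$2
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo-ca" \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=search1" \
    -keyout "$dir/search1.key" -out "$dir/search1.csr" 2>/dev/null
  printf 'subjectAltName=IP:%s\n' "$ip" > "$dir/san.ext"
  openssl x509 -req -in "$dir/search1.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 1 -extfile "$dir/san.ext" -out "$dir/search1.crt" 2>/dev/null
}

demo=$(mktemp -d)
make_demo_pki "$demo" 192.168.156.90
check_node_cert "$demo/ca.crt" "$demo/search1.crt" "$demo/search1.key" 192.168.156.90
```

On a real node, pass certs/ca.crt, certs/${HOSTNAME}.crt, certs/${HOSTNAME}.key and that node's IP from the instances file.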