ElasticsearchKibana

[Elasticsearch, Kibana] TLS 암호화 및 HTTPS 통신 사용

강의 내용은 서버의 SSH 또는 터미널 접속 localhost IP 상태에서 진행하겠습니다.

현재 라이센스 확인

curl -X GET "http://localhost:9200/_xpack/license"
변경 전 : basic

라이센스 기본으로 업그레이드

curl -X POST "http://localhost:9200/_license/start_trial?acknowledge=true&pretty"
변경 후 type : trial

Elasticsearch 서비스 중단

systemctl stop elasticsearch

자체 서명된 인증 기관 생성

본 예제에서는 인증 기관 비밀번호 없이 진행합니다.

/usr/share/elasticsearch/bin/elasticsearch-certutil  ca

Elasticsearch 노드에 대한 인증서 생성

/usr/share/elasticsearch/bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12

이런 명령 출력이 발생

This tool assists you in the generation of X.509 certificates and certificate
signing requests for use with SSL/TLS in the Elastic stack.

The 'cert' mode generates X.509 certificate and private keys.
    * By default, this generates a single certificate and key for use
       on a single instance.
    * The '-multiple' option will prompt you to enter details for multiple
       instances and will generate a certificate and key for each one
    * The '-in' option allows for the certificate generation to be automated by describing
       the details of each instance in a YAML file

    * An instance is any piece of the Elastic Stack that requires an SSL certificate.
      Depending on your configuration, Elasticsearch, Logstash, Kibana, and Beats
      may all require a certificate and private key.
    * The minimum required value for each instance is a name. This can simply be the
      hostname, which will be used as the Common Name of the certificate. A full
      distinguished name may also be used.
    * A filename value may be required for each instance. This is necessary when the
      name would result in an invalid file or directory name. The name provided here
      is used as the directory name (within the zip) and the prefix for the key and
      certificate files. The filename is required if you are prompted and the name
      is not displayed in the prompt.
    * IP addresses and DNS names are optional. Multiple values can be specified as a
      comma separated string. If no IP addresses or DNS names are provided, you may
      disable hostname verification in your SSL configuration.

    * All certificates generated by this tool will be signed by a certificate authority (CA).
    * The tool can automatically generate a new CA for you, or you can provide your own with the
         -ca or -ca-cert command line options.

By default the 'cert' mode produces a single PKCS#12 output file which holds:
    * The instance certificate
    * The private key for the instance certificate
    * The CA certificate

If you specify any of the following options:
    * -pem (PEM formatted output)
    * -keep-ca-key (retain generated CA key)
    * -multiple (generate multiple certificates)
    * -in (generate certificates from an input file)
then the output will be be a zip file containing individual certificate/key files

Enter password for CA (elastic-stack-ca.p12) :
Please enter the desired output file [elastic-certificates.p12]:
Enter password for elastic-certificates.p12 :

Certificates written to /usr/share/elasticsearch/elastic-certificates.p12

This file should be properly secured as it contains the private key for
your instance.

This file is a self contained file and can be copied and used 'as is'
For each Elastic product that you wish to configure, you should copy
this '.p12' file to the relevant configuration directory
and then follow the SSL configuration instructions in the product guide.

For client applications, you may only need to copy the CA certificate and
configure the client to trust this certificate.

사용 권한 설정

cp /usr/share/elasticsearch/elastic-certificates.p12 /etc/elasticsearch/
chown root.elasticsearch /etc/elasticsearch/elastic-certificates.p12
chmod 660 /etc/elasticsearch/elastic-certificates.p12

HTTPS 통신 인증서 생성

/usr/share/elasticsearch/bin/elasticsearch-certutil  http

진행 순서

N -> y -> Enter -> N -> Enter -> Y -> Enter -> Y -> N -> Enter

인증서 복사 후 설정

cd /usr/share/elasticsearch
unzip elasticsearch-ssl-http.zip
cp  /usr/share/elasticsearch/elasticsearch/http.p12 /etc/elasticsearch/
chown root.elasticsearch /etc/elasticsearch/http.p12
chmod 660 /etc/elasticsearch/http.p12

Elasticsearch 설정 파일 열기

vi /etc/elasticsearch/elasticsearch.yml

내용 수정

#cluster.initial_master_nodes: ["node-1", "node-2"] # 기존 node 설정 주석 처리
cluster.initial_master_nodes: elasticsearch.local
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: /etc/elasticsearch/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: /etc/elasticsearch/elastic-certificates.p12
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: /etc/elasticsearch/http.p12

Elasticsearch 서비스 시작

systemctl start elasticsearch

Elasticsearch 기본 제공 사용자 비밀번호 설정

/usr/share/elasticsearch/bin/elasticsearch-setup-passwords interactive
Initiating the setup of passwords for reserved users elastic,apm_system,kibana,logstash_system,beats_system,remote_monitoring_user.
You will be prompted to enter passwords as the process progresses.
Please confirm that you would like to continue [y/N]y


Enter password for [elastic]:
Reenter password for [elastic]:
Enter password for [apm_system]:
Reenter password for [apm_system]:
Enter password for [kibana]:
Reenter password for [kibana]:
Enter password for [logstash_system]:
Reenter password for [logstash_system]:
Enter password for [beats_system]:
Reenter password for [beats_system]:
Enter password for [remote_monitoring_user]:
Reenter password for [remote_monitoring_user]:
Changed password for user [apm_system]
Changed password for user [kibana]
Changed password for user [logstash_system]
Changed password for user [beats_system]
Changed password for user [remote_monitoring_user]
Changed password for user [elastic]

curl --insecure -X GET "https://localhost:9200/?pretty"

에러 발생

{
  "error" : {
    "root_cause" : [
      {
        "type" : "security_exception",
        "reason" : "missing authentication credentials for REST request [/?pretty]",
        "header" : {
          "WWW-Authenticate" : "Basic realm=\"security\" charset=\"UTF-8\""
        }
      }
    ],
    "type" : "security_exception",
    "reason" : "missing authentication credentials for REST request [/?pretty]",
    "header" : {
      "WWW-Authenticate" : "Basic realm=\"security\" charset=\"UTF-8\""
    }
  },
  "status" : 401
}

# 해석 : 사용자 인증이 필요합니다

Elasticsearch 서버에 등록되어 있는 사용자 인증 필요

curl --user elastic --insecure -X GET "https://localhost:9200/?pretty"

에러 발생

Your private key(s) will be stored in a PKCS#12 keystore file named "http.p12".
This type of keystore is always password protected, but it is possible to use a
blank password.

# 해석 : 사용자 비밀번호를 입력하세요

사용자:비밀번호 입력

curl --user elastic:비밀번호 --insecure -X GET "https://localhost:9200/?pretty"


Kibana 설정

Kibana 서비스 중단

systemctl stop kibana.service

키바나

cp  /usr/share/elasticsearch/kibana/elasticsearch-ca.pem /etc/kibana/

자체 서명된 인증 기관 인증서를 복사

vi /etc/kibana/kibana.yml

내용 수정

elasticsearch.hosts: ["https://localhost:9200"] # 변경된 elasticsearch https 통신
elasticsearch.username: "kibana"
elasticsearch.password: "비밀먼호"
elasticsearch.ssl.certificateAuthorities: [ "/etc/kibana/elasticsearch-ca.pem" ]
elasticsearch.ssl.verificationMode: none

Kibana 서비스 시작

systemctl start elasticsearch

Elasticsearch, Kibana에 TLS 암호화와 HTTPS 통신 설정에 대해 해보았습니다. 수고하셨습니다

댓글 남기기

이메일은 공개되지 않습니다. 필수 입력창은 * 로 표시되어 있습니다