@linuxmalaysia
Last active December 14, 2020 21:02
Elasticsearch secured with SSL
1. Create the SSL certificates
Please adjust the IP addresses and domain name for your site.
=========
References
https://www.elastic.co/guide/en/elasticsearch/reference/current/configuring-security.html
1.1 First step, on the first node
https://www.elastic.co/guide/en/elasticsearch/reference/current/configuring-tls.html
No password for any of the certs
/usr/share/elasticsearch/bin/elasticsearch-certutil ca
cp /usr/share/elasticsearch/elastic-stack-ca.p12 /etc/elasticsearch
/usr/share/elasticsearch/bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12
cp /usr/share/elasticsearch/elastic-certificates.p12 /etc/elasticsearch/
/usr/share/elasticsearch/bin/elasticsearch-certutil http
When prompted, the path to our CA is /etc/elasticsearch/elastic-stack-ca.p12
List of hostnames and IPs to include (please adjust the IP addresses and domain name for your site)
es-1
localhost
*.domainame
192.168.0.10
127.0.0.1
=== Edit the Elasticsearch config
######
Edit the Elasticsearch config /etc/elasticsearch/elasticsearch.yml
#cluster.name: yoursite
#node.name: node-1
#path.data: /var/lib/elasticsearch
#path.logs: /var/log/elasticsearch
#bootstrap.memory_lock: true
#network.host: _eth0_
#network.bind_host: ["_eth0_","_lo_"]
#network.publish_host: _eth0_
#discovery.seed_hosts: ["node-1", "node-2", "node-3","node-4", "node-5"]
xpack.monitoring.enabled: true
xpack.monitoring.collection.enabled: true
xpack.security.enabled: true
transport.tcp.compress: true
node.master: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: "http.p12"
===
Make sure the file permissions are correct, e.g. http.p12 must be owned by the elasticsearch user
====
Password: contohpassword (example password)
curl --user elastic:contohpassword -H 'Content-Type: application/json' -XGET https://es-1:9200/_cluster/health?pretty
=== Make sure the IP is changed to the IPs of all the Elasticsearch nodes
cp /usr/share/elasticsearch/elasticsearch-ssl-http.zip /etc/elasticsearch
Then copy everything to every node in the Elastic cluster, into the /etc/elasticsearch directory on each node
=====
Update /etc/hosts, changing the IP to match each VM and its name as well
192.168.0.10 node-1
===
Bring up all the nodes
and on the first node refer again to
https://www.elastic.co/guide/en/elasticsearch/reference/current/configuring-security.html
/usr/share/elasticsearch/bin/elasticsearch-setup-passwords interactive
Start Kibana first; check /etc/kibana/kibana.yml on the Kibana VM
=== Kibana
server.host: "kibana"
elasticsearch.hosts: ["https://node-1:9200"]
elasticsearch.username: "kibana_system"
elasticsearch.password: "masukkan password"
server.ssl.enabled: true
server.ssl.key: /etc/kibana/kibana.key.pem
server.ssl.certificate: /etc/kibana/kibana.crt.pem
elasticsearch.ssl.certificateAuthorities: [ "/etc/kibana/elasticsearch-ca.pem" ]
elasticsearch.ssl.verificationMode: none
xpack.security.encryptionKey: "in1adalahuntukk4tsael4sticse@rch"
xpack.encryptedSavedObjects.encryptionKey: "in14da4lahuntukk4tsaelasticse@rch"
xpack.security.session.idleTimeout: "9m"
xpack.security.session.lifespan: "7h"
===
Change the name "kibana" to the name of the Kibana server in /etc/hosts
node-1 is the first Elasticsearch server
The elasticsearch-ca.pem file is copied from /etc/elasticsearch on the Elasticsearch server. Once that CA file is in place, elasticsearch.ssl.verificationMode can be raised from none (no certificate checking) to certificate or full.
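As an added check that is not part of the original gist, the small linter below reads the flat key: value lines of the elasticsearch.yml and kibana.yml fragments above and flags the settings that leave TLS or certificate verification off (the sample config text is constructed here; only the stdlib is used):

```python
# Constructed sample fragments mirroring the notes above, including the weak
# Kibana verificationMode setting.
ES_SAMPLE = """\
#network.host: _eth0_
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.http.ssl.enabled: true
"""
KIBANA_SAMPLE = """\
server.ssl.enabled: true
elasticsearch.hosts: ["https://node-1:9200"]
elasticsearch.ssl.certificateAuthorities: [ "/etc/kibana/elasticsearch-ca.pem" ]
elasticsearch.ssl.verificationMode: none
"""

# Settings that must be true for auth and transport/HTTP TLS to be on.
REQUIRED_TRUE = {
    "es": ["xpack.security.enabled",
           "xpack.security.transport.ssl.enabled",
           "xpack.security.http.ssl.enabled"],
    "kibana": ["server.ssl.enabled"],
}
MODE_KEY = {"es": "xpack.security.transport.ssl.verification_mode",
            "kibana": "elasticsearch.ssl.verificationMode"}

def parse_flat_yaml(text):
    """Parse the flat 'key: value' lines these files use; comments are skipped
    and quotes/list brackets stripped, so ["https://x:9200"] becomes a string."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        settings[key.strip()] = value.strip().strip("[]").strip().strip("\"'")
    return settings

def lint(role, settings):
    """Return findings for an 'es' or 'kibana' settings dict (empty = ok)."""
    findings = []
    for key in REQUIRED_TRUE[role]:
        if settings.get(key, "false").lower() != "true":
            findings.append(f"{key} is not true")
    if settings.get(MODE_KEY[role], "").lower() == "none":
        hint = ""
        if settings.get("elasticsearch.ssl.certificateAuthorities"):
            hint = " (a CA is configured, so 'certificate' or 'full' would verify it)"
        findings.append(f"{MODE_KEY[role]} is none: peer certificate not checked{hint}")
    return findings
```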
===
"kibana" is the Kibana name in /etc/hosts
For the second Kibana, put kibana2
===
timedatectl set-timezone "Asia/Kuala_Lumpur"
===
=======
Generate a self-signed SSL certificate for Kibana
https://medium.com/query-ai/encrypted-communication-on-elastic-server-by-setting-up-tsl-and-adjusting-cors-permissions-c569c2d1c352
cd /etc/kibana
openssl pkcs12 -in /etc/elasticsearch/elastic-certificates.p12 -out kibana.crt.pem -clcerts -nokeys
openssl pkcs12 -in /etc/elasticsearch/elastic-certificates.p12 -out kibana.key.pem -nocerts -nodes
server.ssl.enabled: true
server.ssl.key: /etc/kibana/kibana.key.pem
server.ssl.certificate: /etc/kibana/kibana.crt.pem
=========