
ELK Stack TLS Configuration

BinaryNumber 2021. 7. 5. 14:13

**************** [ Generating the certificate files ]  ****************

[PEM method]
/usr/share/elasticsearch/bin/elasticsearch-certutil ca --days 3650 --pem --pass "" --out  /etc/elasticsearch/certs/certs-root.zip
unzip /etc/elasticsearch/certs/certs-root.zip -d /etc/elasticsearch/certs/

/usr/share/elasticsearch/bin/elasticsearch-certutil cert --ca-cert /etc/elasticsearch/certs/ca/ca.crt --ca-key /etc/elasticsearch/certs/ca/ca.key --pem --out /etc/elasticsearch/certs/certs-instance.zip
unzip /etc/elasticsearch/certs/certs-instance.zip -d /etc/elasticsearch/certs/

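**************** [ Elasticsearch TLS Security settings ]  ****************

## Prerequisite: prepare the SSL certificate files (ca.crt, instance.crt, instance.key under the /etc/elasticsearch/certs folder)
# Apply the same settings on every cluster node
# The files in the certs folder must be copied to every server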

xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.key: /etc/elasticsearch/certs/instance/instance.key
xpack.security.transport.ssl.certificate: /etc/elasticsearch/certs/instance/instance.crt
xpack.security.transport.ssl.certificate_authorities: [ "/etc/elasticsearch/certs/ca/ca.crt" ]

xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.key: /etc/elasticsearch/certs/instance/instance.key
xpack.security.http.ssl.certificate: /etc/elasticsearch/certs/instance/instance.crt
xpack.security.http.ssl.certificate_authorities: [ "/etc/elasticsearch/certs/ca/ca.crt" ]

****** [ TLS communication between Kibana and Elasticsearch ] ******

# Add these settings to kibana.yml (TLS communication with Elasticsearch)

elasticsearch.hosts: ["https://ELK01-IP:9200", "https://ELK02-IP:9200", "https://ELK03-IP:9200"]
elasticsearch.ssl.certificate: /etc/elasticsearch/certs/instance/instance.crt
elasticsearch.ssl.key: /etc/elasticsearch/certs/instance/instance.key
elasticsearch.ssl.certificateAuthorities: [ "/etc/elasticsearch/certs/ca/ca.crt" ]
elasticsearch.ssl.verificationMode: certificate

****** [ TLS communication between Kibana and the browser ] ******

server.ssl.enabled: true
server.ssl.certificate: /etc/elasticsearch/certs/instance/instance.crt
server.ssl.key: /etc/elasticsearch/certs/instance/instance.key
#server.ssl.certificateAuthorities: [ "/etc/elasticsearch/certs/ca/ca.crt" ]
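
A pre-restart check for the settings above, as an added example that is not part of the original post: it reads elasticsearch.yml and kibana.yml text and reports TLS layers left disabled, verification modes that skip checks, and Kibana hosts that are not https. The function names and the sample input are constructed for illustration, and the parser assumes flat one-line "key: value" settings as written on this page.

```python
import re

# Constructed sample input; the second host uses http:// on purpose.
ES_YML = """\
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.http.ssl.enabled: true
"""
KIBANA_YML = """\
elasticsearch.hosts: ["https://ELK01-IP:9200", "http://ELK02-IP:9200"]
elasticsearch.ssl.verificationMode: certificate
server.ssl.enabled: true
#server.ssl.certificateAuthorities: [ "/etc/elasticsearch/certs/ca/ca.crt" ]
"""

def parse_flat_yaml(text):
    """Parse flat 'dotted.key: value' lines; blank and '#' lines are skipped."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition(":")
            settings[key.strip()] = value.strip()
    return settings

def audit(es_text, kibana_text):
    """Hypothetical helper: return (severity, message) findings for both files."""
    es, kb = parse_flat_yaml(es_text), parse_flat_yaml(kibana_text)
    out = []
    for layer in ("transport", "http"):  # both layers default to disabled
        if es.get(f"xpack.security.{layer}.ssl.enabled") != "true":
            out.append(("FAIL", f"elasticsearch.yml: {layer} TLS is not enabled"))
    modes = (("elasticsearch.yml transport", es.get("xpack.security.transport.ssl.verification_mode", "full")),
             ("kibana.yml elasticsearch.ssl", kb.get("elasticsearch.ssl.verificationMode", "full")))
    for where, mode in modes:  # both settings default to "full" when absent
        if mode == "none":
            out.append(("FAIL", f"{where}: peer certificate is not verified"))
        elif mode == "certificate":
            out.append(("WARN", f"{where}: CA signature checked, hostname not checked"))
    for url in re.findall(r'"([^"]+)"', kb.get("elasticsearch.hosts", "")):
        if not url.startswith("https://"):
            out.append(("FAIL", f"kibana.yml: host {url} is not https"))
    if kb.get("server.ssl.enabled") != "true":
        out.append(("FAIL", "kibana.yml: browser-facing TLS is not enabled"))
    return out

if __name__ == "__main__":
    for severity, message in audit(ES_YML, KIBANA_YML):
        print(severity, message)
```

The WARN on `certificate` reflects what that mode does: the peer certificate must chain to ca.crt, but its hostname is not compared with the address being connected to.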

 

References

https://www.elastic.co/guide/en/elasticsearch/reference/7.13/security-basic-setup.html#encrypt-internode-communication
