# elasticsearch7.0 Cluster Setup and x-pack crack

###### tags: `elasticsearch`

[Reference](https://www.codetd.com/en/article/7049729)

## Environment

Centos7
Elasticsearch-7.0.1
Kibana-7.0.1

### Build elastic from source

#### Creating packages

To create a distribution without running the tests, simply run the following:

```
./gradlew assemble
```

To create a platform-specific build including the x-pack modules, use the following depending on your operating system:

```
./gradlew :distribution:archives:linux-tar:assemble
./gradlew :distribution:archives:darwin-tar:assemble
./gradlew :distribution:archives:windows-zip:assemble
```

### Download and unpack es

```
wget https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.0.1-linux-x86_64.tar.gz
# Unpack elasticsearch.tar.gz
tar zxvf elasticsearch-7.0.1-linux-x86_64.tar.gz
```

### Crack x-pack

1. Download a Java decompiler. There are many decompilation tools; Luyten is recommended, download address: https://github.com/deathmarine/Luyten/releases. Download the Windows version to your local machine and install it.
2. Extract `elasticsearch-7.0.1-linux-x86_64.tar.gz`, copy the file `elasticsearch-7.0.1/modules/x-pack-core/x-pack-core-7.0.1.jar` to the Windows machine and open it with the decompiler.
3. Find `org.elasticsearch.license.LicenseVerifier`, open it and copy the contents. Then create a new `LicenseVerifier.java` file on our server and paste the copied content into it. There are two static methods in `LicenseVerifier`; they verify whether the license file is valid. We change both of them to `return true` and comment out the code that is no longer needed, using `/* */` comments.
Here is the revised content:

```java=
package org.elasticsearch.license;

import java.nio.*;
import org.elasticsearch.common.bytes.*;
import java.security.*;
import java.util.*;
import org.elasticsearch.common.xcontent.*;
import org.apache.lucene.util.*;
import org.elasticsearch.core.internal.io.*;
import java.io.*;

public class LicenseVerifier {
    public static boolean verifyLicense(final License license, final byte[] publicKeyData) {
        /* Comment out from here
        byte[] signedContent = null;
        byte[] publicKeyFingerprint = null;
        try {
            final byte[] signatureBytes = Base64.getDecoder().decode(license.signature());
            final ByteBuffer byteBuffer = ByteBuffer.wrap(signatureBytes);
            final int version = byteBuffer.getInt();
            final int magicLen = byteBuffer.getInt();
            final byte[] magic = new byte[magicLen];
            byteBuffer.get(magic);
            final int hashLen = byteBuffer.getInt();
            publicKeyFingerprint = new byte[hashLen];
            byteBuffer.get(publicKeyFingerprint);
            final int signedContentLen = byteBuffer.getInt();
            signedContent = new byte[signedContentLen];
            byteBuffer.get(signedContent);
            final XContentBuilder contentBuilder = XContentFactory.contentBuilder(XContentType.JSON);
            license.toXContent(contentBuilder, (ToXContent.Params)new ToXContent.MapParams((Map)Collections.singletonMap("license_spec_view", "true")));
            final Signature rsa = Signature.getInstance("SHA512withRSA");
            rsa.initVerify(CryptUtils.readPublicKey(publicKeyData));
            final BytesRefIterator iterator = BytesReference.bytes(contentBuilder).iterator();
            BytesRef ref;
            while ((ref = iterator.next()) != null) {
                rsa.update(ref.bytes, ref.offset, ref.length);
            }
            return rsa.verify(signedContent);
        }
        catch (IOException ex) {}
        catch (NoSuchAlgorithmException ex2) {}
        catch (SignatureException ex3) {}
        catch (InvalidKeyException e) {
            throw new IllegalStateException(e);
        }
        finally {
            if (signedContent != null) {
                Arrays.fill(signedContent, (byte)0);
            }
        }
        Comment out up to here */
        return true; // Changed to always return true
    }

    public static boolean verifyLicense(final License license) {
        /* Comment out from here
        byte[] publicKeyBytes;
        try {
            final InputStream is = LicenseVerifier.class.getResourceAsStream("/public.key");
            try {
                final ByteArrayOutputStream out = new ByteArrayOutputStream();
                Streams.copy(is, (OutputStream)out);
                publicKeyBytes = out.toByteArray();
                if (is != null) {
                    is.close();
                }
            }
            catch (Throwable t) {
                if (is != null) {
                    try {
                        is.close();
                    }
                    catch (Throwable t2) {
                        t.addSuppressed(t2);
                    }
                }
                throw t;
            }
        }
        catch (IOException ex) {
            throw new IllegalStateException(ex);
        }
        return verifyLicense(license, publicKeyBytes);
        Comment out up to here */
        return true; // Changed to always return true
    }
}
```

4. Find `org.elasticsearch.xpack.core.XPackBuild`, open it and copy the contents, then create an `XPackBuild.java` file on our server and paste the contents into it. In the static block at the end of `XPackBuild` we comment out the whole `if` block; this is the code that reads the jar manifest, which is how it is checked whether the jar package has been modified. The modified content is as follows:

```java=
package org.elasticsearch.xpack.core;

import org.elasticsearch.common.io.*;
import java.net.*;
import org.elasticsearch.common.*;
import java.nio.file.*;
import java.io.*;
import java.util.jar.*;

public class XPackBuild {
    public static final XPackBuild CURRENT;
    private String shortHash;
    private String date;

    @SuppressForbidden(reason = "looks up path of xpack.jar directly")
    static Path getElasticsearchCodebase() {
        final URL url = XPackBuild.class.getProtectionDomain().getCodeSource().getLocation();
        try {
            return PathUtils.get(url.toURI());
        }
        catch (URISyntaxException bogus) {
            throw new RuntimeException(bogus);
        }
    }

    XPackBuild(final String shortHash, final String date) {
        this.shortHash = shortHash;
        this.date = date;
    }

    public String shortHash() {
        return this.shortHash;
    }

    public String date() {
        return this.date;
    }

    static {
        final Path path = getElasticsearchCodebase();
        String shortHash = null;
        String date = null;
        Label_0109: {
            /* Comment out from here
            if (path.toString().endsWith(".jar")) {
                try {
                    final JarInputStream jar = new JarInputStream(Files.newInputStream(path, new OpenOption[0]));
                    try {
                        final Manifest manifest = jar.getManifest();
                        shortHash = manifest.getMainAttributes().getValue("Change");
                        date = manifest.getMainAttributes().getValue("Build-Date");
                        jar.close();
                    }
                    catch (Throwable t) {
                        try {
                            jar.close();
                        }
                        catch (Throwable t2) {
                            t.addSuppressed(t2);
                        }
                        throw t;
                    }
                    break Label_0109;
                }
                catch (IOException e) {
                    throw new RuntimeException(e);
                }
            }
            Comment out up to here */
            shortHash = "Unknown";
            date = "Unknown";
        }
        CURRENT = new XPackBuild(shortHash, date);
    }
}
```

5. Use javac to compile the `LicenseVerifier.java` and `XPackBuild.java` files just created into class files. Pay attention to your own directory structure here:

```bash=
javac -cp "/data/soft/elasticsearch-7.0.1/lib/elasticsearch-7.0.1.jar:/data/soft/elasticsearch-7.0.1/lib/lucene-core-8.0.0.jar:/data/soft/elasticsearch-7.0.1/modules/x-pack-core/x-pack-core-7.0.1.jar:/data/soft/elasticsearch-7.0.1/modules/x-pack-core/netty-common-4.1.32.Final.jar:/data/soft/elasticsearch-7.0.1/lib/elasticsearch-core-7.0.1.jar" ./LicenseVerifier.java
javac -cp "/data/soft/elasticsearch-7.0.1/lib/elasticsearch-7.0.1.jar:/data/soft/elasticsearch-7.0.1/lib/lucene-core-8.0.0.jar:/data/soft/elasticsearch-7.0.1/modules/x-pack-core/x-pack-core-7.0.1.jar:/data/soft/elasticsearch-7.0.1/modules/x-pack-core/netty-common-4.1.32.Final.jar:/data/soft/elasticsearch-7.0.1/lib/elasticsearch-core-7.0.1.jar" ./XPackBuild.java
```

After execution, two class files are generated in the current directory:

```bash=
LicenseVerifier.class
XPackBuild.class
```

6. Copy `x-pack-core-7.0.1.jar` to an empty directory and unpack it with `$ jar -xvf x-pack-core-7.0.1.jar`, then replace the class files:

```bash=
cp -a ../XPackBuild.class org/elasticsearch/xpack/core/
cp -a ../LicenseVerifier.class org/elasticsearch/license/
```

7. Pack the new `x-pack-core-7.0.1.jar` file. Go to the directory where you just unpacked `x-pack-core-7.0.1.jar`, delete the original `x-pack-core-7.0.1.jar`, then repack:

```bash=
jar cvf x-pack-core-7.0.1.jar .
```

8. Copy the newly generated `x-pack-core-7.0.1.jar` into es:

```bash=
cp -a x-pack-core-7.0.1.jar /data/soft/elasticsearch-7.0.1/modules/x-pack-core/
```

9. Configure the elasticsearch security protocol. With all of the above done, we need to configure the SSL/TLS security protocol of elasticsearch before starting it. Since it is not configured yet, we first disable security to load the license; after the license is loaded, we enable security and SSL/TLS.

#### Load the license before enabling security

```bash=
$ echo "xpack.security.enabled: false" >> /data/soft/elasticsearch-7.0.1/config/elasticsearch.yml
$ ./bin/elasticsearch -d  # Start elasticsearch in the background
```

10. Apply for a license. Log in to the elastic official website to apply for a license, [License application address](https://license.elastic.co/registration). The registration form has no option for version 7; downloading the version 6 license also works. The downloaded license is in JSON format. Modify the `type`, `expiry_date_in_millis` and `max_nodes` of the license to `platinum`, `2524579200999` and `1000` respectively; the time value is in milliseconds.
The contents of the license are as follows:

```json=
{
  "license": {
    "uid": "10bdea8f-f3fc-421d-9354-b47315d5ba47",
    "type": "platinum",
    "issue_date_in_millis": 1565481600000,
    "expiry_date_in_millis": 2524579200999,
    "max_nodes": 1000,
    "issued_to": "wang xiao (???????)",
    "issuer": "Web Form",
    "Signature": "AAAAAwAAAA1nyWcAXdBAA2klkzrZAAABmC9ZN0hjZDBGYnVyRXpCOW5Bb3FjZDAxOWpSbTVoMVZwUzRxVk1PSmkxaktJRVl5MUYvUWh3bHZVUTllbXNPbzBUemtnbWpBbmlWRmRZb25KNFlBR2x0TXc2K2p1Y1VtMG1UQU9TRGZVSGRwaEJGUjE3bXd3LzRqZ05iLzRteWFNekdxRGpIYlFwYkJiNUs0U1hTVlJKNVlXekMrSlVUdFIvV0FNeWdOYnlESDc3MWhlY3hSQmdKSjJ2ZTcvYlBFOHhPQlV3ZHdDQ0tHcG5uOElCaDJ4K1hob29xSG85N0kvTWV3THhlQk9NL01VMFRjNDZpZEVXeUtUMXIyMlIveFpJUkk2WUdveEZaME9XWitGUi9WNTZVQW1FMG1DenhZU0ZmeXlZakVEMjZFT2NvOWxpZGlqVmlHNC8rWVVUYzMwRGVySHpIdURzKzFiRDl4TmM1TUp2VTBOUlJZUlAyV0ZVL2kvVk10L0NsbXNFYVZwT3NSU082dFNNa2prQ0ZsclZ4NTltbU1CVE5lR09Bck93V2J1Y3c9PQAAAQAGLq3NLsOn2u1mkOfdXR6oyixJl8 / kZu / godGNtR1F6fvutn4mMKdvPPB4n8pQxa4kAFJn731D5I5kUwNqxmuTsGlvf + V8G4bj1O3nyMK7p3vxy0TzO0vEb + WskvGoJr8axPOPU7h8xh4POTYJVplaABtjqaR + 1SGS5ki422xIhXCNah99YuY8fct83M0U1iEJaSST26Ew3PCQ6n5yKrht8zk + yBIG32hgOhbhzgPOa4cVy1rQr7Z7ZxJIY8OyN6sfqItt8dzB2m + G8Eu / xP6Z9nmpG6y + Ty9BpJhre7TExrgObTju313IcFo1ZAkY70UscLamYbpRDJuS2EY7Qmow",
    "start_date_in_millis": 1565481600000
  }
}
```

We write the expiration date as 2050 and change the type to platinum, so that we have all the x-pack features.

11. Load the license into elasticsearch:

```bash=
$ curl -XPUT -u elastic 'http://10.0.0.4:9200/_xpack/license' -H "Content-Type: application/json" -d @license.json
Enter host password for user 'elastic':   # Prompt for the elastic user password; there is no password yet, so just press enter
{"acknowledged": true, "license_status": "valid"}   # License was written successfully
```

12. Modify the configuration and restart es:

```bash=
echo "xpack.security.transport.ssl.enabled: true" >> /data/soft/elasticsearch-7.0.1/config/elasticsearch.yml
sed -i 's/xpack.security.enabled: false/xpack.security.enabled: true/g' /data/soft/elasticsearch-7.0.1/config/elasticsearch.yml
kill -9 13023 && ./bin/elasticsearch -d  # restart elasticsearch
```

**The configuration at this time is as follows:**

```bash=
[root@heaven-01 soft]# cat elasticsearch-7.0.1/config/elasticsearch.yml
path.data: /data/soft/elasticsearch-7.0.1/data
path.logs: /data/soft/elasticsearch-7.0.1/logs
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
```

**View License**

```bash=
[root@heaven-01 soft]# curl -XGET -u elastic http://10.0.0.4:9200/_license   # Prompt for the elastic user password; there is no password yet, so just press enter
{
  "license" : {
    "status" : "active",
    "uid" : "10bdea8f-f3fc-421d-9354-b47315d5ba47",
    "type" : "platinum",
    "issue_date" : "2019-08-11T00:00:00.000Z",
    "issue_date_in_millis" : 1565481600000,
    "expiry_date" : "2049-12-31T16:00:00.999Z",
    "expiry_date_in_millis" : 2524579200999,
    "max_nodes" : 100,
    "issued_to" : "wang xiao (???????)",
    "issuer" : "Web Form",
    "start_date_in_millis" : 1565481600000
  }
}
```

Cracked successfully.

13. Set passwords. Run the following command to set the passwords of the accounts needed to establish a connection:

```bash=
bin/elasticsearch-setup-passwords interactive
```
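A defender-side integrity check, added here and not part of the original page: the procedure above replaces `LicenseVerifier.class` and `XPackBuild.class` inside `x-pack-core-7.0.1.jar`, so diffing the installed jar's entry CRCs and sizes against the copy in the official tarball shows exactly which classes changed. The jar pair below is constructed in a temp directory for illustration and does not contain real ES classes.

```python
import os
import tempfile
import zipfile

# Classes the procedure on this page rewrites; flagged separately if changed.
SENSITIVE = {
    "org/elasticsearch/license/LicenseVerifier.class",
    "org/elasticsearch/xpack/core/XPackBuild.class",
}

def _entries(path):
    """Map each jar entry name to (crc32, uncompressed size) from the zip index."""
    with zipfile.ZipFile(path) as zf:
        return {i.filename: (i.CRC, i.file_size) for i in zf.infolist()}

def diff_jar(pristine, installed):
    """Compare two jars; report added, removed and modified entries by name."""
    a, b = _entries(pristine), _entries(installed)
    modified = sorted(n for n in a.keys() & b.keys() if a[n] != b[n])
    return {
        "added": sorted(b.keys() - a.keys()),
        "removed": sorted(a.keys() - b.keys()),
        "modified": modified,
        "sensitive_modified": [n for n in modified if n in SENSITIVE],
    }

def build_sample_jars(directory):
    """Write a constructed pristine/tampered jar pair (placeholder bytes, not real classes)."""
    base = {
        "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\nChange: abc123\n",
        "org/elasticsearch/license/LicenseVerifier.class": b"\xca\xfe\xba\xbe verify",
        "org/elasticsearch/xpack/core/XPackBuild.class": b"\xca\xfe\xba\xbe manifest",
        "org/elasticsearch/license/License.class": b"\xca\xfe\xba\xbe license",
    }
    tampered = dict(base)
    tampered["org/elasticsearch/license/LicenseVerifier.class"] = b"\xca\xfe\xba\xbe true"
    tampered["org/elasticsearch/xpack/core/XPackBuild.class"] = b"\xca\xfe\xba\xbe unknown"
    paths = []
    for name, entries in (("pristine.jar", base), ("installed.jar", tampered)):
        path = os.path.join(directory, name)
        with zipfile.ZipFile(path, "w") as zf:
            for entry, data in entries.items():
                zf.writestr(entry, data)
        paths.append(path)
    return paths[0], paths[1]

def run_sample():
    """Build the sample pair in a temp dir and return the diff report."""
    with tempfile.TemporaryDirectory() as d:
        return diff_jar(*build_sample_jars(d))
```

On a real host, call `diff_jar()` with the jar from a freshly downloaded tarball and the one under `modules/x-pack-core/`; any entry in `sensitive_modified` means the license code has been altered.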
----------

## es cluster deployment and kibana (three es nodes as the example)

The configuration above deploys es as a single node; for an es cluster the following additional steps are needed:

1. In the es cluster, if you use the x-pack security function, you must use TLS/SSL for secure transport, so you need to generate a certificate file:

```bash=
bin/elasticsearch-certutil cert -out config/elastic-certificates.p12 -pass ""
```

At this point the `elastic-certificates.p12` file is generated in the config directory; change its ownership:

```bash=
chown elk:elk config/elastic-certificates.p12
```

2. Copy the cracked `es-01` and name the copies `es-02` and `es-03`, then clear the data and logs directories in `es-02` and `es-03` **(very important, especially the data directory, otherwise an error will be reported)**.

3. Modify the es configuration. The configuration of es-01 is as follows:

```bash=
[root@heaven-01 soft]# cat es-01/config/elasticsearch.yml | grep -v "#"
cluster.name: es-cluster
node.name: node-master-01
node.master: true
node.data: true
path.data: /data/soft/es-01/data
path.logs: /data/soft/es-01/logs
network.host: 10.0.0.4
http.port: 9200
transport.tcp.compress: true
http.cors.enabled: true
http.cors.allow-origin: "*"
bootstrap.memory_lock: true
discovery.seed_hosts: ["10.0.0.4:9300","10.0.0.4:9301","10.0.0.4:9302"]
cluster.initial_master_nodes: ["10.0.0.4:9300"]
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: /data/soft/es-01/config/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: /data/soft/es-01/config/elastic-certificates.p12
```

The configuration of es-02 is as follows:

```bash=
[root@heaven-01 soft]# cat es-02/config/elasticsearch.yml | grep -v "#"
cluster.name: es-cluster
node.name: node-data-01
node.master: false
node.data: true
path.data: /data/soft/es-02/data
path.logs: /data/soft/es-02/logs
network.host: 10.0.0.4
http.port: 9201
transport.tcp.compress: true
http.cors.enabled: true
http.cors.allow-origin: "*"
bootstrap.memory_lock: true
discovery.seed_hosts: ["10.0.0.4:9300","10.0.0.4:9301","10.0.0.4:9302"]
cluster.initial_master_nodes: ["10.0.0.4:9300"]
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: /data/soft/es-02/config/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: /data/soft/es-02/config/elastic-certificates.p12
```

The configuration of es-03 is as follows:

```bash=
[root@heaven-01 soft]# cat es-03/config/elasticsearch.yml | grep -v "#"
cluster.name: es-cluster
node.name: node-data-02
node.master: false
node.data: true
path.data: /data/soft/es-03/data
path.logs: /data/soft/es-03/logs
network.host: 10.0.0.4
http.port: 9202
transport.tcp.compress: true
http.cors.enabled: true
http.cors.allow-origin: "*"
bootstrap.memory_lock: true
discovery.seed_hosts: ["10.0.0.4:9300","10.0.0.4:9301","10.0.0.4:9302"]
cluster.initial_master_nodes: ["10.0.0.4:9300"]
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: /data/soft/es-03/config/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: /data/soft/es-03/config/elastic-certificates.p12
```

4. Start the three es nodes separately:

```bash=
sudo -u elk /data/soft/es-01/bin/elasticsearch -d
sudo -u elk /data/soft/es-02/bin/elasticsearch -d
sudo -u elk /data/soft/es-03/bin/elasticsearch -d
```

5. Download and configure kibana:

```bash=
wget https://artifacts.elastic.co/downloads/kibana/kibana-7.0.1-x86_64.rpm
rpm -ivh kibana-7.0.1-x86_64.rpm
```

Modify the configuration as follows:

```bash=
cat /etc/kibana/kibana.yml
server.port: 5601
server.host: "10.0.0.4"
elasticsearch.hosts: ["http://10.0.0.4:9200"]
elasticsearch.username: "elastic"
elasticsearch.password: "123456"
xpack.security.encryptionKey: "something_at_least_32_characters"
```

Start kibana:

```bash=
/etc/init.d/kibana start
```

6. Access http://10.0.0.4:5601 (log in with the elastic user and the password set above).
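A configuration check for the node and kibana settings in this section, added here and not part of the original page. It flags what a reviewer would question in the files above: the HTTP layer has no TLS (`xpack.security.http.ssl.enabled` is unset), so kibana sends the elastic password over plain http; `verification_mode: certificate` skips hostname checks; CORS is open to any origin; and the kibana password sits in plaintext in `kibana.yml`. The finding codes and the inline sample configs are constructed for this example, and the parser handles only the flat `key: value` lines used here.

```python
def parse_flat_yaml(text):
    """Parse 'key: value' lines (no nesting); drops comments, strips quotes."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" in line:
            key, val = line.split(":", 1)
            conf[key.strip()] = val.strip().strip("\"'")
    return conf

def lint_es(text):
    """Return finding codes for one node's elasticsearch.yml fragment."""
    c = parse_flat_yaml(text)
    findings = []
    if c.get("xpack.security.enabled") != "true":
        findings.append("security-disabled")
    if c.get("xpack.security.transport.ssl.enabled") != "true":
        findings.append("transport-tls-off")  # node-to-node traffic in the clear
    if c.get("xpack.security.http.ssl.enabled") != "true":
        findings.append("http-tls-off")  # REST API and basic-auth credentials in the clear
    if c.get("xpack.security.transport.ssl.verification_mode", "full") != "full":
        findings.append("verification-mode-not-full")  # peer hostnames are not checked
    if c.get("http.cors.allow-origin") == "*":
        findings.append("cors-wildcard")  # any web origin may call the API
    return findings

def lint_kibana(text):
    """Return finding codes for a kibana.yml fragment."""
    c = parse_flat_yaml(text)
    findings = []
    if "http://" in c.get("elasticsearch.hosts", ""):
        findings.append("kibana-plain-http")  # elastic password sent unencrypted
    if c.get("elasticsearch.password"):
        findings.append("kibana-password-inline")  # better kept in kibana-keystore
    return findings

# Constructed samples that mirror the settings shown on this page.
ES01_YML = """\
node.name: node-master-01
http.cors.enabled: true
http.cors.allow-origin: "*"
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
"""
KIBANA_YML = """\
elasticsearch.hosts: ["http://10.0.0.4:9200"]
elasticsearch.username: "elastic"
elasticsearch.password: "123456"
"""
```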