---
title: Elasticsearch-oss security configuration
tags: Elasticsearch
description: View the slide with "Slide Mode".
---
# Elasticsearch-oss security configuration
## [Get started](https://opendistro.github.io/for-elasticsearch-docs/docs/security-configuration/#get-started)
>[name=昱齊] Notes on the parameters of `curl -XGET https://192.168.8.34:9200 -u admin:admin --insecure`
- `-k`, `--insecure` Allow connections to SSL sites without certs (H)
### Procedure
1. Replace the demo certificates
1. Reconfigure elasticsearch.yml to use your certificates [Configure TLS certificates](#Configure-TLS-certificates)
1. Reconfigure config.yml to use your authentication backend (if you don’t plan to use the internal user database)
1. Modify the configuration YAML files
1. Apply changes using securityadmin.sh
1. Start Elasticsearch.
1. Add users, roles, role mappings, and tenants
---
# Configure TLS certificates
## [Official documentation](https://opendistro.github.io/for-elasticsearch-docs/docs/security-configuration/tls/#transport-layer-tls)
TLS is configured in `elasticsearch.yml`. There are two main configuration sections: <font color=blue>the transport layer and the REST layer.</font> TLS is optional for the REST layer and mandatory for the transport layer.
## X.509 PEM certificates and PKCS #8 keys
The following tables contain the settings you can use to configure the location of your PEM certificates and private keys.
### Transport layer TLS
| Name | Description |
|------|-------------|
| `opendistro_security.ssl.transport.pemkey_filepath` | Path to the certificate’s key file (PKCS #8), <font color=red>which must be under the `config` directory</font>, specified using a relative path. Required. |
| `opendistro_security.ssl.transport.pemkey_password` | Key password. Omit this setting if the key has no password. ==Optional==. |
| `opendistro_security.ssl.transport.pemcert_filepath` | Path to the X.509 node certificate chain (PEM format), <font color=red>which must be under the `config` directory</font>, specified using a relative path. Required. |
| `opendistro_security.ssl.transport.pemtrustedcas_filepath` | Path to the root CAs (PEM format), <font color=red>which must be under the `config` directory</font>, specified using a relative path. Required. |
>[name=昱齊] `pemkey_password` is the password for the key in `pemkey_filepath`; write it only if the key has a password set
- that is, the `certificate`, the `private key`, and the `ca`
### REST layer TLS
- Same as above; only the parameter names differ
| Name | Description |
|-----------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------|
| `opendistro_security.ssl.http.pemkey_filepath` | Path to the certificate’s key file (PKCS #8), which must be under the config directory, specified using a relative path. Required. |
| `opendistro_security.ssl.http.pemkey_password` | Key password. Omit this setting if the key has no password. Optional. |
| `opendistro_security.ssl.http.pemcert_filepath` | Path to the X.509 node certificate chain (PEM format), which must be under the config directory, specified using a relative path. Required. |
| `opendistro_security.ssl.http.pemtrustedcas_filepath` | Path to the root CAs (PEM format), which must be under the config directory, specified using a relative path. Required. |
## Keystore and truststore files
<font color=blue>As an alternative to certificates and private keys in PEM format, you can instead use keystore and truststore files in JKS or PKCS12/PFX format.</font> The following settings configure the location and password of your keystore and truststore files. If you want, you can use different keystore and truststore files for the REST and the transport layer.
### Transport layer TLS
### REST layer TLS
---
## Configure node certificates
The Security plugin needs to <font color=blue>identify inter-cluster requests (i.e. requests between the nodes).</font> The simplest way of configuring node certificates is to <font color=blue>list the Distinguished Names (DNs) of these certificates</font> in elasticsearch.yml. All DNs must be included in elasticsearch.yml on all nodes. The Security plugin supports wildcards and regular expressions:
```yaml=
opendistro_security.nodes_dn:
- 'CN=node.other.com,OU=SSL,O=Test,L=Test,C=DE'
- 'CN=*.example.com,OU=SSL,O=Test,L=Test,C=DE'
- 'CN=elk-devcluster*'
- '/CN=.*regex/'
```
If your node certificates have an OID identifier in the SAN section, you can omit this configuration.
## Configure admin certificates
Admin certificates are regular client certificates that have elevated rights to perform administrative tasks. <font color=blue>You need an admin certificate</font> to change the Security plugin configuration using `plugins/opendistro_security/tools/securityadmin.sh` or the REST API. Admin certificates are configured in elasticsearch.yml by stating their DN(s):
```yaml=
opendistro_security.authcz.admin_dn:
- CN=admin,OU=SSL,O=Test,L=Test,C=DE
```
For security reasons, you can’t use wildcards or regular expressions here.
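As an added illustration (not the plugin's own code) of how the two settings above differ, the following Python matcher applies the `nodes_dn` semantics described on this page (exact match, `*` wildcard, `/.../` regular expression, assumed here to match the whole DN) and the literal-only `admin_dn` comparison to constructed DNs; `NODES_DN` and `ADMIN_DN` are the values from the two YAML snippets above:

```python
import re

# Values copied from the nodes_dn / admin_dn snippets above (assumed loaded from elasticsearch.yml).
NODES_DN = [
    'CN=node.other.com,OU=SSL,O=Test,L=Test,C=DE',
    'CN=*.example.com,OU=SSL,O=Test,L=Test,C=DE',
    'CN=elk-devcluster*',
    '/CN=.*regex/',
]
ADMIN_DN = ['CN=admin,OU=SSL,O=Test,L=Test,C=DE']


def pattern_to_regex(pattern: str) -> re.Pattern:
    """Translate one nodes_dn entry into a compiled regex.

    '/.../' entries are regular expressions, '*' is a wildcard for any run of
    characters, and everything else must match literally. Whole-DN matching is
    an assumption made by this example.
    """
    if len(pattern) > 1 and pattern.startswith('/') and pattern.endswith('/'):
        return re.compile(pattern[1:-1])
    # Escape the literal parts so '.' in a hostname does not become a regex metachar.
    return re.compile('.*'.join(re.escape(part) for part in pattern.split('*')))


def is_node_dn(dn: str, patterns=NODES_DN) -> bool:
    """True if the certificate DN would be treated as an inter-cluster (node) identity."""
    return any(pattern_to_regex(p).fullmatch(dn) for p in patterns)


def is_admin_dn(dn: str, admin_dns=ADMIN_DN) -> bool:
    """admin_dn entries are compared literally: no wildcards, no regular expressions."""
    return dn in admin_dns


def suspicious_admin_dn_entries(admin_dns) -> list:
    """Return admin_dn entries written with wildcard or regex syntax.

    Such entries never match a real certificate DN literally, so the intended
    admin certificate would be silently denied; flag them during config review.
    """
    return [p for p in admin_dns if '*' in p or (p.startswith('/') and p.endswith('/'))]


if __name__ == '__main__':
    for dn in ('CN=es1.example.com,OU=SSL,O=Test,L=Test,C=DE', 'CN=admin,OU=SSL,O=Test,L=Test,C=DE'):
        print(dn, 'node:', is_node_dn(dn), 'admin:', is_admin_dn(dn))
```

The DN the plugin compares is the certificate subject in RFC 2253 form, which `openssl x509 -in node.pem -noout -subject -nameopt RFC2253` prints, so feed that string (not the OpenSSL default `C=..., O=...` ordering) into a check like this.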
# Backend configuration