Table of contents
- elasticsearch
- java client
- kibana
elasticsearch
Version 7.16.2
java client
Connecting the Java client to an ES cluster with basic security enabled
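```java
import java.io.InputStream;
import java.net.URI;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import javax.net.ssl.SSLContext;

import org.apache.http.HttpHost;
import org.apache.http.auth.AuthScope;
import org.apache.http.auth.UsernamePasswordCredentials;
import org.apache.http.client.CredentialsProvider;
import org.apache.http.impl.client.BasicCredentialsProvider;
import org.apache.http.impl.nio.client.HttpAsyncClientBuilder;
import org.apache.http.ssl.SSLContextBuilder;
import org.apache.http.ssl.SSLContexts;
import org.elasticsearch.client.RestClient;
import org.elasticsearch.client.RestClientBuilder;

// The statements below belong inside a method that declares `throws Exception`
// (toURI() and KeyStore.getInstance() throw checked exceptions).

// Load the PKCS#12 truststore (http.p12) from the classpath.
URI uri = ElasticSearchClient.class.getClassLoader().getResource("http.p12").toURI();
Path trustStorePath = Paths.get(uri);
KeyStore truststore = KeyStore.getInstance("pkcs12");
RestClientBuilder builder = null;
try (InputStream is = Files.newInputStream(trustStorePath)) {
    truststore.load(is, "http123".toCharArray());

    // Trust only the certificates contained in the truststore.
    SSLContextBuilder sslBuilder = SSLContexts.custom().loadTrustMaterial(truststore, null);
    SSLContext sslContext = sslBuilder.build();

    // Basic authentication credentials for the ES user.
    final CredentialsProvider credentialsProvider = new BasicCredentialsProvider();
    credentialsProvider.setCredentials(AuthScope.ANY,
            new UsernamePasswordCredentials("elastic", "password"));

    builder = RestClient.builder(
                    new HttpHost("hostname1", 9200, "https"),
                    new HttpHost("hostname2", 9200, "https"),
                    new HttpHost("hostname3", 9200, "https"))
            .setHttpClientConfigCallback(new RestClientBuilder.HttpClientConfigCallback() {
                @Override
                public HttpAsyncClientBuilder customizeHttpClient(HttpAsyncClientBuilder httpClientBuilder) {
                    // Apply both the TLS context and the credentials to the HTTP client.
                    return httpClientBuilder
                            .setSSLContext(sslContext)
                            .setDefaultCredentialsProvider(credentialsProvider);
                }
            });
} catch (Exception e) {
    e.printStackTrace();
    throw new RuntimeException(e);
}
RestClient client = builder.build();
```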
ElasticsearchSecurityException[failed to load SSL configuration [xpack.security.transport.ssl]]; nested: ElasticsearchException[failed to initialize SSL TrustManager]; nested: IOException[parseAlgParameters failed: ObjectIdentifier() -- data isn't an object ID (tag = 48)]; nested: IOException[ObjectIdentifier() -- data isn't an object ID (tag = 48)];
The error above occurs because the JDK version of the ES cluster differs from the JDK version used for development.
kibana
When configuring Kibana with basic security, the hostname and the cert's CN failed to match:
[17:58:03.050] [error][elasticsearch-service] Unable to retrieve version information from Elasticsearch nodes. Hostname/IP does not match certificate's altnames: Host: sit-201-128-10-12-20-03. is not cert's CN: SIT-201-128-10-12-20-*
The configuration file actually contains:
...
elasticsearch.hosts: "https://SIT-201-128-10-12-20-03:9200"
...
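Running Kibana still produced the error above.
I then tested overriding the setting directly on the command line:
first comment out elasticsearch.hosts in the configuration file,
then pass it in the startup command: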
bin/kibana -H SIT-201-128-10-12-20-03 -e 'https://SIT-201-128-10-12-20-03:9200'
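The result was still the same error as above. In fact, this is the same kind of problem I ran into when configuring Trino security authentication: when generating the CA and performing the related operations, the hostnames involved must be lowercase, otherwise this problem occurs.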
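A triage helper for the Kibana error above, added here as an example (it is not code from the original post or from Kibana). It parses the "Host: ... is not cert's CN / in the cert's altnames" message and reports, for each certificate name, whether it contains uppercase characters or a wildcard and whether it equals the requested host after case folding. The function names `parseMismatch`, `triage` and `uppercaseHosts` are hypothetical.

```javascript
'use strict';

// Sample input: the error line quoted on this page.
const SAMPLE = "[17:58:03.050] [error][elasticsearch-service] Unable to retrieve " +
  "version information from Elasticsearch nodes. Hostname/IP does not match " +
  "certificate's altnames: Host: sit-201-128-10-12-20-03. is not cert's CN: " +
  "SIT-201-128-10-12-20-*";

// Extract the requested host and the certificate name(s) from the message.
// Handles both the "cert's CN" form and the "in the cert's altnames" form.
function parseMismatch(line) {
  const re = /Host: (.+?)\. is not (?:cert's CN: (.+)|in the cert's altnames: (.+))$/;
  const m = re.exec(line.trim());
  if (!m) return null;
  const names = m[2] !== undefined
    ? [m[2].trim()]
    : m[3].split(',').map((s) => s.trim().replace(/^DNS:/, ''));
  return { host: m[1], names };
}

// Case-fold and drop a trailing dot so that only real differences remain.
const norm = (name) => name.toLowerCase().replace(/\.$/, '');

// Describe each certificate name relative to the host the client asked for.
function triage(line) {
  const parsed = parseMismatch(line);
  if (!parsed) return null;
  return parsed.names.map((name) => ({
    name,
    hasUppercase: name !== name.toLowerCase(),
    hasWildcard: name.includes('*'),
    sameAfterCaseFold: norm(name) === norm(parsed.host),
  }));
}

// Pre-flight lint: hostnames that should be lowercased before the
// certificates are generated.
function uppercaseHosts(hosts) {
  return hosts.filter((h) => h !== h.toLowerCase());
}

console.log(triage(SAMPLE));
```

Running `uppercaseHosts` over the host list before generating the CA and node certificates catches the naming problem before Kibana ever connects.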