- elasticsearch
- java client
- kibana
Java client version 7.16.2
Connecting the Java client to Elasticsearch with basic security enabled
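```java
import java.io.InputStream;
import java.net.URI;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import javax.net.ssl.SSLContext;

import org.apache.http.HttpHost;
import org.apache.http.auth.AuthScope;
import org.apache.http.auth.UsernamePasswordCredentials;
import org.apache.http.client.CredentialsProvider;
import org.apache.http.impl.client.BasicCredentialsProvider;
import org.apache.http.impl.nio.client.HttpAsyncClientBuilder;
import org.apache.http.ssl.SSLContextBuilder;
import org.apache.http.ssl.SSLContexts;
import org.elasticsearch.client.RestClient;
import org.elasticsearch.client.RestClientBuilder;

public class ElasticSearchClient {

    // Wrapper method added so the snippet compiles on its own.
    public static RestClient buildClient() throws Exception {
        // Locate the PKCS#12 store (http.p12) on the classpath.
        URI uri = ElasticSearchClient.class.getClassLoader().getResource("http.p12").toURI();
        Path trustStorePath = Paths.get(uri);
        KeyStore truststore = KeyStore.getInstance("pkcs12");
        RestClientBuilder builder = null;
        try (InputStream is = Files.newInputStream(trustStorePath)) {
            // Store password and user credentials below are the post's sample values.
            truststore.load(is, "http123".toCharArray());
            // Trust only the certificates contained in the loaded store.
            SSLContextBuilder sslBuilder = SSLContexts.custom().loadTrustMaterial(truststore, null);
            SSLContext sslContext = sslBuilder.build();
            final CredentialsProvider credentialsProvider = new BasicCredentialsProvider();
            credentialsProvider.setCredentials(AuthScope.ANY,
                    new UsernamePasswordCredentials("elastic", "password"));
            builder = RestClient.builder(
                            new HttpHost("hostname1", 9200, "https"),
                            new HttpHost("hostname2", 9200, "https"),
                            new HttpHost("hostname3", 9200, "https"))
                    .setHttpClientConfigCallback(new RestClientBuilder.HttpClientConfigCallback() {
                        @Override
                        public HttpAsyncClientBuilder customizeHttpClient(
                                HttpAsyncClientBuilder httpClientBuilder) {
                            // Attach both the TLS context and the basic-auth credentials.
                            return httpClientBuilder
                                    .setSSLContext(sslContext)
                                    .setDefaultCredentialsProvider(credentialsProvider);
                        }
                    });
        } catch (Exception e) {
            e.printStackTrace();
            throw new RuntimeException(e);
        }
        RestClient client = builder.build();
        return client;
    }
}
```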
ElasticsearchSecurityException[failed to load SSL configuration [xpack.security.transport.ssl]]; nested: ElasticsearchException[failed to initialize SSL TrustManager]; nested: IOException[parseAlgParameters failed: ObjectIdentifier() -- data isn't an object ID (tag = 48)]; nested: IOException[ObjectIdentifier() -- data isn't an object ID (tag = 48)];
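This is caused by the JDK version of the ES cluster being different from the JDK version used for development.
Kibana: when configuring basic security for Kibana, the hostname and the cert's CN fail to match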
[17:58:03.050] [error][elasticsearch-service] Unable to retrieve version information from Elasticsearch nodes. Hostname/IP does not match certificate's altnames: Host: sit-201-128-10-12-20-03. is not cert's CN: SIT-201-128-10-12-20-*
In fact, the configuration file contains:
... elasticsearch.hosts: "https://SIT-201-128-10-12-20-03:9200" ...
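Running it still produces the problem above.
I then tested overriding the setting directly on the command line.
First, comment out elasticsearch.hosts in the configuration file,
then pass it in the start command: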
bin/kibana -H SIT-201-128-10-12-20-03 -e 'https://SIT-201-128-10-12-20-03:9200'
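The result is still the error above. In fact, this is the same kind of problem encountered when configuring Trino security authentication: in the operations that generate the CA and related certificates, the hostnames involved must be lowercase, otherwise this problem occurs.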
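A pre-flight check for both problems described above, as an added example that is not code from the original post: it loads the PKCS#12 store with the JDK you actually run (a load failure reproduces the first error) and lists each certificate's CN and DNS subject alternative names, flagging any that are not all lowercase. The class name `CertNameAudit` and the `P12_PASSWORD` environment variable are assumptions made for this example.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.*;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

// Added example; CertNameAudit and P12_PASSWORD are hypothetical names.
public class CertNameAudit {
    // Subject CN plus every dNSName SAN (GeneralName type 2) of one certificate.
    static List<String> names(X509Certificate cert) throws Exception {
        List<String> out = new ArrayList<>();
        for (Rdn rdn : new LdapName(cert.getSubjectX500Principal().getName()).getRdns()) {
            if ("CN".equalsIgnoreCase(rdn.getType())) out.add(String.valueOf(rdn.getValue()));
        }
        Collection<List<?>> sans = cert.getSubjectAlternativeNames(); // null if no SAN
        if (sans != null) {
            for (List<?> san : sans) {
                if (Integer.valueOf(2).equals(san.get(0))) out.add(String.valueOf(san.get(1)));
            }
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        String password = System.getenv("P12_PASSWORD");
        if (args.length != 1 || password == null) {
            System.err.println("usage: P12_PASSWORD=... java CertNameAudit <store.p12>");
            System.exit(64);
        }
        KeyStore store = KeyStore.getInstance("pkcs12");
        try (InputStream is = Files.newInputStream(Paths.get(args[0]))) {
            store.load(is, password.toCharArray());
        } catch (IOException e) {
            // Wrong password, or a store this JDK cannot parse (the first error above).
            System.err.println("Java " + System.getProperty("java.version") + " cannot load " + args[0] + ": " + e);
            System.exit(2);
        }
        for (String alias : Collections.list(store.aliases())) {
            if (!(store.getCertificate(alias) instanceof X509Certificate)) continue;
            for (String n : names((X509Certificate) store.getCertificate(alias))) {
                boolean lower = n.equals(n.toLowerCase(Locale.ROOT));
                System.out.println(alias + "\t" + n + "\t" + (lower ? "ok" : "NOT LOWERCASE"));
            }
        }
    }
}
```

Run it with the same JDK as the application that will open the store, so that a version-dependent load failure shows up here rather than at startup.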