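Common problems when configuring X-Pack and SSL security authentication for Elasticsearch

This article describes in detail the exceptions encountered while configuring X-Pack and SSL security authentication for Elasticsearch, and provides a solution for each of the two client types, rest-high-level-client and transport, so that the client connects securely to the server.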


Exceptions

When the client is rest-high-level-client, the client-side exception:
com.mamaqunaer.elasticsearch.ElasticSearchException: org.apache.http.ConnectionClosedException: Connection closed

	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:498)
	at org.junit.runners.model.FrameworkMethod$1.runReflectiveCall(FrameworkMethod.java:50)
	at org.junit.internal.runners.model.ReflectiveCallable.run(ReflectiveCallable.java:12)
	at org.junit.runners.model.FrameworkMethod.invokeExplosively(FrameworkMethod.java:47)
	at org.junit.internal.runners.statements.InvokeMethod.evaluate(InvokeMethod.java:17)
	at org.springframework.test.context.junit4.statements.RunBeforeTestExecutionCallbacks.evaluate(RunBeforeTestExecutionCallbacks.java:73)
	at org.springframework.test.context.junit4.statements.RunAfterTestExecutionCallbacks.evaluate(RunAfterTestExecutionCallbacks.java:83)
	at org.springframework.test.context.junit4.statements.RunBeforeTestMethodCallbacks.evaluate(RunBeforeTestMethodCallbacks.java:75)
	at org.springframework.test.context.junit4.statements.RunAfterTestMethodCallbacks.evaluate(RunAfterTestMethodCallbacks.java:86)
	at org.springframework.test.context.junit4.statements.SpringRepeat.evaluate(SpringRepeat.java:84)
	at org.junit.runners.ParentRunner.runLeaf(ParentRunner.java:325)
	at org.springframework.test.context.junit4.SpringJUnit4ClassRunner.runChild(SpringJUnit4ClassRunner.java:251)
	at org.springframework.test.context.junit4.SpringJUnit4ClassRunner.runChild(SpringJUnit4ClassRunner.java:97)
	at org.junit.runners.ParentRunner$3.run(ParentRunner.java:290)
	at org.junit.runners.ParentRunner$1.schedule(ParentRunner.java:71)
	at org.junit.runners.ParentRunner.runChildren(ParentRunner.java:288)
	at org.junit.runners.ParentRunner.access$000(ParentRunner.java:58)
	at org.junit.runners.ParentRunner$2.evaluate(ParentRunner.java:268)
	at org.springframework.test.context.junit4.statements.RunBeforeTestClassCallbacks.evaluate(RunBeforeTestClassCallbacks.java:61)
	at org.springframework.test.context.junit4.statements.RunAfterTestClassCallbacks.evaluate(RunAfterTestClassCallbacks.java:70)
	at org.junit.runners.ParentRunner.run(ParentRunner.java:363)
	at org.springframework.test.context.junit4.SpringJUnit4ClassRunner.run(SpringJUnit4ClassRunner.java:190)
	at org.junit.runner.JUnitCore.run(JUnitCore.java:137)
	at com.intellij.junit4.JUnit4IdeaTestRunner.startRunnerWithArgs(JUnit4IdeaTestRunner.java:68)
	at com.intellij.rt.execution.junit.IdeaTestRunner$Repeater.startRunnerWithArgs(IdeaTestRunner.java:47)
	at com.intellij.rt.execution.junit.JUnitStarter.prepareStreamsAndStart(JUnitStarter.java:242)
	at com.intellij.rt.execution.junit.JUnitStarter.main(JUnitStarter.java:70)
Caused by: org.apache.http.ConnectionClosedException: Connection closed
	at org.elasticsearch.client.RestClient$SyncResponseListener.get(RestClient.java:718)
	at org.elasticsearch.client.RestClient.performRequest(RestClient.java:235)
	at org.elasticsearch.client.RestClient.performRequest(RestClient.java:198)
	at org.elasticsearch.client.RestHighLevelClient.performRequest(RestHighLevelClient.java:522)
	at org.elasticsearch.client.RestHighLevelClient.performRequestAndParseEntity(RestHighLevelClient.java:508)
	at org.elasticsearch.client.RestHighLevelClient.get(RestHighLevelClient.java:293)
	... 34 more
Caused by: org.apache.http.ConnectionClosedException: Connection closed
	at org.apache.http.nio.protocol.HttpAsyncRequestExecutor.endOfInput(HttpAsyncRequestExecutor.java:350)
	at org.apache.http.impl.nio.client.InternalRequestExecutor.endOfInput(InternalRequestExecutor.java:132)
	at org.apache.http.impl.nio.DefaultNHttpClientConnection.consumeInput(DefaultNHttpClientConnection.java:261)
	at org.apache.http.impl.nio.client.InternalIODispatch.onInputReady(InternalIODispatch.java:81)
	at org.apache.http.impl.nio.client.InternalIODispatch.onInputReady(InternalIODispatch.java:39)
	at org.apache.http.impl.nio.reactor.AbstractIODispatch.inputReady(AbstractIODispatch.java:114)
	at org.apache.http.impl.nio.reactor.BaseIOReactor.readable(BaseIOReactor.java:162)
	at org.apache.http.impl.nio.reactor.AbstractIOReactor.processEvent(AbstractIOReactor.java:337)
	at org.apache.http.impl.nio.reactor.AbstractIOReactor.processEvents(AbstractIOReactor.java:315)
	at org.apache.http.impl.nio.reactor.AbstractIOReactor.execute(AbstractIOReactor.java:276)
	at org.apache.http.impl.nio.reactor.BaseIOReactor.execute(BaseIOReactor.java:104)
	at org.apache.http.impl.nio.reactor.AbstractMultiworkerIOReactor$Worker.run(AbstractMultiworkerIOReactor.java:588)
	at java.lang.Thread.run(Thread.java:745)
	Suppressed: org.apache.http.ConnectionClosedException: Connection closed
		... 13 more


Process finished with exit code 255
When the client is rest-high-level-client, the server-side exception:
[2019-11-16T14:03:29,754][WARN ][o.e.x.s.t.n.SecurityNetty4HttpServerTransport] [node-1] caught exception while handling client http traffic, closing connection [id: 0x0eeb7730, L:0.0.0.0/0.0.0.0:9200 ! R:/127.0.0.1:60934]
io.netty.handler.codec.DecoderException: io.netty.handler.ssl.NotSslRecordException: not an SSL/TLS record: 474554202f6974656d2f6974656d2f383030303336383420485454502f312e310d0a436f6e74656e742d4c656e6774683a20300d0a486f73743a203132372e302e302e313a393230300d0a436f6e6e656374696f6e3a204b6565702d416c6976650d0a557365722d4167656e743a204170616368652d487474704173796e63436c69656e742f342e312e3320284a6176612f312e382e305f3932290d0a417574686f72697a6174696f6e3a204261736963205a57786863335270597a6f784d6a4d304e54593d0d0a0d0a
	at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:459) ~[netty-codec-4.1.16.Final.jar:4.1.16.Final]
	at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:265) ~[netty-codec-4.1.16.Final.jar:4.1.16.Final]
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) [netty-transport-4.1.16.Final.jar:4.1.16.Final]
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348) [netty-transport-4.1.16.Final.jar:4.1.16.Final]
	at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340) [netty-transport-4.1.16.Final.jar:4.1.16.Final]
	at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1359) [netty-transport-4.1.16.Final.jar:4.1.16.Final]
When the client is transport, the client-side exception:
org.elasticsearch.transport.ConnectTransportException: [][127.0.0.1:9300] general node connection failure
	at org.elasticsearch.transport.TcpTransport.openConnection(TcpTransport.java:676) ~[elasticsearch-6.3.0.jar:6.3.0]
	at org.elasticsearch.transport.TcpTransport.openConnection(TcpTransport.java:123) ~[elasticsearch-6.3.0.jar:6.3.0]
	at org.elasticsearch.transport.TransportService.openConnection(TransportService.java:350) ~[elasticsearch-6.3.0.jar:6.3.0]
	at org.elasticsearch.client.transport.TransportClientNodesService$SimpleNodeSampler.doSample(TransportClientNodesService.java:407) ~[elasticsearch-6.3.0.jar:6.3.0]
	at org.elasticsearch.client.transport.TransportClientNodesService$NodeSampler.sample(TransportClientNodesService.java:357) [elasticsearch-6.3.0.jar:6.3.0]
	at org.elasticsearch.client.transport.TransportClientNodesService.addTransportAddresses(TransportClientNodesService.java:198) [elasticsearch-6.3.0.jar:6.3.0]
	at org.elasticsearch.client.transport.TransportClient.addTransportAddress(TransportClient.java:334) [elasticsearch-6.3.0.jar:6.3.0]
···
···
Caused by: java.lang.IllegalStateException: handshake failed
	at org.elasticsearch.transport.TcpTransport.executeHandshake(TcpTransport.java:1667) ~[elasticsearch-6.3.0.jar:6.3.0]
	at org.elasticsearch.transport.TcpTransport.openConnection(TcpTransport.java:642) ~[elasticsearch-6.3.0.jar:6.3.0]
	... 43 common frames omitted
Caused by: org.elasticsearch.transport.TransportException: connection reset
	at org.elasticsearch.transport.TcpTransport.cancelHandshakeForChannel(TcpTransport.java:1709) ~[elasticsearch-6.3.0.jar:6.3.0]
	at org.elasticsearch.transport.TcpTransport.lambda$openConnection$12(TcpTransport.java:639) ~[elasticsearch-6.3.0.jar:6.3.0]
	at org.elasticsearch.action.ActionListener.lambda$wrap$0(ActionListener.java:82) ~[elasticsearch-6.3.0.jar:6.3.0]
	at org.elasticsearch.action.ActionListener$1.onResponse(ActionListener.java:60) ~[elasticsearch-6.3.0.jar:6.3.0]
	at org.elasticsearch.action.ActionListener.lambda$toBiConsumer$2(ActionListener.java:96) ~[elasticsearch-6.3.0.jar:6.3.0]
	at java.util.concurrent.CompletableFuture.uniWhenComplete(CompletableFuture.java:760) ~[na:1.8.0_92]
	at java.util.concurrent.CompletableFuture$UniWhenComplete.tryFire(CompletableFuture.java:736) ~[na:1.8.0_92]
	at java.util.concurrent.CompletableFuture.postComplete(CompletableFuture.java:474) ~[na:1.8.0_92]
	at java.util.concurrent.CompletableFuture.complete(CompletableFuture.java:1962) ~[na:1.8.0_92]
	at org.elasticsearch.transport.netty4.NettyTcpChannel.lambda$new$0(NettyTcpChannel.java:47) ~[transport-netty4-client-6.3.0.jar:6.3.0]
	at io.netty.util.concurrent.DefaultPromise.notifyListener0(DefaultPromise.java:511) ~[netty-common-4.1.27.Final.jar:4.1.27.Final]
	at io.netty.util.concurrent.DefaultPromise.notifyListeners0(DefaultPromise.java:504) ~[netty-common-4.1.27.Final.jar:4.1.27.Final]
	at io.netty.util.concurrent.DefaultPromise.notifyListenersNow(DefaultPromise.java:483) ~[netty-common-4.1.27.Final.jar:4.1.27.Final]
	at io.netty.util.concurrent.DefaultPromise.notifyListeners(DefaultPromise.java:424) ~[netty-common-4.1.27.Final.jar:4.1.27.Final]
	at io.netty.util.concurrent.DefaultPromise.trySuccess(DefaultPromise.java:103) ~[netty-common-4.1.27.Final.jar:4.1.27.Final]
	at io.netty.channel.DefaultChannelPromise.trySuccess(DefaultChannelPromise.java:84) ~[netty-transport-4.1.27.Final.jar:4.1.27.Final]
	at io.netty.channel.AbstractChannel$CloseFuture.setClosed(AbstractChannel.java:1148) ~[netty-transport-4.1.27.Final.jar:4.1.27.Final]
	at io.netty.channel.AbstractChannel$AbstractUnsafe.doClose0(AbstractChannel.java:764) ~[netty-transport-4.1.27.Final.jar:4.1.27.Final]
	at io.netty.channel.AbstractChannel$AbstractUnsafe.close(AbstractChannel.java:740) ~[netty-transport-4.1.27.Final.jar:4.1.27.Final]
	at io.netty.channel.AbstractChannel$AbstractUnsafe.close(AbstractChannel.java:611) ~[netty-transport-4.1.27.Final.jar:4.1.27.Final]
	at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.closeOnRead(AbstractNioByteChannel.java:105) ~[netty-transport-4.1.27.Final.jar:4.1.27.Final]
	at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:171) ~[netty-transport-4.1.27.Final.jar:4.1.27.Final]
	at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:646) ~[netty-transport-4.1.27.Final.jar:4.1.27.Final]
	at io.netty.channel.nio.NioEventLoop.processSelectedKeysPlain(NioEventLoop.java:546) ~[netty-transport-4.1.27.Final.jar:4.1.27.Final]
	at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:500) ~[netty-transport-4.1.27.Final.jar:4.1.27.Final]
	at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:460) ~[netty-transport-4.1.27.Final.jar:4.1.27.Final]
	at io.netty.util.concurrent.SingleThreadEventExecutor$5.run(SingleThreadEventExecutor.java:884) ~[netty-common-4.1.27.Final.jar:4.1.27.Final]
	at java.lang.Thread.run(Thread.java:745) ~[na:1.8.0_92]
···
···
NoNodeAvailableException[None of the configured nodes are available: [{#transport#-1}{GRYd5RlYSquKxqKj-Of9gw}{127.0.0.1}{127.0.0.1:9300}, {#transport#-2}{8JKqHBmARb2gR6YdjMynKg}{127.0.0.1}{127.0.0.1:9301}]
]
	at org.elasticsearch.client.transport.TransportClientNodesService.ensureNodesAreAvailable(TransportClientNodesService.java:347)
	at org.elasticsearch.client.transport.TransportClientNodesService.execute(TransportClientNodesService.java:245)
	at org.elasticsearch.client.transport.TransportProxyClient.execute(TransportProxyClient.java:60)
	at org.elasticsearch.client.transport.TransportClient.doExecute(TransportClient.java:378)
	at org.elasticsearch.client.support.AbstractClient.execute(AbstractClient.java:405)
	at org.elasticsearch.client.support.AbstractClient.execute(AbstractClient.java:394)
	at org.elasticsearch.action.ActionRequestBuilder.execute(ActionRequestBuilder.java:46)
	at org.elasticsearch.action.ActionRequestBuilder.get(ActionRequestBuilder.java:53)
When the client is transport, the server-side exception:
[2019-11-16T14:13:04,859][WARN ][o.e.x.s.t.n.SecurityNetty4ServerTransport] [node-1] exception caught on transport layer [NettyTcpChannel{localAddress=0.0.0.0/0.0.0.0:9300, remoteAddress=/127.0.0.1:61256}], closing connection
io.netty.handler.codec.DecoderException: io.netty.handler.ssl.NotSslRecordException: not an SSL/TLS record: 455300000050000000000000000108004d3603010d417574686f72697a6174696f6e1a4261736963205a57786863335270597a6f784d6a4d304e54593d0016696e7465726e616c3a7463702f68616e647368616b6500
	at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:459) ~[netty-codec-4.1.16.Final.jar:4.1.16.Final]
	at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:265) ~[netty-codec-4.1.16.Final.jar:4.1.16.Final]
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) [netty-transport-4.1.16.Final.jar:4.1.16.Final]
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348) [netty-transport-4.1.16.Final.jar:4.1.16.Final]
	at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340) [netty-transport-4.1.16.Final.jar:4.1.16.Final]
	at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1359) [netty-transport-4.1.16.Final.jar:4.1.16.Final]
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) [netty-transport-4.1.16.Final.jar:4.1.16.Final]
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348) [netty-transport-4.1.16.Final.jar:4.1.16.Final]
	at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:935) [netty-transport-4.1.16.Final.jar:4.1.16.Final]
	at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:134) [netty-transport-4.1.16.Final.jar:4.1.16.Final]
	at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:645) [netty-transport-4.1.16.Final.jar:4.1.16.Final]
	at io.netty.channel.nio.NioEventLoop.processSelectedKeysPlain(NioEventLoop.java:545) [netty-transport-4.1.16.Final.jar:4.1.16.Final]
	at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:499) [netty-transport-4.1.16.Final.jar:4.1.16.Final]
	at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:459) [netty-transport-4.1.16.Final.jar:4.1.16.Final]
	at io.netty.util.concurrent.SingleThreadEventExecutor$5.run(SingleThreadEventExecutor.java:858) [netty-common-4.1.16.Final.jar:4.1.16.Final]
	at java.lang.Thread.run(Thread.java:745) [?:1.8.0_92]
Caused by: io.netty.handler.ssl.NotSslRecordException: not an SSL/TLS record: 455300000050000000000000000108004d3603010d417574686f72697a6174696f6e1a4261736963205a57786863335270597a6f784d6a4d304e54593d0016696e7465726e616c3a7463702f68616e647368616b6500
	at io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1106) ~[?:?]
	at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1162) ~[?:?]
	at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:489) ~[?:?]
	at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:428) ~[?:?]
	... 15 more
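
The hex string after "not an SSL/TLS record:" in the two server-side logs above is the first bytes the client sent, so decoding it shows which plaintext protocol reached the TLS-enabled port and whether Basic credentials ended up in the server log. The Python triage script below is an added example, not code from the original post; its log lines are constructed samples (user demo_user, simplified transport frame) and the function names are hypothetical.

```python
import base64
import re

# Netty appends the rejected bytes, hex-encoded, to the exception message.
NOT_SSL_RE = re.compile(r"NotSslRecordException: not an SSL/TLS record: ([0-9a-fA-F]+)")
BASIC_RE = re.compile(rb"Basic ([A-Za-z0-9+/]+=*)")
HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"DELETE ", b"HEAD ", b"OPTIONS ")


def classify_not_ssl_record(log_line):
    """Decode the bytes a TLS listener rejected; return None for unrelated lines."""
    match = NOT_SSL_RE.search(log_line)
    if match is None:
        return None
    hex_payload = match.group(1)
    if len(hex_payload) % 2:             # tolerate a log line cut mid-byte
        hex_payload = hex_payload[:-1]
    raw = bytes.fromhex(hex_payload)

    if raw.startswith(HTTP_METHODS):
        kind = "http"                    # REST client used http:// against an https port
        first_line = raw.split(b"\r\n", 1)[0].decode("ascii", "replace")
    elif raw.startswith(b"ES"):
        kind = "transport"               # transport client connected without SSL settings
        first_line = "ES transport frame"
    else:
        kind = "unknown"
        first_line = ""

    # Report only the user name; the password is not copied into new output.
    user = None
    cred = BASIC_RE.search(raw)
    if cred:
        try:
            decoded = base64.b64decode(cred.group(1), validate=True)
            user = decoded.split(b":", 1)[0].decode("utf-8", "replace")
        except ValueError:
            user = "<undecodable>"
    return {"kind": kind, "first_line": first_line,
            "credentials_in_log": cred is not None, "basic_auth_user": user}


def constructed_sample_lines():
    """Constructed log lines (not taken from the post) for the two failure modes."""
    token = base64.b64encode(b"demo_user:demo_pass")
    http = (b"GET /_cluster/health HTTP/1.1\r\nHost: 127.0.0.1:9200\r\n"
            b"Authorization: Basic " + token + b"\r\n\r\n")
    # Simplified transport frame: 'ES' marker, padding, then the handshake headers.
    transport = (b"ES" + b"\x00" * 13 + b"\rAuthorization\x1aBasic " + token
                 + b"\x00\x16internal:tcp/handshake\x00")
    prefix = ("io.netty.handler.codec.DecoderException: io.netty.handler.ssl."
              "NotSslRecordException: not an SSL/TLS record: ")
    return [prefix + http.hex(), prefix + transport.hex(),
            "[INFO ][o.e.n.Node] [node-1] started"]


if __name__ == "__main__":
    for line in constructed_sample_lines():
        print(classify_not_ssl_record(line))
```

A credential that appears in a log this way should be rotated, and the affected log files handled as sensitive data.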

Solution

When the client is rest-high-level-client

Only the settings parameter needs to be configured (just keep it consistent with the server side).

# With SSL:
#es:
#  settings: {cluster.name: elasticsearch, xpack.security.user: 'elastic:123456', xpack.security.transport.ssl.enabled: true, xpack.security.transport.ssl.verification_mode: certificate, xpack.security.transport.ssl.keystore.path: '/Users/wangnan/workspace/es/es-spring-boot-starter/src/test/resources/certs/elastic-certificates.p12', xpack.security.transport.ssl.truststore.path: '/Users/wangnan/workspace/es/es-spring-boot-starter/src/test/resources/certs/elastic-certificates.p12'}
#  type: TRANSPORT
#  clusters:
#  - 127.0.0.1:9300
#  - 127.0.0.1:9301

# Without SSL:
#es:
#  settings: {cluster.name: elasticsearch, xpack.security.user: 'elastic:123456'}
#  type: TRANSPORT
#  clusters:
#  - 127.0.0.1:9300
#  - 127.0.0.1:9301
When the client is transport

Configuration file:

# With SSL verification
#es:
#  settings: {cluster.name: elasticsearch, xpack.security.user: 'elastic:123456', xpack.security.http.ssl.enabled: true, xpack.security.http.ssl.keystore.path: '/Users/wangnan/workspace/es/es-spring-boot-starter/src/test/resources/certs/elastic-certificates.p12', xpack.security.http.ssl.truststore.path: '/Users/wangnan/workspace/es/es-spring-boot-starter/src/test/resources/certs/elastic-certificates.p12'}
#  type: REST_HIGH_LEVEL
#  clusters:
#  - 127.0.0.1:9200
#  - 127.0.0.1:9201

# Without SSL verification
es:
  settings: {cluster.name: elasticsearch, xpack.security.user: 'elastic:123456'}
  type: REST_HIGH_LEVEL
  clusters:
  - 127.0.0.1:9200
  - 127.0.0.1:9201

In addition, the Java code:

package com.caiya.elasticsearch.core;

import org.apache.commons.collections4.MapUtils;
import org.apache.http.HttpHost;
import org.apache.http.auth.AuthScope;
import org.apache.http.auth.UsernamePasswordCredentials;
import org.apache.http.client.CredentialsProvider;
import org.apache.http.impl.client.BasicCredentialsProvider;
import org.apache.http.ssl.SSLContextBuilder;
import org.apache.http.ssl.SSLContexts;
import org.elasticsearch.client.RestClient;
import org.elasticsearch.client.RestHighLevelClient;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

import javax.net.ssl.SSLContext;
import java.io.InputStream;
import java.nio.file.FileSystems;
import java.nio.file.Files;
import java.security.KeyStore;
import java.util.List;
import java.util.Map;
import java.util.Objects;

/**
 * Rest es client builder.
 *
 * @author wangnan
 * @since 1.0
 */
public final class RestElasticSearchClientBuilder {

    private static final Logger logger = LoggerFactory.getLogger(RestElasticSearchClientBuilder.class);

    private RestHighLevelClient client;

    private String refreshPolicy = "false";

    private boolean refresh = false;

    private static boolean isSslEnabled(Map<String, String> settings) {
        return settings != null && settings.containsKey("xpack.security.http.ssl.enabled") && Objects.equals("true", settings.get("xpack.security.http.ssl.enabled"));
    }

    public static RestElasticSearchClientBuilder create(List<String> clusters, Map<String, String> settings) {
        String schema = isSslEnabled(settings) ? "https" : HttpHost.DEFAULT_SCHEME_NAME;
        return new RestElasticSearchClientBuilder()
                .clustersAndSchema(clusters, schema, settings);
    }

    private RestElasticSearchClientBuilder clustersAndSchema(List<String> clusters, String schema, Map<String, String> settings) {
        try {
            HttpHost[] httpHosts = new HttpHost[clusters.size()];
            int index = 0;
            for (String cluster : clusters) {
                httpHosts[index++] = new HttpHost(cluster.split(":")[0], Integer.parseInt(cluster.split(":")[1]), schema);
            }

            SSLContext sslContext = null;
            if (isSslEnabled(settings)) {
                KeyStore truststore = KeyStore.getInstance("jks");
                try (InputStream is = Files.newInputStream(FileSystems.getDefault().getPath(settings.get("xpack.security.http.ssl.keystore.path")))) {
                    // Use the configured keystore password (empty when none is set), not the keystore path.
                    truststore.load(is, settings.containsKey("xpack.security.http.ssl.keystore.password") ? settings.get("xpack.security.http.ssl.keystore.password").toCharArray() : "".toCharArray());
                    SSLContextBuilder sslBuilder = SSLContexts.custom().loadTrustMaterial(truststore, null);
                    sslContext = sslBuilder.build();
                }
            }

            final SSLContext immutableSslContext = sslContext;
            this.client = new RestHighLevelClient(RestClient.builder(httpHosts).setHttpClientConfigCallback(httpClientBuilder -> {
                CredentialsProvider credentialsProvider = new BasicCredentialsProvider();

                if (MapUtils.isNotEmpty(settings) && settings.containsKey(ElasticSearchConstant.XPACK_AUTH_SETTING)) {
                    credentialsProvider.setCredentials(AuthScope.ANY,
                            // Split on the first ':' only, so a password that contains ':' is kept whole.
                            new UsernamePasswordCredentials(settings.get(ElasticSearchConstant.XPACK_AUTH_SETTING).split(":", 2)[0],
                                    settings.get(ElasticSearchConstant.XPACK_AUTH_SETTING).split(":", 2)[1]));
                }
                httpClientBuilder.setDefaultCredentialsProvider(credentialsProvider);

                if (isSslEnabled(settings)) {
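                    // This verifier accepts any host name, so only the certificate chain is checked
                    // (comparable to verification_mode: certificate in the transport settings above).
                    // Drop setSSLHostnameVerifier once the server certificate lists the host name or IP in its SAN.
                    httpClientBuilder.setSSLContext(immutableSslContext).setSSLHostnameVerifier((s, sslSession) -> true);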
                }

                return httpClientBuilder;
            }));
        } catch (Exception e) {
            logger.error("elasticsearch rest client init failed", e);
            if (client != null) {
                try {
                    client.close();
                    client = null;// help gc
                } catch (Exception e1) {
                    logger.error("elasticsearch rest client close failed", e1);
                }
            }
        }
        return this;
    }

    public RestElasticSearchClientBuilder setRefreshPolicy(String refreshPolicy) {
        this.refreshPolicy = (refreshPolicy == null) ? "" : refreshPolicy;
        return this;
    }

    public RestElasticSearchClientBuilder setRefresh(boolean refresh) {
        this.refresh = refresh;
        return this;
    }

    public RestElasticSearchClient build() {
        return buildWithClientName(null);
    }

    public RestElasticSearchClient buildWithClientName(String name) {
        if (client == null) {
            logger.error("rest client cannot be null");
            throw new IllegalArgumentException("rest client cannot be null");
        }

        RestElasticSearchClient restElasticSearchClient = new RestElasticSearchClient(client);
        restElasticSearchClient.setName(name);
        restElasticSearchClient.setRefreshPolicy(refreshPolicy);
        restElasticSearchClient.setRefresh(refresh);
        return restElasticSearchClient;
    }

    /**
     * @return elasticsearch low-level client
     * @see <a href="https://www.elastic.co/guide/en/elasticsearch/client/java-rest/current/java-rest-low-usage-requests.html">low-level client usage</a>
     */
    public RestClient buildOriginalLowLevelClient() {
        if (client == null) {
            logger.error("rest client cannot be null");
            throw new IllegalArgumentException("rest client cannot be null");
        }

        return client.getLowLevelClient();
    }


}
