Reviewed-by: Rechenburg, Matthias <matthias.rechenburg@t-systems.com> Co-authored-by: Su, Xiaomeng <suxiaomeng1@huawei.com> Co-committed-by: Su, Xiaomeng <suxiaomeng1@huawei.com>
<a name="dli_09_0189"></a><a name="dli_09_0189"></a>
<h1 class="topictitle1">CSS Security Cluster Configuration</h1>
<div id="body0000001176841789"><div class="section" id="dli_09_0189__section4741546145716"><a name="dli_09_0189__section4741546145716"></a><a name="section4741546145716"></a><h4 class="sectiontitle">Preparations</h4><div class="p" id="dli_09_0189__p069412508715">Elasticsearch 6.5.4 and later versions provided by CSS support security settings. Once the function is enabled, CSS provides identity authentication, authorization, and encryption for users. Before connecting DLI to the CSS security cluster, you need to perform certain preparations.<ol id="dli_09_0189__en-us_topic_0187816933_ol49786475133"><li id="dli_09_0189__en-us_topic_0187816933_li597994741317">Select CSS Elasticsearch 6.5.4 or a later cluster version, create a CSS security cluster, and download the security cluster certificate (<strong id="dli_09_0189__b275418161816">CloudSearchService.cer</strong>).<ol type="a" id="dli_09_0189__ol8292184610810"><li id="dli_09_0189__li155144317815">Log in to the CSS management console, click <strong id="dli_09_0189__b5229153411246">Clusters</strong>, and select the cluster for which you want to create a datasource connection.</li><li id="dli_09_0189__li4854722557">Click <strong id="dli_09_0189__b118851194514">Download Certificate</strong> next to <strong id="dli_09_0189__b7984115654514">Security Mode</strong> to download the security certificate.</li></ol>
</li><li id="dli_09_0189__en-us_topic_0187816933_li134485398277">Use keytool to generate the <strong id="dli_09_0189__b588826121820">keystore</strong> and <strong id="dli_09_0189__b58912266184">truststore</strong> files.<ol type="a" id="dli_09_0189__en-us_topic_0187816933_ol109907252012"><li id="dli_09_0189__en-us_topic_0187816933_li98171803111">The security certificate <strong id="dli_09_0189__b197414288316">CloudSearchService.cer</strong> of the security cluster is required when you use keytool to generate the keystore and truststore files. You can set other keytool parameters as required. <ol class="substepthirdol" id="dli_09_0189__ol14277547984"><li id="dli_09_0189__li18137642584">Open the cmd command window and run the following command to generate a <strong id="dli_09_0189__b20357151393610">keystore</strong> file that contains a private key:<pre class="screen" id="dli_09_0189__screen8137114210815">keytool -genkeypair -alias certificatekey -keyalg RSA -keystore transport-keystore.jks</pre>
</li><li id="dli_09_0189__li167285179144">After the <strong id="dli_09_0189__b14146822173619">keystore</strong> and <strong id="dli_09_0189__b15722112510365">truststore</strong> files are generated using keytool, you can view the <strong id="dli_09_0189__b786833719362">transport-keystore.jks</strong> file in the folder. Run the following command to verify the <strong id="dli_09_0189__b81221551143612">keystore</strong> file and certificate information:<pre class="screen" id="dli_09_0189__screen580294821510">keytool -list -v -keystore transport-keystore.jks</pre>
<p id="dli_09_0189__p152305130218">After you enter the correct keystore password, the corresponding information is displayed.</p>
</li><li id="dli_09_0189__li443814292204">Run the following commands to create the <strong id="dli_09_0189__b68999428373">truststore.jks</strong> file and verify it:<pre class="screen" id="dli_09_0189__screen15853194132114">keytool -import -alias certificatekey -file CloudSearchService.cer -keystore truststore.jks
keytool -list -v -keystore truststore.jks</pre>
</li></ol>
</li><li id="dli_09_0189__en-us_topic_0187816933_li16497195513192">Upload the generated <strong id="dli_09_0189__b999220467187">keystore</strong> and <strong id="dli_09_0189__b12998144631816">truststore</strong> files to an OBS bucket.</li></ol>
</li></ol>
</div>
</div>
<div class="section" id="dli_09_0189__section9153123472618"><h4 class="sectiontitle">CSS Security Cluster Parameter Configuration</h4><p id="dli_09_0189__p8690185717279">For details about the parameters, see <a href="dli_09_0061.html#dli_09_0061__en-us_topic_0190067468_table569314388144">Table 1</a>. This part describes the precautions for configuring the connection parameters of the CSS security cluster.</p>
<pre class="screen" id="dli_09_0189__screen1769035752714">.option("es.net.http.auth.user", "admin")
.option("es.net.http.auth.pass", "***")</pre>
<p id="dli_09_0189__p1469112572277">The parameters are the identity authentication account and password, which are also the account and password for logging in to Kibana.</p>
<pre class="screen" id="dli_09_0189__screen146911557202714">.option("es.net.ssl", "true")</pre>
<ul id="dli_09_0189__ul152118151162"><li id="dli_09_0189__li18521131519619">If HTTPS access is enabled for the CSS security cluster, set this parameter to <strong id="dli_09_0189__b1457512540398">true</strong> and then set parameters such as the security certificate and file address.</li><li id="dli_09_0189__li5521191512618">If HTTPS access is not enabled for the CSS security cluster, set this parameter to <strong id="dli_09_0189__b855682114011">false</strong>. In this case, you do not need to set parameters such as the security certificate and file address.</li></ul>
<pre class="screen" id="dli_09_0189__screen8691175732718">.option("es.net.ssl.keystore.location", "obs://Bucket name/path/transport-keystore.jks")
.option("es.net.ssl.keystore.pass", "***")</pre>
<p id="dli_09_0189__p1569135772711">Set the location of the <strong id="dli_09_0189__b1958118499426">keystore.jks</strong> file and the key for accessing the file. Place the <strong id="dli_09_0189__b887811516433">keystore.jks</strong> file generated in <a href="#dli_09_0189__section4741546145716">Preparations</a> in the OBS bucket, and then enter the AK, SK, and location of the <strong id="dli_09_0189__b117101130164314">keystore.jks</strong> file. Enter the key for accessing the file in <strong id="dli_09_0189__b650824615432">es.net.ssl.keystore.pass</strong>.</p>
<pre class="screen" id="dli_09_0189__screen969195742710">.option("es.net.ssl.truststore.location", "obs://Bucket name/path/truststore.jks")
.option("es.net.ssl.truststore.pass", "***")</pre>
<p id="dli_09_0189__p3692175792714">The parameters for the <strong id="dli_09_0189__b89251332526">truststore.jks</strong> file are set in basically the same way as those for the <strong id="dli_09_0189__b1194785045216">keystore.jks</strong> file. You can refer to the preceding procedure to set them.</p>
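<p>The rules above can be checked before a job is submitted. The following pre-flight check is an added example, not code from DLI or CSS: <code>check_css_options</code> and the sample values are hypothetical, and treating anything other than an <code>obs://</code> path ending in <code>.jks</code> as a mistake is an assumption based on the examples on this page.</p>

```python
# Added example: check_css_options and the sample values are hypothetical.
CERT_KEYS = [
    "es.net.ssl.keystore.location", "es.net.ssl.keystore.pass",
    "es.net.ssl.truststore.location", "es.net.ssl.truststore.pass",
]
SECRET_KEYS = ["es.net.http.auth.pass", "es.net.ssl.keystore.pass",
               "es.net.ssl.truststore.pass"]


def check_css_options(opts):
    """Return a list of problems found in a dict of .option() key/value pairs."""
    problems = []
    for key in ("es.net.http.auth.user", "es.net.http.auth.pass"):
        if not opts.get(key):
            problems.append(f"missing {key}")
    ssl = opts.get("es.net.ssl")
    if ssl not in ("true", "false"):
        problems.append('es.net.ssl must be "true" or "false"')
    elif ssl == "true":
        # HTTPS enabled: all four certificate settings are required.
        for key in CERT_KEYS:
            value = opts.get(key)
            if not value:
                problems.append(f"missing {key} (required when es.net.ssl is true)")
            elif key.endswith(".location") and not (
                value.startswith("obs://") and value.endswith(".jks")
            ):
                problems.append(f"{key} should be an obs:// path to a .jks file")
    else:
        # HTTPS disabled: certificate settings are not used.
        for key in CERT_KEYS:
            if key in opts:
                problems.append(f"{key} is not needed when es.net.ssl is false")
    for key in SECRET_KEYS:
        if opts.get(key) == "***":
            problems.append(f"{key} still holds the masked placeholder")
    return problems


# Constructed sample: HTTPS enabled but the truststore settings were forgotten.
sample = {
    "es.net.http.auth.user": "admin",
    "es.net.http.auth.pass": "example-password",
    "es.net.ssl": "true",
    "es.net.ssl.keystore.location": "obs://example-bucket/certs/transport-keystore.jks",
    "es.net.ssl.keystore.pass": "example-keystore-pass",
}

if __name__ == "__main__":
    print("\n".join(check_css_options(sample)))
```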
</div>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="dli_09_0089.html">Connecting to CSS</a></div>
</div>
</div>