When you connect to Elasticsearch through the RestClient and the Elasticsearch service, for security reasons, requires encrypted access using a provided certificate, you can configure TLS-encrypted communication through the HttpClientConfigCallback. The org.apache.http.impl.nio.client.HttpAsyncClientBuilder it receives as a parameter exposes several methods for configuring encrypted communication: setSSLContext, setSSLSessionStrategy and setConnectionManager, listed in order of precedence from the least important.
When accessing an Elasticsearch cluster that is set up for TLS on the HTTP layer, the client needs to trust the certificate that Elasticsearch is using. The following is an example of setting up the client to trust the CA that has signed the certificate Elasticsearch is using, when that CA certificate is available in a PKCS#12 keystore:
```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import javax.net.ssl.SSLContext;
import org.apache.http.HttpHost;
import org.apache.http.impl.nio.client.HttpAsyncClientBuilder;
import org.apache.http.ssl.SSLContextBuilder;
import org.apache.http.ssl.SSLContexts;
import org.elasticsearch.client.RestClient;
import org.elasticsearch.client.RestClientBuilder;
import org.elasticsearch.client.RestClientBuilder.HttpClientConfigCallback;

Path trustStorePath = Paths.get("/path/to/truststore.p12");
KeyStore truststore = KeyStore.getInstance("pkcs12");
try (InputStream is = Files.newInputStream(trustStorePath)) {
    // keyStorePass holds the truststore password and is supplied by the caller
    truststore.load(is, keyStorePass.toCharArray());
}
// trust only the CA certificate(s) in the truststore (null = default trust strategy)
SSLContextBuilder sslBuilder = SSLContexts.custom()
        .loadTrustMaterial(truststore, null);
final SSLContext sslContext = sslBuilder.build();
RestClientBuilder builder = RestClient.builder(
        new HttpHost("localhost", 9200, "https"))
        .setHttpClientConfigCallback(new HttpClientConfigCallback() {
            @Override
            public HttpAsyncClientBuilder customizeHttpClient(
                    HttpAsyncClientBuilder httpClientBuilder) {
                return httpClientBuilder.setSSLContext(sslContext);
            }
        });
```
Below is the scenario where we need to provide both a keystore (client certificate) and a truststore:
```java
import java.io.File;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.SSLContext;
import org.apache.http.HttpHost;
import org.apache.http.auth.AuthScope;
import org.apache.http.auth.UsernamePasswordCredentials;
import org.apache.http.client.CredentialsProvider;
import org.apache.http.impl.client.BasicCredentialsProvider;
import org.apache.http.impl.nio.client.HttpAsyncClientBuilder;
import org.apache.http.ssl.SSLContextBuilder;
import org.elasticsearch.client.RestClient;
import org.elasticsearch.client.RestClientBuilder;
import org.elasticsearch.client.RestHighLevelClient;

// keyStorePath, keyStorePwd, trustStorePath, address ("host:port,host:port"),
// userName, password and log are class fields populated from configuration.
public static RestHighLevelClient initRestHighLevelClient() {
    try {
        KeyStore keyStore = KeyStore.getInstance("jceks"); // depends on your keyStoreType
        try (InputStream is = new FileInputStream(keyStorePath)) {
            keyStore.load(is, keyStorePwd.toCharArray());
        }
        SSLContextBuilder builder = new SSLContextBuilder();
        // client certificate and private key for mutual TLS
        builder.loadKeyMaterial(keyStore, keyStorePwd.toCharArray());
        // truststore of the JVM default type, opened without a password
        // (use the (File, char[]) overload for a password-protected store)
        builder.loadTrustMaterial(new File(trustStorePath));
        final SSLContext context = builder.build();
        List<HttpHost> hostLists = new ArrayList<>();
        String[] hostList = address.split(",");
        for (String addr : hostList) {
            String host = addr.split(":")[0];
            String port = addr.split(":")[1];
            hostLists.add(new HttpHost(host, Integer.parseInt(port), "https"));
        }
        HttpHost[] httpHost = hostLists.toArray(new HttpHost[]{});
        // HTTP basic authentication against Elasticsearch
        final CredentialsProvider credentialsProvider = new BasicCredentialsProvider();
        credentialsProvider.setCredentials(
                AuthScope.ANY, new UsernamePasswordCredentials(userName, password));
        RestClientBuilder restClientBuilder = RestClient
                .builder(httpHost)
                .setHttpClientConfigCallback(new RestClientBuilder.HttpClientConfigCallback() {
                    @Override
                    public HttpAsyncClientBuilder customizeHttpClient(HttpAsyncClientBuilder httpAsyncClientBuilder) {
                        return httpAsyncClientBuilder.setDefaultCredentialsProvider(credentialsProvider).setSSLContext(context);
                    }
                });
        return new RestHighLevelClient(restClientBuilder);
    } catch (Exception e) {
        // log the full exception, not only its message, so the failing step is visible;
        // callers must check for the null result
        log.error("=======init RestHighLevelClient failed", e);
        return null;
    }
}
```
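Combining the two scenarios above with a startup check on the truststore, as an added example that is not from the original post or from the Elasticsearch client; the class name EsTlsClientFactory, PKCS#12 format for both stores and the password parameters are assumptions. The check rejects a truststore that holds no currently valid CA certificate, so a wrong or expired file fails at initialization instead of surfacing as a handshake error on the first request.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import javax.net.ssl.SSLContext;
import org.apache.http.HttpHost;
import org.apache.http.conn.ssl.DefaultHostnameVerifier;
import org.apache.http.ssl.SSLContexts;
import org.elasticsearch.client.RestClient;
import org.elasticsearch.client.RestClientBuilder;
// Hypothetical helper, not part of the Elasticsearch client or the original post.
public final class EsTlsClientFactory {
    static KeyStore loadPkcs12(Path path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = Files.newInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }
    // Fails at startup, not at the first handshake, when no valid CA certificate is present.
    static int countValidCaCerts(KeyStore truststore) throws Exception {
        int found = 0;
        for (Enumeration<String> e = truststore.aliases(); e.hasMoreElements(); ) {
            Certificate c = truststore.getCertificate(e.nextElement());
            if (c instanceof X509Certificate) {
                X509Certificate x = (X509Certificate) c;
                x.checkValidity();                         // throws if expired or not yet valid
                if (x.getBasicConstraints() >= 0) found++; // -1 means "not a CA"
            }
        }
        if (found == 0) throw new IllegalStateException("truststore contains no CA certificate");
        return found;
    }
    // Mutual TLS: client certificate from the keystore, server trust from the truststore,
    // plus an explicit hostname verifier so the server certificate must match the host name.
    public static RestClientBuilder builder(Path keyStore, char[] keyPass, Path trustStore,
                                            char[] trustPass, HttpHost... hosts) throws Exception {
        KeyStore trust = loadPkcs12(trustStore, trustPass);
        countValidCaCerts(trust);
        final SSLContext ctx = SSLContexts.custom()
                .loadKeyMaterial(loadPkcs12(keyStore, keyPass), keyPass)
                .loadTrustMaterial(trust, null).build();
        return RestClient.builder(hosts).setHttpClientConfigCallback(b ->
                b.setSSLContext(ctx).setSSLHostnameVerifier(new DefaultHostnameVerifier()));
    }
}
```

Call builder(...) with HttpHost instances that use the "https" scheme; a truststore entry that is a leaf certificate rather than a CA (basic constraints absent) does not count toward the check.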
For more encrypted-communication scenarios, see the official documentation:
https://www.elastic.co/guide/en/elasticsearch/client/java-rest/current/_encrypted_communication.html