ELK 6.6.1: easily cracking the elasticsearch x-pack plugin
My blog: http://xsboke.blog.51cto.com
-------Thank you for reading; questions and discussion are welcome
---
Contents
* Cracking procedure.
* Start `elk` with `docker`.
* Recompile and regenerate the files `LicenseVerifier.class` and `XPackBuild.class`.
* Replace the old `x-pack-core-6.6.1.jar`.
* Modify `elasticsearch.yml`, then restart `elk`, otherwise the license cannot be uploaded.
* Request, modify and upload the license.
* Enable ES login.
* Verify.
---
## Requirement
``````shell
Enable authentication for elk.
``````
## Environment
``````shell
An elk 6.6.1 container run with docker.
``````
## Cracking procedure
``````shell
1. Recompile and replace the files LicenseVerifier.class and XPackBuild.class inside x-pack-core-6.6.1.jar.
2. Request a basic license and edit its contents into a platinum license.
3. Upload the license and enable ES login.
``````
## Start `elk` with `docker`
``````shell
# The version used is 6.6.1
docker run -d --name elk -v /etc/localtime:/etc/localtime -e ES_MIN_MEM=128m -e ES_MAX_MEM=4096m -e ES_JAVA_OPTS="-Xms4096m -Xmx4096m" -v /data_volume/elasticsearch-indices-test:/var/lib/elasticsearch --restart=always -e "LANG=C.UTF-8" -p 15601:5601 -p 19200:9200 -p 19300:9300 -p 15044:5044 -it sebp/elk:661
``````
## Recompile and regenerate the files `LicenseVerifier.class` and `XPackBuild.class`
### Download `x-pack-core-6.6.1.jar`, open it with `winrar`, and locate the files `LicenseVerifier.class` and `XPackBuild.class`
``````shell
# /opt/elasticsearch/modules/x-pack-core/x-pack-core-6.6.1.jar
1. x-pack-core-6.6.1.jar\org\elasticsearch\license\LicenseVerifier.class
2. x-pack-core-6.6.1.jar\org\elasticsearch\xpack\core\XPackBuild.class
``````
### Download the `luyten` decompiler, decompile the two files, then modify them with reference to the two files below
``````shell
Decompiler download address:
https://github.com/deathmarine/Luyten/releases/tag/v0.5.4_Rebuilt_with_Latest_depenencies
``````
``````java
/* LicenseVerifier.java */
package org.elasticsearch.license;

import java.nio.*;
import org.elasticsearch.common.bytes.*;
import java.security.*;
import java.util.*;
import org.elasticsearch.common.xcontent.*;
import org.apache.lucene.util.*;
import org.elasticsearch.core.internal.io.*;
import java.io.*;

public class LicenseVerifier
{
    public static boolean verifyLicense(final License license, final byte[] publicKeyData) {
        byte[] signedContent = null;
        byte[] publicKeyFingerprint = null;
        return true;
    }

    public static boolean verifyLicense(final License license) {
        return true;
    }
}
``````
``````java
/* XPackBuild.java */
package org.elasticsearch.xpack.core;

import org.elasticsearch.common.io.*;
import java.net.*;
import org.elasticsearch.common.*;
import java.nio.file.*;
import java.io.*;
import java.util.jar.*;

public class XPackBuild
{
    public static final XPackBuild CURRENT;
    private String shortHash;
    private String date;

    @SuppressForbidden(reason = "looks up path of xpack.jar directly")
    static Path getElasticsearchCodebase() {
        final URL url = XPackBuild.class.getProtectionDomain().getCodeSource().getLocation();
        try {
            return PathUtils.get(url.toURI());
        }
        catch (URISyntaxException bogus) {
            throw new RuntimeException(bogus);
        }
    }

    XPackBuild(final String shortHash, final String date) {
        this.shortHash = shortHash;
        this.date = date;
    }

    public String shortHash() {
        return this.shortHash;
    }

    public String date() {
        return this.date;
    }

    static {
        final Path path = getElasticsearchCodebase();
        String shortHash = null;
        String date = null;
        Label_0109: {
            shortHash = "Unknown";
            date = "Unknown";
        }
        CURRENT = new XPackBuild(shortHash, date);
    }
}
``````
### Compile the two `java` files back into `class` files
``````shell
# javac -cp "/opt/elasticsearch/lib/elasticsearch-6.6.1.jar:/opt/elasticsearch/lib/elasticsearch-core-6.6.1.jar:/opt/elasticsearch/lib/lucene-core-7.6.0.jar:/opt/elasticsearch/modules/x-pack-core/x-pack-core-6.6.1.jar" LicenseVerifier.java
# javac -cp "/opt/elasticsearch/lib/elasticsearch-6.6.1.jar:/opt/elasticsearch/lib/elasticsearch-core-6.6.1.jar:/opt/elasticsearch/lib/lucene-core-7.6.0.jar:/opt/elasticsearch/modules/x-pack-core/x-pack-core-6.6.1.jar" XPackBuild.java
``````
### Put the two new `class` files into `x-pack-core-6.6.1.jar`
``````shell
1. x-pack-core-6.6.1.jar\org\elasticsearch\license\LicenseVerifier.class
2. x-pack-core-6.6.1.jar\org\elasticsearch\xpack\core\XPackBuild.class
``````
## Replace the old `x-pack-core-6.6.1.jar`
``````shell
# mv x-pack-core-6.6.1.jar /opt/elasticsearch/modules/x-pack-core/
``````
## Modify `elasticsearch.yml`, then restart `elk`, otherwise the license cannot be uploaded
``````shell
# vim /etc/elasticsearch/elasticsearch.yml
xpack.security.enabled: false
# docker restart elk
``````
## Request, modify and upload the license
``````shell
1. Request a license
https://license.elastic.co/registration
2. Download and modify the license; the license file can be kept and reused
Main changes:
Change the license type to "type":"platinum"
Change the expiry time to "expiry_date_in_millis":2524579200999
# cat license.json
{"license":{"uid":"......","type":"platinum","issue_date_in_millis":1625097600000,"expiry_date_in_millis":2524579200999,"max_nodes":100,"issued_to":"xxx xxx (xxx)","issuer":"Web Form","signature":"......","start_date_in_millis":1625097600000}}
3. Upload the license
Visit: http://<your-kibana-IP>:5601/app/kibana#/management/elasticsearch/license_management/home.
Click: Upload license, then drop in the license file.
``````
## Enable `ES` login
``````shell
1. Enable the security features and restart elk
# vim /etc/elasticsearch/elasticsearch.yml
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
# docker restart elk
2. Set the passwords; answer Y at the prompt and enter a password. In this example the password is: mA&m39jizV
# /opt/elasticsearch/bin/elasticsearch-setup-passwords interactive
3. Modify the kibana config file and add the authentication options
# cat /opt/kibana/config/kibana.yml
i18n.locale: "zh-CN"
kibana.index: ".kibana"
elasticsearch.username: "elastic"
elasticsearch.password: "mA&m39jizV"
4. Modify the logstash config file
# cat /opt/logstash/config/logstash.yml
xpack.monitoring.elasticsearch.username: logstash_system
xpack.monitoring.elasticsearch.password: mA&m39jizV
5. Modify 02-beats-input.conf
# cat /etc/logstash/conf.d/02-beats-input.conf
input {
beats {
port => 5044
ssl => true
ssl_certificate => "/etc/pki/tls/certs/logstash-beats.crt"
ssl_key => "/etc/pki/tls/private/logstash-beats.key"
}
}
output{
elasticsearch {
hosts => ["localhost:9200"]
index => "ruizhi-log-%{+YYYY.MM.dd}"
user => "elastic"
password => "mA&m39jizV"
}
}
6. Modify 30-output.conf
# cat /etc/logstash/conf.d/30-output.conf
output {
elasticsearch {
hosts => ["localhost"]
manage_template => false
index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
user => "elastic"
password => "mA&m39jizV"
}
}
7. Restart elk
# docker restart elk
``````
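A configuration audit an operator might run after the steps above, added here as an example that is not part of the original post. It parses the flat `key: value` lines of `elasticsearch.yml`, `kibana.yml` and `logstash.yml`, reports `xpack.security.enabled` not being `true` (the state left behind by the earlier license-upload step) and transport TLS being off, and flags password literals in the Kibana and Logstash configs and in a pipeline `.conf`, which belong in the Kibana and Logstash keystores rather than in plaintext files. The sample config texts are constructed inline from the values shown on this page; a real run would read the file paths used above instead. The function names and the `${NAME}` keystore convention for Logstash are the only assumptions beyond the page.

```python
"""Audit the X-Pack security settings used above (added example, not from the post)."""
import re
from dataclasses import dataclass

# Constructed samples mirroring the config shown in the steps above; a real run
# would read /etc/elasticsearch/elasticsearch.yml, /opt/kibana/config/kibana.yml,
# /opt/logstash/config/logstash.yml and /etc/logstash/conf.d/*.conf instead.
SAMPLE_ES_YML = "xpack.security.enabled: true\nxpack.security.transport.ssl.enabled: true\n"
SAMPLE_ES_YML_OPEN = "xpack.security.enabled: false\n"   # state after the license-upload step
SAMPLE_KIBANA_YML = (
    'i18n.locale: "zh-CN"\nkibana.index: ".kibana"\n'
    'elasticsearch.username: "elastic"\nelasticsearch.password: "mA&m39jizV"\n'
)
SAMPLE_LOGSTASH_YML = (
    "xpack.monitoring.elasticsearch.username: logstash_system\n"
    "xpack.monitoring.elasticsearch.password: mA&m39jizV\n"
)
SAMPLE_PIPELINE_CONF = (
    'output {\n  elasticsearch {\n    hosts => ["localhost:9200"]\n'
    '    user => "elastic"\n    password => "mA&m39jizV"\n  }\n}\n'
)

KV_RE = re.compile(r'^\s*([A-Za-z0-9_.]+)\s*:\s*(.*?)\s*$')
PIPELINE_PW_RE = re.compile(r'^\s*password\s*=>\s*"([^"]*)"', re.MULTILINE)


def parse_flat_yaml(text):
    """Parse the flat `key: value` lines these files use (comment lines skipped, quotes stripped)."""
    settings = {}
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = KV_RE.match(line)
        if m:
            settings[m.group(1)] = m.group(2).strip("\"'")
    return settings


@dataclass
class Finding:
    severity: str   # "high" or "medium"
    source: str     # which file the finding refers to
    message: str


def audit_yaml(es, kibana, logstash):
    """Check the three parsed config dicts and return a list of findings."""
    findings = []
    if es.get("xpack.security.enabled", "false").lower() != "true":
        findings.append(Finding("high", "elasticsearch.yml",
            "xpack.security.enabled is not true: the REST API accepts unauthenticated requests"))
    if es.get("xpack.security.transport.ssl.enabled", "false").lower() != "true":
        findings.append(Finding("high", "elasticsearch.yml",
            "xpack.security.transport.ssl.enabled is not true: node-to-node traffic is unencrypted"))
    for source, cfg in (("kibana.yml", kibana), ("logstash.yml", logstash)):
        for key, value in cfg.items():
            # A ${NAME} reference resolves from the Logstash keystore and is fine; a literal is not.
            if key.endswith(".password") and value and not value.startswith("${"):
                findings.append(Finding("medium", source,
                    f"{key} is a plaintext literal; store it in the keystore instead"))
    return findings


def audit_pipeline(text, source="pipeline.conf"):
    """Flag literal `password => "..."` settings in a Logstash pipeline file."""
    return [Finding("medium", source, "elasticsearch output password is a plaintext literal")
            for _ in PIPELINE_PW_RE.finditer(text)]


def run_with_samples():
    """Audit the constructed samples; returns the combined finding list."""
    findings = audit_yaml(parse_flat_yaml(SAMPLE_ES_YML),
                          parse_flat_yaml(SAMPLE_KIBANA_YML),
                          parse_flat_yaml(SAMPLE_LOGSTASH_YML))
    findings += audit_pipeline(SAMPLE_PIPELINE_CONF, "02-beats-input.conf")
    return findings


if __name__ == "__main__":
    for f in run_with_samples():
        print(f"[{f.severity}] {f.source}: {f.message}")
```

Against the samples the two `high` checks pass and three `medium` findings remain, one per plaintext password. For Kibana the fix is `bin/kibana-keystore add elasticsearch.password` and removing the key from `kibana.yml`; for Logstash, `bin/logstash-keystore add ES_PWD` and `${ES_PWD}` in place of the literal in both `logstash.yml` and the pipeline files.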
## Verify
``````shell
# Visit kibana and log in with username: elastic, password: mA&m39jizV; after a successful login you can see the current license version and expiry time.
``````