SearchBlox for OpenSearch Server

Below are the steps to enable SSL for the OpenSearch server.


Prerequisites

  • Make sure the OpenSearch server is installed and running.
  • OpenSSL installed on your system (it is used to generate the certificates).
  • Make sure you have administrator access to the SearchBlox server.

Steps to Generate Self-Signed Elastic Server Certificate:

  1. Navigate to the config directory

    cd <opensearch-installation-path>/config
    
  2. Generate Root CA Private Key
    To create a private key, run the command below. (You can skip this step if you already have a CA certificate.)

    openssl genrsa -out root-ca-key.pem 2048

    The root-ca-key.pem file is generated inside <opensearch-installation-path>/.

    Note: You may be asked to enter an output file name and a password. (This step is optional.)

  3. Create Root CA Certificate
    Use the command below to generate a root certificate for the OpenSearch node.

    openssl req -new -x509 -sha256 -key root-ca-key.pem -out root-ca.pem -days 730


    Note: Enter your organization details when prompted, such as:

    • Country (2-letter code)
    • State or Province
    • City
    • Organization name
    • Department or Team name
    • Domain name (Common Name)
    • Email address
  4. Move the generated file to this folder:
    /config
    Then give it full permissions.

  5. Create admin certificates:
    First, generate the admin key (you will need the CA certificate for this step).

    openssl genrsa -out admin-key-temp.pem 2048

    Then convert that key to PKCS#8 format for use in Java using a PKCS#12-compatible algorithm (3DES):

    openssl pkcs8 -inform PEM -outform PEM -in admin-key-temp.pem -topk8 -nocrypt -v1 PBE-SHA1-3DES -out admin-key.pem

    Next, create a certificate signing request (CSR). This file acts as an application to a CA for a signed certificate:

    openssl req -new -key admin-key.pem -out admin.csr

    Follow the prompts to fill in the details. Finally, generate the certificate itself:

    openssl x509 -req -in admin.csr -CA root-ca.pem -CAkey root-ca-key.pem -CAcreateserial -sha256 -out admin.pem -days 730

  6. You need to add the Distinguished Names (DNs) for all admin and node certificates to the opensearch.yml file on every node. If you use the certificates created by the commands above, your opensearch.yml file may look like this:

plugins.security.authcz.admin_dn:
  - 'CN=ADMIN,OU=UNIT,O=ORG,L=TORONTO,ST=ONTARIO,C=CA'
plugins.security.nodes_dn:
  - 'CN=node1.example.com,OU=UNIT,O=ORG,L=TORONTO,ST=ONTARIO,C=CA'
  - 'CN=node2.example.com,OU=UNIT,O=ORG,L=TORONTO,ST=ONTARIO,C=CA'

Note: After creating the certificate, the subject that openssl prints by default may not match the format shown above. To print the subject in the RFC 2253 format that opensearch.yml expects, run the command below.

openssl x509 -subject -nameopt RFC2253 -noout -in node.pem
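The DN in opensearch.yml must match the certificate subject character for character, and the default `openssl x509 -subject` output lists the RDNs in the opposite order from RFC 2253. The following added example (not part of the SearchBlox documentation) normalises a subject line into the RFC 2253 form and checks it against the admin_dn / nodes_dn lists of a constructed opensearch.yml fragment; the SAMPLE_YML text and the function names are assumptions made for this example.

```python
import re

# Constructed sample opensearch.yml fragment, mirroring the DN entries above.
SAMPLE_YML = """\
plugins.security.ssl.transport.enforce_hostname_verification: false
plugins.security.authcz.admin_dn:
  - 'CN=ADMIN,OU=UNIT,O=ORG,L=TORONTO,ST=ONTARIO,C=CA'
plugins.security.nodes_dn:
  - 'CN=node1.example.com,OU=UNIT,O=ORG,L=TORONTO,ST=ONTARIO,C=CA'
  - 'CN=node2.example.com,OU=UNIT,O=ORG,L=TORONTO,ST=ONTARIO,C=CA'
"""

def to_rfc2253(subject_line):
    """Normalise an `openssl x509 -subject` line to the RFC 2253 form used in
    nodes_dn/admin_dn. Accepts -nameopt RFC2253 output, the OpenSSL 1.1+ default
    ("C = CA, ST = ...") and the legacy "/C=CA/ST=..." form. Values that need
    RFC 2253 escaping (embedded commas, etc.) are not handled."""
    s = subject_line.strip()
    if s.startswith("subject="):
        s = s[len("subject="):].strip()
    # The default and legacy formats print RDNs C-first; RFC 2253 is CN-first.
    reverse = s.startswith("/") or " = " in s
    parts = [p for p in s.split("/") if p] if s.startswith("/") else s.split(",")
    rdns = [(k.strip().upper(), v.strip()) for k, v in (p.split("=", 1) for p in parts)]
    if reverse:
        rdns.reverse()
    return ",".join(f"{k}={v}" for k, v in rdns)

def dn_lists(yml_text):
    """Pull the '<key>:' + "  - '...'" lists out of a simple opensearch.yml
    fragment using only the standard library (no full YAML parser needed)."""
    lists, current = {}, None
    for line in yml_text.splitlines():
        key = re.match(r"^(\S+):\s*$", line)
        item = re.match(r"^\s+-\s*'([^']*)'", line)
        if key:
            current = key.group(1)
            lists[current] = []
        elif item and current is not None:
            lists[current].append(item.group(1))
        elif line.strip():
            current = None  # any other top-level setting ends the list
    return lists

def where_listed(yml_text, subject_line):
    """Return the yml keys whose list contains this certificate's DN; an empty
    list means the security plugin treats it as neither node nor admin cert."""
    dn = to_rfc2253(subject_line)
    return [k for k, items in dn_lists(yml_text).items() if dn in items]
```

Run `where_listed` on the output of `openssl x509 -subject -noout -in <cert>` for each node and admin certificate before restarting; a certificate that is not listed anywhere will not be accepted for transport or admin access.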

  7. Go to <opensearch-installation-path>/config, add the following lines to opensearch.yml and save it.

plugins.security.ssl.transport.pemcert_filepath: node1.pem
plugins.security.ssl.transport.pemkey_filepath: node1-key.pem
plugins.security.ssl.transport.pemtrustedcas_filepath: root-ca.pem
plugins.security.ssl.transport.enforce_hostname_verification: false
plugins.security.ssl.http.enabled: true
plugins.security.ssl.http.pemcert_filepath: node1.pem
plugins.security.ssl.http.pemkey_filepath: node1-key.pem
plugins.security.ssl.http.pemtrustedcas_filepath: root-ca.pem
plugins.security.authcz.admin_dn:
  - 'CN=ADMIN,OU=UNIT,O=ORG,L=TORONTO,ST=ONTARIO,C=CA'
plugins.security.nodes_dn:
  - 'CN=node1.example.com,OU=UNIT,O=ORG,L=TORONTO,ST=ONTARIO,C=CA'
  - 'CN=node2.example.com,OU=UNIT,O=ORG,L=TORONTO,ST=ONTARIO,C=CA'
  8. Restart the OpenSearch server.

  9. Open the command prompt and go to this folder:
    /plugins/opensearch-security/tools
    Then run the command shown below.

    ./hash.sh -p <new_password>


Note: This command creates the password for the OpenSearch user.

  10. Open your browser and go to:
    https://localhost:9200

    Use these login details:

    Username: admin
    Password: (the newly generated password)