SearchBlox for Opensearch Server

Below are the steps to enable SSL for the Opensearch server.

Prerequisites:

To configure SSL in Opensearch, install OpenSSL to generate the certificates.

Steps to Generate Self-Signed Elastic Server Certificate:

  1. Open the command prompt and navigate to folder /config

  2. To generate a private key, run the following command(If you have your own CA certificate you can skip this and next step):

           openssl genrsa -out root-ca-key.pem 2048 
    

    root-ca-key.pem file will be generated inside <opensearch-installation-path>/.
    Note: It may ask for “desired output file” and “password for the same”. (Optional)

  3. Generate Root certificate for the OpenSearch node using the following command:

       openssl req -new -x509 -sha256 -key root-ca-key.pem -out root-ca.pem -days 730
    

    Note: Follow the prompts to specify details for your organization. Together, these details form the distinguished name (DN) of your CA.

  4. Move the generated file, inside the <opensearch-installation path>/config folder and provide full permissions.

  5. Generate admin certificates, First create admin-key (You need the CA certificate for this step)

    openssl genrsa -out admin-key-temp.pem 2048
    #########################################
    `#Then convert that key to PKCS#8 format for use in Java using a PKCS#12-compatible algorithm (3DES):`
    openssl pkcs8 -inform PEM -outform PEM -in admin-key-temp.pem -topk8 -nocrypt -v1 PBE-SHA1-3DES -out admin-key.pem
    #########################################
    `#Next, create a certificate signing request (CSR). This file acts as an application to a CA for a signed certificate:`
    openssl req -new -key admin-key.pem -out admin.csr
    #########################################
    `#Follow the prompts to fill in the details.
    #Finally, generate the certificate itself:`
    openssl x509 -req -in admin.csr -CA root-ca.pem -CAkey root-ca-key.pem -CAcreateserial -sha256 -out admin.pem -days 730
    
  6. You must specify the distinguished names (DNs) for all admin and node certificates in opensearch.yml on all nodes. Using the certificates from the sample script above, part of opensearch.yml might look like this:

plugins.security.authcz.admin_dn:
  - 'CN=ADMIN,OU=UNIT,O=ORG,L=TORONTO,ST=ONTARIO,C=CA'
plugins.security.nodes_dn:
  - 'CN=node1.example.com,OU=UNIT,O=ORG,L=TORONTO,ST=ONTARIO,C=CA'
  - 'CN=node2.example.com,OU=UNIT,O=ORG,L=TORONTO,ST=ONTARIO,C=CA'

Note: But if you look at the subject of the certificate after creating it, you might see different formatting.To get correct format run the following command:

openssl x509 -subject -nameopt RFC2253 -noout -in node.pem

  1. Go to <opensearch-installation path>/config and add the following lines in “opensearch.yml” and save it.
plugins.security.ssl.transport.pemcert_filepath: node1.pem
plugins.security.ssl.transport.pemkey_filepath: node1-key.pem
plugins.security.ssl.transport.pemtrustedcas_filepath: root-ca.pem
plugins.security.ssl.transport.enforce_hostname_verification: false
plugins.security.ssl.http.enabled: true
plugins.security.ssl.http.pemcert_filepath: node1.pem
plugins.security.ssl.http.pemkey_filepath: node1-key.pem
plugins.security.ssl.http.pemtrustedcas_filepath: root-ca.pem
plugins.security.authcz.admin_dn:
  - 'CN=ADMIN,OU=UNIT,O=ORG,L=TORONTO,ST=ONTARIO,C=CA'
plugins.security.nodes_dn:
  - 'CN=node1.example.com,OU=UNIT,O=ORG,L=TORONTO,ST=ONTARIO,C=CA'
  - 'CN=node2.example.com,OU=UNIT,O=ORG,L=TORONTO,ST=ONTARIO,C=CA'
  1. Restart Opensearch Server

  2. Open the command prompt and from the same path <opensearch-installation path>/plugins/opensearch-security/tools
    Run the following command:

          ./hash.sh -p <new_password>
    

Note: This command will generate the passwords for opensearch user.

  1. Go to https://localhost:9200 and check it.
    Username: admin
    Password:<newly-generated-password>