SearchBlox for Opensearch Server
Below are the steps to enable SSL for the OpenSearch server.
Prerequisites
- OpenSearch server installed and running
- OpenSSL installed on your system (it is used to generate the certificates)
- Administrative access to the SearchBlox server
Steps to Generate Self-Signed OpenSearch Server Certificates:
- Navigate to the config directory
cd <opensearch-installation-path>/config
- Generate the root CA private key
To generate a private key, run the following command (Note: skip this step if you already have a CA key and certificate):
openssl genrsa -out root-ca-key.pem 2048
The root-ca-key.pem file is written to the current directory, i.e. <opensearch-installation-path>/config if you ran the cd command above. Because -out is given, the command does not prompt for an output file. The key is written unencrypted, so restrict access to the file: this key signs every node and admin certificate in the cluster.
- Create the root CA certificate
Generate the self-signed root CA certificate from the key above using the following command:
openssl req -new -x509 -sha256 -key root-ca-key.pem -out root-ca.pem -days 730
Note: Follow the prompts to specify details for your organization. You will be prompted for:
- Country Name (2 letter code)
- State/Province Name
- Locality Name
- Organization Name
- Organizational Unit Name
- Common Name (a name for the CA, not a node hostname)
- Email Address
- Move the generated files into the <opensearch-installation path>/config folder if you created them elsewhere. Do not give them full (world-readable) permissions: the OpenSearch service user must be able to read the certificates, but private keys (the *-key.pem files) should be readable only by that user (for example chmod 600), and root-ca-key.pem does not need to stay on the node at all once signing is finished.
- Generate the admin certificate (you need the CA key and certificate from the previous steps). First create a temporary admin key:
openssl genrsa -out admin-key-temp.pem 2048
Then convert that key to PKCS#8 format for use in Java using a PKCS#12-compatible algorithm (3DES):
openssl pkcs8 -inform PEM -outform PEM -in admin-key-temp.pem -topk8 -nocrypt -v1 PBE-SHA1-3DES -out admin-key.pem
Next, create a certificate signing request (CSR). This file acts as an application to a CA for a signed certificate:
openssl req -new -key admin-key.pem -out admin.csr
Follow the prompts to fill in the details; the subject you enter here becomes the admin DN that you must configure in opensearch.yml below. Finally, generate the certificate itself, signed by the root CA:
openssl x509 -req -in admin.csr -CA root-ca.pem -CAkey root-ca-key.pem -CAcreateserial -sha256 -out admin.pem -days 730
Note: The node certificate and key that opensearch.yml refers to below (node1.pem and node1-key.pem) are created in exactly the same way, with the node's hostname as the Common Name. Use a different Common Name for the admin certificate than for any node certificate, otherwise the plugin cannot tell an admin connection from a node connection.
- You must specify the distinguished names (DNs) for all admin and node certificates in opensearch.yml on all nodes. Using the certificates from the commands above, part of opensearch.yml might look like this:
plugins.security.authcz.admin_dn:
  - 'CN=ADMIN,OU=UNIT,O=ORG,L=TORONTO,ST=ONTARIO,C=CA'
plugins.security.nodes_dn:
  - 'CN=node1.example.com,OU=UNIT,O=ORG,L=TORONTO,ST=ONTARIO,C=CA'
  - 'CN=node2.example.com,OU=UNIT,O=ORG,L=TORONTO,ST=ONTARIO,C=CA'
Note: The subject that openssl prints by default (slash-separated, in the order you entered it) is not the format the plugin compares against. The DNs in opensearch.yml must be in RFC 2253 form: attributes in reverse order, comma-separated, without spaces. To print a certificate's subject in exactly that format run:
openssl x509 -subject -nameopt RFC2253 -noout -in node.pem
and copy the value after subject= into opensearch.yml. Do the same for admin.pem. A DN that does not match character for character means the certificate is treated as an ordinary client, not as an admin or a node.
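The whole certificate procedure above, scripted end to end, as an added example that is not code from the SearchBlox page or the OpenSearch project. It assumes the sample DN fields shown on this page (C=CA, ST=ONTARIO, L=TORONTO, O=ORG, OU=UNIT), the hostname node1.example.com, 2048-bit RSA keys with 730-day validity, and an output directory passed on the command line. It uses -subj instead of the interactive prompts, also creates the node certificate that opensearch.yml refers to (with a subjectAltName so hostname verification can be enabled later), restricts key file permissions, verifies each certificate against the CA, and prints the DNs in the RFC 2253 form opensearch.yml needs:

```shell
#!/bin/sh
# Added example (not from the SearchBlox page or the OpenSearch project):
# root CA, admin certificate and node1 certificate for the opensearch.yml sample.
# Assumed values: the page's sample DN fields, node hostname node1.example.com,
# 2048-bit RSA, 730 days validity. Output directory is the first argument.
set -eu

DAYS=730
DN_BASE="/C=CA/ST=ONTARIO/L=TORONTO/O=ORG/OU=UNIT"   # assumed org fields from the page's sample DNs

# make_ca DIR: self-signed root CA (skip this if you already have one)
make_ca() {
  openssl genrsa -out "$1/root-ca-key.pem" 2048 2>/dev/null
  openssl req -new -x509 -sha256 -key "$1/root-ca-key.pem" \
    -subj "$DN_BASE/CN=root-ca" -days "$DAYS" -out "$1/root-ca.pem"
  chmod 600 "$1/root-ca-key.pem"   # CA signing key: owner-only, never world-readable
}

# make_cert DIR NAME CN [SAN_HOST]: PKCS#8 key, CSR, and certificate signed by the root CA
make_cert() {
  dir=$1; name=$2; cn=$3; san=${4:-}
  openssl genrsa -out "$dir/$name-key-temp.pem" 2048 2>/dev/null
  # Java-friendly PKCS#8 key, same conversion options as the page uses for the admin key
  openssl pkcs8 -inform PEM -outform PEM -in "$dir/$name-key-temp.pem" \
    -topk8 -nocrypt -v1 PBE-SHA1-3DES -out "$dir/$name-key.pem"
  rm -f "$dir/$name-key-temp.pem"
  chmod 600 "$dir/$name-key.pem"
  openssl req -new -key "$dir/$name-key.pem" -subj "$DN_BASE/CN=$cn" -out "$dir/$name.csr"
  if [ -n "$san" ]; then
    # node certificates get a SAN so enforce_hostname_verification can be turned on later
    printf 'subjectAltName=DNS:%s\n' "$san" > "$dir/$name.ext"
    openssl x509 -req -in "$dir/$name.csr" -CA "$dir/root-ca.pem" -CAkey "$dir/root-ca-key.pem" \
      -CAcreateserial -sha256 -days "$DAYS" -extfile "$dir/$name.ext" -out "$dir/$name.pem"
  else
    openssl x509 -req -in "$dir/$name.csr" -CA "$dir/root-ca.pem" -CAkey "$dir/root-ca-key.pem" \
      -CAcreateserial -sha256 -days "$DAYS" -out "$dir/$name.pem"
  fi
}

# rfc2253_subject CERT: prints the subject DN exactly as opensearch.yml expects it
rfc2253_subject() {
  openssl x509 -subject -nameopt RFC2253 -noout -in "$1" | sed 's/^subject= *//'
}

# verify_chain DIR NAME: exit status 0 only if DIR/NAME.pem chains to DIR/root-ca.pem
verify_chain() {
  openssl verify -CAfile "$1/root-ca.pem" "$1/$2.pem" >/dev/null 2>&1
}

# gen_pki DIR NODE_HOSTNAME: everything the page's opensearch.yml sample needs
gen_pki() {
  mkdir -p "$1"
  make_ca "$1"
  make_cert "$1" admin ADMIN            # admin DN must differ from every node DN
  make_cert "$1" node1 "$2" "$2"        # CN and SAN both set to the node hostname
  verify_chain "$1" admin
  verify_chain "$1" node1
  # Ready-to-paste configuration lines (DNs in RFC 2253 form)
  printf "plugins.security.authcz.admin_dn:\n  - '%s'\n" "$(rfc2253_subject "$1/admin.pem")"
  printf "plugins.security.nodes_dn:\n  - '%s'\n" "$(rfc2253_subject "$1/node1.pem")"
}

# Usage: sh gen-opensearch-certs.sh <opensearch-installation-path>/config node1.example.com
if [ "$#" -ge 2 ]; then
  gen_pki "$1" "$2"
fi
```

Run it as sh gen-opensearch-certs.sh <opensearch-installation-path>/config node1.example.com (the script name is an assumption) and paste the printed admin_dn and nodes_dn lines into opensearch.yml. The .csr and .ext files can be deleted afterwards; keep root-ca-key.pem somewhere safer than the node if you intend to sign more certificates later.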
- Go to <opensearch-installation path>/config, add the following lines to opensearch.yml and save it. The file names are relative to the config directory and must match the certificates you generated:
plugins.security.ssl.transport.pemcert_filepath: node1.pem
plugins.security.ssl.transport.pemkey_filepath: node1-key.pem
plugins.security.ssl.transport.pemtrustedcas_filepath: root-ca.pem
plugins.security.ssl.transport.enforce_hostname_verification: false
plugins.security.ssl.http.enabled: true
plugins.security.ssl.http.pemcert_filepath: node1.pem
plugins.security.ssl.http.pemkey_filepath: node1-key.pem
plugins.security.ssl.http.pemtrustedcas_filepath: root-ca.pem
plugins.security.authcz.admin_dn:
  - 'CN=ADMIN,OU=UNIT,O=ORG,L=TORONTO,ST=ONTARIO,C=CA'
plugins.security.nodes_dn:
  - 'CN=node1.example.com,OU=UNIT,O=ORG,L=TORONTO,ST=ONTARIO,C=CA'
  - 'CN=node2.example.com,OU=UNIT,O=ORG,L=TORONTO,ST=ONTARIO,C=CA'
Note: enforce_hostname_verification: false means that on the transport layer a node accepts any certificate signed by root-ca.pem regardless of the hostname in it (the nodes_dn check still applies). Keep it false only while testing; set it to true once your node certificates carry the node hostnames as subjectAltName entries.
- Restart the OpenSearch server.
- Open a command prompt in
<opensearch-installation path>/plugins/opensearch-security/tools
and run the following command:
./hash.sh -p <new_password>
Note: This command does not set a password by itself; it prints the bcrypt hash of <new_password>. Put that hash in the hash: field of the admin user in config/opensearch-security/internal_users.yml and apply the change with securityadmin.sh from the same tools directory (it authenticates with the admin certificate generated above).
- Go to
https://localhost:9200
and check it. The browser will warn that the certificate is not trusted because it was issued by your private root CA; that is expected.
Username: admin
Password: the <new_password> you passed to hash.sh