SearchBlox for OpenSearch Server
Below are the steps to enable SSL for the OpenSearch server.
Prerequisites
- OpenSearch server installed and running
- OpenSSL installed on your system (OpenSSL is used to generate the certificates)
- Administrative access to the SearchBlox server
Steps to Generate Self-Signed Elastic Server Certificate:
- Navigate to the config directory:
cd <opensearch-installation-path>/config
- Generate the Root CA private key. Note: Skip this step if you already have a CA certificate.
openssl genrsa -out root-ca-key.pem 2048
The file root-ca-key.pem is generated inside <opensearch-installation-path>/. Note: You may be prompted for a "desired output file" and a password for it (optional).
- Create the Root CA certificate for the OpenSearch node using the following command:
openssl req -new -x509 -sha256 -key root-ca-key.pem -out root-ca.pem -days 730
Note: Follow the prompts to specify details for your organization. You will be prompted for:
- Country Name (2 letter code)
- State/Province Name
- Locality Name
- Organization Name
- Organizational Unit Name
- Common Name (domain name)
- Email Address
- Move the generated file into the /config folder and set full permissions.
- Generate the admin certificates. First create the admin key (you will need the CA certificate for this step):
openssl genrsa -out admin-key-temp.pem 2048
Then convert that key to PKCS#8 format for use in Java, using a PKCS#12-compatible algorithm (3DES):
openssl pkcs8 -inform PEM -outform PEM -in admin-key-temp.pem -topk8 -nocrypt -v1 PBE-SHA1-3DES -out admin-key.pem
Next, create a certificate signing request (CSR). This file acts as an application to a CA for a signed certificate:
openssl req -new -key admin-key.pem -out admin.csr
Follow the prompts to fill in the details. Finally, generate the certificate itself:
openssl x509 -req -in admin.csr -CA root-ca.pem -CAkey root-ca-key.pem -CAcreateserial -sha256 -out admin.pem -days 730
- Specify the distinguished names (DNs) for all admin and node certificates in opensearch.yml on every node. Using the certificates generated from the sample script above, a section of opensearch.yml might look like this:
plugins.security.authcz.admin_dn:
  - 'CN=ADMIN,OU=UNIT,O=ORG,L=TORONTO,ST=ONTARIO,C=CA'
plugins.security.nodes_dn:
  - 'CN=node1.example.com,OU=UNIT,O=ORG,L=TORONTO,ST=ONTARIO,C=CA'
  - 'CN=node2.example.com,OU=UNIT,O=ORG,L=TORONTO,ST=ONTARIO,C=CA'
Note: After creating the certificate, the subject may appear in a different format. To get the correct format, run:
openssl x509 -subject -nameopt RFC2253 -noout -in node.pem
- Next, go to /config and add the required lines to opensearch.yml, then save the file.
plugins.security.ssl.transport.pemcert_filepath: node1.pem
plugins.security.ssl.transport.pemkey_filepath: node1-key.pem
plugins.security.ssl.transport.pemtrustedcas_filepath: root-ca.pem
plugins.security.ssl.transport.enforce_hostname_verification: false
plugins.security.ssl.http.enabled: true
plugins.security.ssl.http.pemcert_filepath: node1.pem
plugins.security.ssl.http.pemkey_filepath: node1-key.pem
plugins.security.ssl.http.pemtrustedcas_filepath: root-ca.pem
plugins.security.authcz.admin_dn:
  - 'CN=ADMIN,OU=UNIT,O=ORG,L=TORONTO,ST=ONTARIO,C=CA'
plugins.security.nodes_dn:
  - 'CN=node1.example.com,OU=UNIT,O=ORG,L=TORONTO,ST=ONTARIO,C=CA'
  - 'CN=node2.example.com,OU=UNIT,O=ORG,L=TORONTO,ST=ONTARIO,C=CA'
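The security plugin matches the certificate subject against the admin_dn and nodes_dn entries as strings, so an entry written in the default OpenSSL subject format (reversed order, spaces around "=") will silently fail to match and the node or admin certificate will be rejected. The following added example (not SearchBlox or OpenSearch code; standard library only) converts OpenSSL's default `-subject` output into the RFC 2253 form shown above and checks it against the DN lists in an opensearch.yml; the opensearch.yml text and the two subject lines are constructed samples modelled on this page. The line scanner only understands the flat `key:` / `- 'value'` layout used here, not arbitrary YAML.

```python
"""Check certificate subjects against the DN whitelists in opensearch.yml.

Added example, not part of SearchBlox or OpenSearch. Standard library only.
"""
import re

ADMIN_KEY = "plugins.security.authcz.admin_dn"
NODES_KEY = "plugins.security.nodes_dn"
HOSTNAME_KEY = "plugins.security.ssl.transport.enforce_hostname_verification"

# Constructed sample config, copied from the layout shown on this page.
SAMPLE_OPENSEARCH_YML = """
plugins.security.ssl.transport.pemcert_filepath: node1.pem
plugins.security.ssl.transport.pemkey_filepath: node1-key.pem
plugins.security.ssl.transport.pemtrustedcas_filepath: root-ca.pem
plugins.security.ssl.transport.enforce_hostname_verification: false
plugins.security.ssl.http.enabled: true
plugins.security.authcz.admin_dn:
  - 'CN=ADMIN,OU=UNIT,O=ORG,L=TORONTO,ST=ONTARIO,C=CA'
plugins.security.nodes_dn:
  - 'CN=node1.example.com,OU=UNIT,O=ORG,L=TORONTO,ST=ONTARIO,C=CA'
  - 'CN=node2.example.com,OU=UNIT,O=ORG,L=TORONTO,ST=ONTARIO,C=CA'
"""

# Constructed sample of what `openssl x509 -subject -noout -in <cert>` prints
# WITHOUT -nameopt RFC2253: forward RDN order and spaces around '='.
SAMPLE_SUBJECTS = [
    "subject=C = CA, ST = ONTARIO, L = TORONTO, O = ORG, OU = UNIT, CN = node1.example.com",
    "subject=C = CA, ST = ONTARIO, L = TORONTO, O = ORG, OU = UNIT, CN = node3.example.com",
]


def openssl_subject_to_rfc2253(line: str) -> str:
    """Rewrite OpenSSL's default subject line into the RFC 2253 string OpenSearch
    expects, i.e. what `openssl x509 -subject -nameopt RFC2253 -noout` prints.
    Input must be the default (forward-order) format; an already RFC 2253 string
    would be reversed again."""
    body = line.split("=", 1)[1] if line.startswith("subject=") else line
    # Split on commas that are not escaped; a literal comma in a value is written `\,`.
    rdns = [r.strip() for r in re.split(r"(?<!\\),", body) if r.strip()]
    pairs = []
    for rdn in rdns:
        attr, _, value = rdn.partition("=")
        pairs.append(f"{attr.strip()}={value.strip()}")
    # RFC 2253 lists the most specific RDN (normally CN) first.
    return ",".join(reversed(pairs))


def extract_dn_lists(opensearch_yml: str) -> dict:
    """Pull admin_dn and nodes_dn out of the flat `key:` / `- 'value'` layout.
    Purpose-built line scanner, not a general YAML parser."""
    lists = {ADMIN_KEY: [], NODES_KEY: []}
    current = None
    for raw in opensearch_yml.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("- ") and current is not None:
            lists[current].append(line[2:].strip().strip("'\""))
            continue
        # Any other line ends the current list; start a new one only for a wanted key.
        current = line[:-1] if line.endswith(":") and line[:-1] in lists else None
    return lists


def hostname_verification_enabled(opensearch_yml: str) -> bool:
    """True unless the config explicitly sets transport hostname verification to false."""
    for raw in opensearch_yml.splitlines():
        key, sep, value = raw.strip().partition(":")
        if sep and key.strip() == HOSTNAME_KEY:
            return value.strip().lower() != "false"
    return True


def audit(opensearch_yml: str, openssl_subjects: list) -> list:
    """Return human-readable findings; an empty list means every certificate
    subject is whitelisted in RFC 2253 form and nothing else stood out."""
    lists = extract_dn_lists(opensearch_yml)
    admin, nodes = set(lists[ADMIN_KEY]), set(lists[NODES_KEY])
    findings = []
    for dn in sorted(admin | nodes):
        if " = " in dn or ", " in dn:
            findings.append(f"DN not in RFC 2253 form (contains spaces): {dn}")
    for dn in sorted(admin & nodes):
        findings.append(f"DN is both admin and node; the admin certificate bypasses access control: {dn}")
    for subject in openssl_subjects:
        dn = openssl_subject_to_rfc2253(subject)
        if dn not in admin and dn not in nodes:
            findings.append(f"certificate subject not listed in admin_dn or nodes_dn: {dn}")
    if not hostname_verification_enabled(opensearch_yml):
        findings.append("transport hostname verification is disabled; node identity rests on nodes_dn alone")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_OPENSEARCH_YML, SAMPLE_SUBJECTS):
        print("finding:", finding)
```

Run against the samples, the script reports that the node3 certificate is not whitelisted and that transport hostname verification is off; node1 matches once its subject is normalised. In practice, feed it the real opensearch.yml and the `-subject` output of each node and admin certificate before restarting the server, so a DN typo is caught before the cluster refuses to form.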
- Restart the OpenSearch server.
- Open the command prompt, navigate to /plugins/opensearch-security/tools, and run the following command:
./hash.sh -p <new_password>
Note: This command generates the password hash used for the OpenSearch users.
- Go to https://localhost:9200 and check it.
Username: admin
Password: <newly-generated-password>
