SearchBlox for Opensearch Server

Below are the steps to enable SSL for the Opensearch server.

Prerequisites

  • OpenSearch server installed and running
  • OpenSSL installed on your system (it is needed to generate the certificates)
  • Administrative access to the SearchBlox server

Steps to Generate a Self-Signed OpenSearch Server Certificate:

  1. Navigate to Config Directory

    cd <opensearch-installation-path>/config
    
  2. Generate Root CA Private Key

    To generate the private key, run the following command.

    Note: Skip this step if you already have a CA certificate.

    openssl genrsa -out root-ca-key.pem 2048

    The root-ca-key.pem file will be generated inside <opensearch-installation-path>/.

    Note: You may be prompted for a "desired output file" and a password for it (optional).

  3. Create Root CA Certificate

    Generate a Root CA certificate for the OpenSearch node using the following command:

       openssl req -new -x509 -sha256 -key root-ca-key.pem -out root-ca.pem -days 730
    

    Note: Follow the prompts to specify details for your organization. You'll be prompted for:

    • Country Name (2 letter code)
    • State/Province Name
    • Locality Name
    • Organization Name
    • Organizational Unit Name
    • Common Name (domain name)
    • Email Address
  4. Move the generated file into the /config folder and set full permissions.

  5. Generate the admin certificates: first create the admin key (you will need the CA certificate for this step).

  6. Run the following commands from the config directory:

    # Create the temporary admin key
    openssl genrsa -out admin-key-temp.pem 2048

    # Then convert that key to PKCS#8 format for use in Java using a PKCS#12-compatible algorithm (3DES)
    openssl pkcs8 -inform PEM -outform PEM -in admin-key-temp.pem -topk8 -nocrypt -v1 PBE-SHA1-3DES -out admin-key.pem

    # Next, create a certificate signing request (CSR). This file acts as an application to a CA for a signed certificate
    openssl req -new -key admin-key.pem -out admin.csr

    # Follow the prompts to fill in the details. Finally, generate the certificate itself
    openssl x509 -req -in admin.csr -CA root-ca.pem -CAkey root-ca-key.pem -CAcreateserial -sha256 -out admin.pem -days 730

  7. Specify the distinguished names (DNs) for all admin and node certificates in opensearch.yml on every node.
    Using the certificates generated from the commands above, a section of opensearch.yml might look like this:

    plugins.security.authcz.admin_dn:
      - 'CN=ADMIN,OU=UNIT,O=ORG,L=TORONTO,ST=ONTARIO,C=CA'
    plugins.security.nodes_dn:
      - 'CN=node1.example.com,OU=UNIT,O=ORG,L=TORONTO,ST=ONTARIO,C=CA'
      - 'CN=node2.example.com,OU=UNIT,O=ORG,L=TORONTO,ST=ONTARIO,C=CA'

Note: After creating a certificate, its subject may be printed in a different order or format than OpenSearch expects in admin_dn and nodes_dn. To get the correct (RFC2253) format, run:

    openssl x509 -subject -nameopt RFC2253 -noout -in node.pem
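The commands from steps 2 to 7 as one non-interactive script, added here as an example and not a script shipped by SearchBlox or OpenSearch: it goes one step beyond the text by generating a node certificate with the same procedure as the admin certificate, prints each subject in the RFC2253 form that opensearch.yml expects, and checks that every certificate chains to root-ca.pem before you restart the server. It assumes openssl is on PATH, writes to a scratch directory (WORKDIR), and uses constructed DN values (the CA's CN=ROOT-CA, plus the sample ORG/UNIT/TORONTO/ONTARIO/CA values shown above).

```shell
# Added example, not SearchBlox's or OpenSearch's own script. Assumptions: openssl
# is on PATH; files go to a scratch directory; the DN values are constructed samples.
set -eu
WORKDIR="${WORKDIR:-$(mktemp -d)}"
cd "$WORKDIR"

# Steps 2-3: root CA private key and self-signed root CA certificate (-subj replaces the prompts)
make_root_ca() {
    openssl genrsa -out root-ca-key.pem 2048 2>/dev/null
    openssl req -new -x509 -sha256 -key root-ca-key.pem -out root-ca.pem -days 730 \
        -subj "/C=CA/ST=ONTARIO/L=TORONTO/O=ORG/OU=UNIT/CN=ROOT-CA"
}

# Step 6 for one name: temporary key, PKCS#8 conversion, CSR, certificate signed by the root CA
make_signed_cert() {
    name="$1"; cn="$2"
    openssl genrsa -out "$name-key-temp.pem" 2048 2>/dev/null
    openssl pkcs8 -inform PEM -outform PEM -in "$name-key-temp.pem" -topk8 -nocrypt \
        -v1 PBE-SHA1-3DES -out "$name-key.pem"
    openssl req -new -key "$name-key.pem" -out "$name.csr" \
        -subj "/C=CA/ST=ONTARIO/L=TORONTO/O=ORG/OU=UNIT/CN=$cn"
    openssl x509 -req -in "$name.csr" -CA root-ca.pem -CAkey root-ca-key.pem \
        -CAcreateserial -sha256 -out "$name.pem" -days 730 2>/dev/null
    rm -f "$name-key-temp.pem" "$name.csr"   # temporary key and CSR are no longer needed
}

# Step 7: the exact string to put under admin_dn / nodes_dn (RFC2253 order: CN first, no spaces)
rfc2253_subject() {
    openssl x509 -subject -nameopt RFC2253 -noout -in "$1" | sed 's/^subject= *//'
}

# Sanity check before restarting OpenSearch: the certificate must chain to root-ca.pem
verify_chain() {
    openssl verify -CAfile root-ca.pem "$1" >/dev/null 2>&1
}

make_root_ca
make_signed_cert admin ADMIN
make_signed_cert node1 node1.example.com
printf "plugins.security.authcz.admin_dn:\n  - '%s'\n" "$(rfc2253_subject admin.pem)"
printf "plugins.security.nodes_dn:\n  - '%s'\n" "$(rfc2253_subject node1.pem)"
```

The printed lines can be pasted into opensearch.yml as-is; a DN that does not match the certificate's subject byte for byte is the usual reason an admin or node certificate is rejected after the restart.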

  8. Next, go to /config and add the required lines to opensearch.yml, then save the file.

    plugins.security.ssl.transport.pemcert_filepath: node1.pem
    plugins.security.ssl.transport.pemkey_filepath: node1-key.pem
    plugins.security.ssl.transport.pemtrustedcas_filepath: root-ca.pem
    plugins.security.ssl.transport.enforce_hostname_verification: false
    plugins.security.ssl.http.enabled: true
    plugins.security.ssl.http.pemcert_filepath: node1.pem
    plugins.security.ssl.http.pemkey_filepath: node1-key.pem
    plugins.security.ssl.http.pemtrustedcas_filepath: root-ca.pem
    plugins.security.authcz.admin_dn:
      - 'CN=ADMIN,OU=UNIT,O=ORG,L=TORONTO,ST=ONTARIO,C=CA'
    plugins.security.nodes_dn:
      - 'CN=node1.example.com,OU=UNIT,O=ORG,L=TORONTO,ST=ONTARIO,C=CA'
      - 'CN=node2.example.com,OU=UNIT,O=ORG,L=TORONTO,ST=ONTARIO,C=CA'

  9. Restart the OpenSearch server.

  10. Open the command prompt, navigate to /plugins/opensearch-security/tools, and run the following command:

    ./hash.sh -p <new_password>


Note: This command will generate passwords for the OpenSearch users.

  11. Go to https://localhost:9200 and check it.
    Username: admin
    Password: <newly-generated-password>