SSL Certificates in OpenSearch

Setting up SSL (TLS) in OpenSearch encrypts all traffic between nodes (the transport layer) and between clients and the REST API (the HTTP layer), and lets the security plugin identify nodes and administrators by certificate. To complete this configuration, you need three certificates prepared before you begin:

  • CA Certificate
  • Admin Certificate
  • Node Certificate

Prerequisites:

Before starting the SSL configuration, make sure you have a CA certificate and the matching CA private key. Both files are required; the setup cannot proceed without them.

Note:

Obtain a CA certificate and CA key from your organization's PKI team, or use the steps below to generate a self-signed CA and the certificates it signs.
To run OpenSSL on Windows, open a command prompt as Administrator, go to the extracted OpenSSL folder and run openssl.exe; the commands in this guide are entered at its openssl> prompt.
Example : C:\Users\Administrator\Downloads\openssl-1.1.1j-dev\openssl-1.1\x64\bin\openssl.exe

Steps to generate a self-signed CA certificate

  1. Generate a private key with the genrsa command. As the name suggests, keep this file private. Private keys need to be of sufficient length to be secure, so specify 2048 bits:
openssl genrsa -out root-ca-key.pem 2048

If desired, add the -aes256 option to encrypt the key with AES-256. This option prompts for a passphrase, which you must then enter every time the key is used to sign a certificate.

  2. Next, use the key to generate a self-signed certificate for the root CA:
openssl req -new -x509 -sha256 -key root-ca-key.pem -out root-ca.pem
 * The `-x509` option specifies that you want a self-signed certificate rather than a certificate request.
 * The `-sha256` option sets the signature hash algorithm to SHA-256. SHA-256 is the default in newer versions of OpenSSL, but older versions might use SHA-1.
 * Optionally, add `-days 3650` (10 years) or some other number of days to set an expiration date. Without `-days`, OpenSSL issues a certificate that is valid for only 30 days.
  3. Specify details for your organization as prompted. Together, these details form the Distinguished Name (DN) of your CA.

Steps to generate the admin certificate (repeat the same steps with a different DN for each node certificate):

Run the commands below in sequence at the openssl> prompt. Once all commands have completed successfully, the generated files are saved in the bin folder of the OpenSSL installation, at the path shown below:
(Eg: C:\Users\Administrator\Downloads\openssl-1.1.1j-dev\openssl-1.1\x64\bin)

  1. Generate the private key and convert it to PKCS#8, the format the security plugin expects:
    openssl> genrsa -out admin-key-temp.pem 2048
    openssl> pkcs8 -inform PEM -outform PEM -in admin-key-temp.pem -topk8 -nocrypt -v1 PBE-SHA1-3DES -out admin-key.pem
    Because -nocrypt is given, admin-key.pem is written unencrypted and the -v1 PBE-SHA1-3DES option has no effect, so protect the file with file-system permissions. Delete admin-key-temp.pem once the conversion succeeds.

  2. Generate a certificate signing request (CSR) from admin-key.pem. The values you enter at the prompts form the DN of the admin certificate:
    openssl> req -new -key admin-key.pem -out admin.csr

  3. Sign the CSR with the CA to produce admin.pem:
    openssl> x509 -req -in admin.csr -CA root-ca.pem -CAkey root-ca-key.pem -CAcreateserial -sha256 -out admin.pem
    As with the CA certificate, add -days with the validity period you want; without it the signed certificate expires after 30 days.

Note:

root-ca.pem - use your organization's CA certificate, or rename your CA certificate file to root-ca.pem.
root-ca-key.pem - use your organization's CA key, or rename your CA key file to root-ca-key.pem.

  4. Use the following command to find the DN of a certificate:
    openssl> x509 -subject -nameopt RFC2253 -noout -in admin.pem
    Example : subject= CN=node1.example.com,OU=UNIT,O=ORG,L=TORONTO,ST=ONTARIO,C=CA
    Note : Use the DN exactly as printed (RFC 2253 order, no spaces after the commas) in opensearch.yml. The DN of the admin certificate goes under plugins.security.authcz.admin_dn; the DN of a node certificate goes under plugins.security.nodes_dn.
    Example : plugins.security.authcz.admin_dn:
      - CN=node1.example.com,OU=UNIT,O=ORG,L=TORONTO,ST=ONTARIO,C=CA

  5. Copy the generated certificates [admin.pem, admin-key.pem] together with root-ca.pem to
    C:\SearchBloxServer\opensearch\config.

  6. Grant the Windows account that runs the OpenSearch service access to the certificate and key files in C:\SearchBloxServer\opensearch\config. Read access is sufficient; avoid granting Everyone full control, because anyone who can read admin-key.pem has full control of the cluster.

Note:

Right-click the PEM file, choose Properties, open the Security tab, click Edit and add the service account with the required permissions.

  7. Go to C:\SearchBloxServer\opensearch\config, edit opensearch.yml and make
    sure the PEM file names match the files you copied (admin-key.pem, not admin_key.pem) and that the DNs match the output of the openssl x509 -subject command above.

Example:
plugins.security.ssl.transport.pemcert_filepath: admin.pem
plugins.security.ssl.transport.pemkey_filepath: admin-key.pem
plugins.security.ssl.transport.pemtrustedcas_filepath: root-ca.pem
plugins.security.ssl.transport.enforce_hostname_verification: false
plugins.security.ssl.http.enabled: true
plugins.security.ssl.http.pemcert_filepath: admin.pem
plugins.security.ssl.http.pemkey_filepath: admin-key.pem
plugins.security.ssl.http.pemtrustedcas_filepath: root-ca.pem

plugins.security.allow_default_init_securityindex: true
plugins.security.authcz.admin_dn:
  - CN=elastic,OU=it,O=searchblox,L=V,C=US
plugins.security.nodes_dn:
  - CN=node1.test.com,OU=dev,O=searchblox,L=chennai,ST=tamilnadu,C=in

Two things to check in this example:
 * nodes_dn must contain the DN of the certificate named in the transport pemcert_filepath, otherwise transport connections from other nodes are rejected; admin_dn must contain the DN of the certificate you pass to securityadmin. Any certificate whose DN is listed in admin_dn has full cluster access regardless of roles, so in production issue a separate node certificate instead of reusing admin.pem as the node certificate.
 * enforce_hostname_verification: false disables the check that the peer node's certificate matches its host name. It is convenient for a single-node setup with a certificate that lacks the host name, but set it to true once the node certificates carry the node's host name in their subject alternative name.
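The CA, admin and node certificate generation, the DN lookup and the admin_dn/nodes_dn values above, as an added example that is not the page's or the OpenSearch project's own code. It is a POSIX shell script (on Windows run it in Git Bash or WSL, or type the same openssl commands at the openssl> prompt) that goes slightly beyond the page's commands: it sets -days on every certificate, issues a separate node certificate with a subject alternative name so hostname verification can stay enabled, verifies that both certificates chain to the CA, and prints the RFC 2253 DNs in the form opensearch.yml expects. The subject values, the host name node1.example.com, the validity periods and the output directory are assumptions for the demo.

```shell
#!/bin/sh
# Added example, not SearchBlox/OpenSearch project code. Subjects, host names,
# lifetimes and the output directory are assumptions for this demo.
set -eu

# Issue a CA-signed certificate: $1=output dir, $2=file base name, $3=subject,
# $4=subjectAltName list ("" for none). Expects root-ca.pem/root-ca-key.pem in $1.
issue_cert() {
  out=$1; name=$2; subj=$3; san=$4
  openssl genrsa -out "$out/$name-key-temp.pem" 2048 2>/dev/null
  # The security plugin wants PKCS#8. -nocrypt writes the key unencrypted, so it
  # must be protected by file permissions (or set pemkey_password in opensearch.yml).
  openssl pkcs8 -topk8 -nocrypt -inform PEM -outform PEM \
    -in "$out/$name-key-temp.pem" -out "$out/$name-key.pem"
  rm -f "$out/$name-key-temp.pem"
  openssl req -new -key "$out/$name-key.pem" -subj "$subj" -out "$out/$name.csr"
  if [ -n "$san" ]; then
    # A node cert carries its host names in the SAN so hostname verification can stay on.
    printf 'subjectAltName=%s\n' "$san" > "$out/$name.ext"
    openssl x509 -req -sha256 -days 730 -in "$out/$name.csr" \
      -CA "$out/root-ca.pem" -CAkey "$out/root-ca-key.pem" -CAcreateserial \
      -extfile "$out/$name.ext" -out "$out/$name.pem" 2>/dev/null
  else
    # Without -days, openssl x509 -req issues a certificate that expires in 30 days.
    openssl x509 -req -sha256 -days 730 -in "$out/$name.csr" \
      -CA "$out/root-ca.pem" -CAkey "$out/root-ca-key.pem" -CAcreateserial \
      -out "$out/$name.pem" 2>/dev/null
  fi
}

# Build the whole set: root CA, admin certificate, node certificate.
make_certs() {
  out=$1
  mkdir -p "$out"
  # 1. Self-signed root CA, valid 10 years (add -aes256 to genrsa to passphrase-protect it).
  openssl genrsa -out "$out/root-ca-key.pem" 2048 2>/dev/null
  openssl req -new -x509 -sha256 -days 3650 -key "$out/root-ca-key.pem" \
    -subj "/C=US/ST=CA/L=SF/O=Example/OU=PKI/CN=root-ca.example.com" -out "$out/root-ca.pem"
  # 2. Admin certificate: its DN goes into plugins.security.authcz.admin_dn.
  issue_cert "$out" admin "/C=US/ST=CA/L=SF/O=Example/OU=Admin/CN=admin" ""
  # 3. Separate node certificate with a SAN: its DN goes into plugins.security.nodes_dn.
  issue_cert "$out" node1 "/C=US/ST=CA/L=SF/O=Example/OU=Nodes/CN=node1.example.com" \
    "DNS:node1.example.com,DNS:localhost,IP:127.0.0.1"
}

# Print the subject in RFC 2253 order, the form opensearch.yml expects
# (strips the "subject=" prefix, with or without a space, across OpenSSL versions).
cert_dn() {
  openssl x509 -noout -subject -nameopt RFC2253 -in "$1" | sed 's/^subject= *//'
}

# Exit 0 if the certificate chains to the given CA, non-zero otherwise.
verify_chain() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Emit the admin_dn / nodes_dn lines for opensearch.yml (quoted: DNs contain commas).
dn_yaml() {
  printf 'plugins.security.authcz.admin_dn:\n  - "%s"\n' "$(cert_dn "$1/admin.pem")"
  printf 'plugins.security.nodes_dn:\n  - "%s"\n' "$(cert_dn "$1/node1.pem")"
}

# Usage: sh make-opensearch-certs.sh [output-dir]   (defaults to a temp directory)
main() {
  dir=${1:-$(mktemp -d)}
  make_certs "$dir"
  echo "certificates written to $dir"
  verify_chain "$dir/root-ca.pem" "$dir/admin.pem" && echo "admin.pem chains to root-ca.pem"
  verify_chain "$dir/root-ca.pem" "$dir/node1.pem" && echo "node1.pem chains to root-ca.pem"
  dn_yaml "$dir"
}
main "$@"
```

Copy root-ca.pem, node1.pem/node1-key.pem (as the transport and HTTP certificate) and admin.pem/admin-key.pem into the config directory, paste the printed DN lines into opensearch.yml, and pass the admin pair to securityadmin. Once the node is up, a quick HTTP-layer check that does not rely on a browser is `curl --cacert root-ca.pem https://localhost:9200/_cluster/health?pretty` with your credentials; a certificate error there means the node is serving a certificate that does not chain to root-ca.pem.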

  8. Restart the OpenSearch service and check its log to confirm the SSL configuration was applied.

  9. Check cluster health over HTTPS:
    https://localhost:9200/_cluster/health?pretty
    The browser warns about the self-signed CA unless you import root-ca.pem into its trust store; the response should nevertheless arrive over TLS.

  10. Open a command prompt, navigate to
    C:\SearchBloxServer\opensearch\plugins\opensearch_security\tools and run the following
    command to initialize the security plugin. It loads the security index using the admin certificate, so the DN of admin.pem must be listed under plugins.security.authcz.admin_dn; -icl ignores the cluster name and -nhnv skips hostname verification for this one connection:
    securityadmin.bat -cd ../securityconfig/ -icl -nhnv -cacert ../../../config/root-ca.pem -cert ../../../config/admin.pem -key ../../../config/admin-key.pem

  11. Start the SearchBlox service.