Client cert auth


currently I run opensearch version 2.9.0 as a helm chart with 3 pods.

additionally I configured ldap based authentication, which works fine.

but I’m not able to get certificate based client authentication working.

here is the related part of my opensearch.yml

                  pemcert_filepath: esnode.pem
                  pemkey_filepath: esnode-key.pem
                  pemtrustedcas_filepath: root-ca.pem
                  enforce_hostname_verification: false
                  truststore_filepath: truststore
                  truststore_password: truststore
                  enabled: true
                  pemcert_filepath: esnode.pem
                  pemkey_filepath: esnode-key.pem
                  pemtrustedcas_filepath: root-ca.pem
                  truststore_filepath: truststore
                  truststore_password: truststore
                  clientauth_mode: OPTIONAL
              allow_unsafe_democertificates: true
              allow_default_init_securityindex: true
                  - CN=kirk,OU=client,O=client,L=test,C=de

In my truststore I have 2 certificate chains. 1. the one from my ldap server. 2. the second one from my external certificate authority (vault pki store) where I create the client certificates.

the related part of my clientcert_auth_domain in config.yml looks like

            description: "Authenticate via SSL client certificates"
            http_enabled: true
            transport_enabled: true
            order: 2
              type: clientcert
                username_attribute: cn #optional, if omitted DN becomes username
              challenge: false
              type: noop

as I said, LDAP works fine. so it looks like the truststore works.

I also added a user role mapping for the username which is similar to the cn field from the certificate.

but still, it does not work.

the following test works

curl -u admin:admin -XGET -k https://<myserver>/<myindex>/_doc/

the following test gives me the expected “unauthorized”

curl -u admin:admin1 -XGET -k https://<myserver>/<myindex>/_doc/

the following test gives me the “unauthorized” too

curl --cacert <myclientcert>.pem --key <myclientcert>.key --cert <myclientcert>.crt -XGET -k https://<myserver>/<myindex>/_doc/

strange thing here is that I see in my security audit logs only the requests for the user admin. One time as a success. And the second time as FAILED_LOGIN

But for the third time with the certificate, I see nothing.

I hope that there is someone here who can help me or at least give a tip on how I can further narrow down the problem


one additional thing I found out is

the “unauthorized” with username password gaves me a

{"statusCode":401,"error":"Unauthorized","message":"Authentication Exception"}

and the “unauthorized” with the certificate gaves me a

{"statusCode":401,"error":"Unauthorized","message":"Authentication required"}

looks like opensearch is not recognize the certificate

@hhees When you enable multiple authentication domains, the security plugin will try to authenticate against each of them.
For example, if basicauth and client cert authentication are enabled, the plugin will try to authenticate in the order configured in config.yml.
In your example, you have the same user for basicauth and cert auth (admin). The security plugin will try to authenticate against basicauth and it will return an incorrect username/password. At this point, it will not move to the next auth domain as it already found the user in basicauth.

Try using a different username for cert auth.

Hello, thanks for the fast response.

my client cert is using a complete different username (taken from cn field in the certificate)

and the challenge flag for basic auth is false (means basic auth is not responding with a WWW-Authenticate header)

@hhees Did you include myclientcert.pem in root-ca.pem of http.pemtrustedcas_filepath?

I added the root certificate to the truststore, because it came from an external CA.

the certificate in http.pemtrustedcas_filepath is the one which was created during the deployment from opensearch itself. If I replace theese, the cluster notes are not able to talk to eachother anymore.

as I mention in my UPDATe statement, the only difference I found so far is.

  • If I use a wrong username:password, I get “Authentication Exception” as a json result

  • I I use the client certificate, I get “Authentication required” as a json result

So my guess is that opensearch is not using/checking the certificate to authenticate the client.

@hhees You can define multiple CAs in http.pemtrustedcas_filepath. Just edit the file and add CA of that user. This will not brake communication between the nodes as they simply don’t use it.
OpenSearch nodes use transport layer to communicate with each other. http is a REST API endpoint.

thanks, I will try :slight_smile: