Client cert auth

hhees · May 26, 2023, 7:20am

Hello,

currently I run opensearch version 2.9.0 as a helm chart with 3 pods.

additionally I configured ldap based authentication, which works fine.

but I’m not able to get certificate based client authentication working.

here is the related part of my opensearch.yml

            security:
              ssl:
                transport:
                  pemcert_filepath: esnode.pem
                  pemkey_filepath: esnode-key.pem
                  pemtrustedcas_filepath: root-ca.pem
                  enforce_hostname_verification: false
                  truststore_filepath: truststore
                  truststore_password: truststore
                http:
                  enabled: true
                  pemcert_filepath: esnode.pem
                  pemkey_filepath: esnode-key.pem
                  pemtrustedcas_filepath: root-ca.pem
                  truststore_filepath: truststore
                  truststore_password: truststore
                  clientauth_mode: OPTIONAL
              allow_unsafe_democertificates: true
              allow_default_init_securityindex: true
              authcz:
                admin_dn:
                  - CN=kirk,OU=client,O=client,L=test,C=de

In my truststore I have 2 certificate chains. 1. the one from my ldap server. 2. the second one from my external certificate authority (vault pki store) where I create the client certificates.

the related part of my clientcert_auth_domain in config.yml looks like

          clientcert_auth_domain:
            description: "Authenticate via SSL client certificates"
            http_enabled: true
            transport_enabled: true
            order: 2
            http_authenticator:
              type: clientcert
              config:
                username_attribute: cn #optional, if omitted DN becomes username
              challenge: false
            authentication_backend:
              type: noop

as I said, LDAP works fine. so it looks like the truststore works.

I also added a user role mapping for the username which is similar to the cn field from the certificate.

but still, it does not work.

the following test works

curl -u admin:admin -XGET -k https://<myserver>/<myindex>/_doc/

the following test gives me the expected “unauthorized”

curl -u admin:admin1 -XGET -k https://<myserver>/<myindex>/_doc/

the following test gives me the “unauthorized” too

curl --cacert <myclientcert>.pem --key <myclientcert>.key --cert <myclientcert>.crt -XGET -k https://<myserver>/<myindex>/_doc/

strange thing here is that I see in my security audit logs only the requests for the user admin. One time as a success. And the second time as FAILED_LOGIN

But for the third time with the certificate, I see nothing.

I hope that there is someone here who can help me or at least give a tip on how I can further narrow down the problem

— UPDATE —

one additional thing I found out is

the “unauthorized” with username password gaves me a

{"statusCode":401,"error":"Unauthorized","message":"Authentication Exception"}

and the “unauthorized” with the certificate gaves me a

{"statusCode":401,"error":"Unauthorized","message":"Authentication required"}

looks like opensearch is not recognize the certificate

pablo · May 26, 2023, 8:04am

@hhees When you enable multiple authentication domains, the security plugin will try to authenticate against each of them.
For example, if basicauth and client cert authentication are enabled, the plugin will try to authenticate in the order configured in config.yml.
In your example, you have the same user for basicauth and cert auth (admin). The security plugin will try to authenticate against basicauth and it will return an incorrect username/password. At this point, it will not move to the next auth domain as it already found the user in basicauth.

Try using a different username for cert auth.

hhees · May 26, 2023, 8:10am

Hello, thanks for the fast response.

my client cert is using a complete different username (taken from cn field in the certificate)

and the challenge flag for basic auth is false (means basic auth is not responding with a WWW-Authenticate header)

pablo · May 26, 2023, 8:20am

@hhees Did you include myclientcert.pem in root-ca.pem of http.pemtrustedcas_filepath?

hhees · May 26, 2023, 8:27am

I added the root certificate to the truststore, because it came from an external CA.

the certificate in http.pemtrustedcas_filepath is the one which was created during the deployment from opensearch itself. If I replace theese, the cluster notes are not able to talk to eachother anymore.

as I mention in my UPDATe statement, the only difference I found so far is.

If I use a wrong username:password, I get “Authentication Exception” as a json result
I I use the client certificate, I get “Authentication required” as a json result

So my guess is that opensearch is not using/checking the certificate to authenticate the client.

pablo · May 26, 2023, 8:35am

@hhees You can define multiple CAs in http.pemtrustedcas_filepath. Just edit the file and add CA of that user. This will not brake communication between the nodes as they simply don’t use it.
OpenSearch nodes use transport layer to communicate with each other. http is a REST API endpoint.

hhees · May 26, 2023, 8:39am

thanks, I will try

Topic		Replies	Views
Opensearch certificate Security	1	930	May 23, 2023
Integration with AD/LDAP Security troubleshoot , configure	1	378	February 10, 2023
Opensearch LDAPs certificate Security	1	409	May 23, 2023
How to protect truststore_password deploying with Helm Security	1	21	October 15, 2024
Unable to connect to ldapserver due to OpenSearchException[Empty file path for plugins.security.ssl.transport.truststore_filepath]. Try next Security	1	631	April 7, 2023

Client cert auth

Related topics