Currently I run OpenSearch version 2.9.0 as a Helm chart with 3 pods.
Additionally I configured LDAP-based authentication, which works fine.
But I'm not able to get certificate-based client authentication working.
Here is the related part of my opensearch.yml:
security:
  ssl:
    transport:
      pemcert_filepath: esnode.pem
      pemkey_filepath: esnode-key.pem
      pemtrustedcas_filepath: root-ca.pem
      enforce_hostname_verification: false
      truststore_filepath: truststore
      truststore_password: truststore
    http:
      enabled: true
      pemcert_filepath: esnode.pem
      pemkey_filepath: esnode-key.pem
      pemtrustedcas_filepath: root-ca.pem
      truststore_filepath: truststore
      truststore_password: truststore
      clientauth_mode: OPTIONAL
  allow_unsafe_democertificates: true
  allow_default_init_securityindex: true
  authcz:
    admin_dn:
      - CN=kirk,OU=client,O=client,L=test,C=de
In my truststore I have 2 certificate chains: 1. the one from my LDAP server; 2. the one from my external certificate authority (Vault PKI store) where I create the client certificates.
The related part of my clientcert_auth_domain in config.yml looks like:
clientcert_auth_domain:
  description: "Authenticate via SSL client certificates"
  http_enabled: true
  transport_enabled: true
  order: 2
  http_authenticator:
    type: clientcert
    config:
      username_attribute: cn # optional, if omitted DN becomes username
    challenge: false
  authentication_backend:
    type: noop
As I said, LDAP works fine, so it looks like the truststore works.
I also added a user role mapping for the username, which is the same as the CN field from the certificate.
But still, it does not work.
The following test works:
curl -u admin:admin -XGET -k https://<myserver>/<myindex>/_doc/
The following test gives me the expected "unauthorized":
curl -u admin:admin1 -XGET -k https://<myserver>/<myindex>/_doc/
The following test gives me "unauthorized" too:
curl --cacert <myclientcert>.pem --key <myclientcert>.key --cert <myclientcert>.crt -XGET -k https://<myserver>/<myindex>/_doc/
The strange thing here is that in my security audit logs I see only the requests for the user admin: one time as a success, and the second time as FAILED_LOGIN.
But for the third test, with the certificate, I see nothing.
I hope there is someone here who can help me, or at least give a tip on how I can narrow down the problem further.
— UPDATE —
One additional thing I found out:
The "unauthorized" with username/password gives me a
and the "unauthorized" with the certificate gives me a
It looks like OpenSearch does not recognize the certificate.
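As an added diagnostic, not part of the original post, the following shell helper checks with plain openssl the two preconditions the clientcert authenticator depends on: that the client certificate actually chains to a CA present in the truststore, and which CN it would use as the username for the role mapping (username_attribute: cn). It assumes openssl is on PATH; the CA and client certificate it creates are constructed throwaways, and the second "other" CA shows the failing case where the signing CA is not trusted.

```shell
#!/bin/sh
# Added diagnostic helper; not from the original post or the OpenSearch project.
# Assumes openssl is on PATH. File names below are placeholders created on the fly.
set -eu

# verify_client_cert CA_FILE CLIENT_CERT
#   prints "ok <CN>" when CLIENT_CERT chains to CA_FILE, "chain-error" otherwise.
verify_client_cert() {
  ca="$1"; cert="$2"
  if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
    echo "chain-error"
    return 1
  fi
  # Read the subject DN in RFC 2253 form and pick out the CN, the value the
  # clientcert authenticator would use as username with username_attribute: cn.
  cn=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 \
       | sed -n 's/^subject= *//; s/.*CN=\([^,]*\).*/\1/p')
  echo "ok $cn"
}

# make_sample_pki DIR: constructed sample input, a throwaway CA, a client cert
# signed by it, and a second CA that did NOT sign the client cert.
make_sample_pki() {
  dir="$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Sample Root CA" \
    -keyout "$dir/ca.key" -out "$dir/ca.pem" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -subj "/C=de/O=client/OU=client/CN=alice" \
    -keyout "$dir/client.key" -out "$dir/client.csr" >/dev/null 2>&1
  openssl x509 -req -in "$dir/client.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 1 -out "$dir/client.crt" >/dev/null 2>&1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Other CA" \
    -keyout "$dir/other.key" -out "$dir/other.pem" >/dev/null 2>&1
}

# Demo run on the constructed sample.
tmp=$(mktemp -d)
make_sample_pki "$tmp"
verify_client_cert "$tmp/ca.pem" "$tmp/client.crt"               # -> ok alice
verify_client_cert "$tmp/other.pem" "$tmp/client.crt" || true    # -> chain-error
```

Run the same two commands against the real client certificate and the CA bundle you loaded into the truststore; a chain-error there means the truststore is the problem, while a wrong or missing CN means the role mapping will never match.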