Versions (relevant - OpenSearch/Dashboard/Server OS/Browser): 3.5.0
Describe the issue: When opensearch is installed with security enabled, certificates are configured for nodes. When nodes communicate with each other for example data with manager, then do they present their certificates and perform a mutual authentication?
Is opensearch inter-node communication based on mtls? If not, then is there a way to configure it that way??
Configuration:
Relevant Logs or Screenshots:
@rharidas Thank you for the question. Yes, the mTLS is used in internode communication.
You can also enable strict host name verification, see further details here.
By default, transport layer TLS certificates need to be configured as both the client (TLS Web Client Authentication) and server (TLS Web Server Authentication) in the certificate’s Extended Key Usage section, because the nodes using the TLS certificates assume the responsibility of serving and receiving communication requests internally.
When OpenSearch Security needs to identify requests between the nodes in the cluster, it uses node certificates to secure these requests. The simplest way to configure node certificates is to list the Distinguished Names (DNs) of these certificates in opensearch.yml.
Also TLS is optional for the REST layer but mandatory for the transport layer.
Hope this helps.