@shaimoh you can follow the documentation to generate the certs. Openssl can be also used in Windows environment.
Hi @pablo, I'm still going in rounds.
I'm not able to understand what exactly the admin_dn part is
opendistro_security.authcz.admin_dn:
- CN=kirk,OU=client,O=client,L=test, C=de
what exactly is this CN and how is admin certificate different from node certificate
Am I supposed to give the elasticsearch url in the place of "kirk" here? How to generate and define a CN here?
Anything I should do in config.yml for the same? Currently I haven't done any changes in config.yml
Pls help... It would be a great help for me
Hi @pablo, hope you're doing well
I tried with single node and it seems to be working and elasticsearch is coming up using HTTPS and shows secured however now the issue is with Kibana.
I'm using the same certificates and root_ca.pem and it says "Error: [config validation of [server].ssl.cert]: definition for this key is missing"
Below is my Kibana yml file. Can you check and advise if I'm doing anything wrong? I'm using the node certificates path
elasticsearch.hosts: https://CZASMV-MSELK003:9200
server.host: "CZASMV-MSELK003"
server.port: 5601
elasticsearch.ssl.verificationMode: none
server.ssl.cert: C:\opendistroforelasticsearch_kibana\config\CZASMV-MSELK003.pem
server.ssl.key: C:\opendistroforelasticsearch_kibana\config\CZASMV-MSELK003_key_pkcs8.pem
elasticsearch.ssl.certificateAuthorities: C:\OpenDistroForElasticsearchKibana\config\root_ca.pem
elasticsearch.username: admin
elasticsearch.password: admin
elasticsearch.requestHeadersWhitelist: ["securitytenant","Authorization"]
opendistro_security.multitenancy.enabled: true
opendistro_security.multitenancy.tenants.preferred: ["Private", "Global"]
opendistro_security.readonly_mode.roles: ["kibana_read_only"]
# Use this setting if you are running kibana without https
opendistro_security.cookie.secure: false
newsfeed.enabled: false
telemetry.optIn: false
telemetry.enabled: false
security.showInsecureClusterWarning: false
# To configure a WMS map server for use with Kibana, see:
# https://opendistro.github.io/for-elasticsearch-docs/docs/kibana/maptiles/
map.includeElasticMapsService: false
Thanks for your help
Hi @shaimoh
According to the provided error, the definition for the server.ssl.cert key doesn't exist, and that is correct. As per documentation, the valid key name is server.ssl.certificate.
@shaimoh in regards to your previous questions.
opendistro_security.authcz.admin_dn lists all users who are allowed to execute admin tasks in the cluster using API requests (i.e. restore the .opendistro_security index)
curl -k --cert ./kirk.pem --key ./kirk-key.pem -XPOST 'https://localhost:9200/_snapshot/my-repository/3/_restore?pretty'
To execute the above command you'll need a client SSL certificate which will have the following in its settings.
- CN=kirk,OU=client,O=client,L=test, C=de
Further information in regards to DName's elements you can find here
The admin certificate is a client certificate. The main difference between client and node (server) certificate is that the client cert is used to authenticate the user/client (API calls to server) and server certificate validates server identity.
Both certificates have different CN and SAN (subject alternative names) to match the server/client name.
You can compare the node and admin demo certs content by using the below commands.
openssl x509 -in <path_to_admin.cert> -text -noout
openssl x509 -in <path_to_server.cert> -text -noout
Hope this helps.
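As an added example for this thread (not code from the posts or from the Open Distro project), the two `openssl x509` commands above are wrapped into small checks: whether a certificate's subject matches the configured admin_dn, and which SANs it carries. The certificate files and the hostname node1.example.test are constructed for the demo.

```shell
#!/bin/sh
# Added example for this thread (not code from the forum posts or the Open Distro
# project). It wraps the two `openssl x509` commands above into small checks:
# does a certificate's subject match the configured admin_dn, and which SANs
# does it carry. File names and hostnames below are constructed for the demo.

# Value copied from the thread's opendistro_security.authcz.admin_dn entry.
ADMIN_DN='CN=kirk,OU=client,O=client,L=test, C=de'

# Generate a throwaway self-signed cert: $1 = output basename,
# $2 = subject in OpenSSL slash form, $3 = optional SAN list (e.g. DNS:host).
make_test_cert() {
    if [ -n "$3" ]; then
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "$2" \
            -addext "subjectAltName=$3" -keyout "$1-key.pem" -out "$1.pem" >/dev/null 2>&1
    else
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "$2" \
            -keyout "$1-key.pem" -out "$1.pem" >/dev/null 2>&1
    fi
}

# Print the subject in RFC 2253 order (CN first), the order admin_dn is written in.
cert_subject_dn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

# Drop optional whitespace after commas so "L=test, C=de" and "L=test,C=de" compare equal.
normalize_dn() {
    printf '%s\n' "$1" | sed 's/, */,/g'
}

# Succeed only when the cert's subject is exactly the configured admin DN.
# The security plugin grants admin rights on this match, so a typo in either
# place silently demotes the admin cert to an ordinary client cert.
is_admin_cert() {
    [ "$(normalize_dn "$(cert_subject_dn "$1")")" = "$(normalize_dn "$ADMIN_DN")" ]
}

# Print the Subject Alternative Names as one comma-separated list; node (server)
# certs must carry the hostname here, while a client/admin cert normally has none.
cert_sans() {
    openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null | sed -n '2,$p' | tr -d ' '
}
```

Run `is_admin_cert kirk.pem` against your own admin cert and `cert_sans` against a node cert; a node cert whose SAN does not contain the hostname in elasticsearch.hosts is what Kibana's certificate verification would reject once verificationMode is no longer `none`.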
Hi @pablo
Thanks a lot for the clear information. Now I understood the difference.
Can this be added to the opendistro documentation? It would clearly solve a lot of questions.
Thanks again for your help. Let me try getting a client certificate for my server