Error 401: OpenSearch Dashboards/OpenSearch Custom CA

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):
opensearch:2.19.1
opensearch-dashboards:2.19.1

Describe the issue:
Hello,
The SSO between OpenSearch and Dashboards worked with a Keycloak equipped with a public certificate. I had to migrate the Keycloak internally with a custom CA, and it no longer works. I entered the root-ca in my dashboard configuration, and it starts up fine, sending me to the Keycloak login. But after authentication, I get a 401 error in OpenSearch.
All the crt files are there and functional with curl "--cacert" to check the link with Keycloak. But nothing works. I even tried to put all the crt files in the keystore and point to them: nothing either.

Thanks in advance for your help, please!!

Configuration:
I did mention the CA in config.xml:

config.yml: |
  _meta:
    type: "config"
    config_version: 2

  config:
    dynamic:
      http:
        anonymous_auth_enabled: false
      authc:
        basic_internal_auth_domain:
          description: "Authenticate via HTTP Basic against internal users database"
          http_enabled: true
          transport_enabled: true
          order: 0
          http_authenticator:
            type: "basic"
            challenge: false
          authentication_backend:
            type: "internal"

        oidc_auth_domain:
          description: "Authenticate via OIDC (OpenID Connect)"
          http_enabled: true
          transport_enabled: true
          order: 1
          http_authenticator:
            type: "openid"
            challenge: true
            config:
              enable_ssl: true
              pemtrustedcas_filepath: "/usr/share/opensearch/config/root-ca/keycloak.crt"  # emphasized by the poster
              subject_key: "preferred_username"
              roles_key: "roles"
              openid_connect_url: "https://iam.trucmuch.local/realms/env1/.well-known/openid-configuration"
              client_id: "yyyyyyyyyyyyy"
              client_secret: "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
              verify_hostnames: false
          authentication_backend:
            type: "noop"
---
  opensearch_dashboards.yml: |
    logging.verbose: true
    server:
      name: dashboards
      host: 0.0.0.0
      customResponseHeaders: { "Access-Control-Allow-Credentials": "true" }
      ssl:
        enabled: true
        key: /usr/share/dashboards/certs/tls.key
        certificate: /usr/share/dashboards/certs/tls.crt

    opensearch_security:
      cookie.secure: true
      auth:
        type: ["basicauth","openid"]
        multiple_auth_enabled: true
      ui:
        openid.login.buttonname: "Login with Keycloak dataplatform"
      openid:
        connect_url: "https://iam.trucmuch.local/realms/env1/.well-known/openid-configuration"
        base_redirect_url: "https://opensearch.trucmuch.local"
        client_id: "yyyyyyyyyyyyy"
        root_ca: /usr/share/opensearch/root-ca/keycloak.crt  # emphasized by the poster
        client_secret: "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
        verify_hostnames: false
        header: Authorization
        scope: "openid profile email"
        trust_dynamic_headers: "true"
        refresh_tokens: false
      multitenancy:
          enabled: true
          tenants.preferred: ["Private", "Global"]

    opensearch:
      requestHeadersWhitelist: [ "securitytenant", "Authorization" ]
      hosts: [ "https://opensearch-database-coordinator.opensearch.svc.cluster.local:9200" ]
      ssl:
        verificationMode: none
        certificateAuthorities: [ "/usr/share/opensearch/config/tls-http/ca.crt" ]
      username: "zzzzz"
      password: "zzzzz"
      requestTimeout: 300000
      shardTimeout: 300000
      pingTimeout: 1500

Relevant Logs or Screenshots:

[2025-05-16T06:26:22,067][WARN ][o.o.s.h.HTTPBasicAuthenticator] [opensearch-database-coordinator-0] No 'Basic Authorization' header, send 401 and 'WWW-Authenticate Basic'
[2025-05-16T06:26:22,113][DEBUG][c.a.d.a.h.j.k.SelfRefreshingKeySet] [opensearch-database-coordinator-0] performRefresh(SZpCKM8JgIv6xvwB-GXyQ78mqg0w8wBRG6xog479M6Q)
[2025-05-16T06:26:22,113][INFO ][c.a.d.a.h.j.k.SelfRefreshingKeySet] [opensearch-database-coordinator-0] Performing refresh 1
[2025-05-16T06:26:22,227][INFO ][c.a.d.a.h.j.AbstractHTTPJwtAuthenticator] [opensearch-database-coordinator-0] com.amazon.dlic.auth.http.jwt.keybyoidc.AuthenticatorUnavailableException: Authentication backend failed
[2025-05-16T06:26:22,228][WARN ][o.o.s.a.BackendRegistry  ] [opensearch-database-coordinator-0] Authentication finally failed for null from 10.233.97.129:56564
[2025-05-16T06:26:22,227][WARN ][c.a.d.a.h.j.k.SelfRefreshingKeySet] [opensearch-database-coordinator-0] KeySetProvider threw error
com.amazon.dlic.auth.http.jwt.keybyoidc.AuthenticatorUnavailableException: Error while getting https://iam.trucmuch.local/realms/env1/.well-known/openid-configuration: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at com.amazon.dlic.auth.http.jwt.keybyoidc.KeySetRetriever.getJwksUri(KeySetRetriever.java:167) ~[opensearch-security-2.19.1.0.jar:2.19.1.0]
	at com.amazon.dlic.auth.http.jwt.keybyoidc.KeySetRetriever.get(KeySetRetriever.java:72) ~[opensearch-security-2.19.1.0.jar:2.19.1.0]
	at com.amazon.dlic.auth.http.jwt.keybyoidc.SelfRefreshingKeySet$1.run(SelfRefreshingKeySet.java:213) [opensearch-security-2.19.1.0.jar:2.19.1.0]
	at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:572) [?:?]
	at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:317) [?:?]
	at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1144) [?:?]
	at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:642) [?:?]
	at java.base/java.lang.Thread.run(Thread.java:1583) [?:?]
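
The posted log ties the 401 to the OpenSearch node failing its TLS handshake with Keycloak while fetching the OIDC discovery document. The triage script below is an added example, not code from the post or from the OpenSearch project; the finding labels and every JDK message substring other than the PKIX one are assumptions, and the sample is constructed from the posted log.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: three records (one with exception text and a stack frame) from the posted log.
SAMPLE_LOG = """\
[2025-05-16T06:26:22,113][INFO ][c.a.d.a.h.j.k.SelfRefreshingKeySet] [opensearch-database-coordinator-0] Performing refresh 1
[2025-05-16T06:26:22,228][WARN ][o.o.s.a.BackendRegistry  ] [opensearch-database-coordinator-0] Authentication finally failed for null from 10.233.97.129:56564
[2025-05-16T06:26:22,227][WARN ][c.a.d.a.h.j.k.SelfRefreshingKeySet] [opensearch-database-coordinator-0] KeySetProvider threw error
com.amazon.dlic.auth.http.jwt.keybyoidc.AuthenticatorUnavailableException: Error while getting https://iam.trucmuch.local/realms/env1/.well-known/openid-configuration: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
\tat com.amazon.dlic.auth.http.jwt.keybyoidc.KeySetRetriever.getJwksUri(KeySetRetriever.java:167) ~[opensearch-security-2.19.1.0.jar:2.19.1.0]
"""
HEADER = re.compile(r"^\[(?P<ts>[^\]]+)\]\[(?P<level>\w+)\s*\]\[(?P<logger>[^\]]+?)\s*\] "
                    r"\[(?P<node>[^\]]+)\] (?P<msg>.*)$")
FETCH_ERR = re.compile(r"AuthenticatorUnavailableException: Error while getting "
                       r"(?P<url>\S+): (?P<cause>.+)")
# JDK message substring -> finding; only the PKIX one is in the post, the rest are assumed.
CAUSES = [("PKIX path building failed", "ca-not-trusted"),
          ("No subject alternative", "hostname-mismatch"),
          ("UnknownHostException", "dns-failure"),
          ("Connection refused", "idp-unreachable")]

def records(text):
    """Attach continuation lines (exception text, stack frames) to their header record."""
    out = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            out.append({**m.groupdict(), "extra": []})
        elif out:
            out[-1]["extra"].append(line)
    return out

def triage(text):
    """One finding per failed discovery fetch, with the rejected logins seen on that node."""
    recs, findings = records(text), []
    for rec in recs:
        for line in [rec["msg"], *rec["extra"]]:
            m = FETCH_ERR.search(line)
            if m:
                kind = next((k for s, k in CAUSES if s in m["cause"]), "other")
                rejected = sum(r["node"] == rec["node"] and r["logger"].endswith("BackendRegistry")
                               and "Authentication finally failed" in r["msg"] for r in recs)
                findings.append({"node": rec["node"], "idp_host": urlsplit(m["url"]).hostname,
                                 "kind": kind, "rejected_logins": rejected})
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

A `ca-not-trusted` finding means the node's JVM could not build a chain for the IdP certificate from the CAs its OIDC authenticator loaded, so the Dashboards `root_ca` setting has no effect on it. The OpenSearch Security documentation lists the authenticator's IdP TLS settings under an `openid_connect_idp` block, which is worth comparing with where those keys sit in the node's `config.yml`.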

@aresbeut Did you resolve your issue with the Keycloak and cert?