Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):
What I’ve Tried:
Verified the keystore and truststore files are correctly generated and placed in the /usr/share/opensearch/config/certs/ directory of the container.
Confirmed the Subject Alternative Names (SANs) for all node hostnames are correctly included in the certificates.
Ensured that transport client authentication settings were removed from the opensearch.yml file.
Tried restarting the containers to apply the new configurations.
Questions:
Is there any additional configuration needed to ensure that SSL/TLS is correctly applied for node-to-node communication without relying on the transport client authentication?
Does anyone have experience configuring SSL/TLS in OpenSearch clusters with Docker? Any help or suggestions would be appreciated!
Thanks in advance for your support!
Describe the issue:
Hi all,
I’m in the process of setting up an OpenSearch cluster using Docker containers. I’m using the same keystore.jks and truststore.jks files for all the nodes in the cluster to handle SSL/TLS encryption for secure communication. However, after configuring SSL/TLS and restarting the nodes, I’m running into the following error:
[2024-11-06T10:17:36,262][ERROR][o.o.s.t.SecurityRequestHandler] [opensearch-master1] OpenSearchException[Transport client authentication no longer supported.]
[2024-11-06T10:17:36,099][WARN ][o.o.d.HandshakingTransportAddressConnector] [opensearch-master1] handshake failed for [connectToRemoteMasterNode[172.19.0.5:9300]]
Configuration:
Context of the Setup:
I’m deploying the cluster with multiple nodes (master, data, and client).
I’m using keystore-modified.jks for the keystore and truststore-complete.jks for the truststore, which I’ve shared across all the nodes.
I have configured plugins.security.ssl.transport settings in opensearch.yml for SSL/TLS communication between the nodes.
Key SSL/TLS Configuration in opensearch.yml:
plugins.security.ssl.transport.enabled: true
plugins.security.ssl.transport.keystore_type: JKS
plugins.security.ssl.transport.keystore_filepath: certs/keystore-modified.jks
plugins.security.ssl.transport.keystore_password: your-keystore-password
plugins.security.ssl.transport.truststore_type: JKS
plugins.security.ssl.transport.truststore_filepath: certs/truststore-complete.jks
plugins.security.ssl.transport.truststore_password: your-truststore-password
Relevant Logs or Screenshots:
Mantas
November 6, 2024, 12:07pm
2
Hi @Govind12, try changing the port to 9200.
Could you share your full opensearch.yml?
Best,
mj
I haven't defined ports, it's using the default port for it.
Here is the opensearch.yml:
plugins.security.ssl.transport.enabled: true
plugins.security.ssl.transport.keystore_type: "JKS"
plugins.security.ssl.transport.keystore_filepath: "certs/keystore-modified.jks"
plugins.security.ssl.transport.keystore_alias: "first-alias" # Replace with the actual alias if applicable
plugins.security.ssl.transport.keystore_password: "changeit"
plugins.security.ssl.transport.truststore_type: "JKS"
plugins.security.ssl.transport.truststore_filepath: "certs/truststore-complete.jks"
plugins.security.ssl.transport.truststore_alias: "" # Replace with the actual alias if applicable
plugins.security.ssl.transport.truststore_password: "changeit"
Here is opensearch-docker-compose file:
version: '3'
services:
  opensearch-master1:
    image: opensearchproject/opensearch:2.17.1
    container_name: opensearch-master1
    environment:
      - cluster.name=opensearch-cluster
      - node.name=opensearch-master1
      - discovery.seed_hosts=opensearch-master1,opensearch-master2,opensearch-master3
      - cluster.initial_cluster_manager_nodes=opensearch-master1,opensearch-master2,opensearch-master3
      - network.host=0.0.0.0
      - bootstrap.memory_lock=true
      - "OPENSEARCH_JAVA_OPTS=-Xms1g -Xmx1g"
      - "DISABLE_INSTALL_DEMO_CONFIG=true"
      - "DISABLE_SECURITY_PLUGIN=false" # false = keep the security plugin enabled
      - OPENSEARCH_INITIAL_ADMIN_PASSWORD=${OPENSEARCH_INITIAL_ADMIN_PASSWORD}
    ulimits:
      memlock:
        soft: -1
        hard: -1
      nofile:
        soft: 65536
        hard: 65536
    volumes:
      - ./opensearch-data/opensearch_opensearch-master-data1:/usr/share/opensearch/data:rw
      - ./config/opensearch.yml:/usr/share/opensearch/config/opensearch.yml
      - ./certs:/usr/share/opensearch/config/certs
    ports:
      - 9201:9200
      - 9601:9600
    networks:
      - opensearch-net
  opensearch-master2:
    image: opensearchproject/opensearch:2.17.1
    container_name: opensearch-master2
    environment:
      - cluster.name=opensearch-cluster
      - node.name=opensearch-master2
      - discovery.seed_hosts=opensearch-master1,opensearch-master2,opensearch-master3
      - cluster.initial_cluster_manager_nodes=opensearch-master1,opensearch-master2,opensearch-master3
      - network.host=0.0.0.0
      - bootstrap.memory_lock=true
      - "OPENSEARCH_JAVA_OPTS=-Xms1g -Xmx1g"
      - "DISABLE_INSTALL_DEMO_CONFIG=true"
      - "DISABLE_SECURITY_PLUGIN=false" # false = keep the security plugin enabled
      - OPENSEARCH_INITIAL_ADMIN_PASSWORD=${OPENSEARCH_INITIAL_ADMIN_PASSWORD}
    ulimits:
      memlock:
        soft: -1
        hard: -1
      nofile:
        soft: 65536
        hard: 65536
    volumes:
      - ./opensearch-data/opensearch_opensearch-master-data2:/usr/share/opensearch/data:rw
      - ./config/opensearch.yml:/usr/share/opensearch/config/opensearch.yml
      - ./certs:/usr/share/opensearch/config/certs
    ports:
      - 9202:9200
      - 9602:9600
    networks:
      - opensearch-net
  opensearch-master3:
    image: opensearchproject/opensearch:2.17.1
    container_name: opensearch-master3
    environment:
      - cluster.name=opensearch-cluster
      - node.name=opensearch-master3
      - discovery.seed_hosts=opensearch-master1,opensearch-master2,opensearch-master3
      - cluster.initial_cluster_manager_nodes=opensearch-master1,opensearch-master2,opensearch-master3
      - network.host=0.0.0.0
      - bootstrap.memory_lock=true
      - "OPENSEARCH_JAVA_OPTS=-Xms1g -Xmx1g"
      - "DISABLE_INSTALL_DEMO_CONFIG=true"
      - "DISABLE_SECURITY_PLUGIN=false" # false = keep the security plugin enabled
      - OPENSEARCH_INITIAL_ADMIN_PASSWORD=${OPENSEARCH_INITIAL_ADMIN_PASSWORD}
    ulimits:
      memlock:
        soft: -1
        hard: -1
      nofile:
        soft: 65536
        hard: 65536
    volumes:
      - ./opensearch-data/opensearch_opensearch-master-data3:/usr/share/opensearch/data:rw
      - ./config/opensearch.yml:/usr/share/opensearch/config/opensearch.yml
      - ./certs:/usr/share/opensearch/config/certs
    ports:
      - 9203:9200
      - 9603:9600
    networks:
      - opensearch-net
  # Data Nodes
  opensearch-data1:
    image: opensearchproject/opensearch:2.17.1
    container_name: opensearch-data1
    environment:
      - cluster.name=opensearch-cluster
      - node.name=opensearch-data1
      - node.roles=data
      - discovery.seed_hosts=opensearch-master1,opensearch-master2,opensearch-master3
      - network.host=0.0.0.0
      - bootstrap.memory_lock=true
      - "OPENSEARCH_JAVA_OPTS=-Xms2g -Xmx2g"
      - "DISABLE_INSTALL_DEMO_CONFIG=true"
      - "DISABLE_SECURITY_PLUGIN=false"
      - OPENSEARCH_INITIAL_ADMIN_PASSWORD=${OPENSEARCH_INITIAL_ADMIN_PASSWORD}
    ulimits:
      memlock:
        soft: -1
        hard: -1
      nofile:
        soft: 65536
        hard: 65536
    volumes:
      - ./opensearch-data/opensearch_opensearch-data1:/usr/share/opensearch/data:rw
      - ./config/opensearch.yml:/usr/share/opensearch/config/opensearch.yml
      - ./certs:/usr/share/opensearch/config/certs
    ports:
      - 9204:9200
      - 9604:9600
    networks:
      - opensearch-net
  opensearch-data2:
    image: opensearchproject/opensearch:2.17.1
    container_name: opensearch-data2
    environment:
      - cluster.name=opensearch-cluster
      - node.name=opensearch-data2
      - node.roles=data
      - discovery.seed_hosts=opensearch-master1,opensearch-master2,opensearch-master3
      - network.host=0.0.0.0
      - bootstrap.memory_lock=true
      - "OPENSEARCH_JAVA_OPTS=-Xms2g -Xmx2g"
      - "DISABLE_INSTALL_DEMO_CONFIG=true"
      - "DISABLE_SECURITY_PLUGIN=false"
      - OPENSEARCH_INITIAL_ADMIN_PASSWORD=${OPENSEARCH_INITIAL_ADMIN_PASSWORD}
    ulimits:
      memlock:
        soft: -1
        hard: -1
      nofile:
        soft: 65536
        hard: 65536
    volumes:
      - ./opensearch-data/opensearch_opensearch-data2:/usr/share/opensearch/data:rw
      - ./config/opensearch.yml:/usr/share/opensearch/config/opensearch.yml
      - ./certs:/usr/share/opensearch/config/certs
    ports:
      - 9205:9200
      - 9605:9600
    networks:
      - opensearch-net
  opensearch-data3:
    image: opensearchproject/opensearch:2.17.1
    container_name: opensearch-data3
    environment:
      - cluster.name=opensearch-cluster
      - node.name=opensearch-data3
      - node.roles=data
      - discovery.seed_hosts=opensearch-master1,opensearch-master2,opensearch-master3
      - network.host=0.0.0.0
      - bootstrap.memory_lock=true
      - "OPENSEARCH_JAVA_OPTS=-Xms2g -Xmx2g"
      - "DISABLE_INSTALL_DEMO_CONFIG=true"
      - "DISABLE_SECURITY_PLUGIN=false"
      - OPENSEARCH_INITIAL_ADMIN_PASSWORD=${OPENSEARCH_INITIAL_ADMIN_PASSWORD}
    ulimits:
      memlock:
        soft: -1
        hard: -1
      nofile:
        soft: 65536
        hard: 65536
    volumes:
      - ./opensearch-data/opensearch_opensearch-data3:/usr/share/opensearch/data:rw
      - ./config/opensearch.yml:/usr/share/opensearch/config/opensearch.yml
      - ./certs:/usr/share/opensearch/config/certs
    ports:
      - 9206:9200
      - 9606:9600
    networks:
      - opensearch-net
  opensearch-client1:
    image: opensearchproject/opensearch:2.17.1
    container_name: opensearch-client1
    environment:
      - cluster.name=opensearch-cluster
      - node.name=opensearch-client1
      - node.roles=ingest,remote_cluster_client
      - discovery.seed_hosts=opensearch-master1,opensearch-master2,opensearch-master3
      - cluster.initial_cluster_manager_nodes=opensearch-master1,opensearch-master2,opensearch-master3
      - network.host=0.0.0.0
      - bootstrap.memory_lock=true
      - "OPENSEARCH_JAVA_OPTS=-Xms1g -Xmx1g"
      - "DISABLE_INSTALL_DEMO_CONFIG=true"
      - "DISABLE_SECURITY_PLUGIN=false" # false = keep the security plugin enabled
      - OPENSEARCH_INITIAL_ADMIN_PASSWORD=${OPENSEARCH_INITIAL_ADMIN_PASSWORD}
    ulimits:
      memlock:
        soft: -1
        hard: -1
      nofile:
        soft: 65536
        hard: 65536
    volumes:
      - ./config/opensearch.yml:/usr/share/opensearch/config/opensearch.yml
      - ./certs:/usr/share/opensearch/config/certs
    ports:
      - 9207:9200
      - 9607:9600
    networks:
      - opensearch-net
  opensearch-client2:
    image: opensearchproject/opensearch:2.17.1
    container_name: opensearch-client2
    environment:
      - cluster.name=opensearch-cluster
      - node.name=opensearch-client2
      - node.roles=ingest,remote_cluster_client
      - discovery.seed_hosts=opensearch-master1,opensearch-master2,opensearch-master3
      - cluster.initial_cluster_manager_nodes=opensearch-master1,opensearch-master2,opensearch-master3
      - network.host=0.0.0.0
      - bootstrap.memory_lock=true
      - "OPENSEARCH_JAVA_OPTS=-Xms1g -Xmx1g"
      - "DISABLE_INSTALL_DEMO_CONFIG=true"
      - "DISABLE_SECURITY_PLUGIN=false" # false = keep the security plugin enabled
      - OPENSEARCH_INITIAL_ADMIN_PASSWORD=${OPENSEARCH_INITIAL_ADMIN_PASSWORD}
    ulimits:
      memlock:
        soft: -1
        hard: -1
      nofile:
        soft: 65536
        hard: 65536
    volumes:
      # - opensearch-client-data2:/usr/share/opensearch/data
      - ./config/opensearch.yml:/usr/share/opensearch/config/opensearch.yml
      - ./certs:/usr/share/opensearch/config/certs
    ports:
      - 9208:9200
      - 9608:9600
    networks:
      - opensearch-net
  opensearch-dashboards:
    image: opensearchproject/opensearch-dashboards:2.17.1
    container_name: opensearch-dashboards
    environment:
      - 'OPENSEARCH_HOSTS=["http://opensearch-master1:9200","http://opensearch-master2:9200","http://opensearch-master3:9200"]'
      - "DISABLE_SECURITY_DASHBOARDS_PLUGIN=false" # false = keep the Dashboards security plugin enabled
      - OPENSEARCH_INITIAL_ADMIN_PASSWORD=${OPENSEARCH_INITIAL_ADMIN_PASSWORD}
    ports:
      - 5601:5601
    networks:
      - opensearch-net
    volumes:
      - ./opensearch-dashboards.yml:/usr/share/opensearch-dashboards/config/opensearch-dashboards.yml
volumes:
  opensearch_opensearch-master-data1:
  opensearch_opensearch-master-data2:
  opensearch_opensearch-master-data3:
  opensearch_opensearch-data1:
  opensearch_opensearch-data2:
  opensearch_opensearch-data3:
networks:
  opensearch-net:
Mantas
November 8, 2024, 1:49pm
5
Hi @Govind12 ,
Could you please confirm the values in your opensearch.yml for plugins.security.nodes_dn, and the DNs for your node certs?
best,
mj
1 Like
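The question above about plugins.security.nodes_dn is the check worth automating: the security plugin treats a transport peer as a cluster node only when the subject DN of the certificate it presents matches an entry in that list, and a peer that does not match is handled as a (no longer supported) transport client. The following Python script is an added example for this thread, not code from OpenSearch or from the poster. It assumes the documented matching rules for nodes_dn entries (a literal DN, `*` as a wildcard, or a `/.../` regular expression) and normalises whitespace and attribute-type case before comparing; the nodes_dn list and the node DNs in it are constructed sample values.

```python
"""Check which node-certificate subject DNs an OpenSearch
`plugins.security.nodes_dn` list would accept.

Added example, not from OpenSearch or the forum poster. Assumed rules:
an entry matches a DN literally, `*` is a wildcard, and /.../ is a
regular expression applied to the whole (normalised) DN. Normalisation
strips whitespace around RDN separators and upper-cases attribute types;
escaped commas are respected, multi-valued RDNs are not handled.
"""
import re
from typing import Callable, Dict, List

# Split on commas that are not escaped with a backslash.
_RDN_SPLIT = re.compile(r"(?<!\\),")


def normalize_dn(dn: str) -> str:
    """Canonicalise a DN string: 'cn = x , o=y' -> 'CN=x,O=y'."""
    rdns = []
    for rdn in _RDN_SPLIT.split(dn):
        attr, sep, value = rdn.partition("=")
        if not sep:  # bare token such as a lone '*' pattern
            rdns.append(rdn.strip())
            continue
        rdns.append(f"{attr.strip().upper()}={value.strip()}")
    return ",".join(rdns)


def nodes_dn_matcher(entry: str) -> Callable[[str], bool]:
    """Compile one nodes_dn entry into a predicate over normalised DNs."""
    entry = entry.strip()
    if len(entry) > 1 and entry.startswith("/") and entry.endswith("/"):
        # /.../ entries are regular expressions matched against the whole DN.
        pattern = re.compile(entry[1:-1])
    else:
        # Literal entry: every '*' becomes '.*', everything else is escaped.
        parts = normalize_dn(entry).split("*")
        pattern = re.compile(".*".join(re.escape(p) for p in parts))
    return lambda dn: pattern.fullmatch(dn) is not None


def check_nodes(nodes_dn: List[str], node_cert_dns: Dict[str, str]) -> Dict[str, bool]:
    """Map each node name to whether its certificate DN is accepted."""
    matchers = [nodes_dn_matcher(e) for e in nodes_dn]
    return {
        node: any(m(normalize_dn(dn)) for m in matchers)
        for node, dn in node_cert_dns.items()
    }


def untrusted_nodes(nodes_dn: List[str], node_cert_dns: Dict[str, str]) -> List[str]:
    """Nodes whose certificate would NOT be recognised as a cluster node."""
    return sorted(n for n, ok in check_nodes(nodes_dn, node_cert_dns).items() if not ok)


# Constructed sample: a nodes_dn list and the subject DNs of each node's cert.
SAMPLE_NODES_DN = [
    "CN=opensearch-master1,OU=nodes,O=example,C=US",
    "CN=opensearch-data*,OU=nodes,O=example,C=US",
    "/CN=opensearch-client[0-9]+,OU=nodes,O=example,C=US/",
]
SAMPLE_NODE_CERT_DNS = {
    "opensearch-master1": "CN=opensearch-master1, OU=nodes, O=example, C=US",
    "opensearch-master2": "CN=opensearch-master2,OU=nodes,O=example,C=US",
    "opensearch-data1": "cn=opensearch-data1,ou=nodes,o=example,c=US",
    "opensearch-client1": "CN=opensearch-client1,OU=nodes,O=example,C=US",
}

if __name__ == "__main__":
    for node, ok in check_nodes(SAMPLE_NODES_DN, SAMPLE_NODE_CERT_DNS).items():
        print(f"{node:20s} {'trusted node' if ok else 'NOT matched by nodes_dn'}")
    # The shared-keystore case from the thread: every node presents one DN,
    # so that single DN has to be listed for any node-to-node handshake to work.
    shared = {n: "CN=opensearch-shared,OU=nodes,O=example,C=US" for n in SAMPLE_NODE_CERT_DNS}
    print("shared cert, not listed:", untrusted_nodes(SAMPLE_NODES_DN, shared))
    print("shared cert, listed:    ",
          untrusted_nodes(SAMPLE_NODES_DN + ["CN=opensearch-shared,OU=nodes,O=example,C=US"], shared))
```

To feed it real values, read the subject DN of the node certificate from the keystore (for example the Owner line printed by `keytool -list -v -keystore keystore-modified.jks`) and paste it as the node's DN; if the script reports the node as not matched, the transport handshake will be refused for the same reason, whatever the SANs say.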