How can I authenticate my Opensearch users with client certificate


Can I configure Opensearch Dashboards to use client cert auth? I don’t know if I have understood the documentation, because no certificate is required on the Opensearch Dashboard and no user works.


Opensearch Dashboard config.yml
server.port: 5601 "os-node-02"
opensearch.hosts: ["https://os-node-03:9200", "https://os-node-01:9200", "https://os-node-02:9200"]
opensearch.ssl.verificationMode: full
opensearch.username: "kibanaserver"
opensearch.password: "XXX"
opensearch.requestHeadersWhitelist: [ authorization,securitytenant ]
server.ssl.enabled: true
server.ssl.certificate: /usr/share/opensearch-dashboards/config/node.pem
server.ssl.key: /usr/share/opensearch-dashboards/config/node-key.pem
opensearch.ssl.certificate: /usr/share/opensearch-dashboards/config/client-cert.pem
opensearch.ssl.key: /usr/share/opensearch-dashboards/config/client-cert-key.pem
opensearch.ssl.certificateAuthorities: ["/usr/share/opensearch-dashboards/config/root-ca.pem"]
opensearch_security.multitenancy.enabled: false
opensearch_security.readonly_mode.roles: ["kibana_read_only"] true

Opensearch Node config.yml

network.publish_host: os-cluster os-node-01
discovery.seed_hosts: ["", "", ""]
cluster.initial_master_nodes: ["os-node-01", "os-node-02", "os-node-03"]
bootstrap.memory_lock: true # along with the memlock settings below, disables swapping
action.auto_create_index: true
compatibility.override_main_response_version: true

### Security true node.pem node-key.pem root-ca.pem true true REQUIRE node.pem node-key.pem root-ca.pem
  - 'CN=ADMIN,O=Org,L=Paris,ST=Ile de France,C=FR'
  - 'CN=os-node-01,O=Org,L=Paris,ST=Ile de France,C=FR'
  - 'CN=os-node-02,O=Org,L=Paris,ST=Ile de France,C=FR'
  - 'CN=os-node-03,O=Org,L=Paris,ST=Ile de France,C=FR' internal_opensearch true true ["all_access", "security_rest_api_access"] true [".opendistro-alerting-config", ".opendistro-alerting-alert*", ".opendistro-anomaly-results*", ".opendistro-anomaly-detector*", ".opendistro-anomaly-checkpoints", ".opendistro-anomaly-detection-state", ".opendistro-reports-*", ".opendistro-notifications-*", ".opendistro-notebooks", ".opendistro-asynchronous-search-response*"]

Opensearch securityplugin config.yml


  type: "config"
  config_version: 2

      anonymous_auth_enabled: false
        enabled: false
        description: "Authenticate via SSL client certificates"
        http_enabled: true
        transport_enabled: true
        order: 1
          type: clientcert
            username_attribute: cn
          challenge: false
          type: noop

Moved to security category.

What errors are you seeing?
There are a couple of things to note here:
I see you disabled basic_auth in config.yml, yet listed a username and password in Dashboard.yml, which wouldn’t be necessary if you are using client_auth.

Have you mapped the client cn to the appropriate security role via the roles_mapping.yml file?

Also, since basic_auth is disabled, which way will users sign in once opensearchDashboards is up and running?
I would recommend enabling basic_auth so that users can log in and be assigned the relevant permissions.

Once you share the errors you are seeing, it will be clearer where to go next.

Hello @Anthony,

I haven’t got any errors, I just want to configure Opensearch Dashboard to authenticate users with a client certificate, like PKI user authentication | Elasticsearch Guide [8.4] | Elastic, but I don’t know if it is possible.

I already enabled mTLS authentication between Elasticsearch and Kibana.

When I set server.ssl.clientAuthentication to true, the request is cancelled and nothing works.

When I set opensearch.ssl.alwaysPresentCertificate to true, Opensearch Dashboard accepts any login/password and authenticates the user with the certificate defined in the variable opensearch.ssl.certificate, but this is the same variable used to communicate with Elasticsearch and it cannot be overridden by the browser.

Do you understand what I want to do? But I’m not sure it is possible.


@acamilleri This does not seem to be currently supported by opensearch. The users can directly connect to elasticsearch using certificates, or opensearchDashboards can authenticate via certificate with opensearch.

I would recommend raising a feature request.

Hope this helps
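
For the path the reply above describes as supported (a client authenticating directly to OpenSearch with its certificate), a configuration along these lines ties the settings discussed in this thread together. It is an added example, not the poster's configuration or part of the original thread; the `readall` mapping and the user `jdoe` are assumptions, and basic auth is left enabled as suggested earlier in the thread.

```yaml
# --- opensearch.yml (each node) ---
# REQUIRE (the value in the node config above) rejects HTTPS clients that
# present no certificate; OPTIONAL also lets password-only clients connect.
plugins.security.ssl.http.clientauth_mode: REQUIRE

# --- security plugin config.yml ---
_meta:
  type: "config"
  config_version: 2
config:
  dynamic:
    http:
      anonymous_auth_enabled: false
    authc:
      basic_internal_auth_domain:      # keeps password login for Dashboards users
        http_enabled: true
        transport_enabled: true
        order: 0
        http_authenticator:
          type: basic
          challenge: true
        authentication_backend:
          type: intern
      clientcert_auth_domain:
        description: "Authenticate via SSL client certificates"
        http_enabled: true
        transport_enabled: true
        order: 1
        http_authenticator:
          type: clientcert
          config:
            username_attribute: cn     # user name is taken from the certificate CN
          challenge: false
        authentication_backend:
          type: noop

# --- roles_mapping.yml ---
# "jdoe" is a constructed user name: the CN of a client certificate
# issued by the CA in root-ca.pem.
readall:
  reserved: false
  users:
    - "jdoe"
```

To check the result, request `_plugins/_security/authinfo` on a node while presenting the client certificate and key; the response shows the user name and roles the plugin resolved.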

Ok, thank you for your help :wink:

I opened a feature request:

Have a nice day!