How to configure the OpenSearch cluster with self-signed certificates step by step

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):

OpenSearch version 2.8.0

Describe the issue:

Hi Team, hope you are all doing well.
Can you please give me an overall step-by-step process on how to implement a self-signed certificate within the OpenSearch cluster and OpenSearch Dashboards?
Currently it's running with HTTP set to false and I want to enable it.

Thank you for the help

Hi @raj1209, have you checked this: Configuring TLS certificates - OpenSearch documentation

Hi @Mantas, thank you for the documentation.
I'm new to the concept of configuring TLS at cluster level.

My cluster consists of 4 hot nodes, 1 warm node and 1 master node.

Scenario:

I have a scenario where I have to receive logs from Logstash (which is in a different AWS account) and send them directly to our OpenSearch cluster with TLS.

So I have copied the root certificate to the Logstash output, to be received on one of the hot nodes in the cluster.
For that hot node (for example hot node 2) to receive encrypted logs, this setting must be true:
plugins.security.ssl.http.enabled: true

If this setting is enabled only on hot node 2, sometimes the cluster formation fails,
and I presume this setting activates both the REST and the transport layer as well.
I want one of the hot nodes to receive from Logstash securely. Is it possible to run the cluster without encrypted node-to-node communication?

If it's not possible, I have certain doubts while creating and configuring certificates
on all nodes.

Let's say
I have 4 nodes
Hot node 1 - host name: node1.example.com
Hot node 2 - host name: node2.example.com
Hot node 3 - host name: node3.example.com
Hot node 4 - host name: node4.example.com

I am using openssl to generate the root, node and client certificates.

On hot node 1, I have been generating all these certificates as shown in the documentation.

Step 1: This command generates root-ca-key.pem

openssl genrsa -out root-ca-key.pem 2048

Step 2: This command generates the root CA

openssl req -new -x509 -sha256 -key root-ca-key.pem -out root-ca.pem -days 730

Q1: While executing this command it asks for a CN. Should I give the hot node 1 host name (node1.example.com), since I'm generating these certificates on that node?
The above command generates the root certificate root-ca.pem.

Step 3: Generate an admin CSR

The commands below generate admin-key.pem

openssl genrsa -out admin-key-temp.pem 2048
openssl pkcs8 -inform PEM -outform PEM -in admin-key-temp.pem -topk8 -nocrypt -v1 PBE-SHA1-3DES -out admin-key.pem

While creating a CSR with the command below

openssl req -new -key admin-key.pem -out admin.csr

Q2) It asks for a CN (Common Name). What should I put here: the same hot node 1 hostname, or just any random name which I have to remember? Or is it like a common name for nodes to communicate with each other?

Step 4: Generate admin certificate

openssl x509 -req -in admin.csr -CA root-ca.pem -CAkey root-ca-key.pem -CAcreateserial -sha256 -out admin.pem -days 730

Step 5: Generate node certificate
In the node certificate step:

Q3 ) For all host and client certificates, you should specify a subject alternative name (SAN) to ensure compliance with RFC 2818 (HTTP Over TLS). The SAN should match the corresponding CN so that both refer to the same DNS A record.

I did not understand the above statement.

While generating node or client certificates,
the SAN will be the node hostnames, and how will the corresponding CN match?

I know this is a lot of questions; it would be really helpful for me to understand and set up the whole thing without any questions in mind.

Thank you for reading this whole bunch of questions and thanks for your patience.

Please help me out on this

Hi Team, please do help me on this
Thank you

One thing to keep in mind when dealing with CN(s)/DN(s): you will have to match the DN(s) in your opensearch.yml as per Generating self-signed certificates - OpenSearch documentation

plugins.security.authcz.admin_dn:
  - 'CN=A,OU=UNIT,O=ORG,L=TORONTO,ST=ONTARIO,C=CA'
plugins.security.nodes_dn:
  - 'CN=node1.dns.a-record,OU=UNIT,O=ORG,L=TORONTO,ST=ONTARIO,C=CA'
  - 'CN=node2.dns.a-record,OU=UNIT,O=ORG,L=TORONTO,ST=ONTARIO,C=CA'

You can find steps on how to generate self-signed certificates with a sample script (that references distinguished names in the opensearch.yml section called "Add distinguished names to opensearch.yml").

Please see it here: Generating self-signed certificates - OpenSearch documentation
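Putting the openssl steps from the question (Q1 to Q3) and the DN-matching advice above together, here is an added example that is not from the OpenSearch documentation or from anyone in this thread: a POSIX shell script that creates a root CA, an admin client certificate and one certificate per node, gives each node certificate a SAN carrying the same DNS name as its CN, verifies every certificate against the root, and prints the subject DNs in the form `plugins.security.authcz.admin_dn` and `plugins.security.nodes_dn` expect. The hostnames are the four from the post; the `O`/`OU`/`L`/`ST`/`C` values and the CA label `opensearch-root-ca` are placeholders; OpenSSL 1.1.1 or later is assumed. The root CA's CN is only a label for the CA, the admin CN is free-form but its full DN must be listed verbatim in `admin_dn`, and the node CN is the hostname that also appears in the SAN.

```shell
#!/bin/sh
# Added example (not from the OpenSearch docs or this thread): root CA, admin cert and
# per-node certs whose SAN matches the CN, plus verification. Assumes OpenSSL 1.1.1+.
# Hostnames come from the post; O/OU/L/ST/C values and the CA label are placeholders.
set -eu

# Placeholder DN attributes, listed C -> OU so that RFC 2253 output reads CN first,
# which is the order the OpenSearch sample opensearch.yml uses.
DN_PREFIX="/C=US/ST=STATE/L=CITY/O=ORG/OU=UNIT"

# Generate an RSA key and convert it to unencrypted PKCS#8, the format the security plugin reads.
make_key() {  # $1 = output path
    openssl genrsa -out "$1.tmp" 2048 2>/dev/null
    openssl pkcs8 -inform PEM -outform PEM -in "$1.tmp" -topk8 -nocrypt -out "$1"
    rm -f "$1.tmp"
}

# Issue a certificate signed by the root CA in $1. $2 = file stem, $3 = CN, $4 = SAN (optional).
issue_cert() {
    dir="$1"; stem="$2"; cn="$3"; san="${4:-}"
    make_key "$dir/$stem-key.pem"
    openssl req -new -key "$dir/$stem-key.pem" -subj "$DN_PREFIX/CN=$cn" -out "$dir/$stem.csr"
    # openssl x509 -req does not copy extensions from the CSR, so supply them at signing time.
    if [ -n "$san" ]; then
        printf 'subjectAltName=%s\nextendedKeyUsage=serverAuth,clientAuth\n' "$san" > "$dir/$stem.ext"
    else
        printf 'extendedKeyUsage=clientAuth\n' > "$dir/$stem.ext"
    fi
    openssl x509 -req -in "$dir/$stem.csr" -CA "$dir/root-ca.pem" -CAkey "$dir/root-ca-key.pem" \
        -CAcreateserial -sha256 -days 730 -extfile "$dir/$stem.ext" -out "$dir/$stem.pem" 2>/dev/null
}

# Build the full set in directory $1 for the space-separated hostnames in $2.
gen_cluster_certs() {
    dir="$1"; hosts="$2"
    mkdir -p "$dir"
    # Root CA: its CN is just a label for the CA, not a node hostname (answers Q1).
    make_key "$dir/root-ca-key.pem"
    openssl req -new -x509 -sha256 -key "$dir/root-ca-key.pem" \
        -subj "$DN_PREFIX/CN=opensearch-root-ca" -days 730 -out "$dir/root-ca.pem"
    # Admin client cert: any CN, but the full DN must be listed in plugins.security.authcz.admin_dn (Q2).
    issue_cert "$dir" admin admin
    # Node certs: CN = hostname and SAN = DNS:<same hostname>; each DN goes into plugins.security.nodes_dn (Q3).
    for h in $hosts; do
        issue_cert "$dir" "$h" "$h" "DNS:$h"
    done
}

# Return 0 if $2.pem in $1 chains to the root CA and, when $3 is given, its SAN contains DNS:$3.
check_cert() {
    openssl verify -CAfile "$1/root-ca.pem" "$1/$2.pem" >/dev/null || return 1
    [ -z "${3:-}" ] && return 0
    openssl x509 -in "$1/$2.pem" -noout -text | grep -q "DNS:$3"
}

# Print the subject DN in the comma-separated RFC 2253 form that opensearch.yml expects.
dn_for_yaml() {  # $1 = certificate path
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

# Stand-alone run (sh gen-certs.sh run): build certs for the four hot nodes and print the YAML to paste.
main() {
    out="${OUT_DIR:-./certs}"
    hosts="node1.example.com node2.example.com node3.example.com node4.example.com"
    gen_cluster_certs "$out" "$hosts"
    for h in $hosts; do check_cert "$out" "$h" "$h"; done
    echo "plugins.security.authcz.admin_dn:"
    echo "  - '$(dn_for_yaml "$out/admin.pem")'"
    echo "plugins.security.nodes_dn:"
    for h in $hosts; do echo "  - '$(dn_for_yaml "$out/$h.pem")'"; done
}
case "${1:-}" in run) main ;; esac
```

Run it as `sh gen-certs.sh run` on the node where the CA key lives, then copy `root-ca.pem`, the node's own key and certificate, and `admin.pem`/`admin-key.pem` to each node, and paste the printed DN lines into `opensearch.yml`. Because the DN strings are compared textually, generate them with `dn_for_yaml` rather than retyping them; a typo in `nodes_dn` is a common reason cluster formation fails once transport TLS is on.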