How to migrate .opendistro_security from OpenSearch 1.x to 2.x with HTTP TLS disabled?

Hi,

We are facing an issue while upgrading OpenSearch from 1.x to 2.x.

Our cluster was originally created on OpenSearch 1.x and later upgraded to 2.x without problems. However, when preparing for further upgrades, we found that the .opendistro_security index is still created with a 1.x version.

We understand that this index should ideally be recreated to be compatible with newer versions.

The recommended approach is to use securityadmin.sh, but it requires HTTPS/TLS on the REST layer.

Problem:
Our cluster runs with:

  • http.tls disabled (HTTP only on port 9200)

  • TLS is enabled only on the transport layer (port 9300)

We cannot enable TLS on HTTP because existing clients are not prepared for it.

When running securityadmin.sh, we get:

Unrecognized SSL message, plaintext connection?

We also tried to reinitialize or delete .opendistro_security via REST API, but:

  • the REST management API is restricted

  • permissions are insufficient to manage the security index

Questions:

  1. Is there a supported way to migrate or recreate .opendistro_security from 1.x to 2.x without enabling HTTP TLS?

  2. Can securityadmin.sh be safely used over plain HTTP in this scenario?

  3. Is there any recommended workaround for clusters that cannot enable TLS on the REST layer?

Any guidance or best practices would be greatly appreciated.

Thanks!


@mrMigles As .opendistro_security is a protected index, the admin user (although with full access) doesn’t have permission to modify it. You would need to enable TLS on HTTP temporarily while you recreate the security index (either using curl with admin certificates and key, or using the securityadmin.sh command with the -dci parameter).

Once the index is recreated, you can then remove the TLS on HTTP.

@mrMigles Also note that you only need to enable TLS on the HTTP layer on one of the nodes, so that you can run the securityadmin.sh script against that node.
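
The procedure from the answer above, as an added example that is not part of the original thread: a preflight check that refuses to continue while the chosen node still serves plain HTTP, then prints the securityadmin.sh runs in order. The host name, directories, certificate file names and the backup step are assumptions, and the opensearch.yml content is constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Host, directories and certificate file
# names are assumptions; the opensearch.yml content below is constructed.

# Succeeds only if FILE enables TLS on the REST layer (flat key form, last wins).
http_tls_enabled() {
    val=$(sed -n 's/^[[:space:]]*plugins\.security\.ssl\.http\.enabled[[:space:]]*:[[:space:]]*\([A-Za-z]*\).*/\1/p' "$1" | tail -n 1)
    [ "$val" = "true" ]
}

# Prints the securityadmin.sh runs for one node, or refuses if that node still
# serves plain HTTP (the case that fails with "Unrecognized SSL message").
# Usage: reinit_plan OPENSEARCH_YML HOST SECURITY_CONFIG_DIR CERT_DIR
reinit_plan() {
    if ! http_tls_enabled "$1"; then
        echo "REFUSE: plugins.security.ssl.http.enabled is not true in $1" >&2
        return 1
    fi
    tls="-cacert $4/root-ca.pem -cert $4/admin.pem -key $4/admin-key.pem"
    common="./securityadmin.sh -h $2 -p 9200 -icl $tls"
    echo "$common -backup ./security-backup"  # 1. save the current config
    echo "$common -dci"                       # 2. delete the old index (then exits)
    echo "$common -cd $3"                     # 3. upload config, recreating the index
}

# Constructed sample: temporary REST-layer TLS settings on the chosen node.
sample=$(mktemp)
cat > "$sample" <<'EOF'
plugins.security.ssl.http.enabled: true
plugins.security.ssl.http.pemcert_filepath: node-http.pem
plugins.security.ssl.http.pemkey_filepath: node-http-key.pem
plugins.security.ssl.http.pemtrustedcas_filepath: root-ca.pem
EOF
reinit_plan "$sample" node1.example.internal /path/to/opensearch-security /path/to/certs
rm -f "$sample"
```

The script only prints the commands; review the backup from step 1 before running steps 2 and 3, and revert the `plugins.security.ssl.http.*` settings on that node afterwards.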

@Anthony, thanks for the answer.
Enabling TLS on HTTP requires generating certificates, which must be signed by the same CA as the admin’s certificate for transport, I suppose, which imposes some complications during usual maintenance operations, but we will think about that.

Now we have thought about a crazier option: full security reinitialization by disabling security, removing the index, and enabling security again. Fortunately, we have our own declarative approach that allows us to restore security configurations.