Hey @pablo
Yes, it is an internal one. Maybe a Keycloak.
I am sure about it not being Azure, PingID or Okta.
Thanks.
@sabil If the Keycloak is using a self-signed certificate then you’re missing the below lines.
opensearch_dashboards.yml
opensearch_security.openid.root_ca: <idp_certificate>
config.yml
openid_connect_idp.pemtrustedcas_filepath: <idp_certificate>
Hello @pablo
Thank you for your response.
Yes, I am using the following in config.yml, and I have provided the content of the IdP's root CA certificate.
pemtrustedcas_content: |-
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
For the following in opensearch_dashboards.yml, do I need to use the same root CA of the IdP certificate?
opensearch_security.openid.root_ca: <idp_certificate>
Thanks.
@sabil You’re correct.
Hello @pablo ,
Just wanted to know whether I can use the content of idp_certificate in the opensearch_security.openid.root_ca:
section in opensearch_dashboards.yml.
As I am using the default config, root-ca.pem already exists under /usr/share/opensearch/config/root-ca.pem.
I tried it in opensearch_dashboards.yml as follows. However, it is not working.
opensearch_security.openid.root_ca: /usr/share/opensearch/config/root-ca.pem
Kindly suggest.
Thanks.
@sabil As per my previous comment:
It requires the IDP certificate or the IDP's root CA, not the OpenSearch root CA.
You must provide a file path.
The openid_connect_idp.pemtrustedcas_filepath
or openid_connect_idp.pemtrustedcas_content
in config.yml also requires the IDP certificate and not the root CA of OpenSearch.
To use openid_connect_idp.pemtrustedcas_filepath
in config.yml you have to place the IDP's certificate in /usr/share/opensearch/config/.
The valid path for OpenSearch Dashboards is /usr/share/opensearch-dashboards/config/.
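As an added illustration (not configuration from the thread, from pablo, or from the OpenSearch project), here is how the two settings discussed above sit in their respective files. The Keycloak URL, the Dashboards hostname, the client id and secret, and the file name idp-root-ca.pem are assumptions; the file in both cases holds the CA that issued Keycloak's HTTPS certificate, not OpenSearch's own root-ca.pem.

```yaml
# --- config.yml (security plugin, under /usr/share/opensearch/config/opensearch-security/) ---
# Assumed values: Keycloak realm "demo" at keycloak.internal, CA file idp-root-ca.pem.
config:
  dynamic:
    authc:
      openid_auth_domain:
        http_enabled: true
        transport_enabled: true
        order: 0
        http_authenticator:
          type: openid
          challenge: false            # let Dashboards drive the login redirect, no Basic-auth challenge
          config:
            subject_key: preferred_username
            roles_key: roles
            openid_connect_url: https://keycloak.internal/realms/demo/.well-known/openid-configuration
            openid_connect_idp:
              enable_ssl: true
              verify_hostnames: true
              # The IdP's CA, placed in the OpenSearch config directory.
              # Use pemtrustedcas_content instead if you prefer to inline the PEM.
              pemtrustedcas_filepath: /usr/share/opensearch/config/idp-root-ca.pem
        authentication_backend:
          type: noop

# --- opensearch_dashboards.yml (under /usr/share/opensearch-dashboards/config/) ---
# Assumed values: Dashboards reachable at https://dashboards.internal:5601,
# Keycloak client "opensearch-dashboards" with a placeholder secret.
opensearch_security.auth.type: "openid"
opensearch_security.openid.connect_url: "https://keycloak.internal/realms/demo/.well-known/openid-configuration"
opensearch_security.openid.client_id: "opensearch-dashboards"
opensearch_security.openid.client_secret: "REPLACE_WITH_KEYCLOAK_CLIENT_SECRET"
opensearch_security.openid.base_redirect_url: "https://dashboards.internal:5601"
# Same IdP CA as above, but at the Dashboards config path; a file path, not inline PEM.
opensearch_security.openid.root_ca: "/usr/share/opensearch-dashboards/config/idp-root-ca.pem"
opensearch_security.openid.verify_hostnames: true
```

Two checks worth doing before restarting anything: confirm that the CA file actually chains to the certificate Keycloak serves (for example with openssl verify against the IdP's server certificate), and confirm that the file is readable inside the container at exactly the path written into each YAML, since a mount at the wrong path silently leaves the default trust store in place.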
Hello @pablo,
Thank you for your response.
What I have done now is:
1. openid_connect_idp.pemtrustedcas_content
I have the content of the IdP's root CA, which is in config.yml.
2. I have added opensearch_security.openid.root_ca:
in opensearch_dashboards.yml, stored the same content in a file, and mounted that file under /usr/share/opensearch-dashboards/config/.
Now I am getting the error message 401 Unauthorized.
Kindly suggest.
Thanks.
@sabil Could you share your mapping and your current opensearch_dashboards.yml?
@sabil As per my previous comment, your redirect url in opensearch_dashboards.yml is incorrect.
It must be as follows.
Hello @pablo ,
Thank you for your response.
It is working fine with /opensearch in the redirect_url parameter.
Can you please just suggest anything related to below error message?
X509 certificate authentication's failed.
Thanks.
Hello @pablo ,
Since I added the following entry in the opensearch_dashboards.yml file, I am getting 401 access forbidden or an authorization issue.
If I remove the entry below, it gives the error
X509 certificate authentication's failed.
opensearch_security.openid.root_ca: /usr/share/opensearch-dashboards/config/idp-root-ca.pem --> here I am using the same content as pemtrustedcas_content, stored in a file and mounted at this path.
kindly suggest.
Thanks.
@sabil Could you try removing server.rewriteBasePath: true or setting it to false?
Hello @pablo ,
I have tried the above recommended option. However, I am still getting the following error.
The IdP is working fine, but I am unable to access OpenSearch Dashboards using the URL.
{"statusCode":401,"error":"Unauthorized","message":"Unauthorized"}
Kindly suggest if you have any clues.
I read that there was an issue with security plugins in Kibana…
Can you please check and suggest?
When I try explicitly executing securityadmin.sh after logging in to the Docker container, I get the following error message.
ERR: An unexpected SSLHandshakeException occured: Extended key usage does not permit use for TLS server authentication
See https://opensearch.org/docs/latest/clients/java-rest-high-level/ for troubleshooting.
Trace:
javax.net.ssl.SSLHandshakeException: Extended key usage does not permit use for TLS server authentication
See https://opensearch.org/docs/latest/clients/java-rest-high-level/ for troubleshooting.
at org.opensearch.client.RestClient.extractAndWrapCause(RestClient.java:947)
at org.opensearch.client.RestClient.performRequest(RestClient.java:332)
at org.opensearch.client.RestClient.performRequest(RestClient.java:320)
at org.opensearch.security.tools.SecurityAdmin.execute(SecurityAdmin.java:462)
at org.opensearch.security.tools.SecurityAdmin.main(SecurityAdmin.java:159)
Caused by: javax.net.ssl.SSLHandshakeException: Extended key usage does not permit use for TLS server authentication
at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131)
Kindly suggest.
Thanks.
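The handshake error in the trace above comes from the Java client inside securityadmin.sh, which connects to the node over HTTPS and rejects a server certificate whose Extended Key Usage extension is present but does not include serverAuth. The following is an added example, not a script from the thread or from OpenSearch: it uses the openssl command line tool to report whether a PEM certificate is usable as a TLS server certificate (what a node presents to securityadmin.sh and to Dashboards) and as a TLS client certificate (what the admin certificate, and nodes on the transport layer, present). The helper that generates throwaway certificates, and all file names and subjects, are made up for the demonstration.

```sh
#!/bin/sh
# Added example (not code from the thread or from OpenSearch): check whether a
# PEM certificate's Extended Key Usage (EKU) permits a given TLS role.
# A certificate with no EKU extension is usable for any purpose; one with an
# EKU extension is restricted to the purposes it lists.
# Requires the openssl command line tool (1.1.1 or newer for -addext).

# Print the EKU values of a certificate, or nothing if the extension is absent.
cert_eku() {
  openssl x509 -in "$1" -noout -text \
    | grep -A1 'X509v3 Extended Key Usage' \
    | tail -n 1
}

# Return 0 when the certificate may be used for the named purpose.
# $1 = PEM file, $2 = purpose as printed by openssl, e.g.
# "TLS Web Server Authentication" or "TLS Web Client Authentication".
permits_usage() {
  eku=$(cert_eku "$1")
  # No EKU extension at all: every purpose is permitted.
  [ -z "$eku" ] && return 0
  echo "$eku" | grep -q "$2"
}

permits_server_auth() { permits_usage "$1" 'TLS Web Server Authentication'; }
permits_client_auth() { permits_usage "$1" 'TLS Web Client Authentication'; }

# Generate a throwaway self-signed certificate (made-up subject) for testing.
# $1 = output prefix, $2 = EKU list such as "serverAuth,clientAuth"
# (empty string = omit the EKU extension entirely).
make_test_cert() {
  if [ -n "$2" ]; then
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
      -addext "extendedKeyUsage=$2" -keyout "$1.key" -out "$1.pem" >/dev/null 2>&1
  else
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
      -keyout "$1.key" -out "$1.pem" >/dev/null 2>&1
  fi
}

# Usage: sh eku-check.sh node.pem admin.pem
# For each file, report whether it can act as a TLS server (node certificate
# presented to securityadmin.sh/Dashboards) and as a TLS client (admin certificate).
for f in "$@"; do
  if permits_server_auth "$f"; then
    echo "$f: EKU permits TLS server authentication"
  else
    echo "$f: EKU does NOT permit TLS server authentication (the securityadmin.sh error above)"
  fi
  if permits_client_auth "$f"; then
    echo "$f: EKU permits TLS client authentication"
  else
    echo "$f: EKU does NOT permit TLS client authentication"
  fi
done
```

Run it against the node certificate referenced by plugins.security.ssl.http.pemcert_filepath and against the admin certificate passed to securityadmin.sh. A node certificate that was issued with only clientAuth (a common outcome when a corporate CA template meant for client identities is reused) produces exactly the handshake failure in the trace; reissuing it with both serverAuth and clientAuth, or with no EKU extension, resolves it.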
Hello @joshblease,
I have checked your issue on GitHub.
I am also facing a similar issue with the OpenSearch + OpenID Connect integration.
Getting the similar message 401 Unauthorized
on opensearch-dashboards.
Can you please suggest what changes needs to be done to fix that issue?
Hello @pablo,
Kindly suggest if you have any suggestion on this.
Thanks.