OpenSearch OpenID Connect Integration with Azure AD not working

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):

Helm Chart version: opensearch-2.17.3 and opensearch-dashboards-2.15.1

OpenSearch version: 2.11.1

Describe the issue:

I am trying to do OpenSearch integration with Azure AD but am getting the error below.

meta":{"affectedServices":{"opensearch":{"level":"critical","summary":"Unable to retrieve version information from OpenSearch nodes.","meta":{"warningNodes":,"incompatibleNodes":}}}},"detail":"See the status page for more information"}}}},"message":"Recalculated overall status"}

{"type":"log","@timestamp":"2024-03-26T11:26:59Z","tags":["error","opensearch","data"],"pid":1,"message":"[ConnectionError]: socket hang up"}

Configuration:

I followed the link below for configuration.

Relevant Logs or Screenshots:

Hi @nawaz,

Could you share your config.yml and opensearch_dashboards.yml?

Thanks,
mj

Hi @Mantas

Config.yml

      config.yml: |-
        _meta:
          type: "config"
          config_version: 2
        config:
          dynamic:
            http:
              anonymous_auth_enabled: false
              xff:
                enabled: false
                internalProxies: '192\.168\.0\.10|192\.168\.0\.11' # regex pattern
                remoteIpHeader:  'x-forwarded-for'
            authc:
              basic_internal_auth_domain:
                description: "Authenticate via HTTP Basic against internal users database"
                http_enabled: true
                transport_enabled: true
                order: 1 # Must set to 1 to prevent logs flooding with warnings
                http_authenticator:
                  type: basic
                  challenge: false
                authentication_backend:
                  type: internal
              openid_auth_domain:
                http_enabled: true
                transport_enabled: true
                order: 0 # Must set to 0 to precede basic authentication or logs will flood with warnings
                http_authenticator:
                  type: openid
                  challenge: false
                  config:
                    # subject_key and roles_key are read from the config level; nested under openid_connect_idp they are ignored
                    subject_key: email # Users will be able to login with email and show it as username
                    roles_key: roles # Use roles from App registrations, do not set to groups.
                    openid_connect_url: https://login.microsoftonline.com/<OPENSEARCH_TENANT_ID>/v2.0/.well-known/openid-configuration # App registration IDP metadata file URL
                    openid_connect_idp: # TLS settings for the plugin's HTTPS client that fetches the IdP metadata and JWKS
                      enable_ssl: true # Without this JWT cookie will fail and token won't be passed to engine
                      pemtrustedcas_filepath: /usr/share/opensearch/config/root-ca.pem # Full chain pem file for your HTTPS certificate
                      verify_hostnames: false # If SNI certificate is used and hostnames match, set to true
                authentication_backend:
                  type: noop # Here we disable authentication backend since we will be using Azure AD for that


dashboard config

  opensearch_dashboards.yml: |
    server:
      name: opensearch-dashboards
      host: "0.0.0.0"
      ssl:
        enabled: false
    opensearch_security: # top-level key; it must not be indented under server.ssl
      cookie:
        secure: false
      readonly_mode:
        roles: ["kibana_read_only"]
      multitenancy:
        enabled: true
        tenants:
          preferred: ["Private", "Global"]
      auth:
        multiple_auth_enabled: true
        type: ["openid", "basicauth"]
      openid:
        connect_url: "https://login.microsoftonline.com/<OPENSEARCH_TENANT_ID>/v2.0/.well-known/openid-configuration"
        client_id: "123"
        client_secret: "123"
        base_redirect_url: "https://dashboard-url/"

    opensearch:
      ssl:
        verificationMode: certificate
        certificateAuthorities: /usr/share/opensearch-dashboards/config/root-ca.pem
      hosts: ["https://master-cluster-ip:9200"]
      username: "admin"
      password: "password"
      requestHeadersWhitelist: ["Authorization", "securitytenant"]

    logging:
      verbose: true
  root-ca.pem: |
    -----BEGIN CERTIFICATE-----

    -----END CERTIFICATE-----

Hi @Mantas and @pablo,

I have created my own SSL certificate following the URL below.

I am getting the error below while executing the command "./securityadmin.sh -f /usr/share/opensearch/config/opensearch-security/config.yml -icl -nhnv -cert …/…/…/config/admin.pem -cacert …/…/…/config/root-ca.pem -key …/…/…/config/admin-key.pem -t config".

Error:

javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
See Java high-level REST client - OpenSearch Documentation for troubleshooting.
at org.opensearch.client.RestClient.extractAndWrapCause(RestClient.java:948)
at org.opensearch.client.RestClient.performRequest(RestClient.java:333)
at org.opensearch.client.RestClient.performRequest(RestClient.java:321)
at org.opensearch.security.tools.SecurityAdmin.execute(SecurityAdmin.java:573)
at org.opensearch.security.tools.SecurityAdmin.main(SecurityAdmin.java:163)
Caused by: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131)
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:378)
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:321)
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:316)
at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1357)
at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.onConsumeCertificate(CertificateMessage.java:1232)
at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.consume(CertificateMessage.java:1175)
at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:396)
at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:480)
at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1277)
at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1264)
at java.base/java.security.AccessController.doPrivileged(AccessController.java:712)
at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask.run(SSLEngineImpl.java:1209)
at org.apache.http.nio.reactor.ssl.SSLIOSession.doRunTask(SSLIOSession.java:289)
at org.apache.http.nio.reactor.ssl.SSLIOSession.doHandshake(SSLIOSession.java:357)
at org.apache.http.nio.reactor.ssl.SSLIOSession.isAppInputReady(SSLIOSession.java:545)
at org.apache.http.impl.nio.reactor.AbstractIODispatch.inputReady(AbstractIODispatch.java:120)
at org.apache.http.impl.nio.reactor.BaseIOReactor.readable(BaseIOReactor.java:162)

FYI, I added root-ca.pem, admin.pem and admin-key.pem to the Java keystore.

Hi @nawaz,

This indicates that there is a connection problem in your cluster.

You will need to use the svc as opensearch.hosts, something like: opensearch.hosts: ["https://master-cluster-ip.default.svc:9200"] or "https://master-cluster-ip.default.svc.cluster.local:9200"
You can find more info here: DNS for Services and Pods | Kubernetes

Please let me know if this helped to resolve the error.

Best,
mj

To generate a new self-signed admin certificate you will need to generate a new root CA (and key); this means that you will have to replace all the certificates on your cluster with new ones generated using the new root CA/key. (Note: once you generate new certs, please check the Kubernetes docs on how to create a TLS secret from the given public/private key pair.)
Alternatively, you can find admin certificates in your OpenSearch node ../../../config directory to use with securityadmin.sh.

If you would like to discuss this topic in more detail please create a new forum as this is an unrelated issue to the original one, so it is more beneficial to the rest of the community.

best,
mj
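As an added illustration of mj's point about regenerating the root CA, and of the "PKIX path building failed" error earlier in the thread, the shell script below is not from this thread or from the OpenSearch project. It uses the openssl CLI to build a throwaway root CA, issue an admin certificate from it, and run the same trust check that securityadmin.sh's TLS client performs: does the certificate chain to the CA file passed with -cacert? It also prints the certificate subject in the RFC 2253 form that plugins.security.authcz.admin_dn expects. The CA names, subject DNs and file names are constructed for the example; the functions return SKIP when openssl is not installed.

```shell
#!/bin/sh
# Added example (not from the thread or the OpenSearch project). Builds a
# throwaway root CA, issues an admin certificate from it and checks which CA
# a certificate chains to. "PKIX path building failed" from securityadmin.sh
# means the node's certificate does not chain to the CA given with -cacert.
# Constructed names: root-ca, stale-ca, admin; DNs use O=Example.

WORK=$(mktemp -d)

have_openssl() { command -v openssl >/dev/null 2>&1; }

# make_ca <name>: self-signed root CA (unencrypted PKCS#8 key, as OpenSearch expects)
make_ca() {
    have_openssl || return 0
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORK/$1-key.pem" 2>/dev/null
    openssl req -new -x509 -sha256 -days 30 -key "$WORK/$1-key.pem" \
        -subj "/C=US/O=Example/CN=$1" -out "$WORK/$1.pem" 2>/dev/null
}

# issue_cert <ca-name> <name> <CN>: leaf certificate signed by the named CA
issue_cert() {
    have_openssl || return 0
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORK/$2-key.pem" 2>/dev/null
    openssl req -new -key "$WORK/$2-key.pem" -subj "/C=US/O=Example/CN=$3" \
        -out "$WORK/$2.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 30 -in "$WORK/$2.csr" \
        -CA "$WORK/$1.pem" -CAkey "$WORK/$1-key.pem" -CAcreateserial \
        -out "$WORK/$2.pem" 2>/dev/null
}

# verify_chain <ca-name> <cert-name>: prints OK when the certificate chains to
# that CA and FAIL otherwise; this is the decision the Java TLS client makes
# before it reports "unable to find valid certification path".
verify_chain() {
    have_openssl || { echo SKIP; return 0; }
    out=$(openssl verify -CAfile "$WORK/$1.pem" "$WORK/$2.pem" 2>&1 || true)
    case "$out" in
        *": OK") echo OK ;;
        *)       echo FAIL ;;
    esac
}

# cert_subject <cert-name>: subject DN in RFC 2253 form, the value that goes
# into plugins.security.authcz.admin_dn for an admin certificate
cert_subject() {
    have_openssl || { echo SKIP; return 0; }
    openssl x509 -in "$WORK/$1.pem" -noout -subject -nameopt RFC2253 \
        | sed 's/^subject=[ ]*//'
}

if have_openssl; then
    make_ca root-ca    # the CA the cluster trusts
    make_ca stale-ca   # a CA left over from an earlier rollout
    issue_cert root-ca admin admin
    echo "admin.pem against root-ca.pem:  $(verify_chain root-ca admin)"
    echo "admin.pem against stale-ca.pem: $(verify_chain stale-ca admin)"
    echo "admin_dn entry: $(cert_subject admin)"
fi
```

The second verify_chain call reproduces the situation in this thread: a certificate that is perfectly valid but was issued by a CA other than the one in root-ca.pem fails the path check, which is why every node, admin and Dashboards certificate has to be reissued together when the root CA is replaced, and why adding the files to a Java keystore on the client side does not help if the node itself still presents a certificate from the old CA.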
