Opensearch security is asking for plugins.security.ssl.transport.truststore_filepath property to be set

As per the documentation provided here:

It clearly says that “as an alternative” to the certs, we can use keystores and truststores. I have set my cert file paths correctly and yet it asks for plugins.security.ssl.transport.truststore_filepath to be set, resulting in the exception below:

java.lang.IllegalStateException: failed to load plugin class [org.opensearch.security.OpenSearchSecurityPlugin]

Likely root cause: OpenSearchException[Empty file path for plugins.security.ssl.transport.truststore_filepath] java.lang.IllegalStateException: failed to load plugin class [org.opensearch.security.OpenSearchSecurityPlugin]

Is there any way to choose only the certs route and not provide a truststore? If not, how can I create a truststore using the opensearch-keystore utility? Is that even possible?

@vanamvijay23
I think you are looking for:
plugins.security.ssl.transport.pemtrustedcas_filepath: (for transport)
plugins.security.ssl.http.pemtrustedcas_filepath: (for http).

If this doesn’t work, can you provide your opensearch.yml file, with any sensitive details redacted if necessary?


cluster.name: opensearch-cluster
network.host: _site_
path.data: /usr/share/opensearch/data
bootstrap.memory_lock: false
http.compression: true
http.port: 9200

plugins.security.ssl.transport.pemkey_filepath: node-key.pem
plugins.security.ssl.transport.pemcert_filepath: node.pem
plugins.security.ssl.transport.pemtrustedcas_filepath: root-ca.pem
plugins.security.ssl.transport.enforce_hostname_verification: false
plugins.security.ssl.transport.keystore_filepath: opensearch.keystore


plugins.security.ssl.http.enabled: false
plugins.security.ssl.http.pemkey_filepath: node-key.pem
plugins.security.ssl.http.pemcert_filepath: node.pem
plugins.security.ssl.http.pemtrustedcas_filepath: root-ca.pem

plugins.security.system_indices.enabled: true
plugins.security.system_indices.indices: [ ".opendistro-alerting-config", ".opendistro-alerting-alert*", ".opendistro-anomaly-results*", ".opendistro-anomaly-detector*", ".opendistro-anomaly-checkpoints", ".opendistro-anomaly-detection-state", ".opendistro-reports-*", ".opendistro-notifications-*", ".opendistro-notebooks", ".opendistro-asynchronous-search-response*" ]
plugins.security.audit.type: internal_opensearch
plugins.security.enable_snapshot_restore_privilege: true
plugins.security.check_snapshot_restore_write_privileges: true
plugins.security.restapi.roles_enabled: [ "all_access", "security_rest_api_access" ]

plugins.security.oles_mapping_resolution: MAPPING_ONLY
plugins.security.allow_unsafe_democertificates: true
plugins.security.allow_default_init_securityindex: true

plugins.security.authcz.admin_dn:
  - xxxxxx

plugins.security.nodes_dn:
  - xxxxxxxxxxx

Here is what my opensearch.yml looks like.

@vanamvijay23
What error are you getting if you comment out line:

plugins.security.ssl.transport.keystore_filepath: opensearch.keystore

I assume the certs are located in elasticsearch/config directory

(also typo in plugins.security.oles_mapping_resolution: MAPPING_ONLY)

Yes, the certs are under the opensearch/config directory.

I have commented out this line and now I am getting new exceptions:


	Suppressed: java.lang.IllegalArgumentException: unknown secure setting [root-ca.pem] please check that any required plugins are installed, or check the breaking changes documentation for removed settings

	Suppressed: java.lang.IllegalArgumentException: unknown secure setting [node.pem] please check that any required plugins are installed, or check the breaking changes documentation for removed settings

	Suppressed: java.lang.IllegalArgumentException: unknown secure setting [node-key.pem] please check that any required plugins are installed, or check the breaking changes documentation for removed settings

The OpenSearch security plugins are installed by default, yet it throws the above error. Any pointers? Do I need to enable the OpenSearch security plugin using some property?

Yeah, I have fixed this issue:

(also typo in plugins.security.oles_mapping_resolution: MAPPING_ONLY)

@vanamvijay23 That’s very strange, it seems to think that “root-ca.pem, …” are settings.

This needs further investigation. Can you confirm how you are running opensearch? Binary? docker-compose? etc

Also, Do you see the error when you are starting opensearch or after some action?

This needs further investigation. Can you confirm how you are running opensearch? Binary? docker-compose? etc
A. I am running OpenSearch in Kubernetes, using the docker image opensearch:1.2.4

Also, Do you see the error when you are starting opensearch or after some action?

A. This is happening while the OpenSearch master node pod is starting up; the pod is not restarting but keeps giving this error continuously! I have tried generating different certs and am having the same issues!

Can I try providing absolute paths for the certs?

@vanamvijay23 I assume you are using helm. If so, have you tried with the demo certs, and was it working as expected?

How are you mounting the certificates? Can you show the values.yml file?

@Anthony, are the demo certs built into the helm charts and placed under the /opensearch/config directory?

@Anthony, even though I have set plugins.security.allow_unsafe_democertificates: true it still complains, saying that

Likely root cause: OpenSearchException[Unable to read /usr/share/opensearch/config/esnode.pem (/usr/share/opensearch/config/esnode.pem). Please make sure this files exists and is readable regarding to permissions. Property: plugins.security.ssl.transport.pemcert_filepath]

Does this mean the default certs are not shipped in the docker image?

@vanamvijay23 The demo certificates are automatically generated at startup using the script install_demo_configuration.sh in /usr/share/opensearch/plugins/opensearch-security/tools. This should be triggered automatically unless you have set the below:

extraEnvs:
 - name: DISABLE_INSTALL_DEMO_CONFIG
   value: "true"

If you follow the instructions in the docs here you should be able to start a cluster using the default values.yaml file (helm install --values=values.yaml opensearch opensearch-1.7…); from there you can extract the certificates that were generated and use them in the next deployment.
Naturally these are demo certificates and should never be used in prod, but for testing this approach is very straightforward.
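As an added example (my own preflight script, not code from the OpenSearch project or from anyone in this thread), the check below catches, before the node is started, the misconfiguration diagnosed earlier in the thread: a transport layer that sets the PEM file paths together with keystore_filepath, which makes the plugin take the keystore route and then fail with the "Empty file path for ...truststore_filepath" error because no truststore is configured. It also verifies that the referenced PEM files exist under the config directory, and flags allow_unsafe_democertificates: true and disabled hostname verification, since the demo certificates described in the last reply are for testing only. The two sample configs, the placeholder admin DN and the empty placeholder PEM files written to a temporary directory are all constructed for the example; the minimal parser handles only flat key: value lines, which is all the settings checked here need.

```python
"""Preflight check for OpenSearch security plugin TLS settings (added example,
not OpenSearch project code). Per TLS layer it verifies that either the PEM
settings or the keystore settings are used (not both), that a keystore is
paired with a truststore, that PEM files exist under the config directory,
and warns about settings that weaken the deployment."""
import os
import re
import tempfile

PEM_KEYS = ("pemkey_filepath", "pemcert_filepath", "pemtrustedcas_filepath")
STORE_KEYS = ("keystore_filepath", "truststore_filepath")


def parse_flat_yaml(text):
    """Minimal parser for flat `key: value` lines; comments and `- item`
    list entries are skipped (enough for the settings checked here)."""
    settings = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith(("#", "-")):
            continue
        match = re.match(r"^([A-Za-z0-9_.]+):\s*(.*)$", stripped)
        if match:
            settings[match.group(1)] = match.group(2).strip()
    return settings


def check_tls_settings(settings, config_dir):
    """Return a list of (severity, message) findings for the TLS settings."""
    findings = []
    for layer in ("transport", "http"):
        prefix = f"plugins.security.ssl.{layer}."
        if layer == "http" and settings.get(prefix + "enabled", "true") == "false":
            findings.append(("warn", "http: TLS on the REST layer is disabled"))
            continue
        pem = {k: settings.get(prefix + k, "") for k in PEM_KEYS}
        store = {k: settings.get(prefix + k, "") for k in STORE_KEYS}
        pem_set = [k for k, v in pem.items() if v]
        store_set = [k for k, v in store.items() if v]
        if pem_set and store_set:
            findings.append(("error", f"{layer}: mixes PEM settings {pem_set} with "
                                      f"keystore settings {store_set}; keystore wins"))
        if store_set and not store["truststore_filepath"]:
            findings.append(("error", f"{layer}: keystore_filepath set but "
                                      "truststore_filepath is empty"))
        if not pem_set and not store_set:
            findings.append(("error", f"{layer}: no certificate material configured"))
        for key in pem_set:
            # Relative paths resolve against the config directory, as in the plugin.
            path = pem[key]
            if not os.path.isabs(path):
                path = os.path.join(config_dir, path)
            if not os.path.isfile(path):
                findings.append(("error", f"{layer}: {key} -> {path} not found"))
    if settings.get("plugins.security.allow_unsafe_democertificates") == "true":
        findings.append(("warn", "allow_unsafe_democertificates is true: "
                                 "demo certificates are accepted; never use in prod"))
    if settings.get("plugins.security.ssl.transport.enforce_hostname_verification") == "false":
        findings.append(("warn", "transport: hostname verification is disabled"))
    return findings


# Constructed configs: the first mirrors the mixed PEM + keystore setup from
# this thread (placeholder admin DN), the second keeps the PEM route only.
BROKEN_YML = """\
plugins.security.ssl.transport.pemkey_filepath: node-key.pem
plugins.security.ssl.transport.pemcert_filepath: node.pem
plugins.security.ssl.transport.pemtrustedcas_filepath: root-ca.pem
plugins.security.ssl.transport.enforce_hostname_verification: false
plugins.security.ssl.transport.keystore_filepath: opensearch.keystore
plugins.security.ssl.http.enabled: false
plugins.security.allow_unsafe_democertificates: true
plugins.security.authcz.admin_dn:
  - CN=admin-placeholder
"""

FIXED_YML = """\
plugins.security.ssl.transport.pemkey_filepath: node-key.pem
plugins.security.ssl.transport.pemcert_filepath: node.pem
plugins.security.ssl.transport.pemtrustedcas_filepath: root-ca.pem
plugins.security.ssl.transport.enforce_hostname_verification: true
plugins.security.ssl.http.enabled: true
plugins.security.ssl.http.pemkey_filepath: node-key.pem
plugins.security.ssl.http.pemcert_filepath: node.pem
plugins.security.ssl.http.pemtrustedcas_filepath: root-ca.pem
plugins.security.allow_unsafe_democertificates: false
"""


def run_demo():
    """Check both constructed configs against a temporary config directory
    holding empty placeholder PEM files (stand-ins for real certificates)."""
    with tempfile.TemporaryDirectory() as config_dir:
        for name in ("node-key.pem", "node.pem", "root-ca.pem"):
            open(os.path.join(config_dir, name), "w").close()
        broken = check_tls_settings(parse_flat_yaml(BROKEN_YML), config_dir)
        fixed = check_tls_settings(parse_flat_yaml(FIXED_YML), config_dir)
    return broken, fixed


if __name__ == "__main__":
    for label, findings in zip(("broken", "fixed"), run_demo()):
        print(f"[{label}] {len(findings)} finding(s)")
        for severity, message in findings:
            print(f"  {severity}: {message}")
```

Run it against a real opensearch.yml by passing the parsed file and the node's config directory to check_tls_settings; the script deliberately treats a PEM/keystore mix as an error rather than relying on the plugin's precedence, because the thread shows how opaque the resulting startup failure is.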