Opensearch security not initialized; not running

Good afternoon,

I am trying to set up a 3-node opensearch cluster with transport and http enabled with self-signed certificates. I installed opensearch with tarball on three hosts and as described in the OpenSearch documentation I generated certificates and added them to each host and each opensearch.yml file. The only other modifications I did are the IPs and node names in the opensearch.yml files.
When I start all three nodes I get following error:

[ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node1] Failure no such index [.opendistro_security] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, AUDIT] (index=.opendistro_security)

When I check the cluster health I get the message “OpenSearch Security not initialized.” So I assumed that I had to run
in order to initialize the security settings without terminating opensearch. This is what I did and got the output

** This tool will be deprecated in the next major release of OpenSearch **
** **


As I read in several other forums the console output has to be something more than this. I have also tried different parameters as in

but the output is always the same and the error message does not disappear, so I assume the script was somehow not executed correctly.
Maybe someone has an Idea where the problem could be?

I would be very grateful for a respond!

@user2111 In regards to the deprecation message, that’s correct and it is scheduled for version 3.0.

The WARNING message complains about missing environment variable that script will check during the startup. Path to java binary should be defined.

Did you install JDK on your client machine?

Could you share your command?

@pablo Thank you very much for your respond.
Yes I have JDK installed.
I am not sure if I understand you correctly but I can share how my file looks like:

This ist the whole command together with the output I used to run this file.
~/opensearch-2.0.0/plugins/opensearch-security/tools$ ./

** This tool will be deprecated in the next major release of OpenSearch **
** **


I am expecting as output something like

Security Admin v7
Will connect to localhost:9300 ... done
Connected as CN=kirk,OU=client,O=client,L=test,C=de
OpenSearch Version: 1.2.0
OpenSearch Security Version:
Contacting opensearch cluster 'opensearch' and wait for YELLOW clusterstate ...
Clustername: opensearch-search
Clusterstate: GREEN
Number of nodes: 3
Number of data nodes: 3
.opendistro_security index does not exists, attempt to create it ... done (0-all replicas)

which I found in some other forum. So you think is not doing anything because the variables are not set?

@user2111 To be clear, you’ve executed on its own without any options?

@pablo I tried to execute with and without options, e.g. I tried

./ -cd ../../../config/opensearch-security/ -icl -nhnv \
  -cacert ../../../config/root-ca.pem \
  -cert ../../../config/admin.pem \
  -key ../../../config/admin-key.pem


./ some_nonsense_text

and also with and without the cluster running. It is always exactly the same output, as if this file is not doing anything. Unfortunatly I do not really understand how the code in the file works. I thought it somehow loads the config files and the certificates and adds them as plugins or that it creates the opendistro_security index.
My ideas where to maybe add the IP of the cluster in the file so that it can reach it but I do not know how this could work.

@user2111 I’ve noticed that you’re not using the demo admin certificate. Did you add DN from admin.pem certificate to opensearch.yml?
  - CN=kirk,OU=client,O=client,L=test, C=de

Yes, for example this is the relevant part of the opensearch.yml file for node1:

@pablo I generated the certificates and the keys for admin, node1, node2 and node3 on node1 and copied them to the other nodes.

Here I show what I mean by doing nothing no matter what options I add.

When I start the cluster again it shows the same error message “no such index [.opensdistro_security]” and when I check the cluster health again “OpenSearch Security not initialized.”

@user2111 Thanks for sharing the screenshot.
That takes this conversation back to the first question about Java. It seems that Java is not installed or Java binary is not placed in /usr/bin.

If you had it installed, you would get the output like in the below example.


Try typing in java in the command line. What response do you get?

1 Like

@pablo Oh yes, now I understand. I installed Java and now I get exactly that output. Thank you very much for your help!

1 Like