I am trying to set up an OpenSearch cluster with security, with TLS disabled on the REST layer, as TLS is optional for the REST layer in OpenSearch. However, as of OpenSearch v2.0, securityadmin.sh can be run on the HTTP port of the OpenSearch cluster. I am getting the error below when trying to run security admin:
ERR: An unexpected IOException occured: Unrecognized SSL message, plaintext connection?
Trace:
java.io.IOException: Unrecognized SSL message, plaintext connection?
at org.opensearch.client.RestClient.extractAndWrapCause(RestClient.java:927)
at org.opensearch.client.RestClient.performRequest(RestClient.java:307)
at org.opensearch.client.RestClient.performRequest(RestClient.java:295)
at org.opensearch.security.tools.SecurityAdmin.execute(SecurityAdmin.java:462)
at org.opensearch.security.tools.SecurityAdmin.main(SecurityAdmin.java:159)
Caused by: javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection?
at java.base/sun.security.ssl.SSLEngineInputRecord.bytesInCompletePacket(SSLEngineInputRecord.java:146)
at java.base/sun.security.ssl.SSLEngineInputRecord.bytesInCompletePacket(SSLEngineInputRecord.java:64)
at java.base/sun.security.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:557)
at java.base/sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:454)
at java.base/sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:433)
at java.base/javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:637)
at org.apache.http.nio.reactor.ssl.SSLIOSession.doUnwrap(SSLIOSession.java:275)
at org.apache.http.nio.reactor.ssl.SSLIOSession.doHandshake(SSLIOSession.java:321)
at org.apache.http.nio.reactor.ssl.SSLIOSession.isAppInputReady(SSLIOSession.java:523)
at org.apache.http.impl.nio.reactor.AbstractIODispatch.inputReady(AbstractIODispatch.java:120)
at org.apache.http.impl.nio.reactor.BaseIOReactor.readable(BaseIOReactor.java:162)
at org.apache.http.impl.nio.reactor.AbstractIOReactor.processEvent(AbstractIOReactor.java:337)
at org.apache.http.impl.nio.reactor.AbstractIOReactor.processEvents(AbstractIOReactor.java:315)
at org.apache.http.impl.nio.reactor.AbstractIOReactor.execute(AbstractIOReactor.java:276)
at org.apache.http.impl.nio.reactor.BaseIOReactor.execute(BaseIOReactor.java:104)
at org.apache.http.impl.nio.reactor.AbstractMultiworkerIOReactor$Worker.run(AbstractMultiworkerIOReactor.java:591)
at java.base/java.lang.Thread.run(Thread.java:829)
Kindly provide a way to run the above use case, where we have disabled TLS on the REST layer and need to run securityadmin.sh.
As per the error message, it looks like this is a bug, as the setting “plugins.security.ssl.http.enabled” is of no use: it cannot be disabled, because securityadmin.sh will not be able to run.
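
The exception in the trace is what a TLS client reports when the listener answers in plaintext. As an added diagnostic example (not part of the original post or of OpenSearch's tooling), this Python probe checks which protocol a REST port actually speaks; `probe_rest_port` and `start_plaintext_listener` are hypothetical names, and the listener is a constructed stand-in for a node with TLS disabled on the REST layer.

```python
import socket
import ssl
import threading

def probe_rest_port(host, port, timeout=3.0):
    """Classify a listener as 'tls', 'plaintext-http' or 'unknown'."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # protocol detection only; no data is sent over it
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return "tls"  # handshake completed, so the port speaks TLS
    except OSError:
        pass  # ssl.SSLError and timeouts are OSError subclasses: not TLS, keep probing
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            raw.sendall(b"GET / HTTP/1.0\r\nHost: probe\r\n\r\n")
            if raw.recv(16).startswith(b"HTTP/"):
                return "plaintext-http"  # a TLS client here fails as in the trace
    except OSError:
        pass
    return "unknown"

def start_plaintext_listener():
    """Constructed stand-in for a REST port with TLS disabled. Returns its port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    def serve():
        while True:
            conn, _ = srv.accept()
            try:
                with conn:
                    conn.recv(4096)
                    conn.sendall(b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n")
            except OSError:
                continue  # client aborted (e.g. failed TLS handshake); keep serving
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

if __name__ == "__main__":
    print(probe_rest_port("127.0.0.1", start_plaintext_listener()))
```

A result of `plaintext-http` means any client that opens the connection with a TLS handshake will fail on that port, which matches the `SSLException` shown above.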