I just upgraded to OpenSearch v2.0.0.
When I tried to initialize security using securityadmin.sh, I came across the following error message.
ERR: An unexpected IOException occured: Unrecognized SSL message, plaintext connection?
```
[opensearch@ertergergedpo7 config]$ /usr/share/opensearch/plugins/opensearch-security/tools/securityadmin.sh \
> -h 10.136.136.37 \
> -icl -nhnv -cert /usr/share/opensearch/config/admin.pem \
> -cacert /usr/share/opensearch/config/root-ca.pem \
> -key /usr/share/opensearch/config/admin-key.pem \
> -cd /usr/share/opensearch/config/opensearch-security/
**************************************************************************
** This tool will be deprecated in the next major release of OpenSearch **
** https://github.com/opensearch-project/security/issues/1755 **
**************************************************************************
Security Admin v7
Will connect to 10.136.136.37:9200 ... done
ERR: An unexpected IOException occured: Unrecognized SSL message, plaintext connection?
Trace: java.io.IOException: Unrecognized SSL message, plaintext connection?
    at org.opensearch.client.RestClient.extractAndWrapCause(RestClient.java:927)
    at org.opensearch.client.RestClient.performRequest(RestClient.java:307)
    at org.opensearch.client.RestClient.performRequest(RestClient.java:295)
    at org.opensearch.security.tools.SecurityAdmin.execute(SecurityAdmin.java:464)
    at org.opensearch.security.tools.SecurityAdmin.main(SecurityAdmin.java:161)
Caused by: javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection?
    at java.base/sun.security.ssl.SSLEngineInputRecord.bytesInCompletePacket(SSLEngineInputRecord.java:145)
    at java.base/sun.security.ssl.SSLEngineInputRecord.bytesInCompletePacket(SSLEngineInputRecord.java:64)
    at java.base/sun.security.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:612)
    at java.base/sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:506)
    at java.base/sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:482)
    at java.base/javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:679)
    at org.apache.http.nio.reactor.ssl.SSLIOSession.doUnwrap(SSLIOSession.java:275)
    at org.apache.http.nio.reactor.ssl.SSLIOSession.doHandshake(SSLIOSession.java:321)
    at org.apache.http.nio.reactor.ssl.SSLIOSession.isAppInputReady(SSLIOSession.java:523)
    at org.apache.http.impl.nio.reactor.AbstractIODispatch.inputReady(AbstractIODispatch.java:120)
    at org.apache.http.impl.nio.reactor.BaseIOReactor.readable(BaseIOReactor.java:162)
    at org.apache.http.impl.nio.reactor.AbstractIOReactor.processEvent(AbstractIOReactor.java:337)
    at org.apache.http.impl.nio.reactor.AbstractIOReactor.processEvents(AbstractIOReactor.java:315)
    at org.apache.http.impl.nio.reactor.AbstractIOReactor.execute(AbstractIOReactor.java:276)
    at org.apache.http.impl.nio.reactor.BaseIOReactor.execute(BaseIOReactor.java:104)
    at org.apache.http.impl.nio.reactor.AbstractMultiworkerIOReactor$Worker.run(AbstractMultiworkerIOReactor.java:591)
    at java.base/java.lang.Thread.run(Thread.java:833)
```
Here is my opensearch.yml.
When I uncomment the plugins.security.ssl.http settings, securityadmin works well.
But I want to use HTTP for my REST layer, not HTTPS.
```yaml
network.host: 10.135.136.37
cluster.name: opensearch-cluster-staging
node.name: opensearch-node1
node.roles: [master]
discovery.seed_hosts: ["10.136.136.37"]
cluster.initial_cluster_manager_nodes: ["10.136.136.37"]
bootstrap.memory_lock: true # along with the memlock settings below, disables swapping
path.repo: ["/usr/share/opensearch/snapshot"]
node.attr.data: none
plugins.security.ssl.transport.pemcert_filepath: node.pem
plugins.security.ssl.transport.pemkey_filepath: node-key.pem
plugins.security.ssl.transport.pemtrustedcas_filepath: root-ca.pem
plugins.security.ssl.transport.enforce_hostname_verification: false
#plugins.security.ssl.http.enabled: true
#plugins.security.ssl.http.pemcert_filepath: node.pem
#plugins.security.ssl.http.pemkey_filepath: node-key.pem
#plugins.security.ssl.http.pemtrustedcas_filepath: root-ca.pem
plugins.security.allow_default_init_securityindex: true
plugins.security.authcz.admin_dn:
  - 'CN=ADMIN,OU=AA,O=SS,L=BB,ST=CC,C=DD'
plugins.security.nodes_dn:
  - 'CN=NODE,OU=AA,O=SS,L=BB,ST=CC,C=DD'
plugins.security.audit.type: internal_opensearch
plugins.security.enable_snapshot_restore_privilege: true
plugins.security.check_snapshot_restore_write_privileges: true
plugins.security.restapi.roles_enabled: ["all_access", "security_rest_api_access"]
plugins.security.system_indices.enabled: true
plugins.security.system_indices.indices: [".opendistro-alerting-config", ".opendistro-alerting-alert*", ".opendistro-anomaly-results*", ".opendistro-anomaly-detector*", ".opendistro-anomaly-checkpoints", ".opendistro-anomaly-detection-state", ".opendistro-reports-*", ".opendistro-notifications-*", ".opendistro-notebooks", ".opendistro-asynchronous-search-response*"]
```
Thanks.
I appreciate your help.
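A pre-flight check for the mismatch visible in this post (a TLS client on port 9200 receiving a non-TLS reply while the `plugins.security.ssl.http.*` settings are commented out), added here as an example; it is not part of the original post and not OpenSearch project code. It sends a real ClientHello and classifies the first reply bytes, a simplified version of the record-header check that raises the `SSLException` in the trace. All function names and the sample config string are assumptions made for the example.

```python
import socket
import ssl

TLS_CONTENT_TYPES = {0x14, 0x15, 0x16, 0x17}  # change_cipher_spec, alert, handshake, app data

def classify_first_bytes(data: bytes) -> str:
    """Classify a server's first reply bytes: TLS record header or plaintext HTTP."""
    if len(data) >= 2 and data[0] in TLS_CONTENT_TYPES and data[1] == 0x03:
        return "tls"
    if data.startswith(b"HTTP/"):
        return "plaintext-http"
    return "unknown"

def client_hello(server_name: str) -> bytes:
    """Build a ClientHello in memory (no network I/O) using ssl.MemoryBIO."""
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    ctx = ssl.create_default_context()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=server_name)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: the handshake stalls waiting for the server's reply
    return outgoing.read()

def probe_socket(sock: socket.socket, server_name: str) -> str:
    """Send a ClientHello on a connected socket and classify what comes back."""
    sock.sendall(client_hello(server_name))
    reply = b""
    while len(reply) < 5:  # 5 bytes = one TLS record header
        chunk = sock.recv(5 - len(reply))
        if not chunk:
            break  # peer closed before sending a full header
        reply += chunk
    return classify_first_bytes(reply)

def probe(host: str, port: int = 9200, timeout: float = 5.0) -> str:
    """Connect to the REST port and report which protocol answers."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        return probe_socket(sock, host)

def rest_tls_enabled(yml_text: str) -> bool:
    """True only if plugins.security.ssl.http.enabled is set to true and not commented out."""
    for line in yml_text.splitlines():
        key, _, value = line.partition("#")[0].partition(":")
        if key.strip() == "plugins.security.ssl.http.enabled":
            return value.strip().lower() == "true"
    return False

# Constructed sample mirroring the relevant lines of the opensearch.yml in the post.
SAMPLE_YML = "plugins.security.ssl.transport.pemcert_filepath: node.pem\n#plugins.security.ssl.http.enabled: true\n"
```

A `probe()` result of `plaintext-http` together with `rest_tls_enabled()` returning `False` corresponds to the condition in the trace: the listener on 9200 answers a TLS handshake with plaintext.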