Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):
Describe the issue :
Hi Team,
Opensearch throws an error like unable to load the pemtrustedcas_filepath: /usr/share/opensearch/config/data/openid-certs.
Configuration :
authc:https://195.xxx.xxx.xxx.sslip.io/auth/realms/realm/.well-known/openid-configuration Relevant Logs or Screenshots :challenge=false, type=openid, config={openid_connect_idp={enable_ssl=true, verify_hostnames=false, pemtrustedcas_filepath=/usr/share/opensearch/config/certs/openid-certs}, subject_key=preferred_username, roles_key=roles, openid_connect_url=[https://xxx.xxx.xxx.xxx.sslip.io/auth/realms/nha/.well-known/openid-configuration}] , authentication_backend=AuthcBackend [type=noop, config={}], description=null] due to OpenSearchException[java.lang.reflect.InvocationTargetException]; nested: InvocationTargetException; nested: RuntimeException[com.amazon.dlic.util.SettingsBasedSSLConfigurator$SSLConfigException: Error loading PEM from /usr/share/opensearch/config/certs/openid-certs (openid_connect_idp.pemtrustedcas_filepath) for openid_connect_idp.]; nested: SSLConfigException[Error loading PEM from /usr/share/opensearch/config/certs/openid-certs (openid_connect_idp.pemtrustedcas_filepath) for openid_connect_idp.]; nested: CertificateException[No certificate data found];
pablo
September 5, 2023, 10:21pm
2
You must provide a file name and not a folder name. If you have more than one CA then you must concatenate them in one single file.
Hi @pablo
The file path ending with openid-certs is a file which has PEM, Certificate and keys which is concatenated into one file. Still the issue persists.
Note: Am using opensearch operator in the k8s environment.
pablo
September 6, 2023, 8:24am
4
@Tamilkumar How did you mount that certificate?
jaboo
September 6, 2023, 9:03am
5
My understanding is that ‘pemtrustedcas_filepath’ only needs to contain your trusted CA cert (or concatenate more than one if you have many), but you don’t need to concatenate any other certs or keys into it.
Hi @pablo
Openid-certs mentioned in the file path has been fetched from the keycloak .(wget https://xxx.xxx.xxx.xxx.sslip.io/auth/realms/ /protocol/openid-connect/certs) Since its a n operator i have created a configmap and appended as additional volume sections in opensearch.yaml file.
config.yaml
opensearch.yaml
kind: OpenSearchCluster
name: openid-certs
pablo
September 6, 2023, 10:34pm
7
@Tamilkumar The mapping in the OpenSearch cluster object looks correct.
I’ve tested Opster deployment with configmap containing the keycloak certificate and all worked.
Your configmap should look similar to the below one.
kubectl get configmap keycloak-cert -o yaml
apiVersion: v1
data:
keycloak.crt: |
-----BEGIN CERTIFICATE-----
MIIDoTCCAomgAwIBAgIEOa2AUjANBgkqhkiG9w0BAQsFADBtMQswCQYDVQQGEwJJ
RTENMAsGA1UECBMEQ29yazENMAsGA1UEBxMEQ29yazENMAsGA1UEChMEQ29yazER
...
U/JlUrz+Ht8MOSsJtIeo/bntvoHqSYJvV5GNSzRZs19VMeIgip3+qLM6sH9i70lU
EW0ylLohWz3rwwF0U5D5wEBfqZnv
-----END CERTIFICATE-----
kind: ConfigMap
metadata:
creationTimestamp: "2023-09-06T22:01:42Z"
name: keycloak-cert
namespace: default
resourceVersion: "125660"
uid: 1f06d842-9ede-4f01-bd7b-a631b95f046a
I’ve created my configmap with the following command.
kubectl create configmap keycloak-cert --from-file ./keycloak.crt
This is my OpenSearch cluster yaml.
apiVersion: opensearch.opster.io/v1
kind: OpenSearchCluster
metadata:
name: my-cluster1
namespace: default
spec:
security:
config:
adminCredentialsSecret:
name: a-admin-credentials-secret
securityConfigSecret:
name: a-securityconfig-secret
tls:
transport:
generate: true
http:
generate: true
general:
serviceName: my-cluster1
version: 2.9.0
pluginsList: ["repository-s3"]
drainDataNodes: true
setVMMaxMapCount: true
additionalVolumes:
- name: keycloak-cert-os-secret
path: /usr/share/opensearch/config/certs/
configMap:
name: keycloak-cert
pablo
September 6, 2023, 10:55pm
8
@Tamilkumar pemtrustedcas_filepath in openid configuration in config.yml must contain either signing certificate of the IDP (keycloak) or IDP certificate.
@pablo
Even my folder structure certs worked out the thing i missed is the mapper section. which sorted out the issue.
@pablo ,
I wanted my opensearch dashboard to configure in ssl mode authentication . To achieve this i’ve add the tls configs in the dashboard.yml but its not working as expected.
opensearch-keycloak authentication works out but from keycloak to opensearch dashboard its not working out. pls help what am i missing?
I’ve mentioned th e yaml file below:
dashboards:https://xx.xxx.xxx.xx.sslip.io/auth/realms/xxx/.well-known/openid-configuration opensearch_security.openid.base_redirect_url:https://xxx.dev26.xxx.com/
Hi @pablo
Your suggestion will help me to move fwd.
pablo
October 6, 2023, 1:49am
12
@Tamilkumar What exactly do you see? Are you getting redirected to the Keycloak’s login page?
You need to point OpenSearch Dashboards to Keycloak’s self-signed certificate in opensearch_dashboards.yml
opensearch_security.openid.root_ca: "/usr/share/opensearch-dashboards/config/keycloak.crt"
HI @pablo ,
Would like to thank you for the solutions and discussions provided to me during my deployments.
Am trying to setup key Cloak saml federation with OpenID authorization in the OpenSearch level but am facing an issue at the opensearch dashboard end like
Error Failed to obtain the endpoints from IDP.
Set up details
central-key Cloak is the one which needs to authorize the user when an user access from local-Key Cloak
The parameters required to achieve the setup is IDP at key Cloak-local end and Client id at key Cloak-central end. with saml authentication.
The parameters needed for the above task is IDP URL, ClientID and OpenSearch dashboard url for redirection.
dashboard config:https://xx.xxx.xxx.xx.sslip.io/auth/realms/xxx/.well-known/openid-configuration opensearch_security.openid.base_redirect_url:https://xxx.dev26.xxx.com/
Please share me the documents or configs or suggestions from ur end on how to achieve this or solve the dasjboard error(unable to find endpoint from idp)
pablo
December 14, 2023, 10:14am
14
@Tamilkumar Just to clarify.
@pablo
say for example in my scenario when i access the OpenSearch dashboard it should redirect to key Cloak-local first(idp)for authentication and then it should redirect to key Cloak-central (Client-id)for authorization.
Meaning two single sign on redirections has to happen
pablo
December 14, 2023, 3:17pm
17
@Tamilkumar Unfortunately OpenSearch and OpenSearch Dashboards don’t have such functionality.
@pablo ,
I tried configuring multiple sign on with the order 0 order 1 and so on but its not meeting my requirements.
Thats bad luck for me that OpenSearch doesn’t have this functionality.
pablo
December 14, 2023, 6:34pm
19
@Tamilkumar I can only suggest opening a feature request in the OpenSearch security GitHub .
@pablo