SSLconfigException Error

@pablo,

Recently, when I tried integrating OpenSearch with Keycloak, I faced a 401 Unauthorized error. The OpenSearch config part follows:

apiVersion: opensearch.opster.io/v1
kind: OpenSearchCluster
metadata:
  name: my-cluster1
  namespace: opensearch
spec:
  initHelper:
    image: "public.ecr.aws/opsterio/busybox"
  security:
    config:
      adminCredentialsSecret:
        name: a-admin-credentials-secret
      securityConfigSecret:
        name: a-securityconfig-secret
    tls:
      transport:
        generate: true
      http:
        generate: true
  general:
    serviceName: my-cluster1
    version: 2.8.0
    pluginsList: ["repository-s3"]
    drainDataNodes: true
    setVMMaxMapCount: true
    image: docker.io/opensearchproject/opensearch:2.7.0
    imagePullPolicy: IfNotPresent
    additionalVolumes:
    - name: openid-certs
      path: /usr/share/opensearch/config/certs/
      configMap:
        name: openid-certs
      restartPods: true
      #additionalConfig:
      #plugins.security.allow_default_init_securityindex: "true"
      #plugins.security.ssl.transport.pemtrustedcas_filepath: /usr/share/opensearch/config/certs/openid-certs
  dashboards:
    additionalConfig:
      logging.verbose: "true"
      opensearch_security.auth.type: '["basicauth","openid"]'
      opensearch_security.auth.multiple_auth_enabled: "True"
      opensearch_security.openid.connect_url: https://xxx.xxx.xxx.xxx.sslip.io/auth/realms/nha/.well-known/openid-configuration
      opensearch_security.openid.base_redirect_url: https://osdashs.iks-xxx.com/
      opensearch_security.openid.client_id: grafana
      opensearch_security.openid.client_secret: 4zQdkx7ZSvHxpuiw4SCNTLibmGPElHhr
      opensearch_security.openid.scope: openid profile email
      opensearch_security.openid.header: Authorization
      opensearch_security.openid.trust_dynamic_headers: "true"
      opensearch.optimizedHealthcheckId: "my-cluster1"
      opensearch_security.openid.verify_hostnames: "false"
      opensearch.ssl.verificationMode: none
      opensearch_security.cookie.secure: "false"
      opensearch.requestHeadersWhitelist:  |
        ["securitytenant","Authorization","security_tenant"]
      opensearch_security.readonly_mode.roles: '[ "kibana_user", "readall" ]'
    image: docker.io/opensearchproject/opensearch-dashboards:2.7.0

Security config:

authc:
  basic_internal_auth_domain:
    http_enabled: true
    transport_enabled: true
    order: 0
    http_authenticator:
      type: basic
      challenge: false
    authentication_backend:
      type: internal

  openid_auth_domain:
    http_enabled: true
    transport_enabled: true
    order: 1
    http_authenticator:
      type: openid
      challenge: false
      config:
        openid_connect_idp:
          enable_ssl: true
          verify_hostnames: false
          pemtrustedcas_filepath: /usr/share/opensearch/config/certs/openid-certs
        subject_key: preferred_username
        roles_key: roles
        openid_connect_url: "https://xxx.xxx.xxx.xxx.sslip.io/auth/realms/master/.well-known/openid-configuration"
    authentication_backend:
      type: noop
roles_mapping.yml: |-
  _meta:
    type: "rolesmapping"
    config_version: 2

On the Keycloak side, the mappers are added, mapping the roles given in the security config part under roles_key: roles.

Please help

Hi @pablo

Suggestions from your side are appreciated. Please provide us some clues.

Note: We have gone through the issue in the forums and tried to do the same, even though with no luck. The configurations are attached above.

Does this point to the folder or a file?

Hi @pablo ,

This is the complete path of a file. (openid-certs is a pem file without extension)

The download source would be: https://keycloak.opensearch.xxx.com/realms/settings/

We get a realm XML page and download the certs from there (searching for the keyword certs).

@Tamilkumar Are you getting redirected to Keycloak and then back to OpenSearch Dashboards, or are you getting the "Unauthorized" error straight away?

What is the Keycloak version?
Have you configured the User Realm Role in Keycloak? If yes, could you share the screenshot?

Hi @pablo,

The Opensearch config version is 2.0

The Keycloak version is jboss/keycloak: 15.0.2

I am getting Unauthorized when it comes back to OpenSearch Dashboards after the Keycloak redirections.

My client is grafana, and the client scope available to the client is attached:

Client grafana associated roles and realm roles:

@Tamilkumar You need to configure the User Realm Role that will include the roles in the JWT token.

Navigate to Clients → Grafana → Mappers and create a User Realm Role.

The Token Claim Name must match the value of roles_key in config.yml.
The Multivalued and Add to ID token options must be ON.
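A quick way to confirm the mapper is right before retrying the login is to decode the ID token Keycloak issues and check it against the subject_key and roles_key from the config.yml above. The script below is an added example, not code from the thread or from the OpenSearch security plugin; the two tokens it inspects are constructed samples (one with a wrongly named claim, one with a multivalued "roles" claim), and it does not verify signatures, since the plugin does that itself.

```python
import base64
import json

# Values taken from the security config posted above (openid_auth_domain)
SUBJECT_KEY = "preferred_username"
ROLES_KEY = "roles"


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token: str) -> dict:
    """Return the payload claims of a JWT without checking its signature.
    Diagnostic only: the security plugin verifies the signature itself."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected JWS compact serialization with 3 segments")
    return json.loads(b64url_decode(parts[1]))


def check_claims(claims: dict, subject_key: str = SUBJECT_KEY,
                 roles_key: str = ROLES_KEY) -> list:
    """List mismatches between the token and the plugin's subject_key/roles_key."""
    problems = []
    if subject_key not in claims:
        problems.append(f"missing subject claim '{subject_key}' (subject_key)")
    roles = claims.get(roles_key)
    if roles is None:
        problems.append(f"missing claim '{roles_key}' (roles_key): check the "
                        "mapper's Token Claim Name and 'Add to ID token'")
    elif not isinstance(roles, list):
        problems.append(f"claim '{roles_key}' is not multivalued "
                        f"(got {type(roles).__name__})")
    elif not roles:
        problems.append(f"claim '{roles_key}' is empty: user has no realm roles")
    return problems


def build_unsigned_token(claims: dict) -> str:
    """Construct a sample token (header, payload, dummy signature) for offline use."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.dummy-signature"


# Constructed samples: mapper claim named "realm_roles" (wrong) vs "roles" (matches roles_key)
BAD_TOKEN = build_unsigned_token({"preferred_username": "alice", "realm_roles": ["readall"]})
GOOD_TOKEN = build_unsigned_token({"preferred_username": "alice", "roles": ["readall", "kibana_user"]})
```

Run `check_claims(jwt_claims(token))` on a real ID token copied from the browser's Keycloak callback; an empty list means the claim names line up with config.yml, and any remaining 401 is then a roles_mapping.yml or backend-role issue rather than a mapper one.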