Unable to configure ./securityadmin.sh with TLS certificate

Opensearch Version: 2.19.1

I'm unable to run ./securityadmin.sh; I get this error:

Security Admin v7
Will connect to CCCC.fmr.com:9200 ... done
ERR: An unexpected ResponseException occured: method [GET], host [https://XXXX.XXX.com:9200], URI [/_plugins/_security/whoami], status line [HTTP/1.1 403 Forbidden]
{"error":"GET /_plugins/_security/whoami API not whitelisted","status":"FORBIDDEN"}
# curl -k --cert /etc/opensearch/openssl/admin.pem --key /etc/opensearch/openssl/admin-key.pem https://XX.XX.com:9200/_plugins/_security/authinfo?pretty
{
  "user" : "User [name=CN=A,OU=UNIT,O=ORG,L=TORONTO,ST=ONTARIO,C=CA, backend_roles=[], requestedTenant=null]",
  "user_name" : "CN=A,OU=UNIT,O=ORG,L=TORONTO,ST=ONTARIO,C=CA",
  "user_requested_tenant" : null,
  "remote_address" : null,
  "backend_roles" : [ ],
  "custom_attribute_names" : [ ],
  "roles" : [
    "own_index"
  ],
  "tenants" : {
    "CN=A,OU=UNIT,O=ORG,L=TORONTO,ST=ONTARIO,C=CA" : true
  },
  "principal" : "CN=A,OU=UNIT,O=ORG,L=TORONTO,ST=ONTARIO,C=CA",
  "peer_certificates" : "2",
  "sso_logout_url" : null
}

plugins.security.authcz.admin_dn:
  - 'CN=A,OU=UNIT,O=ORG,L=TORONTO,ST=ONTARIO,C=CA'
# openssl x509 -text -noout -in /etc/opensearch/openssl/admin.pem
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            XX:XX:XX:XX:XX:X:XX:X:X:X:XX:XX:XX
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, ST = State, L = City, O = Organization, OU = Unit, CN = RootCA
        Validity
            Not Before: Apr 23 13:28:02 2025 GMT
            Not After : Apr 23 13:28:02 2026 GMT
        Subject: C = CA, ST = ONTARIO, L = TORONTO, O = ORG, OU = UNIT, CN = A

Hi @rehanpfmr ,

Can you share your /config/opensearch.yml and /config/opensearch-security/allowlist.yml?

opensearch.yml
cluster.name: opensearch-dev
node.name: XXXX.XX.com
path.data: /var/lib/opensearch
path.logs: /var/log/opensearch
network.host: XX.XX.XX.XX
http.port: 9200
discovery.seed_hosts: ["XX.XX.XX.XX"]
cluster.initial_cluster_manager_nodes: ["opensearch-cluster_manager"]
#================================= New certificates ======================
plugins.security.ssl.transport.pemcert_filepath: /etc/opensearch/openssl/node.pem
plugins.security.ssl.transport.pemkey_filepath: /etc/opensearch/certs/ssl.pem
plugins.security.ssl.transport.pemtrustedcas_filepath: /etc/opensearch/openssl/root-ca.pem
plugins.security.ssl.transport.enforce_hostname_verification: false
#-------------------------------------------------------------------------
plugins.security.ssl.http.enabled: true
plugins.security.ssl.http.pemcert_filepath: /etc/opensearch/openssl/node.pem
plugins.security.ssl.http.pemkey_filepath: /etc/opensearch/certs/ssl.pem
plugins.security.ssl.http.pemtrustedcas_filepath: /etc/opensearch/openssl/root-ca.pem
plugins.security.ssl.http.clientauth_mode: OPTIONAL
#-------------------------------------------------------------------------
plugins.security.ssl_cert_reload_enabled: true
plugins.security.allow_unsafe_democertificates: false
plugins.security.allow_default_init_securityindex: true
plugins.security.authcz.admin_dn:
  - 'CN=A,OU=UNIT,O=ORG,L=TORONTO,ST=ONTARIO,C=CA'
plugins.security.nodes_dn:
  - 'C=US,OU=Venafi Provisioned,O=FMR LLC,CN=opensearch-dev.fmr.com'
plugins.security.restapi.admin.enabled: true
plugins.security.audit.type: internal_opensearch
plugins.security.nodes_dn_dynamic_config_enabled: true
plugins.security.enable_snapshot_restore_privilege: true
plugins.security.check_snapshot_restore_write_privileges: true
plugins.security.restapi.roles_enabled: [all_access, security_rest_api_access]
plugins.security.system_indices.enabled: true

allowlist.yml

---
_meta:
  type: "allowlist"
  config_version: 2

config:
  enabled: true
  requests:
    /_cluster/settings:
      - GET
    /_cat/nodes:
      - GET
    /:
      - GET

Could you please share the command you used to run securityadmin.sh, including all parameters?

OPENSEARCH_JAVA_HOME=/usr/share/opensearch/jdk ./securityadmin.sh -cd ../config/ -icl -key /etc/opensearch/openssl/admin-key.pem -cert /etc/opensearch/openssl/admin.pem -cacert /etc/opensearch/openssl/root-ca.pem -nhnv -h XXXXX

OPENSEARCH_JAVA_HOME=/usr/share/opensearch/jdk ./securityadmin.sh -cacert /etc/opensearch/certs/FICAChain.pem -cert /home/srvelt/new1/appcertificate.pem -key /home/srvelt/new1/ssl.pem -cd /usr/share/opensearch/config/opensearch-security/ -icl -nhnv -h XXX.fmr.com

Security Admin v7
Will connect to XXX.fmr.com:9200 ... done
ERR: An unexpected ResponseException occured: method [GET], host [https://XXX.fmr.com:9200], URI [/_plugins/_security/whoami], status line [HTTP/1.1 403 Forbidden]
{"error":"GET /_plugins/_security/whoami API not whitelisted","status":"FORBIDDEN"}
Trace:
org.opensearch.client.ResponseException: method [GET], host [https://XXX.fmr.com:9200], URI [/_plugins/_security/whoami], status line [HTTP/1.1 403 Forbidden]
{"error":"GET /_plugins/_security/whoami API not whitelisted","status":"FORBIDDEN"}
at org.opensearch.client.RestClient.convertResponse(RestClient.java:479)
at org.opensearch.client.RestClient.performRequest(RestClient.java:371)
at org.opensearch.client.RestClient.performRequest(RestClient.java:346)
at org.opensearch.security.tools.SecurityAdmin.execute(SecurityAdmin.java:575)
at org.opensearch.security.tools.SecurityAdmin.main(SecurityAdmin.java:165)

This is not resolving. My node certificates are connecting successfully and returning _cat/nodes; however, I'm unable to set my admin password.

ip heap.percent ram.percent cpu load_1m load_5m load_15m node.role node.roles cluster_manager name
10.136.66.59 6 85 3 0.07 0.11 0.09 dimr cluster_manager,data,ingest,remote_cluster_client * XXXX.fmr.com

https://XXXX.fmr.com:9200/
{
  "error": "GET / API not whitelisted",
  "status": "FORBIDDEN"
}

Please try running the following command:

curl --insecure --cert ./config/kirk.pem --key ./config/kirk-key.pem -XPUT "https://localhost:9200/_plugins/_security/api/allowlist" -H 'Content-Type: application/json' -d'
{
  "enabled": true,
  "requests": {
    "/_cluster/settings": ["GET"],
    "/_cat/nodes": ["GET"],
    "/_plugins/_security/whoami": ["GET"]
  }
}
'

Please change the certificate paths to your super admin certificate path. You might also need to change the hostname.
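Added example for this thread (editorial, not code from the thread or from OpenSearch; it never contacts a cluster). It models the two rules that decide whether a client-certificate request survives an enabled API allowlist: a request whose certificate DN matches an entry in plugins.security.authcz.admin_dn is a super-admin request and is not checked against the allowlist at all, and every other request must match an allowlist entry by exact path and HTTP method. The admin_dn value, the openssl subject line and the allowlist come from the posts above; the DN standing in for the enterprise certificate of the second securityadmin run (appcertificate.pem) is constructed, since its subject is not shown. The DN comparison is order-sensitive and case-insensitive, which is the example's reading of the LdapName comparison the plugin uses; treat the case handling as a simplification.

```python
"""Model of the decision the OpenSearch security REST filter makes for a
client-certificate request when the API allowlist is enabled.

Added example for this thread, not OpenSearch code; it never contacts a
cluster. Rules encoded: a certificate DN matching an entry in
plugins.security.authcz.admin_dn is exempt from the allowlist; any other
request must match an allowlist entry (exact path plus HTTP method).
Inputs are copied from the thread or constructed for illustration.
"""

# Subject as printed by `openssl x509 -text` for the admin.pem in the thread.
OPENSSL_SUBJECT = "C = CA, ST = ONTARIO, L = TORONTO, O = ORG, OU = UNIT, CN = A"

# plugins.security.authcz.admin_dn from the posted opensearch.yml.
ADMIN_DN = ["CN=A,OU=UNIT,O=ORG,L=TORONTO,ST=ONTARIO,C=CA"]

# config.requests from the posted allowlist.yml (before the suggested PUT).
ALLOWLIST = {
    "enabled": True,
    "requests": {
        "/_cluster/settings": ["GET"],
        "/_cat/nodes": ["GET"],
        "/": ["GET"],
    },
}

# The allowlist body of the PUT suggested at the end of the thread.
ALLOWLIST_WITH_WHOAMI = {
    "enabled": True,
    "requests": {
        "/_cluster/settings": ["GET"],
        "/_cat/nodes": ["GET"],
        "/_plugins/_security/whoami": ["GET"],
    },
}


def openssl_to_rfc2253(subject: str) -> str:
    """Convert openssl's 'C = CA, ..., CN = A' display into the 'CN=A,...,C=CA'
    string the plugin reports as the principal (see the authinfo output in
    the thread): most-specific RDN first, no spaces around '='.
    Simplification: values containing escaped commas are not handled."""
    pairs = []
    for rdn in subject.split(","):
        attr_type, _, value = rdn.partition("=")
        pairs.append(f"{attr_type.strip()}={value.strip()}")
    return ",".join(reversed(pairs))


def canonical_dn(dn: str) -> tuple:
    """Comparison form: ordered (type, value) pairs, lower-cased. Order is
    significant, so pasting openssl's display order into admin_dn does not
    match; case is ignored (example's simplification of LdapName equality)."""
    pairs = []
    for rdn in dn.split(","):
        attr_type, _, value = rdn.partition("=")
        pairs.append((attr_type.strip().lower(), value.strip().lower()))
    return tuple(pairs)


def is_super_admin(cert_dn: str, admin_dns=ADMIN_DN) -> bool:
    """True when the certificate DN equals one of the configured admin DNs."""
    target = canonical_dn(cert_dn)
    return any(canonical_dn(entry) == target for entry in admin_dns)


def allowlist_permits(method: str, path: str, allowlist=ALLOWLIST) -> bool:
    """Exact-path, per-method check of an allowlist document. The query
    string (e.g. '?pretty') is not part of the path."""
    if not allowlist.get("enabled", False):
        return True
    path = path.split("?", 1)[0]
    return method.upper() in allowlist.get("requests", {}).get(path, [])


def decide(method, path, cert_dn, admin_dns=ADMIN_DN, allowlist=ALLOWLIST):
    """Return (allowed, reason) for a request carrying the given client DN."""
    if is_super_admin(cert_dn, admin_dns):
        return True, "admin_dn match: allowlist not consulted"
    if allowlist_permits(method, path, allowlist):
        return True, "allowlist entry matched"
    return False, f"{method.upper()} {path.split('?', 1)[0]} API not whitelisted"


if __name__ == "__main__":
    admin_cert = openssl_to_rfc2253(OPENSSL_SUBJECT)
    # Constructed DN standing in for the enterprise certificate used in the
    # second securityadmin run; it is not listed in admin_dn.
    app_cert = "CN=app.example.com,OU=Venafi Provisioned,O=EXAMPLE,C=US"
    for dn in (admin_cert, app_cert):
        for method, path in (("GET", "/_plugins/_security/whoami"),
                             ("GET", "/_cat/nodes"), ("GET", "/?pretty")):
            print(f"{dn:48} {method} {path:30} {decide(method, path, dn)}")
    print("after the suggested PUT:",
          decide("GET", "/_plugins/_security/whoami", app_cert,
                 allowlist=ALLOWLIST_WITH_WHOAMI))
```

Two things the model makes visible. First, securityadmin's opening call is GET /_plugins/_security/whoami, so a certificate that does not match admin_dn hits the allowlist and gets exactly the 403 in the thread, while a matching admin certificate never consults the allowlist; a 403 from an allowlist on a run made with the admin certificate therefore points at the DN comparison (order of RDNs, or the running node not using the opensearch.yml shown) rather than at the allowlist contents. Second, the PUT at the end of the thread replaces the whole allowlist document, so the `"/": ["GET"]` entry from the posted allowlist.yml disappears unless it is included in the body; the allowlist that is live is the one in the security index, not the file on disk, which is only read at first initialization or when loaded with securityadmin. When running that PUT against a real cluster, prefer `--cacert` with the cluster's root CA over `--insecure`, since the call carries the super-admin key.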