What is "Client" in OpenSearch Dashboards SSL?

I am confused and perhaps @pablo can help.

What is meant with “client” in the OpenSearch Dashboards security configuration?

Depending on where I look, and I looked almost everywhere (OpenSearch GitHub, OpenSearch website, OpenSearch Forum, StackOverflow), the terms “server” and “client” are used interchangeably.

Here with more detail:

Transport Layer Security Settings

server.ssl.enabled: true
server.ssl.certificate: ${DASHBOARDS_CERTIFICATE_PEM}
server.ssl.key: ${DASHBOARDS_KEY_PEM}
server.ssl.certificateAuthorities: ${ROOT_CA_PEM}

Client Security Settings

opensearch.ssl.verificationMode: full
opensearch.ssl.certificate: ${CLIENT_CERTIFICATE_PEM}
opensearch.ssl.key: ${CLIENT_KEY_PEM}
opensearch.ssl.certificateAuthorities: ${ROOT_CA_PEM}

Is the server.ssl.certificate the certificate I created for my Dashboard? IP address (or DNS with hostname) as SAN and DN? In some places this is called “client certificate” and in other places “server certificate”?!?

Then what is opensearch.ssl.certificate? In some places this is called “client certificate” as well? Is this a node certificate?

I am confused. A plain English explanation is missing somewhere, I think. Perhaps a summary page with a simple graph in the OpenSearch documentation would make it easier for everyone. You know, an example with let’s say 3 nodes, dashboard, and some other machines. Certificates and keys, perhaps even with an AES256 password, and then sample yml files for OpenSearch and OpenSearch Dashboards? All of that for the most common deployment scenarios, which I would guess are Docker, Docker Compose, and Kubernetes manifests? With examples for self-signed certificates as well, because AKS Kubernetes for example makes it tough to have a domain for hostname verification and IP seems to be the way to go?

Just thinking out loud…

@Laszlo First, client and server certificates.

The “client” means the side that initiates the connection. For example, if you use a browser to connect to the web server then the “client” is your web browser.

The “server” means the target i.e. web service, database service, OpenSearch (9200), LDAP (389 or 636).

In regards to the opensearch_dashboards.yml file, server.ssl refers to the OpenSearch Dashboards service (5601). Whenever your browser (client) connects to OpenSearch Dashboards (server), OpenSearch Dashboards will present the certificate defined in server.ssl.certificate and the web browser will validate it. This option is mandatory to secure a connection between the web browser (client) and OpenSearch Dashboards (server).

The OpenSearch Dashboards service can also act as a client. opensearch.ssl.certificate is used to connect with the OpenSearch node using an SSL certificate. This type of connection is called mTLS authentication.
In this scenario, OpenSearch Dashboards (client) initiates a connection with the OpenSearch node (server). OpenSearch Dashboards validates the server’s SSL certificate (OpenSearch port 9200) and OpenSearch validates the SSL certificate of the OpenSearch Dashboards that was used to initiate the connection (opensearch.ssl.certificate).

I hope this will help.
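To make the two roles in the answer above concrete, here is an added example (not from this thread and not OpenSearch project code) written with Go's standard library. It builds a throw-away lab CA plus two certificates and then runs the handshake described above over loopback TCP: the OpenSearch node is modelled as a TLS server that requires a client certificate, and OpenSearch Dashboards as the client that presents its own certificate while checking the node's certificate against the IP it connected to. The names (`lab-root-ca`, `opensearch-node`, `opensearch-dashboards`) and the 127.0.0.1 SAN are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// labPKI is a throw-away PKI constructed for this example: one root CA, a node
// certificate the OpenSearch side presents as a *server* (port 9200 role, IP SAN
// 127.0.0.1) and a dashboards certificate that OpenSearch Dashboards presents as a
// *client* (the role of opensearch.ssl.certificate in opensearch_dashboards.yml).
type labPKI struct {
	pool *x509.CertPool  // trusted CA on both sides (the *.certificateAuthorities keys)
	node tls.Certificate // server role: OpenSearch node
	dash tls.Certificate // client role: OpenSearch Dashboards
}

func template(cn string, serial int64) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
}

// issue signs tmpl with parent (self-signs when parent is nil) and returns the parsed
// certificate, its private key and the tls.Certificate ready for a tls.Config.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, tls.Certificate) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if parent == nil {
		parent, parentKey = tmpl, key // self-signed root
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key, tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}

func buildPKI() labPKI {
	ca := template("lab-root-ca", 1)
	ca.IsCA, ca.BasicConstraintsValid, ca.KeyUsage = true, true, x509.KeyUsageCertSign
	caCert, caKey, _ := issue(ca, nil, nil)

	node := template("opensearch-node", 2)
	node.IPAddresses = []net.IP{net.ParseIP("127.0.0.1")} // the SAN a verificationMode: full client checks
	node.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	_, _, nodeTLS := issue(node, caCert, caKey)

	dash := template("opensearch-dashboards", 3)
	dash.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth} // client role: no SAN needed
	_, _, dashTLS := issue(dash, caCert, caKey)

	pool := x509.NewCertPool()
	pool.AddCert(caCert)
	return labPKI{pool: pool, node: nodeTLS, dash: dashTLS}
}

// handshake runs one mTLS handshake over loopback TCP and reports the CommonName each
// side saw in its peer's certificate. clientCert == nil models Dashboards started without
// opensearch.ssl.certificate; serverName is what the client checks the server cert against.
func handshake(pki labPKI, clientCert *tls.Certificate, serverName string) (serverSaw, clientSaw string, err error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return "", "", err
	}
	defer ln.Close()

	type result struct {
		cn  string
		err error
	}
	srvDone := make(chan result, 1)
	go func() { // the "OpenSearch node" side
		raw, err := ln.Accept()
		if err != nil {
			srvDone <- result{"", err}
			return
		}
		defer raw.Close()
		raw.SetDeadline(time.Now().Add(5 * time.Second))
		srv := tls.Server(raw, &tls.Config{
			Certificates: []tls.Certificate{pki.node},   // what the server presents
			ClientCAs:    pki.pool,                       // what it trusts for client certs
			ClientAuth:   tls.RequireAndVerifyClientCert, // refuse clients without a valid cert
		})
		if err := srv.Handshake(); err != nil {
			srvDone <- result{"", err}
			return
		}
		srvDone <- result{srv.ConnectionState().PeerCertificates[0].Subject.CommonName, nil}
	}()

	cfg := &tls.Config{RootCAs: pki.pool, ServerName: serverName} // the "Dashboards" side validates the node
	if clientCert != nil {
		cfg.Certificates = []tls.Certificate{*clientCert} // and presents its own cert when asked
	}
	cli, cliErr := tls.DialWithDialer(&net.Dialer{Timeout: 5 * time.Second}, "tcp", ln.Addr().String(), cfg)
	if cliErr == nil {
		clientSaw = cli.ConnectionState().PeerCertificates[0].Subject.CommonName
		cli.Close()
	}
	s := <-srvDone
	if s.err != nil {
		return "", clientSaw, s.err
	}
	return s.cn, clientSaw, cliErr
}

func main() {
	pki := buildPKI()
	fmt.Println(handshake(pki, &pki.dash, "127.0.0.1")) // both sides validate each other
	fmt.Println(handshake(pki, nil, "127.0.0.1"))       // no client cert: the node refuses
	fmt.Println(handshake(pki, &pki.dash, "10.0.0.9"))  // SAN mismatch: Dashboards refuses
}
```

Mapping back to the yml keys: the client-side `RootCAs` and `ServerName` play the part of opensearch.ssl.certificateAuthorities with opensearch.ssl.verificationMode: full, the client-side `Certificates` the part of opensearch.ssl.certificate and opensearch.ssl.key, and the server-side `Certificates` the certificate the node presents on 9200. The second and third runs show the two failure modes a practitioner hits: the node rejecting a Dashboards that has no client certificate, and Dashboards rejecting a node whose certificate SAN does not match the address it connected to.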

Super! That is now clear. Thank you!