When installing OpenSearch, I am getting an error like "failed to load plugin class" for the security plugin:
[ERROR][o.o.b.Bootstrap ] [devqa-logs-2] Exception
java.lang.IllegalStateException: failed to load plugin class [org.opensearch.security.OpenSearchSecurityPlugin]
at org.opensearch.plugins.PluginsService.loadPlugin(PluginsService.java:790) ~[opensearch-1.2.3.jar:1.2.3]
at org.opensearch.plugins.PluginsService.loadBundle(PluginsService.java:726) ~[opensearch-1.2.3.jar:1.2.3]
at org.opensearch.plugins.PluginsService.loadBundles(PluginsService.java:528) ~[opensearch-1.2.3.jar:1.2.3]
at org.opensearch.plugins.PluginsService.<init>(PluginsService.java:194) ~[opensearch-1.2.3.jar:1.2.3]
at org.opensearch.node.Node.<init>(Node.java:396) ~[opensearch-1.2.3.jar:1.2.3]
at org.opensearch.node.Node.<init>(Node.java:319) ~[opensearch-1.2.3.jar:1.2.3]
at org.opensearch.bootstrap.Bootstrap$5.<init>(Bootstrap.java:242) ~[opensearch-1.2.3.jar:1.2.3]
at org.opensearch.bootstrap.Bootstrap.setup(Bootstrap.java:242) ~[opensearch-1.2.3.jar:1.2.3]
at org.opensearch.bootstrap.Bootstrap.init(Bootstrap.java:412) [opensearch-1.2.3.jar:1.2.3]
at org.opensearch.bootstrap.OpenSearch.init(OpenSearch.java:178) [opensearch-1.2.3.jar:1.2.3]
at org.opensearch.bootstrap.OpenSearch.execute(OpenSearch.java:169) [opensearch-1.2.3.jar:1.2.3]
at org.opensearch.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:100) [opensearch-1.2.3.jar:1.2.3]
at org.opensearch.cli.Command.mainWithoutErrorHandling(Command.java:138) [opensearch-cli-1.2.3.jar:1.2.3]
at org.opensearch.cli.Command.main(Command.java:101) [opensearch-cli-1.2.3.jar:1.2.3]
at org.opensearch.bootstrap.OpenSearch.main(OpenSearch.java:135) [opensearch-1.2.3.jar:1.2.3]
at org.opensearch.bootstrap.OpenSearch.main(OpenSearch.java:101) [opensearch-1.2.3.jar:1.2.3]
Caused by: java.lang.reflect.InvocationTargetException
at jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) ~[?:?]
at jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:64) ~[?:?]
at jdk.internal.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) ~[?:?]
at java.lang.reflect.Constructor.newInstanceWithCaller(Constructor.java:500) ~[?:?]
at java.lang.reflect.Constructor.newInstance(Constructor.java:481) ~[?:?]
at org.opensearch.plugins.PluginsService.loadPlugin(PluginsService.java:781) ~[opensearch-1.2.3.jar:1.2.3]
… 15 more
Caused by: org.opensearch.OpenSearchSecurityException: Error while initializing transport SSL layer from PEM: java.security.cert.CertificateParsingException: signed fields invalid
at org.opensearch.security.ssl.DefaultSecurityKeyStore.initTransportSSLConfig(DefaultSecurityKeyStore.java:419) ~[?:?]
at org.opensearch.security.ssl.DefaultSecurityKeyStore.initSSLConfig(DefaultSecurityKeyStore.java:258) ~[?:?]
at org.opensearch.security.ssl.DefaultSecurityKeyStore.<init>(DefaultSecurityKeyStore.java:179) ~[?:?]
at org.opensearch.security.ssl.OpenSearchSecuritySSLPlugin.<init>(OpenSearchSecuritySSLPlugin.java:218) ~[?:?]
Hey @pablo, I used custom certs signed by the Entrust Root CA cert. We don't have separate certs for each node in our cluster as such; we use one general SSL cert for the entire organization, and the CN looks like this: CN = *.organization.com
@pablo Yes, all certs are in a supported format. The above error is resolved now, but I am getting new exceptions like certificate_unknown and "unable to find valid certification path to the requested target".
We have a 2-node OpenSearch cluster. Both nodes have the same configuration as below.
For pemtrustedcas, I used the Entrust Root CA cert but commented out that section in the config file. Do you think I need to enable it?
Exceptions:
[ERROR][o.o.s.s.t.SecuritySSLNettyTransport] [devqa-logs-1] Exception during establishing a SSL connection: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.ssl.Alert.createSSLException(Alert.java:131) ~[?:?]
at sun.security.ssl.TransportContext.fatal(TransportContext.java:369) ~[?:?]
at sun.security.ssl.TransportContext.fatal(TransportContext.java:312) ~[?:?]
at sun.security.ssl.TransportContext.fatal(TransportContext.java:307) ~[?:?]
at sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1357) ~[?:?]
at sun.security.ssl.CertificateMessage$T13CertificateConsumer.onConsumeCertificate(CertificateMessage.java:1232) ~[?:?]
at sun.security.ssl.CertificateMessage$T13CertificateConsumer.consume(CertificateMessage.java:1175) ~[?:?]
at sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:396) ~[?:?]
at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:480) ~[?:?]
at sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1267) ~[?:?]
at sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1254) ~[?:?]
at java.security.AccessController.doPrivileged(AccessController.java:691) ~[?:?]
at sun.security.ssl.SSLEngineImpl$DelegatedTask.run(SSLEngineImpl.java:1199) ~[?:?]
Exceptions:
[ERROR][o.o.s.s.t.SecuritySSLNettyTransport] [devqa-logs-1] Exception during establishing a SSL connection: javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown
javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown
at sun.security.ssl.Alert.createSSLException(Alert.java:131) ~[?:?]
at sun.security.ssl.Alert.createSSLException(Alert.java:117) ~[?:?]
at sun.security.ssl.TransportContext.fatal(TransportContext.java:356) ~[?:?]
at sun.security.ssl.Alert$AlertConsumer.consume(Alert.java:293) ~[?:?]
at sun.security.ssl.TransportContext.dispatch(TransportContext.java:202) ~[?:?]
at sun.security.ssl.SSLTransport.decode(SSLTransport.java:171) ~[?:?]
By disabling security, everything works fine. When I enable the security plugin and add these certs, I have these issues.
Ironically, my master node works fine with the security plugin, but the other node does not. When I checked that node's URL in a browser, it showed a "security index not initialized" message.
@info2kool The other node is trying to connect to the existing cluster. It is failing to connect due to an SSL handshake failure on the transport layer. That also produces the error "OpenSearch Security not initialized", as the new node can't access the .opendistro_security index that holds the security plugin configuration.
The security plugin must be initialized once. That creates the .opendistro_security index. All nodes that join the cluster can access the same security configuration. You don't have to initialize the security plugin with every new node in the cluster.
Did you use the same root CA certificate for both nodes?
You can check that with the below command.
What about the cert defined in plugins.security.ssl.transport.pemcert_filepath in both nodes? - Yes it is the same cert which has CN value as CN=*.organizationname.ca
Are they signed by the same root CA (the same X509v3 Authority Key Identifier )? - Yes
Could you check the cert nodes with the same command and confirm that X509v3 Authority Key Identifier: is the same for all node certs and root CA? - Yes
Is there any intermediate root CA in the trust chain? - Yes
I have deployed it as a service. Below is the screenshot of the cert with the root CA and intermediate CA.
Hi @pablo, I resolved the issues and am able to use my certs to log in to OpenSearch with the default credentials. Here is what my opensearch.yml looks like on both nodes.
-cacert /etc/opensearch/config/entrustl1k.pem
-cert /etc/opensearch/config/node.pem
-key /etc/opensearch/config/node-key.pem
WARNING: JAVA_HOME not set, will use /usr/bin/java
Security Admin v7
Will connect to localhost:9300 … done
Connected as CN=*.organization.ca,O=ORGNAME,L=Toronto,ST=Ontario,C=CA
ERR: CN=*.organization.ca,O=ORGNAME,L=Toronto,ST=Ontario,C=CA is not an admin user
Seems you use a node certificate. This is not permitted, you have to use a client certificate and register it as admin_dn in opensearch.yml
I have the Entrust root and intermediate certs and a node cert signed by Entrust. Which cert and key do I need to use in the configuration for the -cert and -key values?
@info2kool You’re trying to use a node certificate to authenticate as an admin.
The admin_dn doesn’t contain the CN that was in the cert used with securityadmin.sh. You shouldn’t use node certificates as admin certs.
Also, as per the documentation, you can’t use wildcards or regular expressions with admin_dn, therefore CN of the admin certificate can’t be a wildcard.
How many certificates does your entrustl1k.pem contain? Is it just root CA?
@info2kool The certificate file in plugins.security.ssl.http.pemtrustedcas_filepath should contain the RootCA, and plugins.security.ssl.transport.pemcert_filepath the Intermediate RootCA and node certificates.
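A worked check for the three points raised in this thread: whether the node certs chain to the same root CA (the Authority Key Identifier comparison pablo asked for), which certificates belong in pemtrustedcas_filepath versus pemcert_filepath, and why a wildcard node certificate cannot be registered as the securityadmin.sh admin cert. This is an added example, not code from the thread or from the OpenSearch project. It builds a throwaway root / intermediate / node / admin PKI with openssl in a temporary directory; every name in it (Example Root CA, *.example.test, node1.example.test, CN=admin) is made up, and the file names node-chain.pem and trusted-ca.pem are assumptions standing in for the paths configured in opensearch.yml.

```shell
#!/bin/sh
# Added example, not code from the thread or the OpenSearch project.
# Builds a throwaway PKI (root -> intermediate -> node / admin) with openssl
# and runs the checks discussed above. Every name here is made up.
set -eu

WORK="${WORK:-$(mktemp -d)}"
cd "$WORK"

# Minimal req config so the script does not depend on the system openssl.cnf.
printf '[req]\ndistinguished_name = dn\n[dn]\n' > req.cnf

# Extension profiles: CA certs carry an SKI (and an AKI for the intermediate);
# end-entity certs carry an AKI so each link in the chain can be checked.
printf 'basicConstraints=critical,CA:TRUE\nsubjectKeyIdentifier=hash\n' > root.ext
printf 'basicConstraints=critical,CA:TRUE\nsubjectKeyIdentifier=hash\nauthorityKeyIdentifier=keyid\n' > inter.ext
printf 'basicConstraints=CA:FALSE\nsubjectKeyIdentifier=hash\nauthorityKeyIdentifier=keyid\nsubjectAltName=DNS:node1.example.test\n' > node.ext
printf 'basicConstraints=CA:FALSE\nsubjectKeyIdentifier=hash\nauthorityKeyIdentifier=keyid\n' > admin.ext

# issue NAME SUBJECT EXTFILE [ISSUER]: new RSA key + CSR, signed by ISSUER
# (self-signed when ISSUER is omitted). The subject is given in OpenSSL
# "/O=.../CN=..." order so that RFC 2253 output reads "CN=...,O=...".
issue() {
  name=$1; subj=$2; ext=$3; issuer=${4:-}
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$name.key" 2>/dev/null
  openssl req -new -config req.cnf -key "$name.key" -subj "$subj" -out "$name.csr" 2>/dev/null
  if [ -z "$issuer" ]; then
    openssl x509 -req -in "$name.csr" -signkey "$name.key" -days 2 \
      -extfile "$ext" -out "$name.pem" 2>/dev/null
  else
    openssl x509 -req -in "$name.csr" -CA "$issuer.pem" -CAkey "$issuer.key" \
      -CAcreateserial -days 2 -extfile "$ext" -out "$name.pem" 2>/dev/null
  fi
}

build_pki() {
  issue root  "/CN=Example Root CA"          root.ext
  issue inter "/CN=Example Issuing CA"       inter.ext root
  issue node  "/O=Example/CN=*.example.test" node.ext  inter
  issue admin "/O=Example/CN=admin"          admin.ext inter
  # Lay the files out the way the security plugin expects them (assumed names):
  #   pemcert_filepath       -> node cert first, then the intermediate
  #   pemtrustedcas_filepath -> the root CA only
  cat node.pem inter.pem > node-chain.pem
  cp root.pem trusted-ca.pem
}

# How many certificates a PEM bundle holds (pablo's question about entrustl1k.pem).
cert_count() { grep -c 'BEGIN CERTIFICATE' "$1"; }

# Subject or Authority Key Identifier of the first cert in FILE, normalised so
# OpenSSL 1.1 ("keyid:AA:BB") and 3.x ("AA:BB") output compare equal.
key_id() {  # key_id Subject|Authority FILE
  openssl x509 -in "$2" -noout -text \
    | sed -n "/X509v3 $1 Key Identifier/{n;p;}" | tr -d ' \t' | sed 's/^keyid://'
}

# The link check pablo asked for: CHILD's AKI must equal PARENT's SKI.
issuer_matches() { [ "$(key_id Authority "$1")" = "$(key_id Subject "$2")" ]; }

# Path building as the receiving node does it: its trusted root plus whatever
# the peer presents. With the intermediate bundled, the path closes ...
chain_ok() {
  openssl verify -CAfile trusted-ca.pem -untrusted node-chain.pem node.pem >/dev/null 2>&1
}
# ... without it, verification fails, which is one way to end up with the
# "unable to find valid certification path" handshake error quoted above.
chain_without_intermediate_ok() {
  openssl verify -CAfile trusted-ca.pem node.pem >/dev/null 2>&1
}

# Subject DN in RFC 2253 order, the form securityadmin.sh prints and admin_dn expects.
dn_of() { openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'; }

# admin_dn entries cannot contain wildcards, so a "*.example.test" node cert can
# never be registered as the admin certificate; a dedicated client cert can.
admin_dn_ok() { case "$(dn_of "$1")" in *\**) return 1 ;; *) return 0 ;; esac; }

build_pki
echo "node-chain.pem: $(cert_count node-chain.pem) certs, trusted-ca.pem: $(cert_count trusted-ca.pem) cert"
chain_ok && echo "node.pem chains to trusted-ca.pem via the bundled intermediate"
chain_without_intermediate_ok || echo "without the intermediate the path cannot be built"
issuer_matches node.pem inter.pem && issuer_matches inter.pem root.pem && echo "AKI/SKI links consistent"
echo "node DN:  $(dn_of node.pem)  (admin_dn eligible: $(admin_dn_ok node.pem && echo yes || echo no))"
echo "admin DN: $(dn_of admin.pem)  (admin_dn eligible: $(admin_dn_ok admin.pem && echo yes || echo no))"
```

Run it with sh; it needs only openssl. On a real deployment, point key_id and dn_of at the files named in opensearch.yml: the AKI of the node cert should equal the SKI of the intermediate, the AKI of the intermediate the SKI of the root, and the DN printed for the admin cert is the exact string to put under plugins.security.authcz.admin_dn.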