Add hot reload TLS certificate section #433 (#6875)

* adding hot reload TLS certificate section #433 Signed-off-by: AntonEliatra <anton.rubin@eliatra.com> * fixing issues on hot reload #433 Signed-off-by: AntonEliatra <anton.rubin@eliatra.com> * Update tls.md Signed-off-by: AntonEliatra <anton.rubin@eliatra.com> * Apply suggestions from code review Co-authored-by: Naarcha-AWS <97990722+Naarcha-AWS@users.noreply.github.com> Signed-off-by: AntonEliatra <anton.rubin@eliatra.com> * Apply suggestions from code review Co-authored-by: Nathan Bower <nbower@amazon.com> Signed-off-by: AntonEliatra <anton.rubin@eliatra.com> * Update tls.md Signed-off-by: AntonEliatra <anton.rubin@eliatra.com> --------- Signed-off-by: AntonEliatra <anton.rubin@eliatra.com> Co-authored-by: Naarcha-AWS <97990722+Naarcha-AWS@users.noreply.github.com> Co-authored-by: Nathan Bower <nbower@amazon.com> (cherry picked from commit fa38567) Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
opensearch-project · Apr 18, 2024 · 80088f6 · 80088f6
1 parent 28efa24
commit 80088f6
Show file tree

Hide file tree

Showing 2 changed files with 41 additions and 0 deletions.
diff --git a/_api-reference/index.md b/_api-reference/index.md
@@ -61,6 +61,7 @@ This reference includes the REST APIs supported by OpenSearch. If a REST API is
 - [Supported units]({{site.url}}{{site.baseurl}}/api-reference/units/)
 - [Tasks]({{site.url}}{{site.baseurl}}/api-reference/tasks/)
 - [Transforms API]({{site.url}}{{site.baseurl}}/im-plugin/index-transforms/transforms-apis/)
+- [Hot reload TLS certificates]({{site.url}}{{site.baseurl}}/security/configuration/tls/#hot-reloading-tls-certificates)
 
 
 
diff --git a/_security/configuration/tls.md b/_security/configuration/tls.md
@@ -260,3 +260,43 @@ The default insecure SSL password settings have been deprecated. In order to use
 * plugins.security.ssl.transport.truststore_password_secure
 
 These settings allow for the use of encrypted passwords in the settings.
+
+## Hot reloading TLS certificates
+
+Updating expired or nearly expired TLS certificates does not require restarting the cluster. Instead, enable hot reloading of TLS cerificates by adding the following line to `opensearch.yml`:
+
+
+`plugins.security.ssl_cert_reload_enabled: true`
+
+This setting is `false` by default.
+{: .note }
+
+After enabling hot reloading, use the Reload Certificates API to replace the expired certificates. The API expects the old certificates to be replaced with valid certificates issued with the same `Issuer/Subject DN` and `SAN`. The new certificates also need be stored in the same location as the previous certificates in order to prevent any changes to the `opensearch.yml` file. 
+
+Only a [superadmin]({{site.url}}{{site.baseurl}}/security/configuration/tls/#configuring-admin-certificates) can use the Reload Certificates API.
+{: .note }
+
+### Reload TLS certificates on the transport layer
+ The following command reloads TLS certificates on the transport layer:
+
+  ```json
+  curl --cacert <ca.pem> --cert <admin.pem> --key <admin.key> -XPUT https://localhost:9200/_plugins/_security/api/ssl/transport/reloadcerts
+  ```
+  {% include copy.html %}
+
+You should receive the following response:
+```{ "message": "successfully updated transport certs"}```
+
+### Reload TLS certificates on the http layer
+
+The following command reloads TLS certificates on the `http` layer:
+
+  ```json
+  curl --cacert <ca.pem> --cert <admin.pem> --key <admin.key> -XPUT https://localhost:9200/_plugins/_security/api/ssl/http/reloadcerts
+  ```
+  {% include copy.html %}
+
+You should receive the following response:
+
+```{ "message": "successfully updated http certs"}```
+