Add separate certificates section #433 #6881
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Signed-off-by: AntonEliatra <anton.rubin@eliatra.com>
AntonEliatra
requested review from
hdhalter,
kolchfa-aws,
Naarcha-AWS,
vagimeli,
AMoo-Miki,
natebower,
dlvenable,
stephen-crawford and
epugh
as code owners
Signed-off-by: AntonEliatra <anton.rubin@eliatra.com>
Naarcha-AWS
added
3 - Tech review
hdhalter
changed the title
|
@scrawfor99 - Can you please review? @AntonEliatra - please ignore the Vale errors for now. **update: this is now fixed and truststore is accepted as a valid term. Thanks! |
stephen-crawford
approved these changes
Apr 9, 2024
_security/configuration/tls.md
Outdated
| ## Separate client and server certificates for transport layer TLS | ||
|
|
||
| By default, transport layer TLS certificates need to be configured as both client (`TLS Web Client Authentication`) and server (`TLS Web Server Authentication`) in the certificate's `Extended Key Usage` section, as they take responsibility as server and client in internal communication between nodes. | ||
| If you want to use separate certificates as client and server, you need to add following line to `opensearch.yml` and settings outlined in [separate client and server X.509 PEM certificates and PKCS #8 keys]({{site.url}}{{site.baseurl}}/security/configuration/tls/#separate-client-and-server-x509-pem-certificates-and-pkcs-8-keys) or [separate client and server Keystore and truststore files]({{site.url}}{{site.baseurl}}/security/configuration/tls/#separate-client-and-server-keystore-and-truststore-files) |
There was a problem hiding this comment.
Suggested change
| If you want to use separate certificates as client and server, you need to add following line to `opensearch.yml` and settings outlined in [separate client and server X.509 PEM certificates and PKCS #8 keys]({{site.url}}{{site.baseurl}}/security/configuration/tls/#separate-client-and-server-x509-pem-certificates-and-pkcs-8-keys) or [separate client and server Keystore and truststore files]({{site.url}}{{site.baseurl}}/security/configuration/tls/#separate-client-and-server-keystore-and-truststore-files) | |
| If you want to use separate certificates as client and server, you need to add following line to `opensearch.yml` and settings outlined in [separate client and server X.509 PEM certificates and PKCS #8 keys]({{site.url}}{{site.baseurl}}/security/configuration/tls/#separate-client-and-server-x509-pem-certificates-and-pkcs-8-keys) or [separate client and server Keystore and truststore files]({{site.url}}{{site.baseurl}}/security/configuration/tls/#separate-client-and-server-keystore-and-truststore-files) |
Suggested change
| If you want to use separate certificates as client and server, you need to add following line to `opensearch.yml` and settings outlined in [separate client and server X.509 PEM certificates and PKCS #8 keys]({{site.url}}{{site.baseurl}}/security/configuration/tls/#separate-client-and-server-x509-pem-certificates-and-pkcs-8-keys) or [separate client and server Keystore and truststore files]({{site.url}}{{site.baseurl}}/security/configuration/tls/#separate-client-and-server-keystore-and-truststore-files) | |
| If you want to use separate client and server certificates, you need to add following line and settings to `opensearch.yml`. You can also find steps on creating [separate client and server X.509 PEM certificates and PKCS #8 keys]({{site.url}}{{site.baseurl}}/security/configuration/tls/#separate-client-and-server-x509-pem-certificates-and-pkcs-8-keys) or [separate client and server Keystore and truststore files]({{site.url}}{{site.baseurl}}/security/configuration/tls/#separate-client-and-server-keystore-and-truststore-files) by following the hotlinks. |
There was a problem hiding this comment.
@scrawfor99 Thanks for the above, this part is a bit tricky, as main opensearch.yml line is common in both cases, and the two options that follow are different.
Do you think below is more clear
If you want to use separate certificates as client and server, you need to add plugins.security.ssl.transport.extended_key_usage_enabled: truetoopensearch.yml, then configure settings outlined in [separate client and server X.509 PEM certificates and PKCS #8 keys]({{site.url}}{{site.baseurl}}/security/configuration/tls/#separate-client-and-server-x509-pem-certificates-and-pkcs-8-keys) or [separate client and server Keystore and truststore files]({{site.url}}{{site.baseurl}}/security/configuration/tls/#separate-client-and-server-keystore-and-truststore-files)
Signed-off-by: AntonEliatra <anton.rubin@eliatra.com>
Naarcha-AWS
added
4 - Doc review
Naarcha-AWS
reviewed
Apr 12, 2024
_security/configuration/tls.md
Outdated
| @@ -77,6 +76,41 @@ Name | Description | |||
| `plugins.security.ssl.http.truststore_password` | Truststore password. Default is `changeit`. | |||
|
|
|||
|
|
|||
| ## Separate client and server certificates for transport layer TLS | |||
|
|
|||
| By default, transport layer TLS certificates need to be configured as both client (`TLS Web Client Authentication`) and server (`TLS Web Server Authentication`) in the certificate's `Extended Key Usage` section, as they take responsibility as server and client in internal communication between nodes. | |||
There was a problem hiding this comment.
Suggested change
| By default, transport layer TLS certificates need to be configured as both client (`TLS Web Client Authentication`) and server (`TLS Web Server Authentication`) in the certificate's `Extended Key Usage` section, as they take responsibility as server and client in internal communication between nodes. | |
| By default, transport layer TLS certificates need to be configured as both client (`TLS Web Client Authentication`) and server (`TLS Web Server Authentication`) in the certificate's `Extended Key Usage` section, because the certificates are responsible for the server's and client's internal communication between nodes. |
There was a problem hiding this comment.
@Naarcha-AWS would it be a better explanation to say instead of:
-because the certificates are responsible for the server's and client's internal communication between nodes.
+bacause the nodes using the TLS certificates take on the responsibility of serving and receiving the communication requests internally.
Naarcha-AWS
requested changes
Apr 12, 2024
Co-authored-by: Naarcha-AWS <97990722+Naarcha-AWS@users.noreply.github.com> Signed-off-by: AntonEliatra <anton.rubin@eliatra.com>
Signed-off-by: AntonEliatra <anton.rubin@eliatra.com>
Signed-off-by: AntonEliatra <anton.rubin@eliatra.com>
Naarcha-AWS
added
5 - Editorial review
Naarcha-AWS
approved these changes
Apr 17, 2024
Naarcha-AWS
reviewed
Apr 17, 2024
Signed-off-by: Naarcha-AWS <97990722+Naarcha-AWS@users.noreply.github.com>
Naarcha-AWS
reviewed
Apr 17, 2024
Naarcha-AWS
reviewed
Apr 17, 2024
Signed-off-by: Naarcha-AWS <97990722+Naarcha-AWS@users.noreply.github.com>
natebower
reviewed
Apr 17, 2024
There was a problem hiding this comment.
@AntonEliatra @Naarcha-AWS Please see my changes and let me know if you have any questions. Thanks!
Co-authored-by: Nathan Bower <nbower@amazon.com> Signed-off-by: AntonEliatra <anton.rubin@eliatra.com>
opensearch-trigger-bot bot
pushed a commit
that referenced
this pull request
Apr 18, 2024
* adding separate certificates section #433 Signed-off-by: AntonEliatra <anton.rubin@eliatra.com> * Update tls.md Signed-off-by: AntonEliatra <anton.rubin@eliatra.com> * Update tls.md Signed-off-by: AntonEliatra <anton.rubin@eliatra.com> * Apply suggestions from code review Co-authored-by: Naarcha-AWS <97990722+Naarcha-AWS@users.noreply.github.com> Signed-off-by: AntonEliatra <anton.rubin@eliatra.com> * Update tls.md Signed-off-by: AntonEliatra <anton.rubin@eliatra.com> * Update tls.md Signed-off-by: AntonEliatra <anton.rubin@eliatra.com> * Apply suggestions from code review Signed-off-by: Naarcha-AWS <97990722+Naarcha-AWS@users.noreply.github.com> * Apply suggestions from code review Signed-off-by: Naarcha-AWS <97990722+Naarcha-AWS@users.noreply.github.com> * Apply suggestions from code review Co-authored-by: Nathan Bower <nbower@amazon.com> Signed-off-by: AntonEliatra <anton.rubin@eliatra.com> --------- Signed-off-by: AntonEliatra <anton.rubin@eliatra.com> Signed-off-by: Naarcha-AWS <97990722+Naarcha-AWS@users.noreply.github.com> Co-authored-by: Heather Halter <HDHALTER@AMAZON.COM> Co-authored-by: Naarcha-AWS <97990722+Naarcha-AWS@users.noreply.github.com> Co-authored-by: Nathan Bower <nbower@amazon.com> (cherry picked from commit 77fb6ce) Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description
Adding section on separate certificates for client and server on transport TLS layer
Issues Resolved
Part of issue here #433
Checklist
For more information on following Developer Certificate of Origin and signing off your commits, please check here.