Add separate certificates section #433 #6881
@@ -54,14 +54,13 @@ Name | Description | |||||||||
:--- | :--- | ||||||||||
`plugins.security.ssl.transport.keystore_type` | The type of the keystore file, JKS or PKCS12/PFX. Optional. Default is JKS. | ||||||||||
`plugins.security.ssl.transport.keystore_filepath` | Path to the keystore file, which must be under the `config` directory, specified using a relative path. Required. | ||||||||||
`plugins.security.ssl.transport.keystore_alias: my_alias` | Alias name. Optional. Default is the first alias. | ||||||||||
`plugins.security.ssl.transport.keystore_alias` | Alias name. Optional. Default is the first alias. | ||||||||||
`plugins.security.ssl.transport.keystore_password` | Keystore password. Default is `changeit`. | ||||||||||
`plugins.security.ssl.transport.truststore_type` | The type of the truststore file, JKS or PKCS12/PFX. Default is JKS. | ||||||||||
`plugins.security.ssl.transport.truststore_filepath` | Path to the truststore file, which must be under the `config` directory, specified using a relative path. Required. | ||||||||||
`plugins.security.ssl.transport.truststore_alias` | Alias name. Optional. Default is all certificates. | ||||||||||
`plugins.security.ssl.transport.truststore_password` | Truststore password. Default is `changeit`. | ||||||||||
|
||||||||||
|
||||||||||
### REST layer TLS | ||||||||||
|
||||||||||
Name | Description | ||||||||||
|
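Review bot: Dropping the stray `: my_alias` example value from the `keystore_alias` setting name is the right fix, since every other row in this table lists the bare setting key, but the same table still leaves `keystore_password` and `truststore_password` without the `Optional.` marker that the `_type` and `_alias` rows carry, so a reader cannot tell whether omitting them falls back to `changeit` or is a configuration error. Suggest `Keystore password. Optional. Default is `changeit`.` (and the matching wording for the truststore row), or state explicitly that the password setting is required.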
@@ -77,6 +76,43 @@ Name | Description | |||||||||
`plugins.security.ssl.http.truststore_password` | Truststore password. Default is `changeit`. | ||||||||||
|
||||||||||
|
||||||||||
## Separate client and server certificates for transport layer TLS | ||||||||||
|
||||||||||
By default, transport layer TLS certificates need to be configured as both client (`TLS Web Client Authentication`) and server (`TLS Web Server Authentication`) in the certificate's `Extended Key Usage` section, as they take responsibility as server and client in internal communication between nodes. | ||||||||||
If you want to use separate certificates as client and server, you need to add following line to `opensearch.yml` and settings outlined in [separate client and server X.509 PEM certificates and PKCS #8 keys]({{site.url}}{{site.baseurl}}/security/configuration/tls/#separate-client-and-server-x509-pem-certificates-and-pkcs-8-keys) or [separate client and server Keystore and truststore files]({{site.url}}{{site.baseurl}}/security/configuration/tls/#separate-client-and-server-keystore-and-truststore-files) | ||||||||||
@scrawfor99 Thanks for the above. This part is a bit tricky, as the main `opensearch.yml` line is common in both cases, and the two options that follow are different. Do you think the below is clearer?
|
||||||||||
|
||||||||||
`plugins.security.ssl.transport.extended_key_usage_enabled: true` | ||||||||||
|
||||||||||
### Separate client and server X.509 PEM certificates and PKCS #8 keys | ||||||||||
|
||||||||||
Name | Description | ||||||||||
:--- | :--- | ||||||||||
`plugins.security.ssl.transport.server.pemkey_filepath` | Path to the server certificate's key file (PKCS \#8), which must be under the `config` directory, specified using a relative path. Required. | ||||||||||
|
||||||||||
`plugins.security.ssl.transport.server.pemkey_password` | Server key password. Omit this setting if the key has no password. Optional. | ||||||||||
|
||||||||||
`plugins.security.ssl.transport.server.pemcert_filepath` | Path to the X.509 node server certificate chain (PEM format), which must be under the `config` directory, specified using a relative path. Required. | ||||||||||
|
||||||||||
`plugins.security.ssl.transport.server.pemtrustedcas_filepath` | Path to the root CAs (PEM format), which must be under the `config` directory, specified using a relative path. Required. | ||||||||||
|
||||||||||
`plugins.security.ssl.transport.client.pemkey_filepath` | Path to the client certificate's key file (PKCS \#8), which must be under the `config` directory, specified using a relative path. Required. | ||||||||||
|
||||||||||
`plugins.security.ssl.transport.client.pemkey_password` | Client key password. Omit this setting if the key has no password. Optional. | ||||||||||
|
||||||||||
`plugins.security.ssl.transport.client.pemcert_filepath` | Path to the X.509 node client certificate chain (PEM format), which must be under the `config` directory, specified using a relative path. Required. | ||||||||||
|
||||||||||
`plugins.security.ssl.transport.client.pemtrustedcas_filepath` | Path to the root CAs (PEM format), which must be under the `config` directory, specified using a relative path. Required. | ||||||||||
|
||||||||||
|
||||||||||
### Separate client and server keystore and truststore files | ||||||||||
|
||||||||||
Name | Description | ||||||||||
:--- | :--- | ||||||||||
`plugins.security.ssl.transport.keystore_type` | The type of the keystore file, JKS or PKCS12/PFX. Optional. Default is JKS. | ||||||||||
|
||||||||||
`plugins.security.ssl.transport.keystore_filepath` | Path to the keystore file, which must be under the `config` directory, specified using a relative path. Required. | ||||||||||
|
||||||||||
`plugins.security.ssl.transport.server.keystore_alias` | Alias name for server key. Optional. Default is the first alias. | ||||||||||
|
||||||||||
`plugins.security.ssl.transport.client.keystore_alias` | Alias name for client key. Optional. Default is the first alias. | ||||||||||
|
||||||||||
`plugins.security.ssl.transport.server.keystore_keypassword` | Keystore password for server. Default is `changeit`. | ||||||||||
|
||||||||||
`plugins.security.ssl.transport.client.keystore_keypassword` | Keystore password for client. Default is `changeit`. | ||||||||||
|
||||||||||
`plugins.security.ssl.transport.server.truststore_alias` | Alias name for server. Optional. Default is all certificates. | ||||||||||
|
||||||||||
`plugins.security.ssl.transport.client.truststore_alias` | Alias name for client. Optional. Default is all certificates. | ||||||||||
|
||||||||||
`plugins.security.ssl.transport.truststore_filepath` | Path to the truststore file, which must be under the `config` directory, specified using a relative path. Required. | ||||||||||
|
||||||||||
`plugins.security.ssl.transport.truststore_type` | The type of the truststore file, JKS or PKCS12/PFX. Default is JKS. | ||||||||||
|
||||||||||
`plugins.security.ssl.transport.truststore_password` | Truststore password. Default is `changeit`. | ||||||||||
|
||||||||||
|
||||||||||
|
||||||||||
## Configuring node certificates | ||||||||||
|
||||||||||
OpenSearch Security needs to identify requests between the nodes in the cluster. It uses node certificates to secure these requests. The simplest way to configure node certificates is to list the Distinguished Names (DNs) of these certificates in `opensearch.yml`. All DNs must be included in `opensearch.yml` on all nodes. Keep in mind that the Security plugin supports wildcards and regular expressions: | ||||||||||
|
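Review bot: The introductory sentence under "Separate client and server certificates for transport layer TLS" is an unfinished run-on ("you need to add following line to `opensearch.yml` and settings outlined in ... " with no terminal period), and the `plugins.security.ssl.transport.extended_key_usage_enabled: true` line it announces only appears after two blank lines, detached from it; suggest "If you want to use separate client and server certificates, add the following line to `opensearch.yml`:" followed directly by the setting, then a sentence pointing to the two subsections as the alternatives. In the keystore/truststore table, `server.keystore_keypassword` and `client.keystore_keypassword` are described as "Keystore password for server/client", but the key name says `keypassword`, which reads as the password for the key entry rather than for the keystore file, and unlike the first keystore table this one has no `keystore_password` row for the shared file at all; the description should say which password each setting carries. The subsection title "Separate client and server keystore and truststore files" also overstates what the settings do, since `keystore_filepath` and `truststore_filepath` remain single shared files and only the `server.*`/`client.*` aliases and key passwords are per role; and `server.truststore_alias` reads "Alias name for server" where the parallel keystore rows say "Alias name for server key", so the truststore rows should spell out what the alias selects.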
@Naarcha-AWS would it be a better explanation to say instead of: