opensearch-docs-cn/_dashboards/install/tls.md

---
layout: default
title: Configure SSL
parent: Install OpenSearch Dashboards
nav_order: 40
---

# Configure TLS for OpenSearch Dashboards

By default, for ease of testing and getting started, OpenSearch Dashboards runs over HTTP. To enable TLS for HTTPS, update the following settings in `opensearch_dashboards.yml`.

Setting | Description
:--- | :---
opensearch.ssl.verificationMode | This setting is for communications between OpenSearch and OpenSearch Dashboards. Valid values are `full`, `certificate`, or `none`. We recommend `full` if you enable TLS, which enables hostname verification. `certificate` just checks the certificate, not the hostname, and `none` performs no checks (suitable for HTTP). Default is `full`.
opensearch.ssl.certificateAuthorities | If `opensearch.ssl.verificationMode` is `full` or `certificate`, specify the full path (e.g. `[ "/usr/share/opensearch-dashboards-1.0.0/config/root-ca.pem" ]` to the certificate authority for your OpenSearch cluster.
server.ssl.enabled | This setting is for communications between OpenSearch Dashboards and the web browser. Set to true for HTTPS, false for HTTP.
server.ssl.certificate | If `server.ssl.enabled` is true, specify the full path (e.g. `/usr/share/opensearch-dashboards-1.0.0/config/my-client-cert.pem` to a valid client certificate for your OpenSearch cluster. You can [generate your own]({{site.url}}{{site.baseurl}}/security-plugin/configuration/generate-certificates/) or get one from a certificate authority.
server.ssl.key | If `server.ssl.enabled` is true, specify the full path (e.g. `/usr/share/opensearch-dashboards-1.0.0/config/my-client-cert-key.pem` to the key for your client certificate. You can [generate your own]({{site.url}}{{site.baseurl}}/security-plugin/configuration/generate-certificates/) or get one from a certificate authority.
opensearch_security.cookie.secure | If you enable TLS for OpenSearch Dashboards, change this setting to `true`. For HTTP, set it to `false`.

This `opensearch_dashboards.yml` configuration shows OpenSearch and OpenSearch Dashboards running on the same machine with the demo configuration:

```yml
opensearch.hosts: ["https://localhost:9200"]
opensearch.ssl.verificationMode: full
opensearch.username: "kibanaserver"
opensearch.password: "kibanaserver"
opensearch.requestHeadersWhitelist: [ authorization,securitytenant ]
server.ssl.enabled: true
server.ssl.certificate: /usr/share/opensearch-1.0.0/config/client-cert.pem
server.ssl.key: /usr/share/opensearch-1.0.0/config/client-cert-key.pem
opensearch.ssl.certificateAuthorities: [ "/usr/share/opensearch-1.0.0/config/root-ca.pem" ]
opensearch_security.multitenancy.enabled: true
opensearch_security.multitenancy.tenants.preferred: ["Private", "Global"]
opensearch_security.readonly_mode.roles: ["kibana_read_only"]
opensearch_security.cookie.secure: true
```

If you use the Docker install, you can pass a custom `opensearch_dashboards.yml` to the container. To learn more, see the [Docker installation page]({{site.url}}{{site.baseurl}}/opensearch/install/docker/).

After enabling these settings and starting OpenSearch Dashboards, you can connect to it at `https://localhost:5601`. You might have to acknowledge a browser warning if your certificates are self-signed. To avoid this sort of warning (or outright browser incompatibility), best practice is to use certificates from trusted certificate authority.
Add SSL configuration for Dashboards 2021-07-09 18:33:35 -04:00			`---`
			`layout: default`
			`title: Configure SSL`
			`parent: Install OpenSearch Dashboards`
			`nav_order: 40`
			`---`

Change file name, add some extra bits 2021-07-09 18:59:42 -04:00			`# Configure TLS for OpenSearch Dashboards`
Add SSL configuration for Dashboards 2021-07-09 18:33:35 -04:00
Change file name, add some extra bits 2021-07-09 18:59:42 -04:00			By default, for ease of testing and getting started, OpenSearch Dashboards runs over HTTP. To enable TLS for HTTPS, update the following settings in `opensearch_dashboards.yml`.
Add SSL configuration for Dashboards 2021-07-09 18:33:35 -04:00
			`Setting \| Description`
			`:--- \| :---`
Change file name, add some extra bits 2021-07-09 18:59:42 -04:00			opensearch.ssl.verificationMode \| This setting is for communications between OpenSearch and OpenSearch Dashboards. Valid values are `full`, `certificate`, or `none`. We recommend `full` if you enable TLS, which enables hostname verification. `certificate` just checks the certificate, not the hostname, and `none` performs no checks (suitable for HTTP). Default is `full`.
Add SSL configuration for Dashboards 2021-07-09 18:33:35 -04:00			opensearch.ssl.certificateAuthorities \| If `opensearch.ssl.verificationMode` is `full` or `certificate`, specify the full path (e.g. `[ "/usr/share/opensearch-dashboards-1.0.0/config/root-ca.pem" ]` to the certificate authority for your OpenSearch cluster.
			`server.ssl.enabled \| This setting is for communications between OpenSearch Dashboards and the web browser. Set to true for HTTPS, false for HTTP.`
			server.ssl.certificate \| If `server.ssl.enabled` is true, specify the full path (e.g. `/usr/share/opensearch-dashboards-1.0.0/config/my-client-cert.pem` to a valid client certificate for your OpenSearch cluster. You can [generate your own]({{site.url}}{{site.baseurl}}/security-plugin/configuration/generate-certificates/) or get one from a certificate authority.
			server.ssl.key \| If `server.ssl.enabled` is true, specify the full path (e.g. `/usr/share/opensearch-dashboards-1.0.0/config/my-client-cert-key.pem` to the key for your client certificate. You can [generate your own]({{site.url}}{{site.baseurl}}/security-plugin/configuration/generate-certificates/) or get one from a certificate authority.
Change file name, add some extra bits 2021-07-09 18:59:42 -04:00			opensearch_security.cookie.secure \| If you enable TLS for OpenSearch Dashboards, change this setting to `true`. For HTTP, set it to `false`.
Add SSL configuration for Dashboards 2021-07-09 18:33:35 -04:00
			This `opensearch_dashboards.yml` configuration shows OpenSearch and OpenSearch Dashboards running on the same machine with the demo configuration:

			```yml
			`opensearch.hosts: ["https://localhost:9200"]`
			`opensearch.ssl.verificationMode: full`
			`opensearch.username: "kibanaserver"`
			`opensearch.password: "kibanaserver"`
			`opensearch.requestHeadersWhitelist: [ authorization,securitytenant ]`
			`server.ssl.enabled: true`
			`server.ssl.certificate: /usr/share/opensearch-1.0.0/config/client-cert.pem`
			`server.ssl.key: /usr/share/opensearch-1.0.0/config/client-cert-key.pem`
			`opensearch.ssl.certificateAuthorities: [ "/usr/share/opensearch-1.0.0/config/root-ca.pem" ]`
			`opensearch_security.multitenancy.enabled: true`
			`opensearch_security.multitenancy.tenants.preferred: ["Private", "Global"]`
			`opensearch_security.readonly_mode.roles: ["kibana_read_only"]`
			`opensearch_security.cookie.secure: true`
			```

			If you use the Docker install, you can pass a custom `opensearch_dashboards.yml` to the container. To learn more, see the [Docker installation page]({{site.url}}{{site.baseurl}}/opensearch/install/docker/).

Change file name, add some extra bits 2021-07-09 18:59:42 -04:00			After enabling these settings and starting OpenSearch Dashboards, you can connect to it at `https://localhost:5601`. You might have to acknowledge a browser warning if your certificates are self-signed. To avoid this sort of warning (or outright browser incompatibility), best practice is to use certificates from trusted certificate authority.