commit
861644393d
|
@ -12,9 +12,9 @@ By default, for ease of testing and getting started, OpenSearch Dashboards runs
|
||||||
Setting | Description
|
Setting | Description
|
||||||
:--- | :---
|
:--- | :---
|
||||||
opensearch.ssl.verificationMode | This setting is for communications between OpenSearch and OpenSearch Dashboards. Valid values are `full`, `certificate`, or `none`. We recommend `full` if you enable TLS, which enables hostname verification. `certificate` just checks the certificate, not the hostname, and `none` performs no checks (suitable for HTTP). Default is `full`.
|
opensearch.ssl.verificationMode | This setting is for communications between OpenSearch and OpenSearch Dashboards. Valid values are `full`, `certificate`, or `none`. We recommend `full` if you enable TLS, which enables hostname verification. `certificate` just checks the certificate, not the hostname, and `none` performs no checks (suitable for HTTP). Default is `full`.
|
||||||
opensearch.ssl.certificateAuthorities | If `opensearch.ssl.verificationMode` is `full` or `certificate`, specify the full path (e.g. `[ "/usr/share/opensearch-dashboards-1.0.0/config/root-ca.pem" ]` to the certificate authority for your OpenSearch cluster.
|
opensearch.ssl.certificateAuthorities | If `opensearch.ssl.verificationMode` is `full` or `certificate`, specify the full path to one or more CA certificates that comprise a trusted chain for your OpenSearch cluster. For example, you might need to include a root CA _and_ an intermediate CA if you used the intermediate CA to issue your admin, client, and node certificates.
|
||||||
server.ssl.enabled | This setting is for communications between OpenSearch Dashboards and the web browser. Set to true for HTTPS, false for HTTP.
|
server.ssl.enabled | This setting is for communications between OpenSearch Dashboards and the web browser. Set to true for HTTPS, false for HTTP.
|
||||||
server.ssl.certificate | If `server.ssl.enabled` is true, specify the full path (e.g. `/usr/share/opensearch-dashboards-1.0.0/config/my-client-cert.pem` to a valid client certificate for your OpenSearch cluster. You can [generate your own]({{site.url}}{{site.baseurl}}/security-plugin/configuration/generate-certificates/) or get one from a certificate authority.
|
server.ssl.certificate | If `server.ssl.enabled` is true, specify the full path to a valid client certificate for your OpenSearch cluster. You can [generate your own]({{site.url}}{{site.baseurl}}/security-plugin/configuration/generate-certificates/) or get one from a certificate authority.
|
||||||
server.ssl.key | If `server.ssl.enabled` is true, specify the full path (e.g. `/usr/share/opensearch-dashboards-1.0.0/config/my-client-cert-key.pem` to the key for your client certificate. You can [generate your own]({{site.url}}{{site.baseurl}}/security-plugin/configuration/generate-certificates/) or get one from a certificate authority.
|
server.ssl.key | If `server.ssl.enabled` is true, specify the full path (e.g. `/usr/share/opensearch-dashboards-1.0.0/config/my-client-cert-key.pem` to the key for your client certificate. You can [generate your own]({{site.url}}{{site.baseurl}}/security-plugin/configuration/generate-certificates/) or get one from a certificate authority.
|
||||||
opensearch_security.cookie.secure | If you enable TLS for OpenSearch Dashboards, change this setting to `true`. For HTTP, set it to `false`.
|
opensearch_security.cookie.secure | If you enable TLS for OpenSearch Dashboards, change this setting to `true`. For HTTP, set it to `false`.
|
||||||
|
|
||||||
|
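Review bot: The `server.ssl.key` row is left unchanged and still carries the example path /usr/share/opensearch-dashboards-1.0.0/config/my-client-cert-key.pem inside a parenthesis that is never closed, while this change removes the same versioned example from the `server.ssl.certificate` and `opensearch.ssl.certificateAuthorities` rows. Suggest dropping the example from the key row as well so the three rows read the same way. Separately, the new `certificateAuthorities` text says "one or more CA certificates" but no longer shows that the value is a list of paths; a few words saying the setting takes an array would keep that visible in the table.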
@ -27,9 +27,9 @@ opensearch.username: "kibanaserver"
|
||||||
opensearch.password: "kibanaserver"
|
opensearch.password: "kibanaserver"
|
||||||
opensearch.requestHeadersWhitelist: [ authorization,securitytenant ]
|
opensearch.requestHeadersWhitelist: [ authorization,securitytenant ]
|
||||||
server.ssl.enabled: true
|
server.ssl.enabled: true
|
||||||
server.ssl.certificate: /usr/share/opensearch-1.0.0/config/client-cert.pem
|
server.ssl.certificate: /usr/share/opensearch-dashboards/config/client-cert.pem
|
||||||
server.ssl.key: /usr/share/opensearch-1.0.0/config/client-cert-key.pem
|
server.ssl.key: /usr/share/opensearch-dashboards/config/client-cert-key.pem
|
||||||
opensearch.ssl.certificateAuthorities: [ "/usr/share/opensearch-1.0.0/config/root-ca.pem" ]
|
opensearch.ssl.certificateAuthorities: [ "/usr/share/opensearch-dashboards/config/root-ca.pem", "/usr/share/opensearch-dashboards/config/intermediate-ca.pem" ]
|
||||||
opensearch_security.multitenancy.enabled: true
|
opensearch_security.multitenancy.enabled: true
|
||||||
opensearch_security.multitenancy.tenants.preferred: ["Private", "Global"]
|
opensearch_security.multitenancy.tenants.preferred: ["Private", "Global"]
|
||||||
opensearch_security.readonly_mode.roles: ["kibana_read_only"]
|
opensearch_security.readonly_mode.roles: ["kibana_read_only"]
|
||||||
|
|
|
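Review bot: The new `opensearch.ssl.certificateAuthorities` line lists `intermediate-ca.pem` unconditionally, but the settings table in this same commit says an intermediate CA is only needed "if you used the intermediate CA to issue your admin, client, and node certificates". A reader who copies the sample with only a root CA will point the setting at a file that does not exist. Suggest a sentence next to the sample saying the second entry is optional. The path change from /usr/share/opensearch-1.0.0/config/ to /usr/share/opensearch-dashboards/config/ on the three certificate lines is consistent across the hunk.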
@ -86,7 +86,7 @@ Just like the root certificate, use the `-days` option to specify an expiration
|
||||||
|
|
||||||
## (Optional) Generate node and client certificates
|
## (Optional) Generate node and client certificates
|
||||||
|
|
||||||
Follow the steps in [Generate an admin certificate](#generate-an-admin-certificate) with new file names to generate a new certificate for each node and as many client certificates as you need. Each certificate should use its own private key.
|
Follow the steps in [Generate an admin certificate](#generate-an-admin-certificate) with new file names to generate a new certificate for each node and as many client certificates as you need. For example, you might generate one client certificate for OpenSearch Dashboards and another for a Python client. Each certificate should use its own private key.
|
||||||
|
|
||||||
If you generate node certificates and have `plugins.security.ssl.transport.enforce_hostname_verification` set to `true` (default), be sure to specify a common name (CN) for the certificate that matches the hostname of the intended node. If you want to use the same node certificate on all nodes (not recommended), set hostname verification to `false`. For more information, see [Configure TLS certificates]({{site.url}}{{site.baseurl}}/security-plugin/configuration/tls#advanced-hostname-verification-and-dns-lookup).
|
If you generate node certificates and have `plugins.security.ssl.transport.enforce_hostname_verification` set to `true` (default), be sure to specify a common name (CN) for the certificate that matches the hostname of the intended node. If you want to use the same node certificate on all nodes (not recommended), set hostname verification to `false`. For more information, see [Configure TLS certificates]({{site.url}}{{site.baseurl}}/security-plugin/configuration/tls#advanced-hostname-verification-and-dns-lookup).
|
||||||
|
|
||||||
|
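Review bot: The added sentence "you might generate one client certificate for OpenSearch Dashboards and another for a Python client" mentions OpenSearch Dashboards without pointing to where that certificate gets configured. The last hunk of this commit introduces a link to the Configure TLS for OpenSearch Dashboards page; linking the same page here would let the reader go straight from generating the certificate to using it. The following paragraph gives common name guidance for node certificates only, so it may also be worth saying whether a client certificate needs any particular subject.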
@ -197,17 +197,4 @@ After configuring your certificates and starting OpenSearch, run `securityadmin.
|
||||||
|
|
||||||
## OpenSearch Dashboards
|
## OpenSearch Dashboards
|
||||||
|
|
||||||
Depending on your settings in `opensearch_dashboards.yml`, you might need to add `root-ca.pem` to your OpenSearch Dashboards node. You have two options: disable SSL verification or add the root CA.
|
For information on using your root CA and a client certificate to enable TLS for OpenSearch Dashboards, see [Configure TLS for OpenSearch Dashboards]({{site.url}}{{site.baseurl}}/dashboards/install/tls/).
|
||||||
|
|
||||||
- Disable SSL verification:
|
|
||||||
|
|
||||||
```yml
|
|
||||||
opensearch.ssl.verificationMode: none
|
|
||||||
```
|
|
||||||
|
|
||||||
- Add the root CA:
|
|
||||||
|
|
||||||
```yml
|
|
||||||
opensearch.ssl.certificateAuthorities: ["/usr/share/opensearch-dashboards/config/root-ca.pem"]
|
|
||||||
opensearch.ssl.verificationMode: full
|
|
||||||
```
|
|
||||||
|
|
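Review bot: Replacing the two options with a single link removes the only statement on this page that `root-ca.pem` has to be added to the OpenSearch Dashboards node. The new sentence mentions "your root CA and a client certificate" but not that the files generated above must be present on that node. Suggest keeping one sentence to that effect before the link. Dropping the `opensearch.ssl.verificationMode: none` snippet matches the settings table, which recommends `full` when TLS is enabled.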