From cf769012cadebcd00c12454c50d9b1e032b8ce4e Mon Sep 17 00:00:00 2001 From: aetter Date: Fri, 9 Jul 2021 15:59:42 -0700 Subject: [PATCH] Change file name, add some extra bits --- _dashboards/install/{ssl.md => tls.md} | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) rename _dashboards/install/{ssl.md => tls.md} (87%) diff --git a/_dashboards/install/ssl.md b/_dashboards/install/tls.md similarity index 87% rename from _dashboards/install/ssl.md rename to _dashboards/install/tls.md index 412a5e7b..52cc0502 100644 --- a/_dashboards/install/ssl.md +++ b/_dashboards/install/tls.md @@ -5,18 +5,18 @@ parent: Install OpenSearch Dashboards nav_order: 40 --- -# Configure SSL for OpenSearch Dashboards +# Configure TLS for OpenSearch Dashboards -By default, for ease of testing and getting started, OpenSearch Dashboards runs over HTTP. To enable SSL, update the following settings in `opensearch_dashboards.yml`. +By default, for ease of testing and getting started, OpenSearch Dashboards runs over HTTP. To enable TLS for HTTPS, update the following settings in `opensearch_dashboards.yml`. Setting | Description :--- | :--- -opensearch.ssl.verificationMode | This setting is for communications between OpenSearch and OpenSearch Dashboards. Valid values are `full`, `certificate`, or `none`. We recommend `full` if you enable SSL, which enables hostname verification. `certificate` just checks the certificate, not the hostname, and `none` performs no checks (suitable for HTTP). Default is `full`. +opensearch.ssl.verificationMode | This setting is for communications between OpenSearch and OpenSearch Dashboards. Valid values are `full`, `certificate`, or `none`. We recommend `full` if you enable TLS, which enables hostname verification. `certificate` just checks the certificate, not the hostname, and `none` performs no checks (suitable for HTTP). Default is `full`. opensearch.ssl.certificateAuthorities | If `opensearch.ssl.verificationMode` is `full` or `certificate`, specify the full path (e.g. `[ "/usr/share/opensearch-dashboards-1.0.0/config/root-ca.pem" ]` to the certificate authority for your OpenSearch cluster. server.ssl.enabled | This setting is for communications between OpenSearch Dashboards and the web browser. Set to true for HTTPS, false for HTTP. server.ssl.certificate | If `server.ssl.enabled` is true, specify the full path (e.g. `/usr/share/opensearch-dashboards-1.0.0/config/my-client-cert.pem` to a valid client certificate for your OpenSearch cluster. You can [generate your own]({{site.url}}{{site.baseurl}}/security-plugin/configuration/generate-certificates/) or get one from a certificate authority. server.ssl.key | If `server.ssl.enabled` is true, specify the full path (e.g. `/usr/share/opensearch-dashboards-1.0.0/config/my-client-cert-key.pem` to the key for your client certificate. You can [generate your own]({{site.url}}{{site.baseurl}}/security-plugin/configuration/generate-certificates/) or get one from a certificate authority. -opensearch_security.cookie.secure | If you enable SSL for OpenSearch Dashboards, change this setting to `true`. For HTTP, set it to `false`. +opensearch_security.cookie.secure | If you enable TLS for OpenSearch Dashboards, change this setting to `true`. For HTTP, set it to `false`. This `opensearch_dashboards.yml` configuration shows OpenSearch and OpenSearch Dashboards running on the same machine with the demo configuration: @@ -38,4 +38,4 @@ opensearch_security.cookie.secure: true If you use the Docker install, you can pass a custom `opensearch_dashboards.yml` to the container. To learn more, see the [Docker installation page]({{site.url}}{{site.baseurl}}/opensearch/install/docker/). -After enabling these settings and starting OpenSearch Dashboards, you can connect to it at `https://localhost:5601`. You might have to acknowledge a browser warning if your certificates are self-signed. +After enabling these settings and starting OpenSearch Dashboards, you can connect to it at `https://localhost:5601`. You might have to acknowledge a browser warning if your certificates are self-signed. To avoid this sort of warning (or outright browser incompatibility), best practice is to use certificates from trusted certificate authority.