From af01690c7f3e9fc9e34cffa79befabda528aa6dc Mon Sep 17 00:00:00 2001 From: keithhc2 Date: Tue, 11 May 2021 11:58:43 -0700 Subject: [PATCH] Porting over docker certificate security stuff --- docs/opensearch/install/docker-security.md | 37 ++++++++++++++++++- docs/opensearch/install/docker.md | 2 +- docs/security/configuration/client-auth.md | 4 ++ .../configuration/generate-certificates.md | 2 +- 4 files changed, 42 insertions(+), 3 deletions(-) diff --git a/docs/opensearch/install/docker-security.md b/docs/opensearch/install/docker-security.md index c730b61a..34479291 100644 --- a/docs/opensearch/install/docker-security.md +++ b/docs/opensearch/install/docker-security.md @@ -12,7 +12,7 @@ Before deploying to a production environment, you should replace the demo securi Additionally, you can set the Docker environment variable `DISABLE_INSTALL_DEMO_CONFIG` to `true`. This change completely disables the demo installer. -#### Sample Docker Compose file +## Sample Docker Compose file ```yml version: '3' 
@@ -142,3 +142,38 @@ If you encounter any `File /usr/share/opensearch/config/opensearch.yml has insec {: .note } Finally, you can reach OpenSearch Dashboards at http://localhost:5601, sign in, and use the **Security** panel to perform other management tasks. + +## Using certificates with Docker + +To use your own certificates in your configuration, add all of the necessary certificates to the volumes section of the Docker Compose file: + +```yml +volumes: +- ./root-ca.pem:/full/path/to/certificate.pem +- ./admin.pem:/full/path/to/certificate.pem +- ./admin-key.pem:/full/path/to/certificate.pem +#Add other certificates +``` + +After replacing the demo certificates with your own, you must also include a custom `opensearch.yml` in your setup, which you need to specify in the volumes section. + +```yml +volumes: +#Add certificates here +- ./custom-opensearch.yml: /full/path/to/custom-opensearch.yml +``` + +Remember that the certificates you specify in your Docker Compose file must be the same as the certificates listed in your custom `opensearch.yml` file. At a minimum, you should replace the root, admin, and node certificates with your own. For more information about adding and using certificates, see [Configure TLS certificates](../security/configuration/tls.md). + +```yml +opensearch_security.ssl.transport.pemcert_filepath: new-node-cert.pem +opensearch_security.ssl.transport.pemkey_filepath: new-node-cert-key.pem +opensearch_security.ssl.transport.pemtrustedcas_filepath: new-root-ca.pem +opensearch_security.ssl.http.pemcert_filepath: new-node-cert.pem +opensearch_security.ssl.http.pemkey_filepath: new-node-cert-key.pem +opensearch_security.ssl.http.pemtrustedcas_filepath: new-root-ca.pem +opensearch_security.authcz.admin_dn: + - CN=admin,OU=SSL,O=Test,L=Test,C=DE +``` + +To start the cluster, run `docker-compose up` as usual. diff --git a/docs/opensearch/install/docker.md b/docs/opensearch/install/docker.md index 3017745e..43fed7f7 100644 
--- a/docs/opensearch/install/docker.md +++ b/docs/opensearch/install/docker.md @@ -185,7 +185,7 @@ services: - ./custom-opensearch_dashboards.yml:/usr/share/opensearch-dashboards/config/opensearch_dashboards.yml ``` -You can use this same method to [pass your own certificates](../docker-security/) to the containers for use with the [Security](../../../security/configuration/) plugin. +You can also configure `docker-compose.yml` and `opensearch.yml` [to take your own certificates](../docker-security/) for use with the [Security](../../security/configuration/) plugin. ### (Optional) Set up Performance Analyzer diff --git a/docs/security/configuration/client-auth.md b/docs/security/configuration/client-auth.md index 33af183a..9c7f9868 100644 --- a/docs/security/configuration/client-auth.md +++ b/docs/security/configuration/client-auth.md @@ -105,3 +105,7 @@ output.opensearch: ssl.certificate: "/full/path/to/client-cert.pem" ssl.key: "/full/path/to/to/client-cert-key.pem" ``` + +## Using certificates with Docker + +While we recommend using the [tarball](../../../install/tar) installation of ODFE to test client certificate authentication configurations, you can also use any of the other install types. For instructions on using Docker, for example, see [Docker security configuration](../../../install/docker-security). diff --git a/docs/security/configuration/generate-certificates.md b/docs/security/configuration/generate-certificates.md index 190f4be5..cfee2c4a 100755 --- a/docs/security/configuration/generate-certificates.md +++ b/docs/security/configuration/generate-certificates.md 
@@ -170,7 +170,7 @@ This process generates many files, but these are the ones you need to add to you - (Optional) `each-node-cert.pem` - (Optional) `each-node-key.pem` -For information about adding and configuring these certificates, see [Docker security configuration](../../../install/docker-security/) and [Configure TLS certificates](../tls/). +For information about adding and using these certificates in your own setup, see [Docker security configuration](../../../install/docker-security/) and [Configure TLS certificates](../tls/). ## Run securityadmin.sh
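Review bot: In the docker-security.md hunk (@@ -142), the first `volumes:` example mounts three different host files to the same container path `/full/path/to/certificate.pem`, so only one mount can win; give each entry its own target, and since the `opensearch.yml` block that follows refers to the certificates by bare file name (`new-node-cert.pem`, `new-root-ca.pem`), those targets should be inside the config directory the same file already names (`/usr/share/opensearch/config/`) so the relative paths resolve. The second `volumes:` entry `- ./custom-opensearch.yml: /full/path/to/custom-opensearch.yml` has a space after the colon, which YAML parses as a `key: value` mapping inside the list item rather than the `host:container` bind-mount string Compose expects; drop the space, and mount it at `/usr/share/opensearch/config/opensearch.yml` as the docker.md context in this same patch does for the Dashboards config. The prose says the files in the Compose file "must be the same as the certificates listed in your custom `opensearch.yml`", but the Compose example uses `root-ca.pem`/`admin.pem`/`admin-key.pem` while the `opensearch.yml` example uses `new-node-cert.pem`/`new-root-ca.pem` and shows no node key being mounted at all; align the two examples so a reader can copy them together. Finally, the new link `[Configure TLS certificates](../security/configuration/tls.md)` does not follow the convention used everywhere else in this patch (extensionless, trailing-slash paths such as `../../../security/configuration/`); from `docs/opensearch/install/` it should be `../../../security/configuration/tls/`.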
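Review bot: In the docker.md hunk (@@ -185), the Security plugin link is changed from `../../../security/configuration/` to `../../security/configuration/`, which looks like it breaks the link rather than fixes it. The sibling link in the same sentence, `../docker-security/`, goes one level up to reach a page in the same `install` directory, which means page URLs are directory-style; under that scheme `docs/security/configuration/` is three levels up from `docs/opensearch/install/docker/`, exactly as the removed line had it, and the client-auth.md and generate-certificates.md hunks in this patch also use three-level `../../../install/...` paths. Please either restore `../../../` or explain why the depth changed here and not in the other files.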
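Review bot: In the client-auth.md hunk (@@ -105), the added sentence refers to "the tarball installation of ODFE", but this is the OpenSearch documentation and the surrounding pages (docker.md, docker-security.md) say OpenSearch; the Open Distro name is a leftover from the ported source and should read "OpenSearch". While here, the unchanged context line `ssl.key: "/full/path/to/to/client-cert-key.pem"` has a doubled `to/to` in the path that is worth fixing in the same pass.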