opensearch-docs-cn/_install-and-configure/install-dashboards/tls.md

3.8 KiB

layout title parent nav_order redirect_from
default Configure TLS Installing OpenSearch Dashboards 40
/dashboards/install/tls/

Configure TLS for OpenSearch Dashboards

By default, for ease of testing and getting started, OpenSearch Dashboards runs over HTTP. To enable TLS for HTTPS, update the following settings in opensearch_dashboards.yml.

Setting Description
opensearch.ssl.verificationMode This setting is for communications between OpenSearch and OpenSearch Dashboards. Valid values are full, certificate, or none. We recommend full if you enable TLS, which enables hostname verification. certificate just checks the certificate, not the hostname, and none performs no checks (suitable for HTTP). Default is full.
opensearch.ssl.certificateAuthorities If opensearch.ssl.verificationMode is full or certificate, specify the full path to one or more CA certificates that comprise a trusted chain for your OpenSearch cluster. For example, you might need to include a root CA and an intermediate CA if you used the intermediate CA to issue your admin, client, and node certificates.
server.ssl.enabled This setting is for communications between OpenSearch Dashboards and the web browser. Set to true for HTTPS, false for HTTP.
server.ssl.certificate If server.ssl.enabled is true, specify the full path to a valid client certificate for your OpenSearch cluster. You can generate your own or get one from a certificate authority.
server.ssl.key If server.ssl.enabled is true, specify the full path (e.g. /usr/share/opensearch-dashboards-1.0.0/config/my-client-cert-key.pem to the key for your client certificate. You can generate your own or get one from a certificate authority.
server.ssl.certificateAuthorities This setting adds the SSL certificate authority which issues SSL certificates for the Dashboard's server in a list format.
opensearch_security.cookie.secure If you enable TLS for OpenSearch Dashboards, change this setting to true. For HTTP, set it to false.

This opensearch_dashboards.yml configuration shows OpenSearch and OpenSearch Dashboards running on the same machine with the demo configuration:

opensearch.hosts: ["https://localhost:9200"]
opensearch.ssl.verificationMode: full
opensearch.username: "kibanaserver"
opensearch.password: "kibanaserver"
opensearch.requestHeadersAllowlist: [ authorization,securitytenant ]
server.ssl.enabled: true
server.ssl.certificate: /usr/share/opensearch-dashboards/config/client-cert.pem
server.ssl.key: /usr/share/opensearch-dashboards/config/client-cert-key.pem
server.ssl.certificateAuthorities: [ "/usr/share/opensearch-dashboards/config/root-ca.pem", "/usr/share/opensearch-dashboards/config/intermediate-ca.pem" ]
opensearch.ssl.certificateAuthorities: [ "/usr/share/opensearch-dashboards/config/root-ca.pem", "/usr/share/opensearch-dashboards/config/intermediate-ca.pem" ]
opensearch_security.multitenancy.enabled: true
opensearch_security.multitenancy.tenants.preferred: ["Private", "Global"]
opensearch_security.readonly_mode.roles: ["kibana_read_only"]
opensearch_security.cookie.secure: true

If you use the Docker install, you can pass a custom opensearch_dashboards.yml to the container. To learn more, see the Docker installation page.

After enabling these settings and starting OpenSearch Dashboards, you can connect to it at https://localhost:5601. You might have to acknowledge a browser warning if your certificates are self-signed. To avoid this sort of warning (or outright browser incompatibility), best practice is to use certificates from trusted certificate authority.