Configuring SSL for OpenSearch Dashboards

You can configure SSL for OpenSearch Dashboards. When you do, set the SSL Option field (in the OpenSearch Dashboards section) on the Search Instance Properties page to ENABLE.

To set up SSL for OpenSearch Dashboards, complete these steps:

  1. Configuration required in opensearch_dashboards.yml:

    server.ssl.enabled: true
    server.ssl.certificate: <certificate issued by server> (for example, signed.cer)
    server.ssl.key: <keystore> (for example, mykeystore.key)

    If OpenSearch is SSL enabled, you need to complete the following additional configuration:

    opensearch.ssl.certificateAuthorities: (for example, "C:\OS\opensearch2.3.0\plugins\orcl-security-plugin\config\properties\cacert.cer")

    Note: Place the keystore and certificate in the bin (default) folder or in the config folder (specify the path in opensearch_dashboards.yml).

  2. Import the trusted root certificate from the CA and save it locally (for example, D:\ca\cacert.cer).

  3. Import the root certificate from the CA into the keystore using keytool:

    JAVA_HOME\bin>keytool -importcert -keystore OSD_HOME/bin/mykeystore.jks -file D:\ca\cacert.cer -alias my_ca

  4. Set up the keystore and private key:

    keytool -genkey -alias alias1 -keystore OSD_HOME/bin/mykeystore.jks -keyalg RSA -keysize 2048 -validity 712

  5. Create a certificate signing request (CSR):

    keytool -certreq -alias alias1 -keystore OSD_HOME/bin/mykeystore.jks -file D:\ca\mycsr.csr -keyalg rsa

    This command creates a CSR as follows (this CSR is only for sample reference):

    -----BEGIN NEW CERTIFICATE REQUEST-----
    <Base64-encoded request data>
    -----END NEW CERTIFICATE REQUEST-----

  6. Use the CSR to get a certificate from the CA. Download it and save it locally (for example, D:\ca\signed.cer).

  7. Import the certificate to the keystore:

    keytool -importcert -keystore OSD_HOME/bin/mykeystore.jks -file D:\ca\signed.cer -alias alias1

  8. Convert the keystore file to PEM format because OpenSearch Dashboards does not support any other format.

    keytool -importkeystore -srckeystore OSD_HOME/bin/mykeystore.jks -destkeystore OSD_HOME/bin/mykeystore.p12 -srcstoretype jks -deststoretype pkcs12

    Move the intermediate mykeystore.p12 file to Linux and run the following command:

    openssl pkcs12 -in mykeystore.p12 -out mykeystore.pem

    Or directly use this command:

    keytool -list -rfc -keystore "mykeystore.jks" | sed -e "/-*BEGIN [A-Z]*-*/,/-*END [A-Z]-*/!d" >> "mykeystore.pem"

  9. Convert the PEM file to .key format:

    openssl rsa -in mykeystore.pem -out mykeystore.key

  10. Update the opensearch_dashboards.yml file with the SSL settings.
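
Before restarting OpenSearch Dashboards with these settings, it helps to confirm that the .key file from step 9 really belongs to the signed certificate from step 6. The following shell functions are an added example, not part of the original procedure or of any Oracle or OpenSearch tooling. They assume a PEM-encoded certificate; check_tls_pair and make_sample are hypothetical helper names, and the sample files, the CN osd.example.test and the password changeit are constructed placeholders.

```sh
#!/bin/sh
# Added example: verify that the files named in server.ssl.certificate and
# server.ssl.key form a matching pair. Requires the openssl command-line tool.

# check_tls_pair CERT KEY
# Returns 0 = key matches certificate, 1 = mismatch, 2 = file unreadable,
#         3 = key is still passphrase-protected, 4 = file not parseable.
check_tls_pair() {
    cert=$1; key=$2
    [ -r "$cert" ] && [ -r "$key" ] || return 2
    # A key with an ENCRYPTED header cannot be loaded without its passphrase.
    grep -q 'ENCRYPTED' "$key" && return 3
    # Derive the public key from each file and compare the PEM text.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 4
    key_pub=$(openssl pkey -in "$key" -passin pass: -pubout 2>/dev/null) || return 4
    [ "$cert_pub" = "$key_pub" ] || return 1
    return 0
}

# make_sample DIR
# Builds constructed throwaway material that mirrors steps 8 and 9
# (PKCS#12 -> PEM bundle -> .key), plus an unrelated key for the mismatch case.
make_sample() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=osd.example.test" \
        -keyout "$d/src.key" -out "$d/signed.cer" 2>/dev/null &&
    openssl pkcs12 -export -inkey "$d/src.key" -in "$d/signed.cer" -name alias1 \
        -passout pass:changeit -out "$d/mykeystore.p12" &&
    openssl pkcs12 -in "$d/mykeystore.p12" -passin pass:changeit -nodes \
        -out "$d/mykeystore.pem" 2>/dev/null &&
    openssl rsa -in "$d/mykeystore.pem" -out "$d/mykeystore.key" 2>/dev/null &&
    openssl genrsa -out "$d/other.key" 2048 2>/dev/null
}
```

Run check_tls_pair with the real signed.cer and mykeystore.key paths; any non-zero return code means the pair should not go into opensearch_dashboards.yml as is.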