Add separate certificates section #433 #6881

52 changes: 43 additions & 9 deletions _security/configuration/tls.md
Expand Up @@ -25,7 +25,7 @@
Name | Description
:--- | :---
`plugins.security.ssl.transport.pemkey_filepath` | Path to the certificate's key file (PKCS \#8), which must be under the `config` directory, specified using a relative path. Required.
`plugins.security.ssl.transport.pemkey_password` | Key password. Omit this setting if the key has no password. Optional.
`plugins.security.ssl.transport.pemkey_password` | The key password. Omit this setting if the key has no password. Optional.
`plugins.security.ssl.transport.pemcert_filepath` | Path to the X.509 node certificate chain (PEM format), which must be under the `config` directory, specified using a relative path. Required.
`plugins.security.ssl.transport.pemtrustedcas_filepath` | Path to the root CAs (PEM format), which must be under the `config` directory, specified using a relative path. Required.

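Review bot: the reworded `plugins.security.ssl.transport.pemkey_password` row now reads "The key password", but the matching rows further down in the same file, `plugins.security.ssl.transport.keystore_password` ("Keystore password.") and `plugins.security.ssl.transport.truststore_password` ("Truststore password."), keep the old article-less form; apply the same wording there so the transport tables stay consistent. The `PKCS \#8` escape in the `pemkey_filepath` row is correct for the site's markdown and should stay.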
Expand All @@ -36,7 +36,7 @@
:--- | :---
`plugins.security.ssl.http.enabled` | Whether to enable TLS on the REST layer. If enabled, only HTTPS is allowed. Optional. Default is `false`.
`plugins.security.ssl.http.pemkey_filepath` | Path to the certificate's key file (PKCS \#8), which must be under the `config` directory, specified using a relative path. Required.
`plugins.security.ssl.http.pemkey_password` | Key password. Omit this setting if the key has no password. Optional.
`plugins.security.ssl.http.pemkey_password` | The key password. Omit this setting if the key has no password. Optional.
`plugins.security.ssl.http.pemcert_filepath` | Path to the X.509 node certificate chain (PEM format), which must be under the `config` directory, specified using a relative path. Required.
`plugins.security.ssl.http.pemtrustedcas_filepath` | Path to the root CAs (PEM format), which must be under the `config` directory, specified using a relative path. Required.

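Review bot: this row change gives the REST `pemkey_password` row the same "The key password" wording as the transport table, which is the right call; while in this table, note that `plugins.security.ssl.http.enabled` formats its default as `false` in backticks, whereas the same setting in the keystore-based "REST layer TLS" table later in this diff shows "Default is false" without backticks. Align the later row with this one.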
Expand All @@ -54,27 +54,61 @@
:--- | :---
`plugins.security.ssl.transport.keystore_type` | The type of the keystore file, JKS or PKCS12/PFX. Optional. Default is JKS.
`plugins.security.ssl.transport.keystore_filepath` | Path to the keystore file, which must be under the `config` directory, specified using a relative path. Required.
`plugins.security.ssl.transport.keystore_alias: my_alias` | Alias name. Optional. Default is the first alias.
`plugins.security.ssl.transport.keystore_alias` | The alias name for keystore. Optional. Default is the first alias.
`plugins.security.ssl.transport.keystore_password` | Keystore password. Default is `changeit`.
`plugins.security.ssl.transport.truststore_type` | The type of the truststore file, JKS or PKCS12/PFX. Default is JKS.
`plugins.security.ssl.transport.truststore_filepath` | Path to the truststore file, which must be under the `config` directory, specified using a relative path. Required.
`plugins.security.ssl.transport.truststore_alias` | Alias name. Optional. Default is all certificates.
`plugins.security.ssl.transport.truststore_alias` | The alias name for truststore. Optional. Default is all certificates.
`plugins.security.ssl.transport.truststore_password` | Truststore password. Default is `changeit`.


### REST layer TLS

Name | Description
:--- | :---
`plugins.security.ssl.http.enabled` | Whether to enable TLS on the REST layer. If enabled, only HTTPS is allowed. Optional. Default is false.
`plugins.security.ssl.http.keystore_type` | The type of the keystore file, JKS or PKCS12/PFX. Optional. Default is JKS.
`plugins.security.ssl.http.keystore_filepath` | Path to the keystore file, which must be under the `config` directory, specified using a relative path. Required.
`plugins.security.ssl.http.keystore_alias` | Alias name. Optional. Default is the first alias.
`plugins.security.ssl.http.keystore_password` | Keystore password. Default is `changeit`.
`plugins.security.ssl.http.keystore_alias` | The alias name of the keystore. Optional. Default is the first alias.
`plugins.security.ssl.http.keystore_password` | The password for the keystore. Default is `changeit`.
`plugins.security.ssl.http.truststore_type` | The type of the truststore file, JKS or PKCS12/PFX. Default is JKS.
`plugins.security.ssl.http.truststore_filepath` | Path to the truststore file, which must be under the `config` directory, specified using a relative path. Required.
`plugins.security.ssl.http.truststore_alias` | Alias name. Optional. Default is all certificates.
`plugins.security.ssl.http.truststore_password` | Truststore password. Default is `changeit`.
`plugins.security.ssl.http.truststore_alias` | The alias name of the truststore. Optional. Default is all certificates.
`plugins.security.ssl.http.truststore_password` | The password for the truststore. Default is `changeit`.


## Separate client and server certificates for transport layer TLS

By default, transport layer TLS certificates need to be configured as both client (`TLS Web Client Authentication`) and server (`TLS Web Server Authentication`) in the certificate's `Extended Key Usage` section, bacause the nodes using the TLS certificates take on the responsibility of serving and receiving the communication requests internally.

If you want to use separate certificates as client and server, add the `plugins.security.ssl.transport.extended_key_usage_enabled: true` setting to `opensearch.yml`. Next, configure the settings outlined in the [separate client and server X.509 PEM certificates and PKCS #8 keys]({{site.url}}{{site.baseurl}}/security/configuration/tls/#separate-client-and-server-x509-pem-certificates-and-pkcs-8-keys) or [separate client and server Keystore and truststore files]({{site.url}}{{site.baseurl}}/security/configuration/tls/#separate-client-and-server-keystore-and-truststore-files) sections.


### Separate client and server X.509 PEM certificates and PKCS #8 keys

Name | Description
:--- | :---
`plugins.security.ssl.transport.server.pemkey_filepath` | Path to the server certificate's key file (PKCS \#8). Must be specified using a relative path under the `config` directory. Required.
`plugins.security.ssl.transport.server.pemkey_password` | The server key password. Omit this setting if the key has no password. Optional.
`plugins.security.ssl.transport.server.pemcert_filepath` | Path to the X.509 node server certificate chain (PEM format). Must be specified using a relative path under the `config` directory. Required.
`plugins.security.ssl.transport.server.pemtrustedcas_filepath` | Path to the root CAs (PEM format). Must be specified using a relative path under the `config` directory. Required.
`plugins.security.ssl.transport.client.pemkey_filepath` | Path to the client certificate's key file (PKCS \#8). Must be specified using a relative path under the `config` directory. Required.
`plugins.security.ssl.transport.client.pemkey_password` | The client key password. Omit this setting if the key has no password. Optional.
`plugins.security.ssl.transport.client.pemcert_filepath` | Path to the X.509 node client certificate chain (PEM format). Must be specified using a relative path under the `config` directory. Required.
`plugins.security.ssl.transport.client.pemtrustedcas_filepath` | Path to the root CAs (PEM format). Must be specified using a relative path under the `config` directory. Required.

### Separate client and server keystore and truststore files

Name | Description
:--- | :---
`plugins.security.ssl.transport.keystore_type` | The type of the keystore file, either `JKS` or `PKCS12/PFX`. Optional. Default is `JKS`.
`plugins.security.ssl.transport.keystore_filepath` | Path to the keystore file. Must be specified using a relative path under the `config` directory. Required.
`plugins.security.ssl.transport.server.keystore_alias` | The alias name of the server key. Optional. Default is the first alias.
`plugins.security.ssl.transport.client.keystore_alias` | The alias name of the client key. Optional. Default is the first alias.
`plugins.security.ssl.transport.server.keystore_keypassword` | The keystore password for the server. Default is `changeit`.
`plugins.security.ssl.transport.client.keystore_keypassword` | The keystore password for the client. Default is `changeit`.
`plugins.security.ssl.transport.server.truststore_alias` | The alias name of the server. Optional. Default is all certificates.
`plugins.security.ssl.transport.client.truststore_alias` | The alias name of the client. Optional. Default is all certificates.
`plugins.security.ssl.transport.truststore_filepath` | The path to the `truststore` file. Must be specified using a relative path under the `config` directory. Required.
`plugins.security.ssl.transport.truststore_type` | The type of the `truststore` file, either `JKS` or `PKCS12/PFX`. Default is `JKS`.
`plugins.security.ssl.transport.truststore_password` | The `truststore` password. Default is `changeit`.


## Configuring node certificates
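Review bot: in the new "Separate client and server keystore and truststore files" table, `plugins.security.ssl.transport.server.keystore_keypassword` and `plugins.security.ssl.transport.client.keystore_keypassword` are described as "The keystore password for the server/client", but the setting names say key password, and the table has no `plugins.security.ssl.transport.keystore_password` row at all, even though the combined transport table earlier in this diff lists one ("Keystore password. Default is `changeit`."). Describe the two `keystore_keypassword` rows as the password of the server and client key entries and add the missing `keystore_password` row; as written, a reader cannot tell which password unlocks the keystore file and which unlocks the key inside it, and will likely set the wrong one. Smaller points in the same hunk: "bacause" in the opening paragraph of "Separate client and server certificates for transport layer TLS" should be "because" (the style job flags it); the `server.truststore_alias` and `client.truststore_alias` rows read "The alias name of the server/client" and should say the truststore alias used for the server/client side, parallel to the `keystore_alias` rows above them; the last three rows wrap `truststore` in backticks as a plain word while every other row writes "keystore file" and "truststore file" without them; and the "REST layer TLS" row for `plugins.security.ssl.http.enabled` still shows "Default is false" without backticks, unlike the PEM table.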