Hi,
For testing purposes, I would like to run an OpenSearch node in a docker container and connect my test DMA with that. With the opensearchproject/opensearch:latest image, I have a docker image that can be used and I'm also able to reach the IP from where my DMA is running. The only issue is on how to set up the proper certificates so browsing to "https" is trusted.
I'm following the steps as described here: Installing an OpenSearch database | DataMiner Docs and the problem I'm facing is on how to deploy the certificates. If I open a bash script inside the docker container I'm not able to execute update-ca-certificates as that command is not known, executing apt-get update && apt-get install -y ca-certificates is also not possible because the apt-get command does not exist, and probably manually adding the apt-get package will also not be possible because dpkg command also does not exist.
I'm aware of this site: Docker - OpenSearch Documentation which gives the explanation when using pem files, but in my case there is a rootCA.crt file.
Also note that the OpenSearch docker container mentions "OpenSSL not available (this is not an error, we simply fallback to built-in JDK SSL)", could this cause an issue as rootCA.crt could be checked with openssl verify rootCA.crt and I don't know how much openssl is needed for PKCS12?
Would anyone have experience on how to deploy the own created certificates, as described in the DataMiner Docs, on the OpenSearch docker container?
Regards,
Hi Laurens,
I have no experience in setting up Opensearch in a docker container so I'm not 100% certain about this, but I would think this should help you setting up your test node.
The ca-certificates package is not a generic linux concept, running the update-ca-certificates command is only necessary in the case the package is pre-installed on the linux distro of choice. If this is not the case, this step can be skipped.
The documentation does indeed show how to set up TLS using .pem files, however, the script we recommend in our documentation generates .p12 files. I believe you should use the following configuration to set up the container with the .p12 files:
volumes:
- ./keystore.p12:/path/to/node-keystore.p12
- ./admin.pem:/path/to/admin.pem
- ./admin-key.pem:/path/to/admin-key.pem
- ./custom-opensearch.yml:/path/to/opensearch.yml
With the TLS section of the opensearch.yml like this:
#Transport layer TLS
plugins.security.ssl.transport.keystore_type: PKCS12
plugins.security.ssl.transport.keystore_filepath: keystore.p12
plugins.security.ssl.transport.keystore_password: ReplaceMeByGeneratedPasswordByGithubScript
plugins.security.ssl.transport.truststore_type: PKCS12
plugins.security.ssl.transport.truststore_filepath: keystore.p12
plugins.security.ssl.transport.truststore_password: ReplaceMeByGeneratedPasswordByGithubScript#REST Layer TLS
plugins.security.ssl.http.enabled: true
plugins.security.ssl.http.keystore_type: PKCS12
plugins.security.ssl.http.keystore_filepath: keystore.p12
plugins.security.ssl.http.keystore_password: ReplaceMeByGeneratedPasswordByGithubScript
plugins.security.ssl.http.truststore_type: PKCS12
plugins.security.ssl.http.truststore_filepath: keystore.p12
plugins.security.ssl.http.truststore_password: ReplaceMeByGeneratedPasswordByGithubScriptplugins.security.allow_default_init_securityindex: true
plugins.security.nodes_dn:
- 'CN=FQDNOpenSearchNode1,OU=NameOfYourCluster,O=OpenSearch,C=BE'
- 'CN=FQDNOpenSearchNode2,OU=NameOfYourCluster,O=OpenSearch,C=BE'
- 'CN=FQDNOpenSearchNode3,OU=NameOfYourCluster,O=OpenSearch,C=BE'
# it is also possible to use wildcards in the CN field, as long as plugins.security.authcz.admin_dn does not match the wildcard expression:
# - 'CN=*OpenSearchNode*,OU=NameOfYourCluster,O=OpenSearch,C=BE'plugins.security.authcz.admin_dn:
- CN=Admin,OU=NameOfYourCluster,O=OpenSearch,C=BE
The rootCA.crt you mentioned needs to be installed on the DMA machine in order for DataMiner to be able to set up a connection towards the Opensearch node.
Kind regards,
I tried the setup with the generated p12 files and the docker container failed to start with a "javax.crypto.BadPaddingException: given final block not properly padded. Such issues can arise if a bad key is used during decryption". The java version to generate the certificate was the same as the docker container is using and the configured password was also correct. I now used the script to generate the pem files instead as was shown here: https://opensearch.org/docs/latest/security/configuration/generate-certificates/#sample-script-to-generate-self-signed-pem-certificates and then executed the command "openssl x509 -outform der -in root-ca.pem -out root-ca.crt" to be able to easily add the trusted root certificate on the DMA. With the yml config set to use the pem files I'm now able to start up the docker container and establish a trusted connection from the DMA.