[DOC] TLS unclear using encrypted password settings for SSL
What do you want to do?
- [x] Request a change to existing documentation
- [ ] Add new documentation
- [ ] Report a technical problem with the documentation
- [ ] Other
Tell us about your request. Provide a summary of the request and all versions that are affected.
The doc about TLS, especially the section "Using encrypted password settings for SSL", is unclear on how to use those settings. The options are listed, but it is not clear where they are used. Do the keys need to be set in the OpenSearch keystore? Do they need to be set in the opensearch.yml config with a reference to a keystore, or is the keystore not even the right tool and the password is encrypted differently?
https://opensearch.org/docs/2.12/security/configuration/tls/#advanced-using-encrypted-password-settings-for-ssl
I stumbled on this as I wanted to get rid of the deprecation warning that is printed when using plugins.security.ssl.transport.truststore_password.
The named section has been present since OpenSearch 2.7.
What other resources are available? Provide links to related issues, POCs, steps for testing, etc.
Hi @Jakob3xD, these options do require the use of the OpenSearch keystore.
Here is a link to an article which may be of use to you if you are looking into configuring secrets with the keystore: https://opster.com/guides/opensearch/opensearch-security/opensearch-keystore/
Thanks for the link, but if I understand it correctly, the suggested solution would be the following:
- Set keystore value:
  ./bin/opensearch-keystore add plugins.security.ssl.transport.truststore_password_secure
- Adjust config to ref value:
  plugins.security.ssl.transport.truststore_password_secure: ${plugins.security.ssl.transport.truststore_password_secure}
This leads to the following error:
Exception in thread "main" java.lang.IllegalArgumentException: Circular placeholder reference 'plugins.security.ssl.transport.truststore_password_secure' in property definitions
at org.opensearch.common.settings.PropertyPlaceholder.parseStringValue(PropertyPlaceholder.java:95)
at org.opensearch.common.settings.PropertyPlaceholder.parseStringValue(PropertyPlaceholder.java:121)
at org.opensearch.common.settings.PropertyPlaceholder.replacePlaceholders(PropertyPlaceholder.java:83)
at org.opensearch.common.settings.Settings$Builder.replacePropertyPlaceholders(Settings.java:1211)
at org.opensearch.common.settings.Settings$Builder.replacePropertyPlaceholders(Settings.java:1167)
at org.opensearch.node.InternalSettingsPreparer.initializeSettings(InternalSettingsPreparer.java:121)
at org.opensearch.node.InternalSettingsPreparer.prepareEnvironment(InternalSettingsPreparer.java:103)
at org.opensearch.cli.EnvironmentAwareCommand.createEnv(EnvironmentAwareCommand.java:118)
at org.opensearch.cli.EnvironmentAwareCommand.createEnv(EnvironmentAwareCommand.java:109)
at org.opensearch.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:104)
at org.opensearch.cli.Command.mainWithoutErrorHandling(Command.java:138)
at org.opensearch.cli.MultiCommand.execute(MultiCommand.java:104)
at org.opensearch.cli.Command.mainWithoutErrorHandling(Command.java:138)
at org.opensearch.cli.Command.main(Command.java:101)
at org.opensearch.common.settings.KeyStoreCli.main(KeyStoreCli.java:56)
WARNING: A terminally deprecated method in java.lang.System has been called
WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.OpenSearch (file:/usr/share/opensearch/lib/opensearch-2.11.1.jar)
WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.OpenSearch
WARNING: System::setSecurityManager will be removed in a future release
Exception in thread "main" java.lang.IllegalArgumentException: Circular placeholder reference 'plugins.security.ssl.transport.truststore_password_secure' in property definitions
at org.opensearch.common.settings.PropertyPlaceholder.parseStringValue(PropertyPlaceholder.java:95)
at org.opensearch.common.settings.PropertyPlaceholder.parseStringValue(PropertyPlaceholder.java:121)
at org.opensearch.common.settings.PropertyPlaceholder.replacePlaceholders(PropertyPlaceholder.java:83)
at org.opensearch.common.settings.Settings$Builder.replacePropertyPlaceholders(Settings.java:1211)
at org.opensearch.common.settings.Settings$Builder.replacePropertyPlaceholders(Settings.java:1167)
at org.opensearch.node.InternalSettingsPreparer.initializeSettings(InternalSettingsPreparer.java:121)
at org.opensearch.node.InternalSettingsPreparer.prepareEnvironment(InternalSettingsPreparer.java:103)
at org.opensearch.cli.EnvironmentAwareCommand.createEnv(EnvironmentAwareCommand.java:118)
at org.opensearch.cli.EnvironmentAwareCommand.createEnv(EnvironmentAwareCommand.java:109)
at org.opensearch.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:104)
at org.opensearch.cli.Command.mainWithoutErrorHandling(Command.java:138)
at org.opensearch.cli.Command.main(Command.java:101)
at org.opensearch.bootstrap.OpenSearch.main(OpenSearch.java:137)
at org.opensearch.bootstrap.OpenSearch.main(OpenSearch.java:103)
Skipping step 2 and only adding the value lets OpenSearch start, but LDAP auth does not work, with the following warning:
Unable to connect to ldapserver ldap.example.com:636 due to java.lang.IllegalStateException: Keystore is closed. Try next.
Trying to set the following config line also causes OpenSearch to fail at startup:
plugins.security.ssl.transport.truststore_password: ${plugins.security.ssl.transport.truststore_password_secure}
The value is set in the keystore:
[opensearch@staging-opensearch1-n3 ~]$ ./bin/opensearch-keystore list
keystore.seed
plugins.security.ssl.transport.truststore_password_secure
Therefore it is unclear to me how to use this config setting.
As extra information: I am only using the truststore to validate the SSL cert of the LDAP server. The node-to-node transport is done via cert files. This is my current transport config section:
plugins.security.ssl.transport.pemcert_filepath: node-transport.pem
plugins.security.ssl.transport.pemkey_filepath: node-transport-key.pem
plugins.security.ssl.transport.pemtrustedcas_filepath: opensearch.crt
plugins.security.ssl.transport.enforce_hostname_verification: false
plugins.security.ssl.transport.truststore_filepath: truststore.ts
plugins.security.ssl.transport.truststore_password: "changeit"
@Jakob3xD The docs need to be updated to remove the reference to plugins.security.ssl.transport.truststore_password_secure: ${plugins.security.ssl.transport.truststore_password_secure}.
Anything in the keystore is implicitly added to the configuration by default.
i.e. adding a keystore entry for plugins.security.ssl.transport.truststore_password_secure will in effect add this setting to the opensearch config w/o having to refer to a placeholder explicitly in opensearch.yml.
Sorry for the confusion, I added that in the keystore docs and realize now that it's not required to add an entry with a placeholder in opensearch.yml because it's implicitly added.
@Jakob3xD Is there any more to the Keystore is closed error? I was able to run a node locally with the plugins.security.ssl.transport.truststore_password_secure setting in the keystore.
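To make the maintainer's point concrete, here is an added example (written for this page, not code from OpenSearch or its docs): a small POSIX shell lint that flags, in an opensearch.yml, the self-referencing placeholder that produced the "Circular placeholder reference" error above and any plaintext `*_password` setting that should instead live in the keystore as a `*_secure` entry. The sample config is constructed from the lines posted in this issue; the migration helper only prints the `opensearch-keystore add` command from the thread rather than running it, and the lint functions are this example's own, not an OpenSearch tool.

```shell
#!/usr/bin/env sh
# Added example, not OpenSearch project code. Lints an opensearch.yml for the
# two mistakes discussed in this issue and prints the keystore migration step.

# Constructed sample config: the self-referencing placeholder from the issue
# plus a plaintext (deprecated) truststore password.
SAMPLE_YML='plugins.security.ssl.transport.pemcert_filepath: node-transport.pem
plugins.security.ssl.transport.truststore_filepath: truststore.ts
plugins.security.ssl.transport.truststore_password: "changeit"
plugins.security.ssl.transport.truststore_password_secure: ${plugins.security.ssl.transport.truststore_password_secure}
'

# Print "circular <key>" for every setting whose value is ${<the same key>}.
# OpenSearch rejects this at startup with "Circular placeholder reference".
find_circular_placeholders() {
  printf '%s' "$1" | awk -F': *' '
    /^[^#]/ && NF >= 2 {
      key = $1; val = $2
      if (val == ("${" key "}")) print "circular " key
    }'
}

# Print "plaintext <key>" for *_password settings kept in opensearch.yml.
# These are the deprecated form; the replacement is a *_secure keystore entry.
find_plaintext_passwords() {
  printf '%s' "$1" | awk -F': *' '
    /^[^#]/ && NF >= 2 && $1 ~ /_password$/ { print "plaintext " $1 }'
}

# Emit the migration for one plaintext setting. Only printed here, since the
# keystore CLI is not available in this example run. Note that the *_secure
# entry needs NO matching line in opensearch.yml: keystore entries are added
# to the node settings implicitly.
keystore_migration_commands() {
  key="$1"
  printf '%s\n' "bin/opensearch-keystore add ${key}_secure" \
                "# then delete the line '${key}: ...' from opensearch.yml"
}

# Stand-alone run over the constructed sample.
find_circular_placeholders "$SAMPLE_YML"
find_plaintext_passwords "$SAMPLE_YML"
keystore_migration_commands plugins.security.ssl.transport.truststore_password
```

After running the printed `opensearch-keystore add` command, `opensearch-keystore list` (as shown later in this thread) should show the `_secure` key, and opensearch.yml should contain neither the plaintext password line nor a placeholder for it.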
> Sorry for the confusion, I added that in the keystore docs and realize now that it's not required to add an entry with a placeholder in opensearch.yml because it's implicitly added.
No problem. That is why I opened the issue. However, I still think that for the TLS docs and the _secure settings it should somehow be mentioned that you need to set those values in the keystore, as the doc does not explain how to set/use them. It only says that they exist.
> @Jakob3xD Is there any more to the Keystore is closed error? I was able to run a node locally with the plugins.security.ssl.transport.truststore_password_secure setting in the keystore.
The exact log looks like this:
[2024-03-04T08:15:30,194][WARN ][c.a.d.a.l.b.LDAPAuthorizationBackend] [test-opensearch1-n3.example.com] Unable to connect to ldapserver ldap.example.com:636 due to java.lang.IllegalStateException: Keystore is closed. Try next.
[2024-03-04T08:15:30,197][WARN ][o.o.s.a.BackendRegistry ] [test-opensearch1-n3.example.com] Authentication finally failed for jakob.xxx from 172.27.15.3:33968
Maybe our use case worked in the past by "accident" and is not covered by the new _secure settings.
Our node-to-node certs are self-signed certs and therefore we use the plugins.security.ssl.transport.pemtrustedcas_filepath setting, but our LDAP uses a public cert. This cert is signed by DigiCert, and the root CA can change as they have several. Therefore we use a truststore which includes all the DigiCert CAs to validate the LDAP cert against. If the truststore uses the default "changeit" password, the LDAP integration of OpenSearch works correctly, but if I change the password to something else and set plugins.security.ssl.transport.truststore_password_secure, OpenSearch prints the log message from above and I get a 401.
From the LDAP doc I can only set pemtrustedcas_filepath. So there is no option to specify the truststore. Maybe this should be a feature request?
I also tested only using plugins.security.ssl.transport.keystore_filepath and plugins.security.ssl.transport.truststore_filepath in combination with the _secure settings, but the LDAP integration fails with the same error as above.
The node-to-node TLS works fine. It is only LDAP that fails.