@Samk13
Last active September 14, 2023 21:09
Generating SSL Certificates

Generating SSL Certificates for OpenSearch in InvenioRDM

Overview

This document outlines the steps to generate SSL certificates required for OpenSearch in an InvenioRDM project.

Required Certificates

Three certificates are generally required:

  1. client-cert.pem: The client certificate
  2. client-key.pem: The private key associated with the client certificate
  3. root-ca.pem: The Root Certificate Authority certificate

Steps

Generate Root CA Certificate and Key

Generate Root CA Key

openssl genpkey -algorithm RSA -out root-ca-key.pem

Generate Root CA Certificate

openssl req -new -x509 -days 3650 -key root-ca-key.pem -out root-ca.pem

Note: Keep root-ca-key.pem extremely secure. Anyone with access to it can generate trusted certificates.

Generate Client Certificate and Key

Generate Client Private Key

openssl genpkey -algorithm RSA -out client-key.pem

Generate Client CSR (Certificate Signing Request)

openssl req -new -key client-key.pem -out client.csr

Generate Client Certificate

openssl x509 -req -days 365 -in client.csr -CA root-ca.pem -CAkey root-ca-key.pem -CAcreateserial -out client-cert.pem

The CSR is signed with the root CA's key here; using -signkey client-key.pem instead would only self-sign the certificate, and root-ca.pem could then never validate client-cert.pem.

Security Considerations

  • client-key.pem: Secret. Should not be committed to the repository; add to .gitignore.
  • client.csr: Intermediate file; not secret but unnecessary to track. Add to .gitignore.
  • client-cert.pem: Public but may also be added to .gitignore depending on your management approach.
  • root-ca.pem: Public. Can be committed if needed but often managed separately.
  • root-ca-key.pem: Extremely secret. Should never be committed or shared.
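The steps above and the file-handling rules in this list, as one non-interactive script (an added example, not the gist's own code): the root CA signs the client certificate, private keys are created owner-only, and the resulting chain is verified. The subject names, key sizes and the DNS:search SAN are assumed values.

```shell
# Added example (not from the gist): produces root-ca.pem, client-cert.pem
# and client-key.pem non-interactively, has the root CA sign the client
# certificate, locks down key permissions and verifies the chain.
# Subject names, key sizes and the DNS:search SAN are assumed values.
set -eu

gen_certs() {
    dir="$1"
    mkdir -p "$dir"
    umask 077   # private keys are owner-readable only from the moment they exist

    # 1. Root CA key and self-signed CA certificate (10 years, as in the gist).
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:4096 \
        -out "$dir/root-ca-key.pem" 2>/dev/null
    openssl req -new -x509 -days 3650 -key "$dir/root-ca-key.pem" \
        -subj "/CN=InvenioRDM Root CA" -out "$dir/root-ca.pem" 2>/dev/null

    # 2. Client key and certificate signing request.
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$dir/client-key.pem" 2>/dev/null
    openssl req -new -key "$dir/client-key.pem" \
        -subj "/CN=opensearch-dashboards" -out "$dir/client.csr" 2>/dev/null

    # 3. Sign the CSR with the CA. "-signkey" would self-sign instead, and
    #    root-ca.pem could then never validate the result. The SAN names the
    #    compose service ("search") that the gist's config connects to.
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth,clientAuth\nsubjectAltName=DNS:search,DNS:localhost\n' \
        > "$dir/client.ext"
    openssl x509 -req -days 365 -in "$dir/client.csr" \
        -CA "$dir/root-ca.pem" -CAkey "$dir/root-ca-key.pem" -CAcreateserial \
        -extfile "$dir/client.ext" -out "$dir/client-cert.pem" 2>/dev/null
    rm -f "$dir/client.csr" "$dir/client.ext" "$dir/root-ca.srl"

    # Certificates are public; the container user must be able to read them.
    chmod 644 "$dir/root-ca.pem" "$dir/client-cert.pem"

    # 4. The check worth keeping: client-cert.pem must chain to root-ca.pem.
    openssl verify -CAfile "$dir/root-ca.pem" "$dir/client-cert.pem" >/dev/null
}

# Returns 0 when client-cert.pem carries the public half of client-key.pem.
key_matches_cert() {
    dir="$1"
    a=$(openssl x509 -noout -pubkey -in "$dir/client-cert.pem" | openssl md5)
    b=$(openssl pkey -pubout -in "$dir/client-key.pem" 2>/dev/null | openssl md5)
    [ "$a" = "$b" ]
}

if [ "$#" -gt 0 ]; then gen_certs "$1"; fi
```

Run it as `sh gen_certs.sh ./docker/opensearch` to populate the directory the compose file below mounts; root-ca-key.pem stays in that directory only if you choose to keep it there, and it must never be committed.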

Docker Configuration Example

In your docker-compose file, you can map these certificates as follows:

volumes:
    - ./docker/opensearch/opensearch_dashboards.yml:/usr/share/opensearch-dashboards/config/opensearch_dashboards.yml #add config
    - ./docker/opensearch/client-cert.pem:/usr/share/opensearch-dashboards/config/client-cert.pem
    - ./docker/opensearch/client-key.pem:/usr/share/opensearch-dashboards/config/client-key.pem
    - ./docker/opensearch/root-ca.pem:/usr/share/opensearch-dashboards/config/root-ca.pem

opensearch_dashboards.yml:

server.host: "0.0.0.0"
opensearch.hosts: ["https://search:9200"]
opensearch.ssl.verificationMode: none
opensearch.username: "admin"
opensearch.password: "admin"
opensearch.requestHeadersAllowlist: [ authorization,securitytenant ]
server.ssl.enabled: true
server.ssl.certificate: /usr/share/opensearch-dashboards/config/client-cert.pem
server.ssl.key: /usr/share/opensearch-dashboards/config/client-key.pem
opensearch.ssl.certificateAuthorities: [ "/usr/share/opensearch-dashboards/config/root-ca.pem" ]
opensearch_security.multitenancy.enabled: true
opensearch_security.multitenancy.tenants.preferred: ["Private", "Global"]
opensearch_security.readonly_mode.roles: ["kibana_read_only"]
opensearch_security.cookie.secure: true
#disable_security_dashboards_plugin: false

docker-compose service:

  search:
    image: opensearchproject/opensearch:2.3.0
    container_name: search
    environment:
      - cluster.name=opensearch-cluster
      - node.name=opensearch-node1
      - bootstrap.memory_lock=true # along with the memlock settings below, disables swapping
      - "OPENSEARCH_JAVA_OPTS=-Xms512m -Xmx512m" # minimum and maximum Java heap size, recommend setting both to 50% of system RAM
      - "DISABLE_INSTALL_DEMO_CONFIG=false" # disables execution of install_demo_configuration.sh bundled with security plugin, which installs demo certificates and security configurations to OpenSearch
      - "DISABLE_SECURITY_PLUGIN=false" # disables security plugin entirely in OpenSearch by setting plugins.security.disabled: true in opensearch.yml
      - "discovery.type=single-node" # disables bootstrap checks that are enabled when network.host is set to a non-loopback address
    ulimits:
      memlock:
        soft: -1
        hard: -1
      nofile:
        soft: 65536 # maximum number of open files for the OpenSearch user, set to at least 65536 on modern systems
        hard: 65536
    volumes:
      - search-data:/usr/share/opensearch/data
    ports:
      - 9200:9200
      - 9600:9600 # required for Performance Analyzer
    networks:
      - search
  opensearch-dashboards:
    volumes:
      - ./docker/opensearch/opensearch_dashboards.yml:/usr/share/opensearch-dashboards/config/opensearch_dashboards.yml #add config
      - ./docker/opensearch/client-cert.pem:/usr/share/opensearch-dashboards/config/client-cert.pem
      - ./docker/opensearch/client-key.pem:/usr/share/opensearch-dashboards/config/client-key.pem
      - ./docker/opensearch/root-ca.pem:/usr/share/opensearch-dashboards/config/root-ca.pem
    image: opensearchproject/opensearch-dashboards:2.3.0
    container_name: opensearch-dashboards
    ports:
      - 5601:5601
    expose:
      - "5601"
    environment:
      # - 'OPENSEARCH_HOSTS=["https://search:9200"]'
      - "DISABLE_SECURITY_DASHBOARDS_PLUGIN=false" # disables security dashboards plugin in OpenSearch Dashboards
    networks:
      - search

volumes:
  search-data:

networks:
  search: