Video tutorials
Coming soon…
Requirements
You will also need the ingest-attachment plugin if you need to search files.
Find it on GitHub at: https://github.com/eostis-sarl/wpsolr-opensearch-self-signed-certificates
Or read the following:
Configure and install OpenSearch with self-signed certificates
OpenSearch is an open-source search and analytics platform designed for scalability and speed. It is built on a foundation of Elasticsearch and Kibana, two popular tools for search and data visualization. OpenSearch offers powerful search and analytical capabilities, making it suitable for a wide range of use cases, from text-based search engines to log and event data analysis.
We are going to use Docker containers to host the different applications. To install the Docker engine, follow the instructions at https://docs.docker.com/engine/install/.
The official OpenSearch documentation can be found at https://opensearch.org/docs/latest.
OpenSearch uses a large number of memory-mapped areas, so you have to add this line to /etc/sysctl.conf:
vm.max_map_count = 262144
This increases the number of virtual memory map areas on your host machine that the Docker container can use.
If you intend to use TLS to secure your node, do the following.
Generating the self-signed certificates (optional)
We are going to assume that the Certificate Authority (CA) has a CN called “CA” and that the CN of the node is the hostname of the OpenSearch server (in this case “opensearch-server-1”; wherever it is written in this guide, replace it with your own).
A CA server provides a user-friendly and efficient solution for generating and securely storing asymmetric key pairs. These key pairs are essential for tasks such as encryption, decryption, digital signing and validation within a Public Key Infrastructure (PKI). The CA server does not need to be active at all times: when it is not issuing certificates it can be turned off. So the CA CN can be whatever you want.
The Common Name (CN) of the node is determined by the way your clients reach the server. If the client is in another Docker container on the same machine or network, the CN should match the container’s name. However, if the client is on a different machine or network, the CN should be the hostname of the machine hosting the container.
Enter your CNs like this:
CA_CN="CA"
NODE_CN="opensearch-server-1"
ADMIN_CN="admin"
Then enter your Distinguished Names (DN) using the following structure:
CA_DN="/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=CA"
NODE_DN="/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=opensearch-server-1"
ADMIN_DN="/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=admin"
If you don’t have a full DN, you can just write it like this:
CA_DN="/CN=CA"
NODE_DN="/CN=opensearch-server-1"
ADMIN_DN="/CN=admin"
To generate the self-signed certificates:
mkdir opensearch_certs
cd opensearch_certs
Generate the root CA:
openssl genrsa -out ca-key.pem 2048
openssl req -new -x509 -sha256 -key ca-key.pem -subj "$CA_DN" -out ca.pem -days 730
Generate the admin certificate (the subject must be the ADMIN_DN defined above, because it is the DN that admin_dn in opensearch.yml is matched against):
openssl genrsa -out admin-key-temp.pem 2048
openssl pkcs8 -inform PEM -outform PEM -in admin-key-temp.pem -topk8 -nocrypt -v1 PBE-SHA1-3DES -out admin-key.pem
openssl req -new -key admin-key.pem -subj "$ADMIN_DN" -out admin.csr
openssl x509 -req -in admin.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -sha256 -out admin.pem -days 730
This certificate is used for administrative tasks. It’s typically assigned to individuals or systems that need to perform administrative actions on the cluster, such as managing settings, adding or removing nodes, and configuring security settings. The admin certificate grants full control over the cluster.
Generate the node certificate:
openssl genrsa -out "$NODE_CN"-key-temp.pem 2048
openssl pkcs8 -inform PEM -outform PEM -in "$NODE_CN"-key-temp.pem -topk8 -nocrypt -v1 PBE-SHA1-3DES -out "$NODE_CN"-key.pem
openssl req -new -key "$NODE_CN"-key.pem -subj "$NODE_DN" -out "$NODE_CN".csr
echo "subjectAltName=DNS:$NODE_CN,DNS:localhost" > "$NODE_CN".ext
openssl x509 -req -in "$NODE_CN".csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -sha256 -out "$NODE_CN".pem -days 730 -extfile "$NODE_CN".ext
Start the OpenSearch service
Create the docker-compose file with the following content:
version: '3'
services:
  opensearch-server-1: # This is also the hostname of the container within the Docker network (i.e. https://opensearch-server-1:9200/)
    image: opensearchproject/opensearch:latest # Specifying the latest available image - modify if you want a specific version
    container_name: opensearch-server-1
    hostname: opensearch-server-1
    environment:
      - cluster.name=opensearch-cluster # Name the cluster
      - node.name=opensearch-server-1 # Name the node that will run in this container
      - discovery.seed_hosts=opensearch-server-1 # Nodes to look for when discovering the cluster
      - cluster.initial_cluster_manager_nodes=opensearch-server-1 # Nodes eligible to serve as cluster manager
      - bootstrap.memory_lock=true # Disable JVM heap memory swapping
      - "OPENSEARCH_JAVA_OPTS=-Xms512m -Xmx512m" # Set min and max JVM heap sizes to at least 50% of system RAM
    ulimits:
      memlock:
        soft: -1 # Set memlock to unlimited (no soft or hard limit)
        hard: -1
      nofile:
        soft: 262144 # Maximum number of open files for the opensearch user - set to at least 65536
        hard: 262144
    volumes:
      - opensearch-server-1-data:/usr/share/opensearch/data
      - opensearch-server-1-config:/usr/share/opensearch/config
      # The self-signed certificates
      - ./opensearch_certs/ca.pem:/usr/share/opensearch/config/ca.pem
      - ./opensearch_certs/opensearch-server-1.pem:/usr/share/opensearch/config/opensearch-server-1.pem
      - ./opensearch_certs/opensearch-server-1-key.pem:/usr/share/opensearch/config/opensearch-server-1-key.pem
      - ./opensearch_certs/admin.pem:/usr/share/opensearch/config/admin.pem
      - ./opensearch_certs/admin-key.pem:/usr/share/opensearch/config/admin-key.pem
    ports:
      - 9200:9200 # REST API
      - 9600:9600 # Performance Analyzer
    networks:
      - opensearch-net # All of the containers will join the same Docker bridge network
  opensearch-dashboards:
    image: opensearchproject/opensearch-dashboards:latest # Make sure the version of opensearch-dashboards matches the version of opensearch installed on other nodes
    container_name: opensearch-dashboards
    ports:
      - 5601:5601 # Map host port 5601 to container port 5601
    expose:
      - "5601" # Expose port 5601 for web access to OpenSearch Dashboards
    environment:
      OPENSEARCH_HOSTS: '["https://opensearch-server-1:9200"]' # Define the OpenSearch nodes that OpenSearch Dashboards will query
    networks:
      - opensearch-net
volumes:
  opensearch-server-1-data:
  opensearch-server-1-config:
networks:
  opensearch-net:
Then start the containers with:
cd /path/to/the/directory/containing/docker-compose.yml
docker-compose up -d
or
sudo docker-compose -f specific-file-name up -d
Make sure the volumes or mounts in your docker-compose file match the paths and names of the certificate files.
Configure the OpenSearch security plugin
Using plain HTTP and no authentication
If you do not intend to use TLS to secure your node, add this single line to /usr/share/opensearch/config/opensearch.yml:
plugins.security.disabled: true
WARNING! According to the official documentation at https://opensearch.org/docs/latest/security/configuration/disable: Disabling or removing the plugin exposes the configuration index for the Security plugin. If the index contains sensitive information, be sure to protect it through some other means. If you no longer need the index, delete it.
Using HTTPS and authentication
Configure the OpenSearch server by modifying the file /usr/share/opensearch/config/opensearch.yml on the container:
plugins.security.ssl.transport.pemcert_filepath: opensearch-server-1.pem # formerly esnode.pem
plugins.security.ssl.transport.pemkey_filepath: opensearch-server-1-key.pem # formerly esnode-key.pem
plugins.security.ssl.transport.pemtrustedcas_filepath: ca.pem # using the newly generated one
plugins.security.ssl.transport.enforce_hostname_verification: true # formerly false
plugins.security.ssl.http.enabled: true
plugins.security.ssl.http.pemcert_filepath: opensearch-server-1.pem # formerly esnode.pem
plugins.security.ssl.http.pemkey_filepath: opensearch-server-1-key.pem # formerly esnode-key.pem
plugins.security.ssl.http.pemtrustedcas_filepath: ca.pem # using the newly generated one
plugins.security.allow_unsafe_democertificates: false # formerly true
plugins.security.allow_default_init_securityindex: true
plugins.security.authcz.admin_dn:
  - "CN=CA,O=Internet Widgits Pty Ltd,ST=Some-State,C=AU"
  - "CN=admin,O=Internet Widgits Pty Ltd,ST=Some-State,C=AU"
plugins.security.nodes_dn:
  - "CN=opensearch-server-1,O=Internet Widgits Pty Ltd,ST=Some-State,C=AU" # for each node add another line
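The strings in admin_dn and nodes_dn must match the certificate subjects exactly, in RFC 2253 order (CN first, i.e. reversed with respect to the -subj strings used when the certificates were generated above); a mismatch is the usual reason securityadmin.sh answers "Unauthorized" or a node is refused by the cluster. The following Python script is an added example, not part of the original guide: it converts the CA_DN / NODE_DN / ADMIN_DN values into that form and renders the two lists, and goes one step beyond the guide by escaping characters such as commas that may appear in an O= value. The function names are this example's own, not part of the plugin.

```python
# Added example, not part of the guide: turn the OpenSSL -subj strings used above
# (CA_DN, NODE_DN, ADMIN_DN) into the RFC 2253 form that the security plugin
# compares against plugins.security.nodes_dn and plugins.security.authcz.admin_dn.
RFC2253_SPECIAL = set(',+"\\<>;')   # must be backslash-escaped inside a value

def parse_openssl_subj(subj):
    """Split "/C=AU/ST=Some-State/CN=node" into [("C", "AU"), ("ST", ...), ("CN", "node")]."""
    rdns = []
    for part in subj.split("/"):
        if not part:                    # the leading "/" yields an empty piece
            continue
        key, sep, value = part.partition("=")
        if not sep or not key.strip():
            raise ValueError(f"malformed RDN {part!r} in {subj!r}")
        rdns.append((key.strip(), value))
    return rdns

def escape_rfc2253(value):
    """Escape a value the way `openssl x509 -noout -subject -nameopt RFC2253` prints it."""
    last = len(value) - 1
    out = []
    for i, ch in enumerate(value):
        if ch in RFC2253_SPECIAL or (i == 0 and ch in " #") or (i == last and ch == " "):
            out.append("\\")
        out.append(ch)
    return "".join(out)

def to_opensearch_dn(subj):
    """RFC 2253 string with the most specific RDN (CN) first, the order the plugin matches."""
    return ",".join(f"{k}={escape_rfc2253(v)}" for k, v in reversed(parse_openssl_subj(subj)))

def security_yaml(node_subjs, admin_subjs):
    """Render the two opensearch.yml lists. Single-quoted YAML scalars are used so an
    escaping backslash in a DN is not re-read as a YAML escape sequence."""
    def item(subj):
        return "  - '" + to_opensearch_dn(subj).replace("'", "''") + "'"
    lines = ["plugins.security.authcz.admin_dn:"] + [item(s) for s in admin_subjs]
    lines += ["plugins.security.nodes_dn:"] + [item(s) for s in node_subjs]
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    # Constructed sample input: the guide's own node and admin subjects.
    print(security_yaml(["/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=opensearch-server-1"],
                        ["/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=admin"]))
```

Compare the output with `openssl x509 -noout -subject -nameopt RFC2253 -in opensearch-server-1.pem` to confirm the certificate really carries the DN you configured.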
Since plugins.security.allow_unsafe_democertificates has been set to false, you need to delete the demo certificates esnode.pem, esnode-key.pem, kirk.pem, kirk-key.pem and root-ca.pem from the config directory of the opensearch-server-1 Docker container, otherwise they cause errors at startup.
Restart the container.
Apply the OpenSearch security settings by running the following command in the OpenSearch node’s Docker container:
sudo docker exec -it opensearch-server-1 ./plugins/opensearch-security/tools/securityadmin.sh -cd config/opensearch-security -icl -nhnv -cacert config/ca.pem -cert config/admin.pem -key config/admin-key.pem
Restart the container to apply the changes.
Manage OpenSearch
You need to change the admin password
Hash the password you want to use for admin using the script /usr/share/opensearch/plugins/opensearch-security/tools/hash.sh:
sudo docker exec -it opensearch-server-1 ./plugins/opensearch-security/tools/hash.sh -p new_password
Copy the hash it returns and paste it into /usr/share/opensearch/config/opensearch-security/internal_users.yml:
admin:
  hash: "new_hash"
  reserved: true
  backend_roles:
    - "admin"
Either do the same for the other users in the file or delete them. Otherwise they keep their default passwords and your OpenSearch installation will be compromised. Restart the container or the OpenSearch service for the password change to apply.
Now, from your host machine, you can connect to the OpenSearch service using the CA certificate you generated to verify the server:
curl -u admin:new_password --cacert opensearch_certs/ca.pem https://localhost:9200
Or from your WordPress machine (copy ca.pem there first):
curl -u admin:new_password --cacert /path/to/ca.pem https://opensearch-server-1:9200
Get all the users’ information:
curl -XGET "https://localhost:9200/_plugins/_security/api/internalusers" --cacert opensearch_certs/ca.pem -u admin:new_password
Create a user:
curl -XPUT "https://localhost:9200/_plugins/_security/api/internalusers/new_user" -H 'Content-Type: application/json' -d '
{
  "password": "Password_0123!",
  "backend_roles": ["admin"],
  "attributes": {
    "attribute1": "value1",
    "attribute2": "value2"
  }
}' --cacert opensearch_certs/ca.pem -u admin:new_password
Check a specific user’s information (in this case “new_user”); the credentials are single-quoted because an unquoted “!” is expanded by an interactive bash shell:
curl -XGET "https://localhost:9200/_plugins/_security/api/internalusers/new_user" --cacert opensearch_certs/ca.pem -u 'new_user:Password_0123!'
Delete the user if you want:
curl -XDELETE "https://localhost:9200/_plugins/_security/api/internalusers/new_user" --cacert opensearch_certs/ca.pem -u admin:new_password
Set up OpenSearch with PHP
If you wish to go a step further and have a working search experience, check out our guide on how to set up OpenSearch with the official PHP client.