Client certificate authentication

After obtaining certificates, either from a certificate authority (CA) or by generating them yourself with OpenSSL, you can configure OpenSearch to authenticate users with client certificates. The certificates must chain to a CA that the cluster's HTTP layer trusts (the CA configured in plugins.security.ssl.http.pemtrustedcas_filepath, or the equivalent truststore setting).

Client certificate authentication is stronger than basic authentication (username and password) alone. During the TLS handshake the client proves possession of the private key that matches its certificate, and that key never leaves the client. There is no password for an attacker to guess, so online brute-force attacks against the login do not apply; the private key file itself becomes the secret to protect.

Another benefit is that you can combine it with basic authentication. With clientauth_mode set to REQUIRE, every client must present a valid certificate to complete the TLS handshake, and a basic authentication domain can still demand a password on top of that, giving two independent layers of security.

Enabling client certificate authentication

To enable client certificate authentication, first set plugins.security.ssl.http.clientauth_mode in opensearch.yml to either OPTIONAL or REQUIRE (the third value, NONE, never asks the client for a certificate). With OPTIONAL, a client that presents no certificate can still authenticate through another domain, such as basic authentication. With REQUIRE, the TLS handshake fails for any client that does not present a certificate signed by a trusted CA, which includes OpenSearch Dashboards and monitoring tools unless they are also configured with client certificates:

  plugins.security.ssl.http.clientauth_mode: OPTIONAL

Next, define a client certificate authentication domain in config.yml (the security plugin's configuration file, under config.dynamic.authc). The domain below is named clientcert_auth_domain; the name is arbitrary, but the authenticator type must be clientcert:

  clientcert_auth_domain:
    description: "Authenticate via SSL client certificates"
    http_enabled: true
    transport_enabled: true
    order: 1
    http_authenticator:
      type: clientcert
      config:
        username_attribute: cn #optional, if omitted DN becomes username
      challenge: false
    authentication_backend:
      type: noop

Assigning roles to a certificate’s common name

You can now map your certificate's common name (CN) to a role. This step requires you to identify the certificate's CN and the role you want to assign it to. To view a list of all predefined OpenSearch roles, see Predefined roles. To get started, first define (or choose) a role and then map your certificate's CN to that role.

The string you map must match the username the authenticator derives from the certificate. With username_attribute: cn in config.yml, that is the CN value alone (for example CLIENT1). If you omit username_attribute, the username is the certificate's full subject distinguished name (DN) in RFC 2253 form, such as CN=CLIENT1,OU=client,O=client,C=de, and the mapping must use that entire string.

After determining which role to map to your certificate's CN, you can use OpenSearch Dashboards, roles_mapping.yml, or the REST API to create the mapping. The following example uses the REST API to map the CN CLIENT1 to the role readall. Note that PUT replaces the whole mapping for the role, so include every user, backend role, and host you want mapped, not just the new entry.

Example request

  PUT _plugins/_security/api/rolesmapping/readall
  {
    "backend_roles" : ["sample_role" ],
    "hosts" : [ "example.host.com" ],
    "users" : [ "CLIENT1" ]
  }

Example response

  {
    "status": "OK",
    "message": "'readall' updated."
  }

After mapping a role to your client certificate’s CN, you’re ready to connect to your cluster using those credentials.

The code example below uses the Python requests library to connect to a local OpenSearch cluster and send a GET request for document 3 in the movies index. No username or password is sent; the certificate presented during the TLS handshake identifies the user.

  import requests

  base_url = 'https://localhost:9200/'
  headers = {
      'Content-Type': 'application/json'
  }

  # The client certificate and its private key authenticate this client.
  # The root CA verifies the cluster's own HTTP certificate.
  cert_file_path = "/full/path/to/client-cert.pem"
  key_file_path = "/full/path/to/client-cert-key.pem"
  root_ca_path = "/full/path/to/root-ca.pem"

  # Send the request. verify= pins the trusted CA instead of disabling
  # verification, so the connection cannot be silently downgraded.
  path = 'movies/_doc/3'
  url = base_url + path
  response = requests.get(url, headers=headers, cert=(cert_file_path, key_file_path), verify=root_ca_path)
  print(response.status_code)
  print(response.text)
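The whole flow in one place, from a freshly issued certificate to the username OpenSearch will see and the role-mapping body for it, as an added example that is not part of the original page or the OpenSearch project's own tooling. It generates a throwaway root CA and a client certificate with CN=CLIENT1 using openssl, prints the two possible usernames (CN alone, as with username_attribute: cn, and the full RFC 2253 DN, as when that setting is omitted), writes the JSON for PUT _plugins/_security/api/rolesmapping/readall, and runs curl with the certificate only if OPENSEARCH_URL is set. The directory, the subject fields, the readall role and the OPENSEARCH_URL variable are assumptions for this example; for a real cluster, the generated root CA would have to be added to the cluster's HTTP trusted CAs.

```shell
#!/bin/sh
# Added example, not from the OpenSearch documentation. Subject fields,
# directory names, the readall role and OPENSEARCH_URL are assumptions.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Generate root-ca.pem, client-cert.pem and client-cert-key.pem in $2 for CN=$1.
make_client_cert() {
  cn="$1"; dir="$2"
  mkdir -p "$dir"
  # Self-signed root CA. The cluster must trust this CA (see
  # plugins.security.ssl.http.pemtrustedcas_filepath) or the handshake fails.
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/C=US/O=Example/OU=Test/CN=example-root-ca" \
    -keyout "$dir/root-ca-key.pem" -out "$dir/root-ca.pem" 2>/dev/null
  # Client key and CSR. The CN here is what username_attribute: cn maps to.
  openssl req -newkey rsa:2048 -nodes \
    -subj "/C=US/O=Example/OU=Clients/CN=$cn" \
    -keyout "$dir/client-cert-key.pem" -out "$dir/client.csr" 2>/dev/null
  # Sign the CSR with the CA and mark it as a client (not a CA) certificate.
  printf 'extendedKeyUsage=clientAuth\nbasicConstraints=CA:FALSE\n' > "$dir/client.ext"
  openssl x509 -req -days 1 -in "$dir/client.csr" \
    -CA "$dir/root-ca.pem" -CAkey "$dir/root-ca-key.pem" -CAcreateserial \
    -extfile "$dir/client.ext" -out "$dir/client-cert.pem" 2>/dev/null
}

# Username when username_attribute is omitted: the whole subject DN in
# RFC 2253 form (CN first, comma separated), exactly as it must appear in "users".
cert_dn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

# Username when username_attribute: cn is set: only the CN component.
cert_cn() {
  cert_dn "$1" | tr ',' '\n' | sed -n 's/^CN=//p'
}

# JSON body for PUT _plugins/_security/api/rolesmapping/<role>. PUT replaces
# the whole mapping, so list every user that should keep the role.
rolemapping_body() {
  printf '{"users": ["%s"]}\n' "$1"
}

# Query the cluster with the client certificate when OPENSEARCH_URL is set;
# otherwise print the command. --cacert verifies the server, --cert/--key
# authenticate the client. No -u username:password is needed.
query_cluster() {
  dir="$1"; path="$2"
  set -- curl -sS --cacert "$dir/root-ca.pem" \
    --cert "$dir/client-cert.pem" --key "$dir/client-cert-key.pem" \
    "${OPENSEARCH_URL:-https://localhost:9200}/$path"
  if [ -n "${OPENSEARCH_URL:-}" ]; then "$@"; else echo "would run: $*"; fi
}

make_client_cert CLIENT1 "$WORKDIR/certs"
echo "DN username: $(cert_dn "$WORKDIR/certs/client-cert.pem")"
echo "CN username: $(cert_cn "$WORKDIR/certs/client-cert.pem")"
rolemapping_body "$(cert_cn "$WORKDIR/certs/client-cert.pem")" > "$WORKDIR/readall-mapping.json"
cat "$WORKDIR/readall-mapping.json"
query_cluster "$WORKDIR/certs" "movies/_doc/3"
```

Run it once with no OPENSEARCH_URL to see the two username forms and the mapping body; if the DN form is what the cluster uses, the value printed after "DN username:" is the string that belongs in "users". Keep client-cert-key.pem readable only by the account that runs the client, since possession of that file is now equivalent to the user's credentials.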

Using certificates with Docker

While we recommend using the tarball installation of OpenSearch to test client certificate authentication configurations, you can also use any of the other install types. For instructions on configuring security settings in Docker, see Configuring basic security settings.