Configure TLS for OpenSearch Dashboards

By default, for ease of testing and getting started, OpenSearch Dashboards runs over HTTP. To enable TLS for HTTPS, update the following settings in opensearch_dashboards.yml.

SettingDescription
opensearch.ssl.verificationModeThis setting is for communications between OpenSearch and OpenSearch Dashboards. Valid values are full, certificate, or none. We recommend full if you enable TLS, which enables hostname verification. certificate just checks the certificate, not the hostname, and none performs no checks (suitable for HTTP). Default is full.
opensearch.ssl.certificateAuthoritiesIf opensearch.ssl.verificationMode is full or certificate, specify the full path to one or more CA certificates that comprise a trusted chain for your OpenSearch cluster. For example, you might need to include a root CA and an intermediate CA if you used the intermediate CA to issue your admin, client, and node certificates.
server.ssl.enabledThis setting is for communications between OpenSearch Dashboards and the web browser. Set to true for HTTPS, false for HTTP.
server.ssl.certificateIf server.ssl.enabled is true, specify the full path to a valid client certificate for your OpenSearch cluster. You can generate your own or get one from a certificate authority.
server.ssl.keyIf server.ssl.enabled is true, specify the full path (e.g. /usr/share/opensearch-dashboards-1.0.0/config/my-client-cert-key.pem to the key for your client certificate. You can generate your own or get one from a certificate authority.
server.ssl.certificateAuthoritiesThis setting adds the SSL certificate authority which issues SSL certificates for the Dashboard’s server in a list format.
opensearch.ssl.certificateAuthoritiesThis setting adds the SSL certificate authority for OpenSearch.
opensearch_security.cookie.secureIf you enable TLS for OpenSearch Dashboards, change this setting to true. For HTTP, set it to false.

This opensearch_dashboards.yml configuration shows OpenSearch and OpenSearch Dashboards running on the same machine with the demo configuration:

  1. opensearch.hosts: ["https://localhost:9200"]
  2. opensearch.ssl.verificationMode: full
  3. opensearch.username: "kibanaserver"
  4. opensearch.password: "kibanaserver"
  5. opensearch.requestHeadersAllowlist: [ authorization,securitytenant ]
  6. server.ssl.enabled: true
  7. server.ssl.certificate: /usr/share/opensearch-dashboards/config/client-cert.pem
  8. server.ssl.key: /usr/share/opensearch-dashboards/config/client-cert-key.pem
  9. server.ssl.certificateAuthorities: [ "/usr/share/opensearch-dashboards/config/root-ca.pem", "/usr/share/opensearch-dashboards/config/intermediate-ca.pem" ]
  10. opensearch.ssl.certificateAuthorities: [ "/usr/share/opensearch-dashboards/config/root-ca.pem", "/usr/share/opensearch-dashboards/config/intermediate-ca.pem" ]
  11. opensearch_security.multitenancy.enabled: true
  12. opensearch_security.multitenancy.tenants.preferred: ["Private", "Global"]
  13. opensearch_security.readonly_mode.roles: ["kibana_read_only"]
  14. opensearch_security.cookie.secure: true

If you use the Docker install, you can pass a custom opensearch_dashboards.yml to the container. To learn more, see the Docker installation page.

After enabling these settings and starting OpenSearch Dashboards, you can connect to it at https://localhost:5601. You might have to acknowledge a browser warning if your certificates are self-signed. To avoid this sort of warning (or outright browser incompatibility), best practice is to use certificates from trusted certificate authority.