This is an earlier version of the OpenSearch documentation. For the latest version, see the current documentation. For information about OpenSearch version maintenance, see Release Schedule and Maintenance Policy.
Configure TLS for OpenSearch Dashboards
By default, for ease of testing and getting started, OpenSearch Dashboards runs over HTTP. To enable TLS for HTTPS, update the following settings in
|opensearch.ssl.verificationMode||This setting is for communications between OpenSearch and OpenSearch Dashboards. Valid values are |
|server.ssl.enabled||This setting is for communications between OpenSearch Dashboards and the web browser. Set to true for HTTPS, false for HTTP.|
|opensearch_security.cookie.secure||If you enable TLS for OpenSearch Dashboards, change this setting to |
opensearch_dashboards.yml configuration shows OpenSearch and OpenSearch Dashboards running on the same machine with the demo configuration:
opensearch.hosts: ["https://localhost:9200"] opensearch.ssl.verificationMode: full opensearch.username: "kibanaserver" opensearch.password: "kibanaserver" opensearch.requestHeadersAllowlist: [ authorization,securitytenant ] server.ssl.enabled: true server.ssl.certificate: /usr/share/opensearch-dashboards/config/client-cert.pem server.ssl.key: /usr/share/opensearch-dashboards/config/client-cert-key.pem opensearch.ssl.certificateAuthorities: [ "/usr/share/opensearch-dashboards/config/root-ca.pem", "/usr/share/opensearch-dashboards/config/intermediate-ca.pem" ] opensearch_security.multitenancy.enabled: true opensearch_security.multitenancy.tenants.preferred: ["Private", "Global"] opensearch_security.readonly_mode.roles: ["kibana_read_only"] opensearch_security.cookie.secure: true
If you use the Docker install, you can pass a custom
opensearch_dashboards.yml to the container. To learn more, see the Docker installation page.
After enabling these settings and starting OpenSearch Dashboards, you can connect to it at
https://localhost:5601. You might have to acknowledge a browser warning if your certificates are self-signed. To avoid this sort of warning (or outright browser incompatibility), best practice is to use certificates from trusted certificate authority.