Configure TLS for OpenSearch Dashboards
By default, for ease of testing and getting started, OpenSearch Dashboards runs over HTTP. To enable TLS for HTTPS, update the following settings in opensearch_dashboards.yml.
| Setting | Description |
|---|---|
server.ssl.enabled | Enables SSL communication between the OpenSearch Dashboards server and the user’s web browser. Set to true for HTTPS or false for HTTP. |
server.ssl.supportedProtocols | Specifies the array of supported TLS protocols. Possible values are TLSv1, TLSv1.1, and TLSv1.2, TLSv1.3. Default is ['TLSv1.1', 'TLSv1.2', and 'TLSv1.3']. |
server.ssl.cipherSuites | Specifies the array of TLS cipher suites. Optional. |
server.ssl.certificate | If server.ssl.enabled is set to true, specifies the full path to a valid Privacy Enhanced Mail (PEM) server certificate for OpenSearch Dashboards. You can generate your own certificate or get one from a certificate authority (CA). |
server.ssl.key | If server.ssl.enabled is set to true, specifies the full path to the key for your server certificate, for example, /usr/share/opensearch-dashboards-1.0.0/config/my-client-cert-key.pem. You can generate your own certificate or get one from a CA. |
server.ssl.keyPassphrase | Sets the password for the key. Omit this setting if the key has no password. Optional. |
server.ssl.keystore.path | Uses a JKS (Java KeyStore) or PKCS12/PFX (Public-Key Cryptography Standards) file instead of a PEM certificate and key. |
server.ssl.keystore.password | Sets the password for the key store. Required. |
server.ssl.clientAuthentication | Specifies the TLS client authentication mode to use. Can be one of the following: none, optional, or required. If set to required, your web browser needs to send a valid client certificate signed by the CA configured in server.ssl.certificateAuthorities. Default is none. |
server.ssl.certificateAuthorities | Specifies the full path to one or more CA certificates in an array that issues the certificate used for client authentication. Required if server.ssl.clientAuthentication is set to optional or required. |
server.ssl.truststore.path | Uses a JKS or PKCS12/PFX trust store file instead of PEM CA certificates. |
server.ssl.truststore.password | Sets the password for the trust store. Required. |
opensearch.ssl.verificationMode | Establishes communication between OpenSearch and OpenSearch Dashboards. Valid values are full, certificate, or none. full is recommended if TLS is enabled, which enables hostname verification. certificate checks the certificate but not the hostname. none performs no checks (suitable for HTTP). Default is full. |
opensearch.ssl.certificateAuthorities | If opensearch.ssl.verificationMode is set to full or certificate, specifies the full path to one or more CA certificates in an array that comprises a trusted chain for an OpenSearch cluster. For example, you might need to include a root CA and an intermediate CA if you used the intermediate CA to issue your admin, client, and node certificates. |
opensearch.ssl.truststore.path | Uses a JKS or PKCS12/PFX trust store file instead of PEM CA certificates. |
opensearch.ssl.truststore.password | Sets the password for the trust store. Required. |
opensearch.ssl.alwaysPresentCertificate | Sends the client certificate to the OpenSearch cluster if set to true, which is necessary when mTLS is enabled in OpenSearch. Default is false. |
opensearch.ssl.certificate | If opensearch.ssl.alwaysPresentCertificate is set to true, specifies the full path to a valid client certificate for the OpenSearch cluster. You can generate your own certificate or get one from a CA. |
opensearch.ssl.key | If opensearch.ssl.alwaysPresentCertificate is set to true, specifies the full path to the key for the client certificate. You can generate your own certificate or get one from a CA. |
opensearch.ssl.keyPassphrase | Sets the password for the key. Omit this setting if the key has no password. Optional. |
opensearch.ssl.keystore.path | Uses a JKS or PKCS12/PFX key store file instead of a PEM certificate and key. |
opensearch.ssl.keystore.password | Sets the password for the key store. Required. |
opensearch_security.cookie.secure | If TLS is enabled for OpenSearch Dashboards, change this setting to true. For HTTP, set it to false. |
The following opensearch_dashboards.yml configuration shows OpenSearch and OpenSearch Dashboards running on the same machine with the demo configuration:
server.host: '0.0.0.0'
server.ssl.enabled: true
server.ssl.certificate: /usr/share/opensearch-dashboards/config/client-cert.pem
server.ssl.key: /usr/share/opensearch-dashboards/config/client-cert-key.pem
opensearch.hosts: ["https://localhost:9200"]
opensearch.ssl.verificationMode: full
opensearch.ssl.certificateAuthorities: [ "/usr/share/opensearch-dashboards/config/root-ca.pem", "/usr/share/opensearch-dashboards/config/intermediate-ca.pem" ]
opensearch.username: "kibanaserver"
opensearch.password: "kibanaserver"
opensearch.requestHeadersAllowlist: [ authorization,securitytenant ]
opensearch_security.multitenancy.enabled: true
opensearch_security.multitenancy.tenants.preferred: ["Private", "Global"]
opensearch_security.readonly_mode.roles: ["kibana_read_only"]
opensearch_security.cookie.secure: true
If you use the Docker install option, you can pass a custom opensearch_dashboards.yml file to the container. To learn more, see the Docker installation page.
You can connect to OpenSearch Dashboards at https://localhost:5601 after enabling these settings and starting the application. You might need to acknowledge a browser warning if your certificates are self-signed. To avoid this type of warning (or outright browser incompatibility), it is best practice to use certificates from a trusted CA.