Version: 5.1

Removing Old Entries

After successfully adding new certificates, it's necessary to remove outdated entries related to the previous Certificate Authority (CA) and update OpenSearch node configurations. This prevents the use of old certificates and avoids potential authentication conflicts.

Removing Old CA Entries

Once the new certificate chain has been added to CA files, remove the old CA entry from the certificate structure.

Original structure:

-----BEGIN CERTIFICATE-----
[Old CA]
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
[Intermediate CA]
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
[Root CA]
-----END CERTIFICATE-----

Updated structure (without old CA):

-----BEGIN CERTIFICATE-----
[Intermediate CA]
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
[Root CA]
-----END CERTIFICATE-----

Removing Old nodes_dn and admin_dn Entries

In all opensearch.yml configuration files, remove outdated nodes_dn and admin_dn entries, keeping only current ones.

Original configuration snippet:

plugins.security.nodes_dn:
  - "CN=smos-*,O=Old Org,L=Dubai,ST=Dubai,C=AE"
  - "CN=smos-*,O=New Org,L=Dubai,ST=Dubai,C=AE"

Updated snippet (without old entries):

plugins.security.nodes_dn:
  - "CN=smos-*,O=New Org,L=Dubai,ST=Dubai,C=AE"
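A check that can be run over each opensearch.yml before the restart, added here as an example and not part of the product documentation: it reports every nodes_dn or admin_dn entry that is not in the list of current DNs. The admin DN value and the function names are assumptions of this example, `plugins.security.authcz.admin_dn` is the security plugin's full setting name for admin_dn, and only block-style lists are parsed.

```python
# Keys holding DN lists. nodes_dn is the key shown on the page; the second is
# the OpenSearch security plugin's full setting name for admin_dn.
DN_KEYS = ("plugins.security.nodes_dn", "plugins.security.authcz.admin_dn")

def read_dn_lists(yml_text):
    """Collect '- "DN"' items under each DN key (block-style lists only)."""
    lists, current = {}, None
    for raw in yml_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith(":") and line[:-1] in DN_KEYS:
            current = line[:-1]
            lists.setdefault(current, [])
        elif current and line.startswith("- "):
            lists[current].append(line[2:].strip().strip("\"'"))
        else:
            current = None  # any other setting ends the list
    return lists

def normalize(dn):
    """Drop whitespace around RDN separators so 'O=X, L=Y' equals 'O=X,L=Y'."""
    return ",".join(part.strip() for part in dn.split(","))

def stale_entries(yml_text, current_dns):
    """Return {key: [entries not in current_dns]}; empty dict means clean."""
    allowed = {normalize(d) for d in current_dns}
    stale = {}
    for key, dns in read_dn_lists(yml_text).items():
        old = [d for d in dns if normalize(d) not in allowed]
        if old:
            stale[key] = old
    return stale

# Constructed sample: the page's original nodes_dn snippet plus a made-up admin_dn.
SAMPLE = """\
plugins.security.nodes_dn:
- "CN=smos-*,O=Old Org,L=Dubai,ST=Dubai,C=AE"
- "CN=smos-*,O=New Org,L=Dubai,ST=Dubai,C=AE"
plugins.security.authcz.admin_dn:
  - "CN=admin, O=New Org, L=Dubai, ST=Dubai, C=AE"
"""
CURRENT_DNS = ["CN=smos-*,O=New Org,L=Dubai,ST=Dubai,C=AE",
               "CN=admin,O=New Org,L=Dubai,ST=Dubai,C=AE"]

if __name__ == "__main__":
    for key, dns in stale_entries(SAMPLE, CURRENT_DNS).items():
        for dn in dns:
            print(f"STALE {key}: {dn}")  # non-empty output: do not restart yet
```

To audit a real node, pass the contents of its opensearch.yml as `yml_text` and the DNs of the newly issued certificates as `current_dns`.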

Disabling Shard Allocation

Before restarting OpenSearch nodes, disable shard allocation:

PUT _cluster/settings
{
  "persistent": {
    "cluster.routing.allocation.enable": "none"
  }
}

Restarting OpenSearch Nodes

Restart OpenSearch nodes in the established order to apply changes.

  1. Restart OS Master nodes:

     systemctl stop opensearch
     systemctl start opensearch

     Verify successful cluster reconnection:

     GET _cat/nodes?v

  2. Restart OS-DATA nodes in sequence: cold - warm - hot

Enabling Shard Allocation

After restarting OpenSearch nodes, enable shard allocation:

PUT _cluster/settings
{
  "persistent": {
    "cluster.routing.allocation.enable": "all"
  }
}

Restarting SAF Monitor Components

For proper system operation, restart all Smart Monitor components as described in Deploying Generated Certificates for Other Search Anywhere Framework Components.