Version: 5.1

Replacing Old Certificates

Copying New Certificates for OpenSearch

Overview

Certificate replacement in OpenSearch is a critical step for establishing secure node-to-node communication. The process deploys new certificates and private keys to the appropriate nodes to ensure data encryption and service authentication.

Notation:

$PATH_NEW_NODE_CERT_KEY — path to new certificates and private keys

Please note!

Disable shard allocation or restart nodes sequentially, waiting for cluster recovery before proceeding.

  1. Deploy certificates to SA Data Master
cp $PATH_NEW_NODE_CERT_KEY/{node-cert.pem,node-key.pem} ${OS_HOME}/config/
  2. Restart SA Data Master node
systemctl stop opensearch
systemctl start opensearch
  3. Verify node reconnection to cluster
GET _cat/nodes?v
  4. Restart data nodes

Restart SA Data Storage nodes in stages: first sequentially restart the nodes whose routing_mode parameter is cold, then the warm nodes, and finally the hot nodes.
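
A pre-deployment check for the copy in step 1, added here as an example and not part of the product documentation: it confirms that node-key.pem belongs to node-cert.pem, that the certificate is not about to expire, and, when ca-cert.pem sits in the same directory, that the certificate chains to it. The function name `check_cert_pair`, the 30-day default, the return codes and an unencrypted PEM key are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not from the product docs): sanity-check a new certificate
# pair before copying it to a node.
# Usage: check_cert_pair DIR [MIN_DAYS]
# Return codes: 0 ok, 2 missing file, 3 key mismatch, 4 expiring, 5 CA failure.
check_cert_pair() {
    dir=$1
    min_days=${2:-30}              # assumed threshold; set to your policy
    cert="$dir/node-cert.pem"      # file names as used on this page
    key="$dir/node-key.pem"        # assumed to be an unencrypted PEM key
    ca="$dir/ca-cert.pem"          # optional; checked only when present

    for f in "$cert" "$key"; do
        [ -r "$f" ] || { echo "FAIL: missing or unreadable $f" >&2; return 2; }
    done

    # The private key must belong to the certificate: compare public keys.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || cert_pub=""
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || key_pub=""
    if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: $key does not match $cert" >&2; return 3
    fi

    # Reject a certificate that expires within MIN_DAYS.
    if ! openssl x509 -in "$cert" -noout -checkend "$((min_days * 86400))" >/dev/null; then
        echo "FAIL: $cert expires within $min_days days" >&2; return 4
    fi

    # If the issuing CA is available, the node certificate must chain to it.
    if [ -r "$ca" ] && ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "FAIL: $cert does not verify against $ca" >&2; return 5
    fi

    # A private key readable by other users is worth fixing before deployment.
    if [ -n "$(find "$key" -perm -o+r 2>/dev/null)" ]; then
        echo "WARN: $key is world-readable" >&2
    fi
    echo "OK: $cert"
}

# Run the check when a directory is given on the command line.
if [ "$#" -gt 0 ]; then check_cert_pair "$@"; fi
```

Running it against $PATH_NEW_NODE_CERT_KEY before the first copy catches a mismatched or expiring pair while the node is still serving with its old certificate.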

Deploying Generated Certificates for SA Engine RE and Inventory

Warning

Perform these steps only if these components use different certificates than SA Data Master and SA Data Storage nodes.

  1. Deploy certificates to SA Engine RE
cp $PATH_NEW_NODE_CERT_KEY/{node-cert.pem,node-key.pem} ${OS_HOME}/utils/sme-re
  2. Restart SA Engine RE nodes
systemctl stop sme-re
systemctl start sme-re
  3. Check logs for errors
tail -f /app/logs/opensearch/sme-re/main.log
  4. Deploy certificates to Inventory
cp $PATH_NEW_NODE_CERT_KEY/ca-cert.pem ${OS_HOME}/utils/inventory

Deploying Generated Certificates for Other Search Anywhere Framework Components

  1. Deploy certificates to OpenSearch Dashboards (OSD)
cp $PATH_NEW_NODE_CERT_KEY/{node-cert.pem,node-key.pem} ${OSD_HOME}/config
  2. Restart OSD nodes
systemctl stop opensearch-dashboards
systemctl start opensearch-dashboards
  3. Verify OSD connection to OpenSearch
  4. Deploy certificates to Logstash
cp $PATH_NEW_NODE_CERT_KEY/{node-cert.pem,node-key.pem} ${LOGSTASH_HOME}/config/
  5. Restart Logstash nodes
systemctl stop logstash
systemctl start logstash
  6. Check Logstash logs for errors
tail -f /app/logs/logstash/logstash-plain.log
  7. Deploy certificates to SAF Beat Manager
cp $PATH_NEW_NODE_CERT_KEY/{cert.pem,key.pem} ${SBM_HOME}/etc/ssl
  8. Restart SAF Beat Manager
systemctl stop SAFBeatManager
systemctl start SAFBeatManager