Opensearch demo 인증서에서 내부 서버용 CA 생성 후 등록
1. root CA 생성
root CA로 esnode.pem, admin.pem을 서명
cd /etc/opensearch
sudo openssl genrsa -out root-ca-key.pem 2048
sudo openssl req -new -x509 -sha256 \
-key root-ca-key.pem \
-subj "/C=KR/ST=Seoul/L=Seoul/O=MyCompany/OU=OpenSearch/CN=MyRootCA" \
-out root-ca.pem \
-days 3650
2. 노드 인증서 생성
esnode.pem, esnode-key.pem이 Opensearch 노드가 실제로 쓰는 인증서와 키, 문서 기준으로 노드 키는 PKCS#8이어야 하고, 호스트 인증서는 SAN(subjectAltName)을 넣는게 권장
cd /etc/opensearch
# 1) 임시 개인키
sudo openssl genrsa -out esnode-key-temp.pem 2048
# 2) PKCS#8 변환
sudo openssl pkcs8 -inform PEM -outform PEM \
-in esnode-key-temp.pem \
-topk8 -nocrypt -v1 PBE-SHA1-3DES \
-out esnode-key.pem
# 3) CSR 생성
sudo openssl req -new \
-key esnode-key.pem \
-subj "/C=KR/ST=Seoul/L=Seoul/O=MyCompany/OU=OpenSearch/CN=os1.example.com" \
-out esnode.csr
# 4) SAN 파일
cat <<'EOF' | sudo tee /etc/opensearch/esnode.ext >/dev/null
subjectAltName=DNS:localhost,DNS:os1.example.com,IP:127.0.0.1
extendedKeyUsage=serverAuth,clientAuth
EOF
# 5) root CA로 서명
sudo openssl x509 -req -in esnode.csr \
-CA root-ca.pem -CAkey root-ca-key.pem -CAcreateserial \
-sha256 -out esnode.pem -days 730 \
-extfile /etc/opensearch/esnode.ext
# 생성 후 확인
openssl x509 -in /etc/opensearch/esnode.pem -noout -subject -ext subjectAltName
3. admin 인증서 생성
admin.pem, admin-key.pem은 관리자 인증서. 이건 노드 인증서와 역할이 다르고, securityadmin.sh이나 Security REST API 작업용. admin cert는 특정 호스트에 묶이지 않으므로 SAN이 필요없다고 문서에 명시
cd /etc/opensearch
# 1) 임시 키
sudo openssl genrsa -out admin-key-temp.pem 2048
# 2) PKCS#8 변환
sudo openssl pkcs8 -inform PEM -outform PEM \
-in admin-key-temp.pem \
-topk8 -nocrypt -v1 PBE-SHA1-3DES \
-out admin-key.pem
# 3) CSR 생성
sudo openssl req -new \
-key admin-key.pem \
-subj "/C=KR/ST=Seoul/L=Seoul/O=MyCompany/OU=OpenSearch/CN=admin" \
-out admin.csr
# 4) root CA로 서명
sudo openssl x509 -req -in admin.csr \
-CA root-ca.pem -CAkey root-ca-key.pem -CAcreateserial \
-sha256 -out admin.pem -days 730
# 생성 후 확인
openssl x509 -in /etc/opensearch/admin.pem -noout -subject
4. 파일 권한 추가
sudo chown opensearch:opensearch /etc/opensearch/esnode.pem /etc/opensearch/esnode-key.pem
sudo chown opensearch:opensearch /etc/opensearch/admin.pem /etc/opensearch/admin-key.pem
sudo chown opensearch:opensearch /etc/opensearch/root-ca.pem
sudo chmod 644 /etc/opensearch/esnode.pem /etc/opensearch/admin.pem /etc/opensearch/root-ca.pem
sudo chmod 600 /etc/opensearch/esnode-key.pem /etc/opensearch/admin-key.pem /etc/opensearch/root-ca-key.pem
5. opensearch.yml 설정
- nodes_dn 값은 esnode.pem Subject DN과 정확히 맞아야 함
- admin_dn 값은 admin.pem Subject DN과 정확히 맞아야 함
cluster.name: spring-log-cluster
node.name: node-1
network.host: 0.0.0.0
discovery.type: single-node
path.data: /var/lib/opensearch
path.logs: /var/log/opensearch
plugins.security.ssl.transport.pemcert_filepath: esnode.pem
plugins.security.ssl.transport.pemkey_filepath: esnode-key.pem
plugins.security.ssl.transport.pemtrustedcas_filepath: root-ca.pem
plugins.security.ssl.http.enabled: true
plugins.security.ssl.http.pemcert_filepath: esnode.pem
plugins.security.ssl.http.pemkey_filepath: esnode-key.pem
plugins.security.ssl.http.pemtrustedcas_filepath: root-ca.pem
plugins.security.nodes_dn:
- "CN=os1.example.com,OU=OpenSearch,O=MyCompany,L=Seoul,ST=Seoul,C=KR"
plugins.security.authcz.admin_dn:
- "CN=admin,OU=OpenSearch,O=MyCompany,L=Seoul,ST=Seoul,C=KR"
6. securityadmin.sh 실행
opensearch-security.yml 변경 시 실행
cd /usr/share/opensearch/plugins/opensearch-security/tools
sudo ./securityadmin.sh \
-cd /etc/opensearch/opensearch-security \
-cacert /etc/opensearch/root-ca.pem \
-cert /etc/opensearch/admin.pem \
-key /etc/opensearch/admin-key.pem \
-icl -nhnv
7. opensearch-dashboards.yml 수정
sudo cp /etc/opensearch/root-ca.pem /etc/opensearch-dashboards/root-ca.pem
sudo chown root:root /etc/opensearch-dashboards/root-ca.pem
sudo chmod 644 /etc/opensearch-dashboards/root-ca.pem
# /etc/opensearch-dashboards/opensearch_dashboards.yml
opensearch.hosts: ["https://os1.example.com:9200"]
opensearch.username: "kibanaserver"
opensearch.password: "kibanaserver"
opensearch.ssl.verificationMode: certificate
opensearch.ssl.certificateAuthorities: ["/etc/opensearch-dashboards/root-ca.pem"]
이후 각각 재기동
'Others' 카테고리의 다른 글
| logback + fluent-bit + opensearch 개발 서버용 (1) | 2026.04.15 |
|---|---|
| keycloak으로 구글 SSO 처리 (0) | 2026.03.23 |
| Redis, Prometheus, Grafana 모니터링 (0) | 2025.10.31 |
| mybatis sql 로그 pretty하게 남기기 (4) | 2025.07.31 |
| Redis + Sentine (0) | 2025.03.28 |