Secure OpenSearch Installation Guide for Enterprise Security Infrastructure
Introduction
OpenSearch, as a distributed search and analytics engine, serves as a critical component in modern security infrastructure, particularly when integrated with SIEM solutions like Graylog and Wazuh. This comprehensive guide walks through the secure installation and configuration of OpenSearch 2.15, emphasizing security best practices including proper certificate management, SSL/TLS configuration, and network security hardening.
Prerequisites and System Requirements
Hardware Compatibility Check
Before proceeding with the installation, it's crucial to verify that your virtual machine or server supports Advanced Vector Extensions (AVX) instructions. Modern security applications like MongoDB (required by Graylog) and OpenSearch rely on these processor extensions for optimal performance.
Execute the following command to verify AVX support:
lscpu | grep avx
Important: If this command produces no output, your processor doesn't support AVX instructions. In such cases, you'll need to either:
- Migrate to a server with AVX-compatible hardware
- Install MongoDB on a separate server that supports AVX
- Consider alternative deployment architectures
Without AVX support, both MongoDB and Graylog installations will fail, making this verification step critical for project success.
Certificate Authority (CA) Setup
Creating a Root Certificate Authority
Establishing a proper Public Key Infrastructure (PKI) is fundamental to securing inter-component communications in your security stack. We'll create a custom Certificate Authority that will sign certificates for all OpenSearch nodes.
Generate the CA Private Key
First, create a 4096-bit RSA private key for your Certificate Authority:
# Generate a secure 4096-bit RSA private key for the CA
openssl genrsa -out root-ca.key 4096
The 4096-bit key length provides enhanced security compared to standard 2048-bit keys, offering better protection against future cryptographic attacks.
Configure CA Certificate Details
Create an OpenSSL configuration file (openssl-ca.cnf) to standardize certificate information across your infrastructure:
[ req ]
default_bits = 4096
prompt = no
default_md = sha256
distinguished_name = dn
[ dn ]
C = MA
ST = Casablanca
L = Casablanca
O = bonsaii.local
OU = IT-Department
CN = Bonsaii Organisation
[ v3_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
Configuration Breakdown:
- default_bits: default key size (4096 bits) for any key that openssl req generates itself; the CA key above was created explicitly with genrsa at the same size
- default_md: SHA-256 as the digest used for the certificate signature
- basicConstraints: marks the certificate as a Certificate Authority; it is critical, so software that does not understand the extension must reject the certificate rather than ignore it
- keyUsage: limits the key to signing certificates and CRLs (plus plain digital signatures)
Generate the Root CA Certificate
Create a self-signed root certificate valid for 10 years:
# Generate CA self-signed certificate with 10-year validity
openssl req -x509 -new -nodes -key root-ca.key -sha256 -days 3650 -out root-ca.crt -config openssl-ca.cnf -extensions v3_ca
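The two openssl commands above can be wrapped so that the resulting certificate is checked for exactly the properties the configuration asks for. The script below is an added example written for this guide, not part of it: it reproduces the openssl-ca.cnf shown above verbatim, assumes only the openssl command-line tool, and works in a scratch directory.

```shell
#!/bin/sh
# Added example: build the root CA as the guide does, then confirm the certificate
# carries the CA properties the configuration asked for. Assumes only the openssl CLI.
set -eu

# Write the guide's openssl-ca.cnf into directory $1.
write_ca_config() {
  cat > "$1/openssl-ca.cnf" <<'EOF'
[ req ]
default_bits = 4096
prompt = no
default_md = sha256
distinguished_name = dn
[ dn ]
C = MA
ST = Casablanca
L = Casablanca
O = bonsaii.local
OU = IT-Department
CN = Bonsaii Organisation
[ v3_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
EOF
}

# Create root-ca.key and root-ca.crt in directory $1 ($2 = key size, default 4096).
make_root_ca() {
  dir=$1
  bits=${2:-4096}
  write_ca_config "$dir"
  openssl genrsa -out "$dir/root-ca.key" "$bits" 2>/dev/null
  openssl req -x509 -new -nodes -key "$dir/root-ca.key" -sha256 -days 3650 \
    -out "$dir/root-ca.crt" -config "$dir/openssl-ca.cnf" -extensions v3_ca
  chmod 400 "$dir/root-ca.key"   # the CA key must not be readable by anyone else
}

# Print the RSA key size in bits of the certificate in $1.
cert_key_bits() {
  openssl x509 -in "$1" -noout -text | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# Return 0 only if $1 is a usable root CA: CA:TRUE, keyCertSign permitted,
# signed with SHA-256, and verifiable against itself.
verify_root_ca() {
  text=$(openssl x509 -in "$1" -noout -text)
  echo "$text" | grep -q 'CA:TRUE' || { echo "basicConstraints is not CA:TRUE"; return 1; }
  echo "$text" | grep -q 'Certificate Sign' || { echo "keyUsage lacks keyCertSign"; return 1; }
  echo "$text" | grep -q 'sha256WithRSAEncryption' || { echo "signature is not SHA-256"; return 1; }
  openssl verify -CAfile "$1" "$1" >/dev/null 2>&1 || { echo "self-signature does not verify"; return 1; }
}

# Demo run in a scratch directory.
work=$(mktemp -d)
make_root_ca "$work"
verify_root_ca "$work/root-ca.crt" && echo "root CA OK, $(cert_key_bits "$work/root-ca.crt")-bit key"
rm -rf "$work"
```

Run it as a whole to see the demo, or source it and call make_root_ca against the directory where you keep CA material; verify_root_ca is also a useful check to run against a CA certificate you received from someone else before trusting it.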
Automated Certificate Generation for Wazuh Components
Wazuh provides automated tooling for generating certificates across distributed security infrastructure components.
Download Wazuh Certificate Tools
# Download the official Wazuh certificate generation script
curl -sO https://packages.wazuh.com/4.12/wazuh-certs-tool.sh
# Download the configuration template
curl -sO https://packages.wazuh.com/4.12/config.yml
Configure Component Network Topology
Edit the config.yml file to define your infrastructure layout. In this single-server deployment, all components share the same hostname:
nodes:
# Wazuh indexer nodes (OpenSearch)
indexer:
- name: node-1
ip: "bonsaii.local"
# Additional nodes for clustered deployments:
#- name: node-2
# ip: "<indexer-node-ip>"
# Wazuh server nodes
server:
- name: wazuh-1
ip: "bonsaii.local"
# For multi-node deployments:
# node_type: master
#- name: wazuh-2
# ip: "<wazuh-manager-ip>"
# node_type: worker
# Wazuh dashboard nodes
dashboard:
- name: dashboard
ip: "bonsaii.local"
Generate Certificates Using Custom CA
Execute the certificate generation script with your custom CA:
# Make the script executable
chmod u+x wazuh-certs-tool.sh
# Generate certificates for all components in config.yml, signed by your custom CA.
# Pass the root-ca.crt created above as the certificate: it is PEM-encoded, so the
# .pem name used in the tool's usage text is only a naming convention.
./wazuh-certs-tool.sh -A /path/to/your/root-ca.crt /path/to/your/root-ca.key
Package and Prepare Certificates
Create a compressed archive of the generated certificates for distribution:
# Create a tar archive of all certificates
tar -cvf ./wazuh-certificates.tar -C ./wazuh-certificates/ .
# Clean up the temporary directory
rm -rf ./wazuh-certificates
OpenSearch Installation and Configuration
System Preparation
Update the system and install required dependencies:
# Update package repositories and install prerequisites
sudo apt-get update && sudo apt-get -y install lsb-release ca-certificates curl gnupg2
Repository Configuration
Import OpenSearch GPG Key
Security best practice requires verifying package integrity using GPG signatures:
# Import and install the OpenSearch public GPG key
curl -o- https://artifacts.opensearch.org/publickeys/opensearch.pgp | sudo gpg --dearmor --batch --yes -o /usr/share/keyrings/opensearch-keyring
Add OpenSearch APT Repository
Configure the official OpenSearch repository:
# Add the OpenSearch 2.x repository
echo "deb [signed-by=/usr/share/keyrings/opensearch-keyring] https://artifacts.opensearch.org/releases/bundle/opensearch/2.x/apt stable main" | sudo tee /etc/apt/sources.list.d/opensearch-2.x.list
Verify Repository Configuration
# Update package cache to verify repository access
sudo apt-get update
# List available OpenSearch versions
sudo apt list -a opensearch
OpenSearch Installation
Install OpenSearch version 2.15.0, which provides optimal compatibility with Graylog:
# Install OpenSearch with custom initial admin password
sudo env OPENSEARCH_INITIAL_ADMIN_PASSWORD=<your-secure-password> apt-get install opensearch=2.15.0
Security Note: Replace <your-secure-password> with a strong administrative password meeting your organization's password policy requirements.
Prevent Automatic Updates
Lock the OpenSearch version to prevent unintended updates that might break Graylog compatibility:
# Hold the OpenSearch package at current version
sudo apt-mark hold opensearch
Initial Functionality Verification
Test the OpenSearch installation using the REST API:
# Test OpenSearch connectivity and authentication
curl -X GET https://localhost:9200 -u 'admin:<your-secure-password>' --insecure
Expected Response:
{
"name": "hostname",
"cluster_name": "opensearch",
"cluster_uuid": "QqgpHCbnSRKcPAizqjvoOw",
"version": {
"distribution": "opensearch",
"number": "2.15.0",
"build_type": "tar",
"build_hash": "sha",
"build_date": "date",
"build_snapshot": false,
"lucene_version": "9.x.x",
"minimum_wire_compatibility_version": "7.10.0",
"minimum_index_compatibility_version": "7.0.0"
},
"tagline": "The OpenSearch Project: https://opensearch.org/"
}
Security Configuration
Network Interface Configuration
Modify the OpenSearch configuration to bind to your designated network interface. Edit /etc/opensearch/opensearch.yml:
# Network configuration - bind to specific interface
network.host: bonsaii.local # Replace with your actual hostname/IP
# Single-node cluster configuration
discovery.type: single-node
# Ensure security plugin remains enabled
plugins.security.disabled: false
Security Consideration: Using 0.0.0.0 will bind to all interfaces, which may expose OpenSearch to unintended network access. Always specify the exact interface or hostname.
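As an added example (not from the original guide), the following shell functions turn this consideration into a check that can run after every restart: they read netstat -tln or ss -ltn output and report any OpenSearch listener (ports 9200 and 9300 by default) bound to a wildcard address. The socket lines at the bottom are constructed for the demo, not captured from a real host.

```shell
#!/bin/sh
# Added example, not part of the original guide: detect OpenSearch listeners bound
# to a wildcard address from `netstat -tln` or `ss -ltn` output.
set -eu

# Read socket lines on stdin; print "PORT ADDRESS" for each TCP listener whose local
# address is a wildcard (0.0.0.0, [::], :: or *) and whose port is in the
# space-separated list $1 (default: 9200 for HTTP and 9300 for transport).
wildcard_listeners() {
  ports=${1:-"9200 9300"}
  awk -v want="$ports" '
    BEGIN { n = split(want, p, " "); for (i = 1; i <= n; i++) wanted[p[i]] = 1 }
    /LISTEN/ {
      # The local address is the 4th field for both netstat -tln and ss -ltn.
      # Split at the last ":" so IPv6 forms such as [::]:9200 and :::9200 work.
      addr = $4
      if (match(addr, /:[0-9]+$/) == 0) next
      port = substr(addr, RSTART + 1)
      host = substr(addr, 1, RSTART - 1)
      if (!(port in wanted)) next
      if (host == "0.0.0.0" || host == "[::]" || host == "::" || host == "*")
        print port, host
    }'
}

# Return 0 when stdin shows no wildcard listener on the ports in $1, 1 otherwise.
no_wildcard_bind() {
  found=$(wildcard_listeners "${1:-}")
  [ -z "$found" ] && return 0
  echo "wildcard bind detected (fix network.host in opensearch.yml):"
  echo "$found"
  return 1
}

# Constructed sample (lines 1-2 in netstat format, 3-4 in ss format), not real output.
SAMPLE='tcp        0      0 0.0.0.0:9200            0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:9300           0.0.0.0:*               LISTEN
LISTEN 0      4096   [::]:9200        [::]:*
LISTEN 0      128    127.0.0.1:22     0.0.0.0:*'

printf '%s\n' "$SAMPLE" | no_wildcard_bind || true
# On a live host:  ss -ltn | no_wildcard_bind     (or: netstat -tln | no_wildcard_bind)
```

The demo reports the 0.0.0.0:9200 and [::]:9200 listeners and ignores the transport port bound to 10.0.0.5, which is what a correct network.host setting looks like from the outside.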
SSL/TLS Certificate Deployment
Certificate Installation
Create the certificate directory and extract the generated certificates:
# Set the node name matching your configuration
NODE_NAME=node-1
# Create certificate directory with appropriate permissions
mkdir /etc/opensearch/certs
# Extract certificates for this node
tar -xf ./wazuh-certificates.tar -C /etc/opensearch/certs/ ./$NODE_NAME.pem ./$NODE_NAME-key.pem ./admin.pem ./admin-key.pem ./root-ca.pem
# Rename certificates for easier configuration management
mv /etc/opensearch/certs/$NODE_NAME.pem /etc/opensearch/certs/indexer.pem
mv /etc/opensearch/certs/$NODE_NAME-key.pem /etc/opensearch/certs/indexer-key.pem
# Set secure permissions
chmod 500 /etc/opensearch/certs
chmod 400 /etc/opensearch/certs/*
chown -R opensearch:opensearch /etc/opensearch/certs
Comprehensive SSL/TLS Configuration
Update /etc/opensearch/opensearch.yml with complete security settings:
# Node and cluster identification
network.host: "bonsaii.local"
node.name: "node-1"
discovery.type: single-node
node.max_local_storage_nodes: "3"
# Transport Layer Security (Node-to-Node Communication)
plugins.security.ssl.transport.pemcert_filepath: /etc/opensearch/certs/indexer.pem
plugins.security.ssl.transport.pemkey_filepath: /etc/opensearch/certs/indexer-key.pem
plugins.security.ssl.transport.pemtrustedcas_filepath: /etc/opensearch/certs/root-ca.pem
plugins.security.ssl.transport.enforce_hostname_verification: true
# HTTP Layer Security (Client-to-Node Communication)
plugins.security.ssl.http.enabled: true
plugins.security.ssl.http.pemcert_filepath: /etc/opensearch/certs/indexer.pem
plugins.security.ssl.http.pemkey_filepath: /etc/opensearch/certs/indexer-key.pem
plugins.security.ssl.http.pemtrustedcas_filepath: /etc/opensearch/certs/root-ca.pem
# Node and Administrator Authentication
plugins.security.allow_default_init_securityindex: true
plugins.security.nodes_dn:
- "CN=node-1,OU=Wazuh,O=Wazuh,L=California,C=US"
plugins.security.authcz.admin_dn:
- "CN=admin,OU=Wazuh,O=Wazuh,L=California,C=US"
# Security Audit Configuration
plugins.security.audit.type: internal_opensearch
plugins.security.enable_snapshot_restore_privilege: true
plugins.security.check_snapshot_restore_write_privileges: true
plugins.security.restapi.roles_enabled: [all_access, security_rest_api_access]
# System Indices Protection
plugins.security.system_indices.enabled: true
plugins.security.system_indices.indices: [
.plugins-ml-agent, .plugins-ml-config, .plugins-ml-connector,
.plugins-ml-controller, .plugins-ml-model-group, .plugins-ml-model,
.plugins-ml-task, .plugins-ml-conversation-meta, .plugins-ml-conversation-interactions,
.plugins-ml-memory-meta, .plugins-ml-memory-message, .plugins-ml-stop-words,
.opendistro-alerting-config, .opendistro-alerting-alert*, .opendistro-anomaly-results*,
.opendistro-anomaly-detector*, .opendistro-anomaly-checkpoints,
.opendistro-anomaly-detection-state, .opendistro-reports-*, .opensearch-notifications-*,
.opensearch-notebooks, .opensearch-observability, .ql-datasources,
.opendistro-asynchronous-search-response*, .replication-metadata-store,
.opensearch-knn-models, .geospatial-ip2geo-data*, .plugins-flow-framework-config,
.plugins-flow-framework-templates, .plugins-flow-framework-state
]
Certificate Subject Verification
The nodes_dn and authcz.admin_dn configurations must exactly match the certificate subject fields. To verify certificate subject information:
# Display certificate subject in RFC2253 format
openssl x509 -in /etc/opensearch/certs/indexer.pem -noout -subject -nameopt RFC2253
This command reveals the exact Distinguished Name (DN) that should be used in the configuration.
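The comparison is easy to get wrong by hand (attribute order, spacing, a missing OU), so the following added example, which is not part of the original guide, automates it: it extracts the subject in RFC 2253 form and checks that this exact string is listed under the given *_dn key in opensearch.yml. It assumes the openssl command-line tool; the node certificate and the YAML excerpt used in the demo are constructed to carry the subject shown in the configuration above.

```shell
#!/bin/sh
# Added example, not part of the original guide: extract a certificate's subject in
# RFC 2253 form and check that it is listed verbatim under a *_dn key in opensearch.yml.
set -eu

# Print the subject DN of certificate $1 in RFC 2253 order (CN first), without the "subject=" prefix.
cert_subject_rfc2253() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

# Print each quoted DN listed under top-level YAML key $2 (e.g. plugins.security.nodes_dn)
# in file $1. The list ends at the next top-level key.
yaml_dn_entries() {
  awk -v key="$2" '
    index($0, key ":") == 1 { inlist = 1; next }
    inlist && /^[^ \t#-]/ { inlist = 0 }
    inlist && /^[ \t]*-[ \t]*"/ { sub(/^[ \t]*-[ \t]*"/, ""); sub(/"[ \t]*$/, ""); print }
  ' "$1"
}

# Return 0 if the subject of certificate $1 appears verbatim under key $3 in file $2.
dn_listed() {
  dn=$(cert_subject_rfc2253 "$1")
  if yaml_dn_entries "$2" "$3" | grep -qxF -- "$dn"; then
    return 0
  fi
  echo "subject '$dn' is not listed under $3; configured entries:" >&2
  yaml_dn_entries "$2" "$3" >&2
  return 1
}

# Demo with a constructed node certificate carrying the node-1 subject from the
# configuration above, and a constructed opensearch.yml excerpt.
work=$(mktemp -d)
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$work/node-1-key.pem" -out "$work/node-1.pem" \
  -days 1 -subj "/C=US/L=California/O=Wazuh/OU=Wazuh/CN=node-1" 2>/dev/null
cat > "$work/opensearch.yml" <<'EOF'
plugins.security.nodes_dn:
- "CN=node-1,OU=Wazuh,O=Wazuh,L=California,C=US"
plugins.security.authcz.admin_dn:
- "CN=admin,OU=Wazuh,O=Wazuh,L=California,C=US"
EOF
echo "certificate subject: $(cert_subject_rfc2253 "$work/node-1.pem")"
dn_listed "$work/node-1.pem" "$work/opensearch.yml" plugins.security.nodes_dn && echo "nodes_dn matches"
rm -rf "$work"
```

On a real node, run dn_listed against /etc/opensearch/certs/indexer.pem with plugins.security.nodes_dn, and against admin.pem with plugins.security.authcz.admin_dn; a mismatch in either is the usual cause of nodes failing to join or securityadmin being rejected.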
Cleanup Demo Certificates
Move the demo certificates that ship with the package out of the configuration directory. Their private keys are published with the OpenSearch sources, so they must never remain in use:
# Create demo directory for storage
mkdir -p /etc/opensearch/demo
# Move demo certificates to separate directory
mv /etc/opensearch/esnode* /etc/opensearch/demo/
mv /etc/opensearch/kirk* /etc/opensearch/demo/
mv /etc/opensearch/root-ca.pem /etc/opensearch/demo/
mv /etc/opensearch/securityadmin_demo.sh /etc/opensearch/demo/
Service Restart and Final Verification
Restart OpenSearch Service
Apply the new configuration by restarting the service:
# Restart OpenSearch to apply security configurations
systemctl restart opensearch
# Verify service status
systemctl status opensearch
Security Verification
Test the secure HTTPS endpoint:
# Test secure connectivity with proper authentication
curl -X GET https://localhost:9200 -u 'admin:<your-secure-password>' --insecure
The --insecure flag disables certificate verification altogether (the chain as well as the hostname check) and is acceptable only for this test: the certificate is issued for bonsaii.local, not for localhost. In production, connect by the hostname the certificate is issued for (with working DNS resolution, or issue certificates for IP addresses) and pass --cacert /etc/opensearch/certs/root-ca.pem so curl verifies the node against your own CA instead of skipping verification.
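Before dropping --insecure it is worth knowing which of the two checks would fail. The script below is an added example, not part of the original guide: it runs the hostname check and the chain check that curl --cacert would perform, using openssl. It assumes OpenSSL 1.1.1 or newer, and the CA and node certificate it builds are constructed stand-ins for root-ca.pem and indexer.pem.

```shell
#!/bin/sh
# Added example, not part of the original guide. Assumes the openssl CLI (1.1.1 or
# newer); the demo CA and node certificate are constructed stand-ins for
# root-ca.pem and indexer.pem.
set -eu

# Return 0 if certificate $1 is issued for hostname $2 (SAN dNSName entries are
# checked first; the CN is only a fallback when the certificate has no SAN).
cert_matches_host() {
  openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}

# Return 0 if certificate $1 validates against CA bundle $2, which is what
# curl --cacert "$2" will check.
cert_chains_to_ca() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Run both checks for the name you intend to put in the URL. Exit status 0 means
# --insecure can be replaced by --cacert "$2".
tls_preflight() {   # $1 = node certificate, $2 = CA file, $3 = hostname in the URL
  status=0
  cert_chains_to_ca "$1" "$2" || { echo "FAIL chain: $1 does not validate against $2"; status=1; }
  cert_matches_host "$1" "$3" || { echo "FAIL hostname: $1 is not issued for '$3'; connect using a name from its SAN"; status=1; }
  [ "$status" -eq 0 ] && echo "OK: curl https://$3:9200 --cacert $2 -u 'admin:<your-secure-password>' will verify"
  return "$status"
}

# Build a constructed demo PKI in $1: a self-signed CA and a node certificate it
# issues for DNS name $2 (a SAN entry; the CN alone does not satisfy hostname checks).
make_demo_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1/ca.key" -out "$1/ca.pem" \
    -days 1 -subj /CN=demo-root-ca 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1/node.key" -out "$1/node.csr" \
    -subj /CN=node-1 2>/dev/null
  printf 'subjectAltName=DNS:%s\n' "$2" > "$1/san.ext"
  openssl x509 -req -in "$1/node.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" -CAcreateserial \
    -days 1 -extfile "$1/san.ext" -out "$1/node.pem" 2>/dev/null
}

work=$(mktemp -d)
make_demo_pki "$work" bonsaii.local
tls_preflight "$work/node.pem" "$work/ca.pem" bonsaii.local            # both checks pass
tls_preflight "$work/node.pem" "$work/ca.pem" localhost || true        # hostname check fails, as with the curl test above
rm -rf "$work"
```

On the real node, call tls_preflight /etc/opensearch/certs/indexer.pem /etc/opensearch/certs/root-ca.pem bonsaii.local; once it prints OK, the curl command it suggests replaces the --insecure variant.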
Troubleshooting and Monitoring
Log Analysis
Monitor OpenSearch logs for configuration issues or security events:
# Real-time log monitoring
tail -f -n 50 /var/log/opensearch/opensearch.log
# Service status verification
systemctl status opensearch
# Check for port binding issues (use ss -tlnp where net-tools/netstat is not installed)
netstat -tlnp | grep :9200
Common Issues and Solutions
- Certificate Validation Errors: Verify certificate paths and permissions
- Network Binding Issues: Ensure hostname resolution and firewall configuration
- Authentication Failures: Confirm password policies and user permissions
- Service Startup Failures: Check Java heap size and system resources
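The first item above, certificate paths and permissions, is worth scripting because the failure shows up only as a generic TLS error in the log. The following added example (not part of the original guide) audits the certificate directory as laid out earlier: expected files present, directory mode 500, file mode 400, expected owner, no CA private key left on the node, and each private key actually belonging to its certificate. It assumes the openssl command-line tool and GNU stat; the scratch directory in the demo is constructed with self-signed stand-ins.

```shell
#!/bin/sh
# Added example, not part of the original guide: audit an OpenSearch certificate
# directory for the problems behind "certificate validation" errors.
# Assumes the openssl CLI and GNU stat.
set -eu

# Return 0 if private key $2 belongs to certificate $1 (identical public key).
key_matches_cert() {
  c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ "$c" = "$k" ]
}

# Print one finding per line for certificate directory $1 (expected owner $2,
# "opensearch" on a real node); print nothing when the directory is in order.
audit_cert_dir() {
  dir=$1; owner=$2
  [ "$(stat -c '%a' "$dir")" = 500 ] || echo "mode: $dir is $(stat -c '%a' "$dir"), expected 500"
  for f in indexer.pem indexer-key.pem root-ca.pem admin.pem admin-key.pem; do
    p="$dir/$f"
    if [ ! -f "$p" ]; then echo "missing: $p"; continue; fi
    [ "$(stat -c '%a' "$p")" = 400 ] || echo "mode: $p is $(stat -c '%a' "$p"), expected 400"
    [ "$(stat -c '%U' "$p")" = "$owner" ] || echo "owner: $p is $(stat -c '%U' "$p"), expected $owner"
  done
  # The CA's private key only signs certificates; it has no business on a node.
  for k in root-ca.key root-ca-key.pem; do
    [ ! -e "$dir/$k" ] || echo "danger: CA private key $k present in $dir"
  done
  for pair in indexer admin; do
    [ -f "$dir/$pair.pem" ] && [ -f "$dir/$pair-key.pem" ] || continue
    key_matches_cert "$dir/$pair.pem" "$dir/$pair-key.pem" || echo "mismatch: $pair-key.pem is not the key for $pair.pem"
  done
}

# Return 0 only when audit_cert_dir reports nothing.
certs_ok() { [ -z "$(audit_cert_dir "$1" "$2")" ]; }

# Demo: constructed self-signed stand-ins for the real files, with two deliberate
# mistakes (a world-readable admin key and a CA key copied onto the node).
work=$(mktemp -d); certs="$work/certs"; mkdir "$certs"
for n in indexer admin root-ca; do
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$certs/$n-key.pem" -out "$certs/$n.pem" \
    -days 1 -subj "/CN=$n" 2>/dev/null
done
chmod 400 "$certs"/*; chmod 644 "$certs/admin-key.pem"; chmod 500 "$certs"
audit_cert_dir "$certs" "$(stat -c '%U' "$certs")"
chmod -R u+w "$work"; rm -rf "$work"
```

On a real node run audit_cert_dir /etc/opensearch/certs opensearch as root; an empty result means the layout matches what the configuration in the previous sections expects.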
Security Best Practices Summary
- Certificate Management: Use strong encryption (4096-bit RSA keys) and maintain proper certificate lifecycle management
- Network Security: Bind services to specific interfaces and implement network segmentation
- Access Control: Implement role-based access control and regular password rotation
- Monitoring: Enable comprehensive audit logging and real-time monitoring
- Updates: Maintain version control while ensuring security patch deployment
Conclusion
This guide establishes a secure foundation for OpenSearch deployment within enterprise security infrastructure. The implementation includes proper PKI management, comprehensive SSL/TLS configuration, and security hardening measures essential for production environments. Regular security assessments and monitoring should be implemented to maintain the integrity of your security analytics platform.
For production deployments, consider implementing additional security measures such as network intrusion detection, endpoint monitoring, and regular security audits to ensure comprehensive protection of your security infrastructure.