How to Install OpenSearch on Ubuntu 24.04

OpenSearch is a community-driven project by Amazon and a fork of Elasticsearch and Kibana. It's a fully open-source search engine and analytics suite with rich features and innovative functionality. The OpenSearch project's main components are OpenSearch (a fork of Elasticsearch) and the OpenSearch Dashboards (a fork of Kibana). Both components provide features such as enterprise security, alerting, machine learning, SQL, index state management, and more.

This guide will show you how to install OpenSearch and OpenSearch Dashboard on the Ubuntu 24.04 server. You'll also secure OpenSearch with TLS certificates and enable authentication with username and password.

Prerequisites

Before you start, make sure you have the following:

  • An Ubuntu 24.04 server with at least 8GB of RAM
  • A non-root user with administrator (sudo) privileges

Adding OpenSearch repository

To begin, you need to add the OpenSearch and OpenSearch Dashboard repositories to your system. In this example, we'll be using the latest stable version of OpenSearch.

First, run the command below to install basic packages to your Ubuntu system.

sudo apt install lsb-release ca-certificates curl gnupg2 -y

Download the GPG key for the OpenSearch repository with the following command.

curl -o- https://artifacts.opensearch.org/publickeys/opensearch.pgp | sudo gpg --dearmor --batch --yes -o /usr/share/keyrings/opensearch-keyring

Add repositories for the OpenSearch and OpenSearch Dashboard to your system with the command below. In this example, you'll be using OpenSearch 2.x stable version.

echo "deb [signed-by=/usr/share/keyrings/opensearch-keyring] https://artifacts.opensearch.org/releases/bundle/opensearch/2.x/apt stable main" | sudo tee /etc/apt/sources.list.d/opensearch-2.x.list

echo "deb [signed-by=/usr/share/keyrings/opensearch-keyring] https://artifacts.opensearch.org/releases/bundle/opensearch-dashboards/2.x/apt stable main" | sudo tee /etc/apt/sources.list.d/opensearch-dashboards-2.x.list

Lastly, run the 'apt' command below to update your package index and retrieve new OpenSearch package information.

sudo apt update

Installing OpenSearch and OpenSearch Dashboard

After the OpenSearch repository is added, you'll be installing OpenSearch and OpenSearch Dashboard through the APT package manager. Then, you'll start both services via the 'systemctl' utility.

Before installing OpenSearch, run the command below to generate a random string to use as the initial admin password. Copy the output and modify it so that the password also includes an uppercase letter, a number, and a symbol.

sudo openssl rand -hex 16

Now run the command below to install the 'opensearch' and 'opensearch-dashboards' packages. Make sure to change the 'OPENSEARCH_INITIAL_ADMIN_PASSWORD' value to your own password and type 'Y' to confirm the installation.

sudo env OPENSEARCH_INITIAL_ADMIN_PASSWORD=B07e_af7e9f8fe12e@85ab797ddc1f174D apt-get install opensearch opensearch-dashboards

After the installation is finished, run the 'systemctl' command below to reload the systemd manager and apply the new service files.

sudo systemctl daemon-reload

You can now start, enable, and verify OpenSearch with the command below.

sudo systemctl enable --now opensearch
sudo systemctl status opensearch

The output should show that the OpenSearch service is running.

Lastly, you can now start, enable, and verify the OpenSearch Dashboard service using the following command.

sudo systemctl enable --now opensearch-dashboards
sudo systemctl status opensearch-dashboards

The output should show that the 'opensearch-dashboards' service is running.

Configuring OpenSearch

With OpenSearch installed, you will now configure it through the '/etc/opensearch/opensearch.yml' file. You'll also increase the default maximum JVM (Java Virtual Machine) heap size for OpenSearch as needed.

Open the default OpenSearch configuration '/etc/opensearch/opensearch.yml' with the 'nano' editor.

sudo nano /etc/opensearch/opensearch.yml

Change the following OpenSearch configurations:

  • Change the 'network.host' option to your local IP address
  • Add the 'discovery.type' option as 'single-node' to run OpenSearch in single-node mode
  • Set the 'plugins.security.disabled' option to 'false'

# Bind OpenSearch to the correct network interface. Use 0.0.0.0
# to include all available interfaces or specify an IP address
# assigned to a specific interface.
network.host: 192.168.10.60

# Unless you have already configured a cluster, you should set
# discovery.type to single-node, or the bootstrap checks will
# fail when you try to start the service.
discovery.type: single-node

# If you previously disabled the security plugin in opensearch.yml,
# be sure to re-enable it. Otherwise you can skip this setting.
plugins.security.disabled: false

Save the file and exit the editor when finished.

Next, open the JVM (Java Virtual Machine) configuration '/etc/opensearch/jvm.options' with the 'nano' editor.

sudo nano /etc/opensearch/jvm.options

Increase the default max memory for OpenSearch as needed. The default value is '1GB'.

-Xms2g
-Xmx2g

Save and exit the file.

Lastly, run the following 'systemctl' command to restart 'opensearch' and apply your changes. With this, OpenSearch will be running on a local IP address in single-node mode.

sudo systemctl restart opensearch

Securing OpenSearch with TLS/SSL certificates

Now that you've configured OpenSearch, you'll need to set up the OpenSearch security through SSL/TLS certificates. In this section, you'll disable demo certificates, and then generate root certificates, admin certificates, and host/server certificates.

Before generating SSL certificates, delete demo certificates from OpenSearch using the command below.

sudo rm -f /etc/opensearch/{esnode-key.pem,esnode.pem,kirk-key.pem,kirk.pem,root-ca.pem}

Edit the OpenSearch configuration '/etc/opensearch/opensearch.yml' with the 'nano' editor.

sudo nano /etc/opensearch/opensearch.yml

Comment out the 'demo' security configuration lines for OpenSearch in this file.

Save the file and exit the editor.

Now create a new directory '/etc/opensearch/certs' and move into it. This directory will be used to store new certificates for OpenSearch.

mkdir -p /etc/opensearch/certs; cd /etc/opensearch/certs

Generating root certificates

First, run the command below to generate the root CA private key that will be used to sign your other certificates, such as server and client certificates.

openssl genrsa -out root-ca-key.pem 2048

Now run the following command to generate a root certificate from your private key. Make sure to change the '-subj' option with your server details.

openssl req -new -x509 -sha256 -key root-ca-key.pem -subj "/C=CA/ST=ONTARIO/L=TORONTO/O=ORG/OU=UNIT/CN=ROOT" -out root-ca.pem -days 730

Generating admin certificates

Create a new private key for your admin certificate with the following.

openssl genrsa -out admin-key-temp.pem 2048

Convert your admin key to the PKCS8 format using the command below.

openssl pkcs8 -inform PEM -outform PEM -in admin-key-temp.pem -topk8 -nocrypt -v1 PBE-SHA1-3DES -out admin-key.pem

Next, create a new certificate signing request (CSR) for the admin certificate with the command below.

openssl req -new -key admin-key.pem -subj "/C=CA/ST=ONTARIO/L=TORONTO/O=ORG/OU=UNIT/CN=A" -out admin.csr

Now run the following command to sign your new admin certificate signing request (CSR) with the root certificate.

openssl x509 -req -in admin.csr -CA root-ca.pem -CAkey root-ca-key.pem -CAcreateserial -sha256 -out admin.pem -days 730


Generating host or server certificates

Generate the private key for your OpenSearch host/server and convert the key to PKCS8 format.

openssl genrsa -out ubuntu24-key-temp.pem 2048
openssl pkcs8 -inform PEM -outform PEM -in ubuntu24-key-temp.pem -topk8 -nocrypt -v1 PBE-SHA1-3DES -out ubuntu24-key.pem

Now run the following command to generate a certificate signing request (CSR) for your host. The CN or Common Name should match the FQDN of your host server and not the short hostname. In this example, the FQDN for the server is 'ubuntu24.howtoforge.local'.

openssl req -new -key ubuntu24-key.pem -subj "/C=CA/ST=ONTARIO/L=TORONTO/O=ORG/OU=UNIT/CN=ubuntu24.howtoforge.local" -out ubuntu24.csr

Next, run the command below to create a new extension file that contains the DNS of your host/server.

echo 'subjectAltName=DNS:ubuntu24.howtoforge.local' > ubuntu24.ext

Lastly, run the following command to sign the host/server certificate with the root certificate and include the extension file you created earlier.

openssl x509 -req -in ubuntu24.csr -CA root-ca.pem -CAkey root-ca-key.pem -CAcreateserial -sha256 -out ubuntu24.pem -days 730 -extfile ubuntu24.ext


Setting up certificates

Delete the temporary keys, the CSRs (certificate signing requests) for the admin and host, and the extension file with the following.

rm *temp.pem *csr *ext
ls

Now convert the 'root-ca.pem' certificate to the 'root-ca.crt' file with the command below.

openssl x509 -outform der -in root-ca.pem -out root-ca.crt

After that, copy the 'root-ca.crt' certificate to the '/usr/local/share/ca-certificates' directory and load your root certificate to the server.

sudo cp root-ca.crt /usr/local/share/ca-certificates
sudo update-ca-certificates


Lastly, run the following command to set up proper permission and ownership of certificate files and directories.

sudo chown -R opensearch:opensearch /etc/opensearch/certs
sudo chmod 0700 /etc/opensearch/certs
sudo chmod 0600 /etc/opensearch/certs/*.pem
sudo chmod 0600 /etc/opensearch/certs/*.crt

Adding certificates to OpenSearch

After generating TLS certificates for OpenSearch, you need to add a new configuration to the 'opensearch.yml' file. In this case, you'll add the new configuration to 'opensearch.yml' through a bash script.

Before adding certificates to your OpenSearch server, run the command below to back up the 'opensearch.yml' file and set up your server FQDN.

sudo cp /etc/opensearch/opensearch.yml /etc/opensearch/opensearch.yml.orig
sudo hostnamectl set-hostname ubuntu24.howtoforge.local

Now create a new file 'add-cert.sh' with the 'nano' editor.

nano add-cert.sh

Insert the following configurations into the file. With this, you'll add new configurations to the OpenSearch config file 'opensearch.yml'.

#! /bin/bash

# Before running this script, make sure to replace the CN in the
# node's distinguished name with a real DNS A record.

echo "plugins.security.ssl.transport.pemcert_filepath: /etc/opensearch/certs/ubuntu24.pem" | sudo tee -a /etc/opensearch/opensearch.yml
echo "plugins.security.ssl.transport.pemkey_filepath: /etc/opensearch/certs/ubuntu24-key.pem" | sudo tee -a /etc/opensearch/opensearch.yml
echo "plugins.security.ssl.transport.pemtrustedcas_filepath: /etc/opensearch/certs/root-ca.pem" | sudo tee -a /etc/opensearch/opensearch.yml
echo "plugins.security.ssl.http.enabled: true" | sudo tee -a /etc/opensearch/opensearch.yml
echo "plugins.security.ssl.http.pemcert_filepath: /etc/opensearch/certs/ubuntu24.pem" | sudo tee -a /etc/opensearch/opensearch.yml
echo "plugins.security.ssl.http.pemkey_filepath: /etc/opensearch/certs/ubuntu24-key.pem" | sudo tee -a /etc/opensearch/opensearch.yml
echo "plugins.security.ssl.http.pemtrustedcas_filepath: /etc/opensearch/certs/root-ca.pem" | sudo tee -a /etc/opensearch/opensearch.yml
echo "plugins.security.allow_default_init_securityindex: true" | sudo tee -a /etc/opensearch/opensearch.yml
echo "plugins.security.authcz.admin_dn:" | sudo tee -a /etc/opensearch/opensearch.yml
echo " - 'CN=A,OU=UNIT,O=ORG,L=TORONTO,ST=ONTARIO,C=CA'" | sudo tee -a /etc/opensearch/opensearch.yml
echo "plugins.security.nodes_dn:" | sudo tee -a /etc/opensearch/opensearch.yml
echo " - 'CN=ubuntu24.howtoforge.local,OU=UNIT,O=ORG,L=TORONTO,ST=ONTARIO,C=CA'" | sudo tee -a /etc/opensearch/opensearch.yml
echo "plugins.security.audit.type: internal_opensearch" | sudo tee -a /etc/opensearch/opensearch.yml
echo "plugins.security.enable_snapshot_restore_privilege: true" | sudo tee -a /etc/opensearch/opensearch.yml
echo "plugins.security.check_snapshot_restore_write_privileges: true" | sudo tee -a /etc/opensearch/opensearch.yml
echo "plugins.security.restapi.roles_enabled: [\"all_access\", \"security_rest_api_access\"]" | sudo tee -a /etc/opensearch/opensearch.yml

Save the file and exit the editor when finished.

Now make the 'add-cert.sh' file executable and execute it with the following command. New configurations will be added to the 'opensearch.yml' file.

chmod +x add-cert.sh
./add-cert.sh
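
A pre-flight check for this step, as an added example that is not part of the original guide: it confirms that the node certificate chains to the root CA, carries the FQDN as a subjectAltName, and that its subject DN is the one listed under 'plugins.security.nodes_dn'. The function names, the throwaway demo PKI and the mismatched sample 'opensearch.yml' are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the guide): pre-flight checks for the node certificate.

# Subject DN in the RFC 2253 form used by admin_dn / nodes_dn.
cert_dn() { openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'; }

# True if certificate $2 chains to CA certificate $1.
signed_by() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# True if certificate $1 lists $2 as a DNS subjectAltName (exact match).
has_san() {
  openssl x509 -in "$1" -noout -text | tr ',' '\n' | sed 's/^ *//' | grep -qxF "DNS:$2"
}

# True if DN $3 is an item of the YAML list under key $2 in file $1.
dn_listed() {
  awk -v key="$2:" -v dn="$3" -v q="'" '
    $0 == key         { inlist = 1; next }
    inlist && /^ *- / { sub(/^ *- */, ""); sub(/ *$/, ""); gsub(q, ""); gsub(/"/, "")
                        if ($0 == dn) found = 1; next }
                      { inlist = 0 }
    END               { exit !found }' "$1"
}

# Constructed demo PKI in directory $1, built the same way as the guide's files.
demo_pki() {
  local d="$1" subj="/C=CA/ST=ONTARIO/L=TORONTO/O=ORG/OU=UNIT"
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 -subj "$subj/CN=ROOT" \
    -keyout "$d/root-ca-key.pem" -out "$d/root-ca.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "$subj/CN=ubuntu24.howtoforge.local" \
    -keyout "$d/node-key.pem" -out "$d/node.csr" 2>/dev/null
  echo 'subjectAltName=DNS:ubuntu24.howtoforge.local' > "$d/node.ext"
  openssl x509 -req -in "$d/node.csr" -CA "$d/root-ca.pem" -CAkey "$d/root-ca-key.pem" \
    -CAcreateserial -sha256 -days 1 -extfile "$d/node.ext" -out "$d/node.pem" 2>/dev/null
}

# Demo: the constructed opensearch.yml lists a DN with the wrong domain.
d=$(mktemp -d) && demo_pki "$d"
printf '%s\n' "plugins.security.nodes_dn:" \
  " - 'CN=ubuntu24.example.invalid,OU=UNIT,O=ORG,L=TORONTO,ST=ONTARIO,C=CA'" > "$d/opensearch.yml"
signed_by "$d/root-ca.pem" "$d/node.pem" && echo "chain: ok"
has_san "$d/node.pem" ubuntu24.howtoforge.local && echo "SAN: ok"
dn_listed "$d/opensearch.yml" plugins.security.nodes_dn "$(cert_dn "$d/node.pem")" \
  || echo "nodes_dn mismatch: certificate DN is $(cert_dn "$d/node.pem")"
rm -rf "$d"
```

Run the same functions against the real files in '/etc/opensearch/certs' and '/etc/opensearch/opensearch.yml' before restarting the service. Once they pass, the later 'curl' checks can use '--cacert /etc/opensearch/certs/root-ca.pem' with the FQDN in place of '-k'.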


Securing OpenSearch with password authentication

At this point, you've configured OpenSearch with SSL/TLS certificates, and in the next step, you'll set up password authentication for OpenSearch. You'll set passwords for two users: one used to log in to OpenSearch and one used to integrate OpenSearch with the OpenSearch Dashboard.

Go to the '/usr/share/opensearch/plugins/opensearch-security/tools' directory and execute the 'hash.sh' script to generate a new password hash for OpenSearch. Execute 'hash.sh' twice to generate two password hashes, one for OpenSearch and one for the OpenSearch Dashboard. Also, make sure to copy the generated hashes to your notes.

cd /usr/share/opensearch/plugins/opensearch-security/tools
OPENSEARCH_JAVA_HOME=/usr/share/opensearch/jdk ./hash.sh

Now open the file '/etc/opensearch/opensearch-security/internal_users.yml' with the following 'nano' editor.

sudo nano /etc/opensearch/opensearch-security/internal_users.yml

Replace the password hash for the 'admin' and 'kibanaserver' users with the hashes you generated earlier. The 'admin' user will be used to log in to the OpenSearch Dashboard, and the 'kibanaserver' user will be used for the connection between OpenSearch and the OpenSearch Dashboard.

admin:
  hash: "$2y$12$zPtsgbrpfmInPRuDEKvDKetuzhUzsQWyCpE9foT1uun5RTMW51p9K"
  reserved: true
  backend_roles:
  - "admin"
  description: "Admin user"

kibanaserver:
  hash: "$2y$12$zPtsgbrpfmInPRuDEKvDKetuzhUzsQWyCpE9foT1uun5RTMW51p9K"
  reserved: true
  description: "Demo OpenSearch Dashboards user"

Save the file and exit the editor when finished.

Now run the command below to restart the 'opensearch' service and apply your changes.

sudo systemctl restart opensearch

Once OpenSearch has restarted, run the 'securityadmin.sh' command below, which authenticates with your admin certificate and loads the security configuration into OpenSearch.

cd /usr/share/opensearch/plugins/opensearch-security/tools
OPENSEARCH_JAVA_HOME=/usr/share/opensearch/jdk ./securityadmin.sh -h 192.168.10.60 -p 9200 -cd /etc/opensearch/opensearch-security/ -cacert /etc/opensearch/certs/root-ca.pem -cert /etc/opensearch/certs/admin.pem -key /etc/opensearch/certs/admin-key.pem -icl -nhnv

If it goes well, the command completes without errors.

Lastly, run the 'curl' command below to verify the authentication to the OpenSearch server.

curl https://192.168.10.60:9200 -u admin:password -k
curl https://192.168.10.60:9200 -u kibanaserver:kibanapass -k

When successful, you'll be able to access OpenSearch with your username and password through HTTPS protocol.


Configuring OpenSearch Dashboard

After password authentication is configured, you'll be setting up the OpenSearch Dashboard by editing the file 'opensearch_dashboards.yml'.

Open the configuration for OpenSearch Dashboard '/etc/opensearch-dashboards/opensearch_dashboards.yml' with the 'nano' editor.

sudo nano /etc/opensearch-dashboards/opensearch_dashboards.yml

Input your local IP address to the 'server.host' option like the following:

server.host: "192.168.10.60"

Make sure to change the OpenSearch host, username, and password with your information.

opensearch.hosts: ["https://192.168.10.60:9200"]
opensearch.ssl.verificationMode: none
opensearch.username: kibanaserver
opensearch.password: kibanapass

Save the file and exit the editor.

Now run the 'systemctl' command below to restart the OpenSearch Dashboard and apply your changes. With this, the OpenSearch Dashboard should be connected to OpenSearch.

sudo systemctl restart opensearch-dashboards

Next, open your web browser and visit http://192.168.10.60:5601. If your installation is successful, you'll see the OpenSearch Dashboard login page.

Enter your admin user and password, then click 'Log in'.


Once logged in, select the 'Add data' to add new data or click the 'Explore on my own' option.


To ensure the connection between OpenSearch and OpenSearch Dashboard, you need to check the OpenSearch status from the dashboard.

On the 'Management' section, click 'Dev Tools'.


Within the console section, input 'GET /' and click the play button. If the connection between OpenSearch and the OpenSearch Dashboard is successful, the response pane shows the OpenSearch node and version information.

Conclusion

Congratulations! You've installed OpenSearch and OpenSearch Dashboard on the Ubuntu 24.04 server. OpenSearch runs in single-node mode, and the installation is secured with HTTPS. Lastly, you've also configured authentication for OpenSearch and integrated OpenSearch with the OpenSearch Dashboard.
