Version: 5.0

Replacing Old Certificates

Copying New Certificates for OpenSearch

Overview

Certificate replacement in OpenSearch is a critical step for establishing secure node-to-node communication. This process involves deploying new certificates and private keys to the appropriate nodes to ensure data encryption and service authentication.

Notations:

$PATH_NEW_NODE_CERT_KEY — path to new certificates and private keys

Please note!

Disable shard allocation or restart nodes sequentially, waiting for cluster recovery before proceeding.

  1. Deploy certificates to SM Data Master

     cp $PATH_NEW_NODE_CERT_KEY/{node-cert.pem,node-key.pem} ${OS_HOME}/config/

  2. Restart SM Data Master node

     systemctl stop opensearch
     systemctl start opensearch

  3. Verify node reconnection to cluster

     GET _cat/nodes?v

  4. Restart data nodes

Restart SM Data Storage nodes in stages: first restart the nodes whose routing_mode parameter is cold, one at a time, then the warm nodes, then the hot nodes.
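
A pre-flight check that can be run against $PATH_NEW_NODE_CERT_KEY before the copy in step 1 (an added example, not part of the original documentation). It confirms that node-key.pem matches node-cert.pem, that the certificate is not about to expire, and that it verifies against ca-cert.pem. The function name, the 30-day default and the unencrypted PEM key are assumptions made here.

```shell
#!/bin/sh
# Added example: validate a new certificate/key pair before deploying it.
# File names follow the page; check_new_cert and the 30-day default are
# assumptions of this example. Assumes an unencrypted PEM private key.
#
# check_new_cert DIR [MIN_DAYS]
# Returns 0 if the pair is safe to deploy, otherwise:
#   1 = file missing, 2 = key/cert mismatch,
#   3 = expires within MIN_DAYS, 4 = does not chain to ca-cert.pem
check_new_cert() {
    dir=$1
    min_days=${2:-30}
    cert=$dir/node-cert.pem
    key=$dir/node-key.pem
    ca=$dir/ca-cert.pem

    for f in "$cert" "$key" "$ca"; do
        [ -r "$f" ] || { echo "missing or unreadable: $f" >&2; return 1; }
    done

    # The certificate and the private key must carry the same public key.
    # "-passin pass:" stops openssl from prompting if the key is encrypted.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || cert_pub=
    key_pub=$(openssl pkey -in "$key" -passin pass: -pubout 2>/dev/null) || key_pub=
    if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "node-key.pem does not match node-cert.pem" >&2
        return 2
    fi

    # -checkend N exits non-zero if the certificate expires within N seconds.
    if ! openssl x509 -in "$cert" -noout -checkend $((min_days * 86400)) >/dev/null; then
        echo "node-cert.pem expires within $min_days days" >&2
        return 3
    fi

    # The node certificate must verify against the CA the other nodes trust.
    if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "node-cert.pem does not chain to ca-cert.pem" >&2
        return 4
    fi
    return 0
}

# Stand-alone use: sh check_new_cert.sh "$PATH_NEW_NODE_CERT_KEY" [MIN_DAYS]
if [ "$#" -ge 1 ]; then check_new_cert "$@"; fi
```

A non-zero result means the files should not be copied: a node restarted with a mismatched or untrusted certificate will not rejoin the cluster.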

Deploying Generated Certificates for SME-RE and Inventory

Warning

Perform these steps only if these components use different certificates than SM Data Master and SM Data Storage nodes.

  1. Deploy certificates to SME-RE

     cp $PATH_NEW_NODE_CERT_KEY/{node-cert.pem,node-key.pem} ${OS_HOME}/utils/sme-re

  2. Restart SME-RE nodes

     systemctl stop sme-re
     systemctl start sme-re

  3. Check logs for errors

     tail -f /app/logs/opensearch/sme-re/main.log

  4. Deploy certificates to Inventory

     cp $PATH_NEW_NODE_CERT_KEY/ca-cert.pem ${OS_HOME}/utils/inventory

Deploying Generated Certificates for Other Smart Monitor Components

  1. Deploy certificates to OpenSearch Dashboards (OSD)

     cp $PATH_NEW_NODE_CERT_KEY/{node-cert.pem,node-key.pem} ${OSD_HOME}/config

  2. Restart OSD nodes

     systemctl stop opensearch-dashboards
     systemctl start opensearch-dashboards

  3. Verify OSD connection to OpenSearch

  4. Deploy certificates to Logstash

     cp $PATH_NEW_NODE_CERT_KEY/{node-cert.pem,node-key.pem} ${LOGSTASH_HOME}/config/

  5. Restart Logstash nodes

     systemctl stop logstash
     systemctl start logstash

  6. Check Logstash logs for errors

     tail -f /app/logs/logstash/logstash-plain.log

  7. Deploy certificates to Smart Beat Manager

     cp $PATH_NEW_NODE_CERT_KEY/{cert.pem,key.pem} ${SBM_HOME}/etc/ssl

  8. Restart Smart Beat Manager

     systemctl stop smartBeatManager
     systemctl start smartBeatManager