How to configure HTTPS for remote OpenSearch instance in Bitbucket Data Center

Platform Notice: Data Center Only - This article only applies to Atlassian products on the Data Center platform.

Note that this KB was created for the Data Center version of the product. Data Center KBs for non-Data-Center-specific features may also work for Server versions of the product, however they have not been tested. Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.

*Except Fisheye and Crucible

Summary

There are multiple ways to configure HTTPS for OpenSearch. Here we will discuss the easiest way to enable it using the opensearch.yml file.

Environment

Bitbucket Data Center 7.21.0: valid for a remote OpenSearch instance.

Solution

OpenSearch uses two ports to listen to external TCP traffic:

| Port | Usage |
|------|-------|
| 9200 | Used for all API calls over HTTP. This includes search and aggregations, monitoring, and anything else that uses an HTTP request. All client libraries use this port to talk to OpenSearch. |
| 9300 | Custom binary protocol used for communication between nodes in a cluster, for things like cluster updates, master elections, nodes joining/leaving, shard allocation, etc. |

You can change the ports that OpenSearch uses with the http.port and transport.port settings in the opensearch.yml file, located in the <Opensearch-home>/config/ folder.

Instructions to secure port 9300 are already covered in the document Install and configure remote OpenSearch server. 💡 Make sure you have followed all the steps in that KB before proceeding further.

To configure HTTPS on the http.port 9200, you need to add plugins.security.ssl.http parameters in the opensearch.yml as shown below.

plugins.security.ssl.http.enabled: true
plugins.security.ssl.http.pemcert_filepath: <your_ssl_cert.pem>
plugins.security.ssl.http.pemkey_filepath: <your_ssl_key.pem>
plugins.security.ssl.http.pemtrustedcas_filepath: <your_root_ca.pem>
plugins.security.allow_unsafe_democertificates: false

The property plugins.security.allow_unsafe_democertificates should be set to false if you want to use a self-signed certificate in your instance. For the self-signed certificate to work, you must also add the OpenSearch SSL certificate to Bitbucket's Java trust store so that Bitbucket trusts the OpenSearch domain.

If the Bitbucket server is using a self-signed certificate, that certificate must be added to the Java trust store used by OpenSearch (Instructions).
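
The following is an added example, not part of the original article and not Atlassian or OpenSearch tooling: a Python check that the five settings above are present in opensearch.yml with the expected values and that no template placeholder was left in place. It assumes the flat dotted-key layout shown on this page; the function names and the sample configuration are constructed for illustration.

```python
import re

# Settings this article adds to opensearch.yml and the value each must have
# (None = any real file name, i.e. not empty and not a <placeholder>).
REQUIRED = {
    "plugins.security.ssl.http.enabled": "true",
    "plugins.security.ssl.http.pemcert_filepath": None,
    "plugins.security.ssl.http.pemkey_filepath": None,
    "plugins.security.ssl.http.pemtrustedcas_filepath": None,
    "plugins.security.allow_unsafe_democertificates": "false",
}

def parse_flat_yaml(text):
    """Parse flat 'dotted.key: value' lines; comments and blanks are skipped."""
    settings = {}
    for line in text.splitlines():
        line = line.split(" #", 1)[0].strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip().strip("'\"")
    return settings

def lint_http_tls(text):
    """Return a list of findings; an empty list means the HTTPS block is complete."""
    settings = parse_flat_yaml(text)
    findings = []
    for key, expected in REQUIRED.items():
        value = settings.get(key)
        if value is None:
            findings.append(f"{key}: missing")
        elif expected is not None and value.lower() != expected:
            findings.append(f"{key}: is '{value}', expected '{expected}'")
        elif expected is None and (not value or re.fullmatch(r"<.*>", value)):
            findings.append(f"{key}: placeholder or empty value")
    return findings

# Constructed sample: HTTPS is switched on, but the key path is still the
# template placeholder, the trusted CA line is absent, and the
# demo-certificate setting was left permissive.
SAMPLE = """\
http.port: 9200
plugins.security.ssl.http.enabled: true
plugins.security.ssl.http.pemcert_filepath: node1.pem
plugins.security.ssl.http.pemkey_filepath: <your_ssl_key.pem>
plugins.security.allow_unsafe_democertificates: true
"""

if __name__ == "__main__":
    for finding in lint_http_tls(SAMPLE):
        print(finding)
```

To check a real node, pass the contents of <Opensearch-home>/config/opensearch.yml to lint_http_tls() before restarting OpenSearch.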

Updated on April 2, 2025
