How to configure HTTPS for remote OpenSearch instance in Bitbucket Data Center


Platform notice: Server and Data Center only. This article only applies to Atlassian products on the Server and Data Center platforms.

Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.

*Except Fisheye and Crucible

Summary


There are multiple ways to configure HTTPS for OpenSearch. Here we will discuss the easiest way to enable it using the opensearch.yml file.

Environment

Bitbucket Data Center 7.21.0: valid for a remote OpenSearch instance.

Solution

OpenSearch uses two ports to listen to external TCP traffic:

Port    Usage
9200    Used for all API calls over HTTP. This includes search and aggregations, monitoring, and anything else that uses an HTTP request. All client libraries use this port to talk to OpenSearch.
9300    Custom binary protocol used for communication between nodes in a cluster, for things like cluster updates, master elections, nodes joining/leaving, shard allocation, etc.

You can change the ports that OpenSearch uses with the http.port and transport.port settings in the opensearch.yml file, located in the <Opensearch-home>/config/ folder.

Instructions to secure port 9300 are already covered in the document Install and configure remote OpenSearch server. Make sure you have followed all the steps in that KB article before proceeding further.

To configure HTTPS on the http.port 9200, you need to add plugins.security.ssl.http parameters in the opensearch.yml as shown below.

plugins.security.ssl.http.enabled: true
plugins.security.ssl.http.pemcert_filepath: <your_ssl_cert.pem>
plugins.security.ssl.http.pemkey_filepath: <your_ssl_key.pem>
plugins.security.ssl.http.pemtrustedcas_filepath: <your_root_ca.pem>
plugins.security.allow_unsafe_democertificates: false
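
A pre-restart check for the settings above, added here as an example (it is not Atlassian's or OpenSearch's own tooling). It assumes the PEM paths are relative to the OpenSearch config directory and that opensearch.yml uses flat dotted keys; the function names and sample file names are hypothetical.

```python
import os
import stat
import tempfile

PREFIX = "plugins.security.ssl.http."
PEM_KEYS = ("pemcert_filepath", "pemkey_filepath", "pemtrustedcas_filepath")

def parse_flat_yaml(text):
    """Parse flat 'dotted.key: value' lines (assumes no nested YAML blocks)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" in line:
            key, value = line.split(":", 1)
            settings[key.strip()] = value.strip().strip("'\"")
    return settings

def check_http_tls(yml_text, config_dir):
    """Return findings for the HTTP-layer TLS settings; empty list means OK."""
    s = parse_flat_yaml(yml_text)
    findings = []
    if s.get(PREFIX + "enabled", "").lower() != "true":
        findings.append("HTTPS is not enabled on the HTTP port")
    if s.get("plugins.security.allow_unsafe_democertificates", "").lower() == "true":
        findings.append("demo certificates are allowed")
    for name in PEM_KEYS:
        value = s.get(PREFIX + name, "")
        if not value or value.startswith("<"):
            findings.append(f"{name} is unset or still a placeholder")
            continue
        path = os.path.join(config_dir, value)  # assumption: relative to config dir
        if not os.path.isfile(path):
            findings.append(f"{name}: {value} not found under {config_dir}")
        elif name == "pemkey_filepath" and stat.S_IMODE(os.stat(path).st_mode) & 0o077:
            findings.append(f"{name}: private key is readable by group or others")
    return findings

def build_sample(key_mode=0o600):
    """Constructed sample: a temp config dir with empty PEM files and a matching yml."""
    config_dir = tempfile.mkdtemp()
    for fname in ("node.pem", "node-key.pem", "root-ca.pem"):
        open(os.path.join(config_dir, fname), "w").close()
    os.chmod(os.path.join(config_dir, "node-key.pem"), key_mode)
    yml = "".join(f"{PREFIX}{k}: {v}\n" for k, v in (
        ("enabled", "true"), ("pemcert_filepath", "node.pem"),
        ("pemkey_filepath", "node-key.pem"), ("pemtrustedcas_filepath", "root-ca.pem")))
    return yml + "plugins.security.allow_unsafe_democertificates: false\n", config_dir

if __name__ == "__main__":
    print(check_http_tls(*build_sample()))       # well-formed sample
    print(check_http_tls(*build_sample(0o644)))  # key file too widely readable
```

To check a real node, pass the contents of opensearch.yml and the path of <Opensearch-home>/config/ to check_http_tls.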


The property plugins.security.allow_unsafe_democertificates should be set to false if you want to use a self-signed certificate in your instance. For the self-signed certificate to work, you must also add the OpenSearch SSL certificate to Bitbucket's Java trust store so that Bitbucket trusts the OpenSearch domain.

If the Bitbucket server is using a self-signed certificate, that certificate must be added to the Java truststore used by OpenSearch (Instructions).

Last modified on Oct 31, 2022
