OpenSearch SSL/TLS Security Migration #1972

@Kbayero

Describe the feature

Migrate OpenSearch deployment from insecure HTTP without authentication to secure HTTPS with TLS encryption and basic authentication. Previously, OpenSearch was exposed over plain HTTP without any authentication mechanism, creating significant security risks in production environments.

Use Case

  • Protect sensitive log and alert data in transit from network sniffing attacks
  • Prevent unauthorized access to OpenSearch indices containing security events
  • Comply with security standards requiring encryption for data at rest and in transit
  • Enable secure multi-tenant deployments where network isolation is not guaranteed
  • Support enterprise security audits requiring authenticated access to all data stores

Proposed Solution

  1. TLS Certificate Generation:

    • Auto-generate self-signed certificates during installation
    • Configure OpenSearch to use HTTPS on port 9200
    • Support custom CA certificates for enterprise deployments
  2. Authentication Implementation:

    • Enable OpenSearch security plugin
    • Configure basic authentication (username/password)
    • Store credentials securely in configuration
    • Propagate credentials to all dependent services (soc-ai, backend, etc.)
  3. Client Updates:

    • Update all HTTP clients to use HTTPS scheme
    • Add basic auth headers to OpenSearch requests
    • Configure TLS verification (skip for self-signed in internal networks)
    • Update connection strings across all plugins and services
  4. Backward Compatibility:

    • Migration path for existing installations
    • Documentation for certificate renewal procedures

Other Information

No response

Acknowledgements

  • I may be able to implement this feature request
  • This feature might incur a breaking change

Labels

go, java

Projects

Status

👀 In review
