securityadmin.sh Troubleshooting

If securityadmin.sh can’t reach the cluster, it outputs:

By default, securityadmin.sh uses localhost. If your cluster runs on any other host, specify the hostname using the -h option.

Check the port

Check that you are running securityadmin.sh against the transport port, not the HTTP port.

By default, securityadmin.sh uses 9300. If your cluster runs on a different port, use the -p option to specify the port number.

If securityadmin.sh can reach the cluster, but can’t update the configuration, it outputs this error:

• Try running with -icl and -nhnv.

By default, securityadmin.sh uses opensearch as the cluster name.

If your cluster has a different name, you can either ignore the name completely using the -icl option or specify the name using the -cn option.

Check hostname verification

By default, verifies that the hostname in your node’s certificate matches the node’s actual hostname.

If this is not the case (e.g. if you’re using the demo certificates), you can disable hostname verification by adding the -nhnv option.

By default, securityadmin.sh only executes if the cluster state is at least yellow.

Check the security index name

By default, the Security plugin uses .opendistro_security as the name of the configuration index. If you configured a different index name in opensearch.yml, specify it using the -i option.

If the TLS certificate used to start securityadmin.sh isn’t an admin certificate, the script outputs:

You must use an admin certificate when executing the script. To learn more, see .

For more information on why securityadmin.sh is not executing, add the --diagnose option:

The script prints the location of the generated diagnostic file.