diff --git a/roles/opensearch/opensearch/config.sls b/roles/opensearch/opensearch/config.sls
index 4d12106..d340244 100644
--- a/roles/opensearch/opensearch/config.sls
+++ b/roles/opensearch/opensearch/config.sls
@@ -1,104 +1,70 @@ # ------------------------------------------------------------- # Salt — Provision OpenSearch # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - # Project: Nasqueron # ------------------------------------------------------------- {% set config = salt['opensearch.get_config']() %} # ------------------------------------------------------------- # OpenSearch # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - /opt/opensearch/config/opensearch.yml: file.managed: - source: salt://roles/opensearch/opensearch/files/opensearch.conf - user: opensearch - group: opensearch - template: jinja - context: config: {{ config }} # ------------------------------------------------------------- # TLS certificates # # This method is based on OpenSearch Ansible playbook to # generate self-signed certificates for node to node (transport) # communication, and for the rest API. # # The certificates are generated by Search Guard Offline TLS Tool. # # This should only run on one node, then provisioned everywhere. 
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - /usr/local/dl/search-guard-tlstool.zip: file.managed: - source: https://maven.search-guard.com/search-guard-tlstool/1.8/search-guard-tlstool-1.8.zip - source_hash: f59f963c7ee28d557849ccde297660a3c593a6bf3531d7852fb9ab8b4fc7597e /opt/tlstool: archive.extracted: - source: /usr/local/dl/search-guard-tlstool.zip - enforce_toplevel: False - user: opensearch - group: opensearch /opt/tlstool/config/tlsconfig.yml: file.managed: - source: salt://roles/opensearch/opensearch/files/tlsconfig.yml.jinja - template: jinja - context: config: {{ config }} domain_name: {{ grains['domain'] }} node_full_domain_name: {{ grains['fqdn'] }} opensearch_generate_certificates: cmd.run: - name: /opt/tlstool/tools/sgtlstool.sh -c /opt/tlstool/config/tlsconfig.yml -ca -crt -t /opt/tlstool/config/ - env: JAVA_HOME: /opt/opensearch/jdk - creates: /opt/tlstool/config/root-ca.pem {% for certificate in salt['opensearch.list_certificates']() %} opensearch_deploy_certificate_{{ certificate }}: cmd.run: - name: install --mode=0600 --owner=opensearch {{ certificate }}.pem {{ certificate }}.key /opt/opensearch/config - cwd: /opt/tlstool/config - creates: /opt/opensearch/config/{{ certificate }}.pem {% endfor %} - -# ------------------------------------------------------------- -# Security plugin -# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -/opt/opensearch/plugins/opensearch-security/securityconfig/internal_users.yml: - file.managed: - - source: salt://roles/opensearch/opensearch/files/internal_users.yml.jinja - - user: opensearch - - group: opensearch - - template: jinja - - context: - users: - {% for user, credential in config['users'].items() %} - {{ user }}: - username: {{ salt['zr.get_username'](credential) }} - password: {{ salt['zr.get_password'](credential) }} - {% endfor %} - -opensearch_security_initialize: - cmd.run: - - name: > - bash /opt/opensearch/plugins/opensearch-security/tools/securityadmin.sh - 
-cacert /opt/opensearch/config/root-ca.pem - -cert /opt/opensearch/config/admin.pem - -key /opt/opensearch/config/admin.key - -f /opt/opensearch/plugins/opensearch-security/securityconfig/internal_users.yml - -nhnv -icl - -h {{ config['network_host'] }} - - touch /opt/opensearch/plugins/opensearch-security/securityconfig/.initialized - - env: - JAVA_HOME: /opt/opensearch/jdk - - creates: /opt/opensearch/plugins/opensearch-security/securityconfig/.initialized diff --git a/roles/opensearch/opensearch/files/security_initialize.sh b/roles/opensearch/opensearch/files/security_initialize.sh new file mode 100755 index 0000000..49bc2d9 --- /dev/null +++ b/roles/opensearch/opensearch/files/security_initialize.sh @@ -0,0 +1,19 @@ +#!/bin/sh + +set -e + +OPENSEARCH_HOSTNAME=$1 +ROOT=/opt/opensearch + +# Wait a little bit to let OpenSearch start +sleep 5 + +bash $ROOT/plugins/opensearch-security/tools/securityadmin.sh \ + -cacert $ROOT/config/root-ca.pem \ + -cert $ROOT/config/admin.pem \ + -key $ROOT/config/admin.key \ + -f $ROOT/plugins/opensearch-security/securityconfig/internal_users.yml \ + -nhnv -icl \ + -h "$OPENSEARCH_HOSTNAME" + +touch $ROOT/plugins/opensearch-security/securityconfig/.initialized diff --git a/roles/opensearch/opensearch/init.sls b/roles/opensearch/opensearch/init.sls index 1a7b94d..07d4044 100644 --- a/roles/opensearch/opensearch/init.sls +++ b/roles/opensearch/opensearch/init.sls @@ -1,13 +1,14 @@ # ------------------------------------------------------------- # Salt — Provision OpenSearch # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - # Project: Nasqueron # License: Trivial work, not eligible to copyright # ------------------------------------------------------------- include: - .kernel - .software - .config - .service + - .security - .wrapper diff --git a/roles/opensearch/opensearch/security.sls b/roles/opensearch/opensearch/security.sls new file mode 100644 index 0000000..f38368e --- /dev/null 
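Review bot: The fixed `sleep 5` before securityadmin.sh in the new security_initialize.sh is a race rather than a readiness check: if OpenSearch takes longer than five seconds to come up, `set -e` aborts the script, the `.initialized` marker is never touched and the state keeps failing until a later highstate happens to run after startup. A bounded retry loop around the securityadmin.sh call, sleeping between attempts, makes the bootstrap deterministic without any extra tooling. The script also accepts an empty first argument silently and then passes `-h ""`; `OPENSEARCH_HOSTNAME=${1:?network_host argument required}` fails early with a clear message instead. Note that `-nhnv` (carried over from the removed cmd.run in config.sls) disables hostname verification of the node certificate on this admin connection; since tlsconfig.yml is rendered with `node_full_domain_name`, it may be worth confirming whether the flag is still needed.
```shell
OPENSEARCH_HOSTNAME=${1:?network_host argument required}
ROOT=/opt/opensearch

# Retry instead of a single fixed sleep: securityadmin.sh fails while
# OpenSearch is still starting, so allow a bounded number of attempts.
attempt=0
until bash $ROOT/plugins/opensearch-security/tools/securityadmin.sh \
    -cacert $ROOT/config/root-ca.pem \
    -cert $ROOT/config/admin.pem \
    -key $ROOT/config/admin.key \
    -f $ROOT/plugins/opensearch-security/securityconfig/internal_users.yml \
    -nhnv -icl \
    -h "$OPENSEARCH_HOSTNAME"
do
    attempt=$((attempt + 1))
    if [ "$attempt" -ge 12 ]; then
        echo "securityadmin.sh did not succeed after $attempt attempts" >&2
        exit 1
    fi
    sleep 5
done

# … unchanged: touch of the .initialized marker …
```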
+++ b/roles/opensearch/opensearch/security.sls
@@ -0,0 +1,34 @@
+# -------------------------------------------------------------
+# Salt — Provision OpenSearch
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+# Project: Nasqueron
+# License: Trivial work, not eligible to copyright
+# -------------------------------------------------------------
+
+{% set config = salt['opensearch.get_config']() %}
+
+# -------------------------------------------------------------
+# Security plugin
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+/opt/opensearch/plugins/opensearch-security/securityconfig/internal_users.yml:
+ file.managed:
+ - source: salt://roles/opensearch/opensearch/files/internal_users.yml.jinja
+ - user: opensearch
+ - group: opensearch
+ - template: jinja
+ - context:
+ users:
+ {% for user, credential in config['users'].items() %}
+ {{ user }}:
+ username: {{ salt['zr.get_username'](credential) }}
+ password: {{ salt['zr.get_password'](credential) }}
+ {% endfor %}
+
+opensearch_security_initialize:
+ cmd.script:
+ - source: salt://roles/opensearch/opensearch/files/security_initialize.sh
+ - args: {{ config['network_host'] }}
+ - env:
+ JAVA_HOME: /opt/opensearch/jdk
+ - creates: /opt/opensearch/plugins/opensearch-security/securityconfig/.initialized
diff --git a/roles/opensearch/opensearch/software.sls b/roles/opensearch/opensearch/software.sls
index a99fcaa..5f9afc4 100644
--- a/roles/opensearch/opensearch/software.sls
+++ b/roles/opensearch/opensearch/software.sls
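Review bot: internal_users.yml is rendered with credentials obtained through `zr.get_password`, yet the `file.managed` state sets `user` and `group` but no `mode`, so the file's permissions are left to Salt's defaults (likely world-readable on creation, to be confirmed) rather than restricted to the opensearch account; add `- mode: "0600"` and `- show_changes: False` so the rendered secrets are neither readable by other local users nor echoed in state output and diffs. The `opensearch_security_initialize` state has no `require` on the service that starts OpenSearch, so securityadmin.sh reaching a live node depends only on `.service` preceding `.security` in the init.sls include list; an explicit `- require: - service: <opensearch service state id>` documents and enforces that dependency. Consider also quoting the templated argument, `- args: "{{ config['network_host'] }}"`, so an empty or unusual expansion does not change how YAML types the value.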
@@ -1,76 +1,77 @@ # ------------------------------------------------------------- # Salt — Provision OpenSearch # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - # Project: Nasqueron # License: Trivial work, not eligible to copyright # ------------------------------------------------------------- {% from "map.jinja" import shells with context %} # ------------------------------------------------------------- # User account # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - opensearch_group: group.present: - name: opensearch - gid: 835 opensearch_user: user.present: - name: opensearch - fullname: OpenSearch - uid: 835 - gid: opensearch - home: /opt/opensearch - shell: {{ shells['bash'] }} # ------------------------------------------------------------- # Download and extract tarballs # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - /usr/local/dl: file.directory {% if grains['kernel'] == 'Linux' and grains['cpuarch'] == 'x86_64' %} {% for product, info in pillar['opensearch_products'].items() %} {% set distname = product + "-" + info['version'] %} /usr/local/dl/{{ distname }}.tar.gz: file.managed: - source: https://artifacts.opensearch.org/releases/bundle/{{ product }}/{{ info['version'] }}/{{ distname }}-linux-x64.tar.gz - source_hash: {{ info['hash'] }} /opt/{{ product }}: file.directory: - user: opensearch - group: opensearch extract_opensearch_{{ product }}: archive.extracted: - name: /opt/{{ product }} - source: /usr/local/dl/{{ distname }}.tar.gz - user: opensearch - group: opensearch - - overwrite: True - enforce_toplevel: False - options: --strip 1 - - onchanges: - - file: /usr/local/dl/{{ distname }}.tar.gz {% endfor %} {% endif %} +/opt/opensearch/plugins/opensearch-security/tools/hash.sh: + file.managed: + - mode: 0755 + # ------------------------------------------------------------- # Cleanup legacy versions # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - {% for product, versions in 
pillar['opensearch_legacy_products'].items() %} {% for version in versions %} /usr/local/dl/{{ product }}-{{ version }}.tar.gz: file.absent {% endfor %} {% endfor %}
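Review bot: The new `/opt/opensearch/plugins/opensearch-security/tools/hash.sh` state uses `file.managed` with only a `mode`, and a `file.managed` without `source` or `contents` creates an empty file when the path does not exist; on a node where the security plugin is not yet extracted, that yields an empty executable hash.sh that later masks the real one. Add `- create: False` so the state only adjusts an existing file, and `- require: - archive: extract_opensearch_opensearch` (the id the loop above renders for the opensearch product) to pin ordering on the extraction. Writing the mode as `- mode: "0755"` also avoids the YAML 1.1 leading-zero octal interpretation, whatever the loader in use does with it; config.sls already passes modes as strings to `install --mode=0600`, so this keeps the role consistent.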