Creating SSL Certificates for Solr
If a certificate was created with all the required hostnames in the SAN config and is already being used to configure other Track components with SSL, the same certificates can be used here as well. If that is not the case, follow the steps below to create new certificates for Solr.
Before creating certificates, create a SAN config file. The contents of this file should include the IP addresses, DNS names, or hostnames that are involved in the communication. In other words, we want the certificate to recognize and authorize these hosts. A sample san.conf file is shown below:
[req_ext]
subjectAltName = @alt_names
[alt_names]
DNS.0 = nastelin.com
IP.0 = 172.16.31.152
IP.1 = 172.16.31.54
IP.2 = 172.16.31.19
To create the SSL keystore and truststore, execute the commands below (making the required changes to fields such as alias names, passwords, and certificate names):
keytool -keystore solr.keystore.jks -alias solr -keyalg RSA -validity 1000 -genkey -storepass password -keypass password -ext SAN=DNS:nastelin.com,IP:172.16.31.152,IP:172.16.31.54,IP:172.16.31.19
openssl req -new -x509 -keyout ca-key.key -out ca-cert.crt -days 1000
keytool -keystore solr.truststore.jks -alias solr-truststore -importcert -file ca-cert.crt
keytool -keystore solr.keystore.jks -alias solr -certreq -file cert-file-server.csr -ext SAN=DNS:nastelin.com,IP:172.16.31.152,IP:172.16.31.54,IP:172.16.31.19
openssl x509 -req -CA ca-cert.crt -CAkey ca-key.key -in cert-file-server.csr -out cert-signed-server.crt -days 1000 -CAcreateserial -passin pass:password -extfile san.conf -extensions req_ext
keytool -keystore solr.keystore.jks -alias solr-truststore -importcert -file ca-cert.crt
keytool -keystore solr.keystore.jks -alias solr -importcert -file cert-signed-server.crt
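The same certificate sequence driven from a single host list, as an added example (not the article's own script): it derives both the keytool -ext SAN= value and the openssl san.conf from one list so the entries repeated above cannot drift apart, and runs the commands non-interactively. The host names, the CA subject and the password argument are assumed values; adjust them for your environment.

```shell
# Added example, not part of the original article. Builds the keytool "-ext SAN="
# value and the openssl san.conf from ONE host list, then runs the article's
# keystore/truststore sequence. Hosts, CA subject and password are placeholders.
set -eu
# Classify a host as an IP or DNS SAN entry (shape test: only digits and dots = IPv4).
san_entry() {
  case "$1" in
    *[!0-9.]*) printf 'DNS:%s' "$1" ;;
    *)         printf 'IP:%s' "$1" ;;
  esac
}
# Comma-joined list in the form keytool's -ext SAN= expects, e.g. DNS:a.com,IP:1.2.3.4
build_san_ext() {
  out=""
  for h in "$@"; do out="${out:+$out,}$(san_entry "$h")"; done
  printf '%s' "$out"
}
# san.conf body for openssl -extfile/-extensions req_ext; DNS.n and IP.n are numbered separately.
build_san_conf() {
  dns=0; ip=0
  printf '[req_ext]\nsubjectAltName = @alt_names\n[alt_names]\n'
  for h in "$@"; do
    case "$(san_entry "$h")" in
      DNS:*) printf 'DNS.%d = %s\n' "$dns" "$h"; dns=$((dns + 1)) ;;
      *)     printf 'IP.%d = %s\n' "$ip" "$h"; ip=$((ip + 1)) ;;
    esac
  done
}
# The article's sequence, non-interactive; needs keytool and openssl on PATH.
# Usage: create_solr_certs <password> <host1> [host2 ...]   (first host becomes the CN)
create_solr_certs() {
  pass="$1"; shift
  san="$(build_san_ext "$@")"
  build_san_conf "$@" > san.conf
  keytool -keystore solr.keystore.jks -alias solr -keyalg RSA -validity 1000 -genkey \
    -storepass "$pass" -keypass "$pass" -dname "CN=$1" -ext "SAN=$san"
  openssl req -new -x509 -keyout ca-key.key -out ca-cert.crt -days 1000 -subj "/CN=Solr Internal CA" -passout "pass:$pass"
  keytool -keystore solr.truststore.jks -alias solr-truststore -importcert -noprompt -file ca-cert.crt -storepass "$pass"
  keytool -keystore solr.keystore.jks -alias solr -certreq -file cert-file-server.csr \
    -storepass "$pass" -ext "SAN=$san"
  openssl x509 -req -CA ca-cert.crt -CAkey ca-key.key -in cert-file-server.csr -out cert-signed-server.crt \
    -days 1000 -CAcreateserial -passin "pass:$pass" -extfile san.conf -extensions req_ext
  keytool -keystore solr.keystore.jks -alias solr-truststore -importcert -noprompt -file ca-cert.crt -storepass "$pass"
  keytool -keystore solr.keystore.jks -alias solr -importcert -file cert-signed-server.crt -storepass "$pass"
}
```

After it runs, `keytool -list -v -keystore solr.keystore.jks -alias solr` should show the same SubjectAlternativeName entries that were written to san.conf.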
Enabling SSL on Solr
Stop all services (Web, CEP, Domain, ActiveMQ, Kafka, and Solr), except Zookeeper.
The Solr control script is already configured to pass SSL-related Java system properties to the JVM. To activate SSL, uncomment and update the properties beginning with SOLR_SSL* in the $SOLR_HOME/bin/solr.in.sh file (e.g., /opt/meshiq/track/solr/current/bin/solr.in.sh or /opt/nastel/solr/current/bin/solr.in.sh).
SOLR_SSL_ENABLED=true
# Uncomment to set SSL-related system properties
# Be sure to update the paths to the correct keystore for your environment
SOLR_SSL_KEY_STORE=/opt/nastel/java/current/bin/solr.keystore.jks
SOLR_SSL_KEY_STORE_PASSWORD=password
SOLR_SSL_TRUST_STORE=/opt/nastel/java/current/bin/solr.truststore.jks
SOLR_SSL_TRUST_STORE_PASSWORD=password
SOLR_SSL_NEED_CLIENT_AUTH=false
SOLR_SSL_WANT_CLIENT_AUTH=false
SOLR_SSL_CHECK_PEER_NAME=true
SOLR_SSL_KEY_STORE_TYPE=JKS
SOLR_SSL_TRUST_STORE_TYPE=JKS
Configuring Zookeeper to Use HTTPS
Because Solr nodes are discovered through Zookeeper, set the cluster-wide urlScheme property in Zookeeper to https so that all Solr communication uses HTTPS instead of HTTP.
To do this, go to $SOLR_HOME/server/scripts/cloud-scripts (e.g., /opt/meshiq/track/solr/current/server/scripts/cloud-scripts or /opt/nastel/solr/current/server/scripts/cloud-scripts) and run the following command:
zkcli.sh -zkhost HOSTNAME/IP:ZookeeperPort/Your_CHROOT -cmd clusterprop -name urlScheme -val https
Configuring Client-Side Certificates on Track, to Communicate Securely with Solr
Under $AUTOPILOT_HOME (either /opt/meshiq/platform or /opt/nastel/AutoPilotM6), open the global.properties file and add the following properties:
property javax.net.ssl.keyStore=/opt/nastel/java/current/bin/solr.keystore.jks
property javax.net.ssl.keyStorePassword=password
property javax.net.ssl.trustStore=/opt/nastel/java/current/bin/solr.truststore.jks
property javax.net.ssl.trustStorePassword=password
property jkool.solr.metrics.intvl.sec=0
If required, global.properties supports storing encrypted passwords. To encrypt a password, use the apnet utility located in $AUTOPILOT_HOME/bin. The command is shown below, followed by an example of using the encrypted password in the file.
Encrypting a password using the apnet utility:
[nastel@MIMIR bin]$ ./apnet encrypt 'password'
Loading properties from file="/opt/meshiq/platform/global.properties", filter=*
Loading properties from file="../wgs11.properties", filter=*
Loaded properties from file="../wgs11.properties", filter=*, elapsed.ms=15
Loaded properties from file="/opt/meshiq/platform/global.properties", filter=*, elapsed.ms=802
Encrypted token="0umNX+S7ObqfbvzC6ISLnQ=="
Target="password", action=encrypt, response=null
Using the encrypted password in global.properties:
property javax.net.ssl.keyStore=/opt/nastel/java/current/bin/solr.keystore.jks
property_encrypted javax.net.ssl.keyStorePassword=0umNX+S7ObqfbvzC6ISLnQ==
property javax.net.ssl.trustStore=/opt/nastel/java/current/bin/solr.truststore.jks
property_encrypted javax.net.ssl.trustStorePassword=0umNX+S7ObqfbvzC6ISLnQ==
property jkool.solr.metrics.intvl.sec=0
Start all services back up.