mirror of https://github.com/apache/lucene.git
SOLR-14141: eliminate JKS keystore from solr ssl docs.
Currently the documentation pretends to create a JKS keystore. It is only actually a JKS keystore on Java 8: on Java 9+ it is a PKCS12 keystore with a .jks extension (because PKCS12 is the new Java default). It works even though Solr explicitly tells the JDK (SOLR_SSL_KEY_STORE_TYPE=JKS) that it's JKS when it is in fact not, due to how keystore backwards compatibility was implemented. Fix docs to explicitly create a PKCS12 keystore with .p12 extension and so on, instead of a PKCS12 keystore masquerading as a JKS one. This simplifies the SSL steps since the "conversion" step (which was doing nothing) from .JKS -> .P12 can be removed.
This commit is contained in:
parent c01b45b924
commit 300e81b655
@ -141,8 +141,8 @@ REM SSL Certificates contain host/ip "peer name" information that is validated b
|
|||
REM this to false can be useful to disable these checks when re-using a certificate on many hosts
|
||||
REM set SOLR_SSL_CHECK_PEER_NAME=true
|
||||
REM Override Key/Trust Store types if necessary
|
||||
REM set SOLR_SSL_KEY_STORE_TYPE=JKS
|
||||
REM set SOLR_SSL_TRUST_STORE_TYPE=JKS
|
||||
REM set SOLR_SSL_KEY_STORE_TYPE=PKCS12
|
||||
REM set SOLR_SSL_TRUST_STORE_TYPE=PKCS12
|
||||
|
||||
REM Uncomment if you want to override previously defined SSL values for HTTP client
|
||||
REM otherwise keep them commented and the above values will automatically be set for HTTP clients
|
||||
|
|
|
@ -158,8 +158,8 @@
|
|||
# this to false can be useful to disable these checks when re-using a certificate on many hosts
|
||||
#SOLR_SSL_CHECK_PEER_NAME=true
|
||||
# Override Key/Trust Store types if necessary
|
||||
#SOLR_SSL_KEY_STORE_TYPE=JKS
|
||||
#SOLR_SSL_TRUST_STORE_TYPE=JKS
|
||||
#SOLR_SSL_KEY_STORE_TYPE=PKCS12
|
||||
#SOLR_SSL_TRUST_STORE_TYPE=PKCS12
|
||||
|
||||
# Uncomment if you want to override previously defined SSL values for HTTP client
|
||||
# otherwise keep them commented and the above values will automatically be set for HTTP clients
|
||||
|
|
|
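Review bot: in both solr.in.cmd and solr.in.sh the commented sample overrides now read `SOLR_SSL_KEY_STORE_TYPE=PKCS12` / `SOLR_SSL_TRUST_STORE_TYPE=PKCS12`, which is also the value that becomes the default, so uncommenting them is a no-op and the sample no longer shows an override at all. The `Override Key/Trust Store types if necessary` comment should say when an override is actually needed, for example: `# Defaults to PKCS12; set to JKS if you keep an existing JKS keystore (e.g. one created with keytool on Java 8)`, so that operators with a genuine JKS file know which value to set here.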
@ -18,8 +18,8 @@
|
|||
<Set name="NeedClientAuth"><Property name="solr.jetty.ssl.needClientAuth" default="false"/></Set>
|
||||
<Set name="WantClientAuth"><Property name="solr.jetty.ssl.wantClientAuth" default="false"/></Set>
|
||||
<Set name="EndpointIdentificationAlgorithm"><Property name="solr.jetty.ssl.verifyClientHostName"/></Set>
|
||||
<Set name="KeyStoreType"><Property name="solr.jetty.keystore.type" default="JKS"/></Set>
|
||||
<Set name="TrustStoreType"><Property name="solr.jetty.truststore.type" default="JKS"/></Set>
|
||||
<Set name="KeyStoreType"><Property name="solr.jetty.keystore.type" default="PKCS12"/></Set>
|
||||
<Set name="TrustStoreType"><Property name="solr.jetty.truststore.type" default="PKCS12"/></Set>
|
||||
|
||||
<!-- =========================================================== -->
|
||||
<!-- Create a TLS specific HttpConfiguration based on the -->
|
||||
|
|
|
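Review bot: changing the defaults of `solr.jetty.keystore.type` and `solr.jetty.truststore.type` from JKS to PKCS12 is a runtime behaviour change for every deployment that never set SOLR_SSL_KEY_STORE_TYPE / SOLR_SSL_TRUST_STORE_TYPE, not only a documentation fix. The commit message relies on the JDK keystore compatibility mode to explain why a PKCS12 file loads when declared as JKS; please confirm the reverse case (a keystore that really is JKS, as produced on Java 8, loaded with type PKCS12) works on every JDK Solr supports, and add a CHANGES/upgrade note telling users with a real JKS file to set SOLR_SSL_KEY_STORE_TYPE=JKS and SOLR_SSL_TRUST_STORE_TYPE=JKS explicitly.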
@ -36,25 +36,14 @@ In addition to `localhost` and `127.0.0.1`, this example includes a LAN IP addre
|
|||
|
||||
[source,bash]
|
||||
----
|
||||
keytool -genkeypair -alias solr-ssl -keyalg RSA -keysize 2048 -keypass secret -storepass secret -validity 9999 -keystore solr-ssl.keystore.jks -ext SAN=DNS:localhost,IP:192.168.1.3,IP:127.0.0.1 -dname "CN=localhost, OU=Organizational Unit, O=Organization, L=Location, ST=State, C=Country"
|
||||
keytool -genkeypair -alias solr-ssl -keyalg RSA -keysize 2048 -keypass secret -storepass secret -validity 9999 -keystore solr-ssl.keystore.p12 -storetype PKCS12 -ext SAN=DNS:localhost,IP:192.168.1.3,IP:127.0.0.1 -dname "CN=localhost, OU=Organizational Unit, O=Organization, L=Location, ST=State, C=Country"
|
||||
----
|
||||
|
||||
The above command will create a keystore file named `solr-ssl.keystore.jks` in the current directory.
|
||||
The above command will create a keystore file named `solr-ssl.keystore.p12` in the current directory.
|
||||
|
||||
=== Convert the Certificate and Key to PEM Format for Use with curl
|
||||
|
||||
curl isn't capable of using JKS formatted keystores, so the JKS keystore needs to be converted to PEM format, which curl understands.
|
||||
|
||||
First convert the JKS keystore into PKCS12 format using `keytool`:
|
||||
|
||||
[source,bash]
|
||||
----
|
||||
keytool -importkeystore -srckeystore solr-ssl.keystore.jks -destkeystore solr-ssl.keystore.p12 -srcstoretype jks -deststoretype pkcs12
|
||||
----
|
||||
|
||||
The keytool application will prompt you to create a destination keystore password and for the source keystore password, which was set when creating the keystore ("secret" in the example shown above).
|
||||
|
||||
Next convert the PKCS12 format keystore, including both the certificate and the key, into PEM format using the http://www.openssl.org[`openssl`] command:
|
||||
Convert the PKCS12 format keystore, including both the certificate and the key, into PEM format using the http://www.openssl.org[`openssl`] command:
|
||||
|
||||
[source,bash]
|
||||
----
|
||||
|
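Review bot: with the JKS-to-PKCS12 conversion step removed, the `=== Convert the Certificate and Key to PEM Format for Use with curl` heading is followed directly by the `Convert the PKCS12 format keystore...` instruction, and the line counts in the hunk header (-36,25 +36,14) indicate that the sentence explaining why the export is needed (`curl isn't capable of using JKS formatted keystores...`) is dropped together with `First convert the JKS keystore...`. Keep a reworded version of that rationale (curl needs the certificate and key in PEM form) so the section still says why the `openssl` step exists. Minor: the new keytool command only works for PKCS12 because `-keypass secret -storepass secret` are identical; keytool does not support differing store and key passwords for PKCS12 keystores, which is worth a one-line note for readers who change the passwords.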
@ -82,9 +71,9 @@ NOTE: If you setup Solr as a service on Linux using the steps outlined in <<taki
|
|||
SOLR_SSL_ENABLED=true
|
||||
# Uncomment to set SSL-related system properties
|
||||
# Be sure to update the paths to the correct keystore for your environment
|
||||
SOLR_SSL_KEY_STORE=etc/solr-ssl.keystore.jks
|
||||
SOLR_SSL_KEY_STORE=etc/solr-ssl.keystore.p12
|
||||
SOLR_SSL_KEY_STORE_PASSWORD=secret
|
||||
SOLR_SSL_TRUST_STORE=etc/solr-ssl.keystore.jks
|
||||
SOLR_SSL_TRUST_STORE=etc/solr-ssl.keystore.p12
|
||||
SOLR_SSL_TRUST_STORE_PASSWORD=secret
|
||||
# Require clients to authenticate
|
||||
SOLR_SSL_NEED_CLIENT_AUTH=false
|
||||
|
@ -95,9 +84,6 @@ SOLR_SSL_CLIENT_HOSTNAME_VERIFICATION=false
|
|||
# SSL Certificates contain host/ip "peer name" information that is validated by default. Setting
|
||||
# this to false can be useful to disable these checks when re-using a certificate on many hosts
|
||||
SOLR_SSL_CHECK_PEER_NAME=true
|
||||
# Override Key/Trust Store types if necessary
|
||||
SOLR_SSL_KEY_STORE_TYPE=JKS
|
||||
SOLR_SSL_TRUST_STORE_TYPE=JKS
|
||||
----
|
||||
|
||||
When you start Solr, the `bin/solr` script includes the settings in `bin/solr.in.sh` and will pass these SSL-related system properties to the JVM.
|
||||
|
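Review bot: deleting `SOLR_SSL_KEY_STORE_TYPE=JKS` and `SOLR_SSL_TRUST_STORE_TYPE=JKS` from the example solr.in.sh makes the example depend on the jetty-ssl.xml default being PKCS12. Replacing the two lines with `SOLR_SSL_KEY_STORE_TYPE=PKCS12` and `SOLR_SSL_TRUST_STORE_TYPE=PKCS12` would keep the example explicit, matching the explicit `-storetype PKCS12` in the keytool command, and would keep it working when pasted into a solr.in.sh from a release whose default is still JKS. The same applies to the solr.in.cmd example further down.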
@ -115,9 +101,9 @@ REM to enable https module with custom jetty configuration.
|
|||
set SOLR_SSL_ENABLED=true
|
||||
REM Uncomment to set SSL-related system properties
|
||||
REM Be sure to update the paths to the correct keystore for your environment
|
||||
set SOLR_SSL_KEY_STORE=etc/solr-ssl.keystore.jks
|
||||
set SOLR_SSL_KEY_STORE=etc/solr-ssl.keystore.p12
|
||||
set SOLR_SSL_KEY_STORE_PASSWORD=secret
|
||||
set SOLR_SSL_TRUST_STORE=etc/solr-ssl.keystore.jks
|
||||
set SOLR_SSL_TRUST_STORE=etc/solr-ssl.keystore.p12
|
||||
set SOLR_SSL_TRUST_STORE_PASSWORD=secret
|
||||
REM Require clients to authenticate
|
||||
set SOLR_SSL_NEED_CLIENT_AUTH=false
|
||||
|
@ -128,9 +114,6 @@ set SOLR_SSL_CLIENT_HOSTNAME_VERIFICATION=false
|
|||
REM SSL Certificates contain host/ip "peer name" information that is validated by default. Setting
|
||||
REM this to false can be useful to disable these checks when re-using a certificate on many hosts
|
||||
set SOLR_SSL_CHECK_PEER_NAME=true
|
||||
REM Override Key/Trust Store types if necessary
|
||||
set SOLR_SSL_KEY_STORE_TYPE=JKS
|
||||
set SOLR_SSL_TRUST_STORE_TYPE=JKS
|
||||
----
|
||||
|
||||
=== Run Single Node Solr using SSL
|
||||
|
@ -403,7 +386,7 @@ Use `post.jar` to index some example documents to the SolrCloud collection creat
|
|||
----
|
||||
cd example/exampledocs
|
||||
|
||||
java -Djavax.net.ssl.keyStorePassword=secret -Djavax.net.ssl.keyStore=../../server/etc/solr-ssl.keystore.jks -Djavax.net.ssl.trustStore=../../server/etc/solr-ssl.keystore.jks -Djavax.net.ssl.trustStorePassword=secret -Durl=https://localhost:8984/solr/mycollection/update -jar post.jar *.xml
|
||||
java -Djavax.net.ssl.keyStorePassword=secret -Djavax.net.ssl.keyStore=../../server/etc/solr-ssl.keystore.p12 -Djavax.net.ssl.trustStore=../../server/etc/solr-ssl.keystore.p12 -Djavax.net.ssl.trustStorePassword=secret -Durl=https://localhost:8984/solr/mycollection/update -jar post.jar *.xml
|
||||
----
|
||||
|
||||
=== Query Using curl
|
||||
|
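Review bot: the java command points `javax.net.ssl.keyStore` and `javax.net.ssl.trustStore` at the .p12 file but passes no `javax.net.ssl.keyStoreType` / `javax.net.ssl.trustStoreType`, so the JVM uses its default keystore type, which the commit message notes is PKCS12 only from Java 9 onward; on Java 8 the default is JKS and the renamed file will not load. Adding `-Djavax.net.ssl.keyStoreType=PKCS12 -Djavax.net.ssl.trustStoreType=PKCS12` makes the example work on every JDK Solr supports.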
@ -421,9 +404,9 @@ From a java client using SolrJ, index a document. In the code below, the `javax.
|
|||
|
||||
[source,java]
|
||||
----
|
||||
System.setProperty("javax.net.ssl.keyStore", "/path/to/solr-ssl.keystore.jks");
|
||||
System.setProperty("javax.net.ssl.keyStore", "/path/to/solr-ssl.keystore.p12");
|
||||
System.setProperty("javax.net.ssl.keyStorePassword", "secret");
|
||||
System.setProperty("javax.net.ssl.trustStore", "/path/to/solr-ssl.keystore.jks");
|
||||
System.setProperty("javax.net.ssl.trustStore", "/path/to/solr-ssl.keystore.p12");
|
||||
System.setProperty("javax.net.ssl.trustStorePassword", "secret");
|
||||
String zkHost = "127.0.0.1:2181";
|
||||
CloudSolrClient client = new CloudSolrClient.Builder().withZkHost(zkHost).build();
|
||||
|
|
|
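Review bot: as in the post.jar command above, the SolrJ snippet sets `System.setProperty("javax.net.ssl.keyStore", "/path/to/solr-ssl.keystore.p12")` and the trustStore counterpart without setting `javax.net.ssl.keyStoreType` and `javax.net.ssl.trustStoreType` to `"PKCS12"`, so a client running on a JDK whose default keystore type is JKS cannot open the renamed file. Add the two type properties next to the password properties.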
@ -145,7 +145,7 @@ Then you can start the Exporter as follows (Linux).
|
|||
[source,bash]
|
||||
----
|
||||
$ cd contrib/prometheus-exporter
|
||||
$ export JAVA_OPTS="-Djavax.net.ssl.trustStore=truststore.jks -Djavax.net.ssl.trustStorePassword=truststorePassword -Dsolr.httpclient.builder.factory=org.apache.solr.client.solrj.impl.PreemptiveBasicAuthClientBuilderFactory -Dsolr.httpclient.config=basicauth.properties -DzkCredentialsProvider=org.apache.solr.common.cloud.VMParamsSingleSetCredentialsDigestZkCredentialsProvider -DzkDigestUsername=readonly-user -DzkDigestPassword=zkUserPassword"
|
||||
$ export JAVA_OPTS="-Djavax.net.ssl.trustStore=truststore.p12 -Djavax.net.ssl.trustStorePassword=truststorePassword -Dsolr.httpclient.builder.factory=org.apache.solr.client.solrj.impl.PreemptiveBasicAuthClientBuilderFactory -Dsolr.httpclient.config=basicauth.properties -DzkCredentialsProvider=org.apache.solr.common.cloud.VMParamsSingleSetCredentialsDigestZkCredentialsProvider -DzkDigestUsername=readonly-user -DzkDigestPassword=zkUserPassword"
|
||||
$ export CLASSPATH_PREFIX="../../server/solr-webapp/webapp/WEB-INF/lib/commons-codec-1.11.jar"
|
||||
$ ./bin/solr-exporter -p 9854 -z zk1:2181,zk2:2181,zk3:2181 -f ./conf/solr-exporter-config.xml -n 16
|
||||
----
|
||||
|
|
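Review bot: only the file name inside JAVA_OPTS changes here (`truststore.jks` to `truststore.p12`); the part of the exporter page that explains how that truststore is produced is outside this hunk and should be checked for remaining `.jks` references so the command and its preparation steps agree. Also, no `-Djavax.net.ssl.trustStoreType=PKCS12` is passed, so the exporter JVM falls back to its default keystore type, which is JKS on Java 8.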