lucene-solr-user mailing list archives

From Rick Leir <rl...@leirtech.com>
Subject Re: SOLR SSL Java command line properties
Date Fri, 05 Jan 2018 09:01:20 GMT
Bob

Thanks for mentioning the jetty-ssl.xml file.

I have a follow-on question: since it is strongly recommended that you 
host Solr behind a web app (perhaps solr-security-proxy is adequate), 
the Solr REST interface will not be on the open Internet, so perhaps 
HTTP is the appropriate protocol?

Unless you have Solr authentication and do not trust all the internal 
hosts. I could be quite wrong, please correct.

cheers -- Rick


On 01/04/2018 11:51 AM, Bob Feider wrote:
> When I use the provided Apache SOLR startup script (version 6.6.0), 
> the script creates and then executes a java command line that has two 
> sets of SSL properties whose related elements are set to the same 
> values. One set has property names like |javax.net.ssl.*| while the 
> other set has names like |solr.jetty.*|. For example:
>
>    |java -server ...-Dsolr.jetty.keystore.password=secret
>    ...-Djavax.net.ssl.keyStorePassword=secret ......-jar start.jar
>    --module=https|
>
> Our security team does not allow passwords to be passed along on the 
> command line or in environment variables but will allow them to be 
> placed in a file provided the file has restricted access permissions. 
> I noticed that there is a |jetty-ssl.xml| file in the 
> |solr/server/etc| directory that can be used to provide default values 
> for the |SOLR SSL| related properties including the 
> |solr.jetty.keystore.password|. When I remove the 
> |javax.net.ssl.keyStorePassword| and |solr.jetty.keystore.password| 
> properties from the java command line and update the |jetty-ssl.xml| 
> file with my default keystore password, SOLR appears to start properly 
> with the default keystore password contained in that file. I can then 
> connect with my browser to |https://localhost:8983/solr/#| and access 
> the SOLR Admin page just fine.
>
> Are the |javax.net.ssl.*| properties used at all in the SOLR 
> standalone or SOLR cloud products?
>
> Do I need to provide the javax.net.ssl.* properties on the command 
> line for proper operation or can I get away with simply providing them 
> in the jetty-ssl.xml file?
>
> I am concerned that they are used behind the scenes outside of the 
> browser to SOLR server connections to connect to other processes like 
> zookeeper and that by doing this I will uncover some problem down the 
> road that my simple testing has not revealed. The only direct 
> reference to the properties I can see in the source code is in the 
> solr embedded code that is part of the solrj client inside the 
> SSLConfig Java class.
>
> Thanks for your help,
>
> Bob
>
>
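
The two conditions raised in the quoted question (no keystore password properties on the java command line, and a jetty-ssl.xml with restricted access permissions) can be checked with a short script. This is an added example, not part of either message or of Solr: the function names are hypothetical, the property-name patterns generalize the two names quoted in the thread, and the sample command line is constructed.

```shell
#!/bin/sh
# Added example: names below are hypothetical, not part of Solr.

# Constructed sample, modelled on the command line quoted in the thread.
SAMPLE_CMDLINE='java -server -Dsolr.jetty.keystore.password=secret -Djavax.net.ssl.keyStorePassword=secret -jar start.jar --module=https'

# stdin: one argument per line. stdout: names (never values) of password
# properties. Patterns are an assumption generalizing the thread's two names.
exposed_props() {
    sed -n \
        -e 's/^-D\(solr\.jetty\.[A-Za-z.]*[Pp]assword\)=.*/\1/p' \
        -e 's/^-D\(javax\.net\.ssl\.[A-Za-z]*Password\)=.*/\1/p'
}

# Check a command line given as a single space-separated string.
props_in_string() {
    printf '%s\n' "$1" | tr ' ' '\n' | exposed_props
}

# Check a running process (Linux only: arguments are NUL-separated in /proc).
props_in_pid() {
    tr '\0' '\n' < "/proc/$1/cmdline" | exposed_props
}

# Succeeds only if the file exists and grants nothing to group or others.
file_is_restricted() {
    [ -f "$1" ] || return 2
    perms=$(ls -ld -- "$1" | cut -c5-10)   # group and other permission bits
    [ "$perms" = "------" ]
}

# $1 = command line string, $2 = path to jetty-ssl.xml. Returns 1 on any finding.
audit() {
    rc=0
    for p in $(props_in_string "$1"); do
        echo "FAIL: $p is passed on the command line"
        rc=1
    done
    if ! file_is_restricted "$2"; then
        echo "FAIL: $2 is missing or accessible to group/others"
        rc=1
    fi
    return $rc
}
```

On a Linux host, `props_in_pid` with the Solr process id applies the same check to the running process.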

