[jira] [Commented] (SOLR-14141) eliminate JKS keystore from solr SSL docs

Sun, 29 Dec 2019 06:35:12 -0800 


    [ 
https://issues.apache.org/jira/browse/SOLR-14141?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17004800#comment-17004800
 ] 

ASF subversion and git services commented on SOLR-14141:
--------------------------------------------------------

Commit 1cb6e35058bd0d36b20eb44326c4cf7c79696391 in lucene-solr's branch 
refs/heads/master from Robert Muir
[ https://gitbox.apache.org/repos/asf?p=lucene-solr.git;h=1cb6e35 ]

SOLR-14141: eliminate JKS keystore from solr ssl docs.

Currently the documentation pretends to create a JKS keystore. It is
only actually a JKS keystore on java 8: on java9+ it is a PKCS12
keystore with a .jks extension (because PKCS12 is the new java default).
It works even though solr explicitly tells the JDK
(SOLR_SSL_KEY_STORE_TYPE=JKS) that its JKS when it is in fact not, due
to how keystore backwards compatibility was implemented.

Fix docs to explicitly create a PKCS12 keystore with .p12 extension and
so on instead of a PKCS12 keystore masquerading as a JKS one. This
simplifies the SSL steps since the "conversion" step (which was doing
nothing) from .JKS -> .P12 can be removed.


> eliminate JKS keystore from solr SSL docs
> -----------------------------------------
>
>                 Key: SOLR-14141
>                 URL: https://issues.apache.org/jira/browse/SOLR-14141
>             Project: Solr
>          Issue Type: Improvement
>      Security Level: Public(Default Security Level. Issues are Public) 
>            Reporter: Robert Muir
>            Priority: Major
>         Attachments: SOLR-14141.patch, SOLR-14141.patch
>
>
> On the "Enabling SSL" page: 
> https://lucene.apache.org/solr/guide/8_3/enabling-ssl.html#enabling-ssl
> The first step is currently to create a JKS keystore. The next step 
> immediately converts the JKS keystore into PKCS12, so that openssl can then 
> be used to extract key material in PEM format for use with curl.
> Now that PKCS12 is java's default keystore format, why not omit step 1 
> entirely? What am I missing? PKCS12 is a more commonly 
> understood/standardized format.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscr...@lucene.apache.org
For additional commands, e-mail: issues-h...@lucene.apache.org

Reply via email to