I'm a committer on the Apache Lucene/Solr project. One of our users opened an issue on Solr 6.6.2, which uses Jetty 9.3.14. Here's the URL for that issue:
https://issues.apache.org/jira/browse/SOLR-11678

They want to use different passwords for their key store and their trust store. If they set their stores up so they both use the same password, then everything works, but when they use different passwords, the Jetty startup throws an exception.

At this time I don't have precise information on how the user has installed and configured Solr, but I'm taking a leap of faith and assuming that they're not completely clueless and have done the job correctly from the point of view of the Solr project.

I'm just barely familiar with how Java deals with stores for SSL ... enough to know that it's typically more difficult to inform Java-based software about certificates and keys compared to software that can directly use PEM-encoded files.

The Solr startup script sets system properties for the store filenames and environment variables for the passwords, and makes sure the environment variables are exported so forked processes can access them. Then in the jetty-ssl.xml that Solr provides we have this:

<Set name="KeyStorePath"><Property name="solr.jetty.keystore" default="./etc/solr-ssl.keystore.jks"/></Set>
<Set name="KeyStorePassword"><Env name="SOLR_SSL_KEY_STORE_PASSWORD" default="secret"/></Set>
<Set name="TrustStorePath"><Property name="solr.jetty.truststore" default="./etc/solr-ssl.keystore.jks"/></Set>
<Set name="TrustStorePassword"><Env name="SOLR_SSL_TRUST_STORE_PASSWORD" default="secret"/></Set>

Does Jetty support different passwords for the key store and the trust store? If so, then based on the info I've provided, is Solr configuring Jetty correctly? Would we need to upgrade Jetty beyond 9.3.14 for it to work?

Thanks,
Shawn
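The following is an added example, not part of the original message and not Solr or Jetty code: a small checker that resolves the four `<Set>` elements quoted above against a given environment and property set, then reports which values fall back to their `default` attribute. It assumes a simplified resolution model (`<Env>` reads an environment variable, `<Property>` reads a property handed to Jetty, otherwise the `default` applies); the function names and the sample inputs are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# The four <Set> elements quoted in the message, wrapped in a constructed root element.
JETTY_SSL_FRAGMENT = """<Configure>
  <Set name="KeyStorePath"><Property name="solr.jetty.keystore" default="./etc/solr-ssl.keystore.jks"/></Set>
  <Set name="KeyStorePassword"><Env name="SOLR_SSL_KEY_STORE_PASSWORD" default="secret"/></Set>
  <Set name="TrustStorePath"><Property name="solr.jetty.truststore" default="./etc/solr-ssl.keystore.jks"/></Set>
  <Set name="TrustStorePassword"><Env name="SOLR_SSL_TRUST_STORE_PASSWORD" default="secret"/></Set>
</Configure>"""


def resolve(xml_text, env, props):
    """Return {setter: (value, source)}; source is 'env', 'property' or 'default'."""
    resolved = {}
    for setter in ET.fromstring(xml_text).iter("Set"):
        ref = setter[0]  # the <Env> or <Property> child
        table, source = (env, "env") if ref.tag == "Env" else (props, "property")
        name = ref.get("name")
        if name in table:
            resolved[setter.get("name")] = (table[name], source)
        else:
            # Assumption: an unset variable or property yields the default attribute.
            resolved[setter.get("name")] = (ref.get("default"), "default")
    return resolved


def findings(resolved):
    """List configuration problems without ever echoing a password value."""
    out = []
    for key in ("KeyStorePassword", "TrustStorePassword"):
        if resolved[key][1] == "default":
            out.append(f"{key} falls back to the built-in default")
    same_file = resolved["KeyStorePath"][0] == resolved["TrustStorePath"][0]
    same_pass = resolved["KeyStorePassword"][0] == resolved["TrustStorePassword"][0]
    if same_file and not same_pass:
        out.append("both paths resolve to one file but the passwords differ")
    return out


if __name__ == "__main__":
    # Constructed scenario: both passwords exported, neither store path property set.
    env = {"SOLR_SSL_KEY_STORE_PASSWORD": "ks-pass", "SOLR_SSL_TRUST_STORE_PASSWORD": "ts-pass"}
    for line in findings(resolve(JETTY_SSL_FRAGMENT, env, {})):
        print(line)
```

Running the same check against the actual environment of the Solr process (for example the variables exported by the start script) shows whether each password and path reached Jetty or was silently replaced by a default.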
