Hi Jeff,

Are you still having the same issue or did you manage to fix it?

I have the default files that come with the Solr 5.2.1 installation (I’m 
copying those below).
I’m pretty sure my password is correct, unless the tool is generating one that 
does not match my version? I’m using the jetty jar that comes with the Solr 
installation to generate it, so I’m assuming this is not the case.


jetty-ssl.xml
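<?xml version="1.0"?>
<!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "http://www.eclipse.org/jetty/configure_9_0.dtd">

<!-- ============================================================= -->
<!-- Configure a TLS (SSL) Context Factory                         -->
<!-- This configuration must be used in conjunction with jetty.xml -->
<!-- and either jetty-https.xml or jetty-spdy.xml (but not both)   -->
<!--                                                               -->
<!-- Every <Property> below is resolved from a JVM system property -->
<!-- (-Dname=value) and falls back to its "default" attribute when -->
<!-- the property is unset. The shipped defaults are placeholders. -->
<!-- The DOCTYPE names the Jetty configure DTD by public id, which -->
<!-- Jetty's XmlConfiguration is expected to resolve from its own  -->
<!-- bundled copy rather than fetching over the network (confirm). -->
<!-- ============================================================= -->
<Configure id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory">

  <!-- Key store holding the server certificate and its private key. -->
  <Set name="KeyStorePath"><Property name="solr.jetty.keystore" default="./etc/solr-ssl.keystore.jks"/></Set>

  <!-- Store passwords. These come from solr.jetty.keystore.password /
       solr.jetty.truststore.password, which bin/solr passes on the java
       command line, so the clear-text value is visible to anyone who can
       list the process and in the Admin UI's JVM args. "secret" is only the
       placeholder that ships with the distribution.
       The SslContextFactory setters accept Jetty's OBF:/CRYPT: encoded
       forms (see the Jetty configuring-ssl sample), but that only helps
       when the value is written here instead of being passed as -D; the
       JDK's own javax.net.ssl.* properties do not understand OBF:.
       OBF: is reversible obfuscation, not encryption, so read access to
       this file still has to be restricted. KeyManagerPassword is not set;
       SslContextFactory presumably falls back to the key store password
       for the private key when it is unset - confirm for this version. -->
  <Set name="KeyStorePassword"><Property name="solr.jetty.keystore.password" default="secret"/></Set>

  <!-- Trust store used to verify peer (client) certificates; by default
       the same file as the key store. -->
  <Set name="TrustStorePath"><Property name="solr.jetty.truststore" default="./etc/solr-ssl.keystore.jks"/></Set>
  <Set name="TrustStorePassword"><Property name="solr.jetty.truststore.password" default="secret"/></Set>

  <!-- Client-certificate (mutual TLS) policy. Both false: clients are
       neither required nor asked to present a certificate. -->
  <Set name="NeedClientAuth"><Property name="solr.jetty.ssl.needClientAuth" default="false"/></Set>
  <Set name="WantClientAuth"><Property name="solr.jetty.ssl.wantClientAuth" default="false"/></Set>

  <!-- Protocol blacklist. Only SSLv3 is excluded here; every other
       protocol version the JVM enables by default stays negotiable. -->
  <Set name="excludeProtocols">
    <Array type="java.lang.String">
      <Item>SSLv3</Item>
    </Array>
  </Set>

  <!-- Cipher-suite blacklist: single-DES and export-grade (40-bit) suites.
       Suites not listed here (for example non-export RC4 or 3DES) are left
       to the JVM's own defaults - confirm those for the JDK in use. -->
  <Set name="ExcludeCipherSuites">
    <Array type="String">
      <Item>SSL_RSA_WITH_DES_CBC_SHA</Item>
      <Item>SSL_DHE_RSA_WITH_DES_CBC_SHA</Item>
      <Item>SSL_DHE_DSS_WITH_DES_CBC_SHA</Item>
      <Item>SSL_RSA_EXPORT_WITH_RC4_40_MD5</Item>
      <Item>SSL_RSA_EXPORT_WITH_DES40_CBC_SHA</Item>
      <Item>SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA</Item>
      <Item>SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA</Item>
    </Array>
  </Set>

  <!-- =========================================================== -->
  <!-- Create a TLS specific HttpConfiguration based on the        -->
  <!-- common HttpConfiguration defined in jetty.xml               -->
  <!-- Add a SecureRequestCustomizer to extract certificate and    -->
  <!-- session information                                         -->
  <!-- The "httpConfig" ref must already exist (it is defined in   -->
  <!-- jetty.xml); "sslHttpConfig" is consumed by jetty-https.xml. -->
  <!-- =========================================================== -->
  <New id="sslHttpConfig" class="org.eclipse.jetty.server.HttpConfiguration">
    <Arg><Ref refid="httpConfig"/></Arg>
    <Call name="addCustomizer">
      <Arg><New class="org.eclipse.jetty.server.SecureRequestCustomizer"/></Arg>
    </Call>
  </New>

</Configure>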

jetty-https.xml
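<?xml version="1.0"?>
<!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "http://www.eclipse.org/jetty/configure_9_0.dtd">

<!-- ============================================================= -->
<!-- Configure a HTTPS connector.                                  -->
<!-- This configuration must be used in conjunction with jetty.xml -->
<!-- and jetty-ssl.xml.                                            -->
<!-- Every <Property> below is resolved from a JVM system property -->
<!-- (-Dname=value) and falls back to its "default" attribute when -->
<!-- the property is unset.                                        -->
<!-- ============================================================= -->
<Configure id="Server" class="org.eclipse.jetty.server.Server">

  <!-- =========================================================== -->
  <!-- Add a HTTPS Connector.                                      -->
  <!-- Configure an o.e.j.server.ServerConnector with connection   -->
  <!-- factories for TLS (aka SSL) and HTTP to provide HTTPS.      -->
  <!-- All accepted TLS connections are wired to a HTTP connection.-->
  <!--                                                             -->
  <!-- Consult the javadoc of o.e.j.server.ServerConnector,        -->
  <!-- o.e.j.server.SslConnectionFactory and                       -->
  <!-- o.e.j.server.HttpConnectionFactory for all configuration    -->
  <!-- that may be set here.                                       -->
  <!-- =========================================================== -->
  <Call id="httpsConnector" name="addConnector">
    <Arg>
      <New class="org.eclipse.jetty.server.ServerConnector">
        <Arg name="server"><Ref refid="Server" /></Arg>

        <!-- -1 leaves the acceptor/selector thread counts to Jetty's own
             defaults (presumably derived from the available cores). -->
        <Arg name="acceptors" type="int"><Property name="solr.jetty.ssl.acceptors" default="-1"/></Arg>
        <Arg name="selectors" type="int"><Property name="solr.jetty.ssl.selectors" default="-1"/></Arg>

        <!-- Connection factory chain: TLS first, then HTTP/1.1 over the
             decrypted stream. "next" names the protocol the TLS factory
             hands off to, so it must match the HttpConnectionFactory that
             follows. "sslContextFactory" and "sslHttpConfig" are the
             objects built in jetty-ssl.xml, which must be loaded first. -->
        <Arg name="factories">
          <Array type="org.eclipse.jetty.server.ConnectionFactory">
            <Item>
              <New class="org.eclipse.jetty.server.SslConnectionFactory">
                <Arg name="next">http/1.1</Arg>
                <Arg name="sslContextFactory"><Ref refid="sslContextFactory"/></Arg>
              </New>
            </Item>
            <Item>
              <New class="org.eclipse.jetty.server.HttpConnectionFactory">
                <Arg name="config"><Ref refid="sslHttpConfig"/></Arg>
              </New>
            </Item>
          </Array>
        </Arg>

        <!-- Listen address. There is no default: when solr.jetty.host is
             unset the connector presumably binds every interface - set it
             to limit exposure; confirm against the Jetty docs in use. -->
        <Set name="host"><Property name="solr.jetty.host" /></Set>
        <Set name="port"><Property name="solr.jetty.https.port" default="8983"/></Set>

        <!-- Per-connection idle timeout. Jetty takes this in milliseconds,
             so 50000 is 50 s - confirm for this version. -->
        <Set name="idleTimeout"><Property name="solr.jetty.https.timeout" default="50000"/></Set>

        <!-- -1 presumably disables SO_LINGER (OS default close behaviour). -->
        <Set name="soLingerTime"><Property name="solr.jetty.https.soLingerTime" default="-1"/></Set>

        <!-- Thread-priority adjustments for acceptor/selector threads;
             0 means no adjustment. -->
        <Set name="acceptorPriorityDelta"><Property name="solr.jetty.ssl.acceptorPriorityDelta" default="0"/></Set>
        <Set name="selectorPriorityDelta"><Property name="solr.jetty.ssl.selectorPriorityDelta" default="0"/></Set>

        <!-- Accept backlog; 0 presumably lets the OS choose - confirm. -->
        <Set name="acceptQueueSize"><Property name="solr.jetty.https.acceptQueueSize" default="0"/></Set>
      </New>
    </Arg>
  </Call>
</Configure>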




-----Original Message-----
From: Jeff Wu [mailto:wuhai...@gmail.com]
Sent: Monday, February 29, 2016 12:58 PM
To: solr-user@lucene.apache.org
Subject: Re: Prevent the SSL Keystore and Truststore password from showing up 
in the Solr Admin and Linux processes (Solr 5.2.1)

Hi Katherine, we had exactly the same issue; we need to protect our passwords.
Anyone who can access the solr server can run "ps -elf|grep java" to grep the
solr command line, and it shows all the passwords in plain text.

The /bin/solr shell script sets 10 related system properties:
 SOLR_SSL_OPTS=" -Dsolr.jetty.keystore=$SOLR_SSL_KEY_STORE \
    -Dsolr.jetty.keystore.password=$SOLR_SSL_KEY_STORE_PASSWORD \
    -Dsolr.jetty.truststore=$SOLR_SSL_TRUST_STORE \
    -Dsolr.jetty.truststore.password=$SOLR_SSL_TRUST_STORE_PASSWORD \
    -Dsolr.jetty.ssl.needClientAuth=$SOLR_SSL_NEED_CLIENT_AUTH \
    -Dsolr.jetty.ssl.wantClientAuth=$SOLR_SSL_WANT_CLIENT_AUTH"
  SOLR_SSL_OPTS+=" -Djavax.net.ssl.keyStore=$SOLR_SSL_KEY_STORE \
      -Djavax.net.ssl.keyStorePassword=$SOLR_SSL_KEY_STORE_PASSWORD \
      -Djavax.net.ssl.trustStore=$SOLR_SSL_TRUST_STORE \
      -Djavax.net.ssl.trustStorePassword=$SOLR_SSL_TRUST_STORE_PASSWORD"
and also
       SOLR_JETTY_CONFIG+=("--module=https")

The questions we have:
1. We suspect "OBF:XYZ" does not work when set in solr.in.sh: the
javax.net.ssl properties can't work with Jetty OBF. What we saw is "Incorrect password":

Caused by: java.io.IOException: Keystore was tampered with, or password was 
incorrect at 
sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:780)
at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:56)
at
sun.security.provider.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:225)
at
sun.security.provider.JavaKeyStore$DualFormatJKS.engineLoad(JavaKeyStore.java:70)
at java.security.KeyStore.load(KeyStore.java:1445)
at
sun.security.ssl.SSLContextImpl$DefaultSSLContext.getDefaultKeyManager(SSLContextImpl.java:852)
at
sun.security.ssl.SSLContextImpl$DefaultSSLContext.<init>(SSLContextImpl.java:732)
at sun.reflect.GeneratedConstructorAccessor280.newInstance(Unknown Source) at
sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
at java.lang.reflect.Constructor.newInstance(Constructor.java:422)
at java.security.Provider$Service.newInstance(Provider.java:1595)

2. Is there any good sample we can refer to for configuring jetty-https.xml and
jetty-ssl.xml to leverage Jetty OBF?
Katherine, can you share your jetty-ssl.xml and jetty-https.xml?
From this link:
http://www.eclipse.org/jetty/documentation/9.2.6.v20141205/configuring-ssl.html,
did you put the keystore files under jetty home
and follow this sample?
<!-- Jetty documentation sample: the passwords are written into the XML
     itself in Jetty's OBF: form instead of being supplied as -D system
     properties, so they never appear on the java command line. OBF: is
     reversible obfuscation, not encryption - restrict read access to the
     file that holds it. -->
<New id="sslContextFactory" class=
"org.eclipse.jetty.util.ssl.SslContextFactory">
  <!-- Path is built from the jetty.home property plus a fixed suffix. -->
  <Set name="KeyStorePath"><Property name="jetty.home" default="."
/>/etc/keystore</Set>
  <Set name="KeyStorePassword">OBF:1vny1zlo1x8e1vnw1vn61x8g1zlu1vn4</Set>
  <!-- Password for the private key inside the key store, set here
       separately from the key store password. -->
  <Set name="KeyManagerPassword">OBF:1u2u1wml1z7s1z7a1wnl1u2g</Set>
  <!-- Trust store is the same file as the key store in this sample. -->
  <Set name="TrustStorePath"><Property name="jetty.home" default="."
/>/etc/keystore</Set>
  <Set name="TrustStorePassword">OBF:1vny1zlo1x8e1vnw1vn61x8g1zlu1vn4</Set>
</New>




2016-02-15 13:23 GMT-05:00 Katherine Mora
<km...@searchtechnologies.com>:

> Hello All,
>
> I've configured Solr 5.2.1 to enable SSL by following the instructions
> listed in the Wiki in Enabling SSL
> <https://cwiki.apache.org/confluence/display/solr/Enabling+SSL>. This
> is working fine. However, if I go to the Solr Admin (Dashboard -> JVM
> -> Args) or if I list the processes running in the computer, I can see
> the password that I set in the solr.in.sh script for
> SOLR_SSL_KEY_STORE_PASSWORD and
> SOLR_SSL_TRUST_STORE_PASSWORD:
>
> -Dsolr.jetty.truststore.password=XYZ
> -Dsolr.jetty.keystore.password=XYZ
> -Djavax.net.ssl.trustStorePassword=XYZ
> -Djavax.net.ssl.keyStorePassword=XYZ
>
>
> I have tried securing the passwords using Jetty's Password utility:
>
> java -cp jetty-util-9.2.10.v20150310.jar
> org.eclipse.jetty.util.security.Password XYZ
>
> And using the "OBF:XYZ" password in solr.in.sh instead but I get an
> exception java.security.NoSuchAlgorithmException -> java.io.IOException:
> Keystore was tampered with, or password was incorrect (I'm listing the
> complete exception below as well)
>
> Additionally, I have tried to remove the lines in the "bin/solr"
> script that set the passwords in SOLR_SSL_OPTS and eventually in
> SOLR_OPTS instead, setting the passwords directly in the jetty
> configuration files located under "server/etc". However, when I do
> this, I get an exception saying the password cannot be null. It seems
> like there is a setting that is not listed in the jetty files. I found
> that "keyManagerPassword" is not listed in the jetty-ssl.xml file and
> I added it, but I keep getting the same error.
>
> Does anyone know how to prevent the SSL keystore and trust store
> password from showing up in the Solr Admin by doing the configuration
> in the jetty files or by securing the passwords?
>
> Thanks in advance for any help you can provide.
>
>
> Caused by: java.net.SocketException:
> java.security.NoSuchAlgorithmException: Error constructing
> implementation
> (algorithm: Default, provider: SunJSSE, class:
> sun.security.ssl.SSLContextImpl$DefaultSSLContext)
>         at
> javax.net.ssl.DefaultSSLSocketFactory.throwException(SSLSocketFactory.java:198)
>         at
> javax.net.ssl.DefaultSSLSocketFactory.createSocket(SSLSocketFactory.java:205)
>         at
> org.apache.http.conn.ssl.SSLSocketFactory.createSocket(SSLSocketFactory.java:513)
>         at
> org.apache.http.conn.ssl.SSLSocketFactory.createSocket(SSLSocketFactory.java:383)
>         at
> org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:165)
>         at
> org.apache.http.impl.conn.ManagedClientConnectionImpl.open(ManagedClientConnectionImpl.java:304)
>         at
> org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:611)
>         at
> org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:446)
>         at
> org.apache.http.impl.client.AbstractHttpClient.doExecute(AbstractHttpClient.java:882)
>         at
> org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82)
>         at
> org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:107)
>         at
> org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:55)
>         at
> org.apache.solr.client.solrj.impl.HttpSolrClient.executeMethod(HttpSolrClient.java:466)
>         ... 12 more
> Caused by: java.security.NoSuchAlgorithmException: Error constructing
> implementation (algorithm: Default, provider: SunJSSE, class:
> sun.security.ssl.SSLContextImpl$DefaultSSLContext)
>         at java.security.Provider$Service.newInstance(Provider.java:1259)
>         at sun.security.jca.GetInstance.getInstance(GetInstance.java:236)
>         at sun.security.jca.GetInstance.getInstance(GetInstance.java:164)
>         at javax.net.ssl.SSLContext.getInstance(SSLContext.java:156)
>         at javax.net.ssl.SSLContext.getDefault(SSLContext.java:97)
>         at
> javax.net.ssl.SSLSocketFactory.getDefault(SSLSocketFactory.java:121)
>         at
> org.apache.http.conn.ssl.SSLSocketFactory.getSystemSocketFactory(SSLSocketFactory.java:190)
>         at
> org.apache.http.impl.conn.SchemeRegistryFactory.createSystemDefault(SchemeRegistryFactory.java:85)
>         at
> org.apache.http.impl.client.SystemDefaultHttpClient.createClientConnectionManager(SystemDefaultHttpClient.java:121)
>         at
> org.apache.http.impl.client.AbstractHttpClient.getConnectionManager(AbstractHttpClient.java:484)
>         at
> org.apache.solr.client.solrj.impl.HttpClientUtil.setMaxConnections(HttpClientUtil.java:214)
>         at
> org.apache.solr.client.solrj.impl.HttpClientConfigurer.configure(HttpClientConfigurer.java:35)
>         at
> org.apache.solr.client.solrj.impl.HttpClientUtil.configureClient(HttpClientUtil.java:142)
>         at
> org.apache.solr.client.solrj.impl.HttpClientUtil.createClient(HttpClientUtil.java:118)
>         at
> org.apache.solr.handler.component.HttpShardHandlerFactory.init(HttpShardHandlerFactory.java:166)
>         at
> org.apache.solr.handler.component.ShardHandlerFactory.newInstance(ShardHandlerFactory.java:49)
>         at org.apache.solr.core.CoreContainer.load(CoreContainer.java:328)
>         at
> org.apache.solr.servlet.SolrDispatchFilter.createCoreContainer(SolrDispatchFilter.java:140)
>         at
> org.apache.solr.servlet.SolrDispatchFilter.init(SolrDispatchFilter.java:110)
>         at
> org.eclipse.jetty.servlet.FilterHolder.initialize(FilterHolder.java:138)
>         at
> org.eclipse.jetty.servlet.ServletHandler.initialize(ServletHandler.java:852)
>         at
> org.eclipse.jetty.servlet.ServletContextHandler.startContext(ServletContextHandler.java:298)
>         at
> org.eclipse.jetty.webapp.WebAppContext.startWebapp(WebAppContext.java:1349)
>         at
> org.eclipse.jetty.webapp.WebAppContext.startContext(WebAppContext.java:1342)
>         at
> org.eclipse.jetty.server.handler.ContextHandler.doStart(ContextHandler.java:741)
>         at
> org.eclipse.jetty.webapp.WebAppContext.doStart(WebAppContext.java:505)
>         at
> org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
>         at
> org.eclipse.jetty.deploy.bindings.StandardStarter.processBinding(StandardStarter.java:41)
>         at
> org.eclipse.jetty.deploy.AppLifeCycle.runBindings(AppLifeCycle.java:186)
>         at
> org.eclipse.jetty.deploy.DeploymentManager.requestAppGoal(DeploymentManager.java:498)
>         at
> org.eclipse.jetty.deploy.DeploymentManager.addApp(DeploymentManager.java:146)
>         at
> org.eclipse.jetty.deploy.providers.ScanningAppProvider.fileAdded(ScanningAppProvider.java:180)
>         at
> org.eclipse.jetty.deploy.providers.WebAppProvider.fileAdded(WebAppProvider.java:461)
>         at
> org.eclipse.jetty.deploy.providers.ScanningAppProvider$1.fileAdded(ScanningAppProvider.java:64)
>         at org.eclipse.jetty.util.Scanner.reportAddition(Scanner.java:609)
>         at
> org.eclipse.jetty.util.Scanner.reportDifferences(Scanner.java:528)
>         at org.eclipse.jetty.util.Scanner.scan(Scanner.java:391)
>         at org.eclipse.jetty.util.Scanner.doStart(Scanner.java:313)
>         at
> org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
>         at
> org.eclipse.jetty.deploy.providers.ScanningAppProvider.doStart(ScanningAppProvider.java:150)
>         at
> org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
>         at
> org.eclipse.jetty.deploy.DeploymentManager.startAppProvider(DeploymentManager.java:560)
>         at
> org.eclipse.jetty.deploy.DeploymentManager.doStart(DeploymentManager.java:235)
>         at
> org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
>         at
> org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:132)
>         at org.eclipse.jetty.server.Server.start(Server.java:387)
>         at
> org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:114)
>         at
> org.eclipse.jetty.server.handler.AbstractHandler.doStart(AbstractHandler.java:61)
>         at org.eclipse.jetty.server.Server.doStart(Server.java:354)
>         at
> org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
>         at
> org.eclipse.jetty.xml.XmlConfiguration$1.run(XmlConfiguration.java:1255)
>         at java.security.AccessController.doPrivileged(Native Method)
>         at
> org.eclipse.jetty.xml.XmlConfiguration.main(XmlConfiguration.java:1174)
>         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>         at
> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
>         at
> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>         at java.lang.reflect.Method.invoke(Method.java:606)
>         at org.eclipse.jetty.start.Main.invokeMain(Main.java:321)
>         at org.eclipse.jetty.start.Main.start(Main.java:817)
>         at org.eclipse.jetty.start.Main.main(Main.java:112)
> Caused by: java.io.IOException: Keystore was tampered with, or
> password was incorrect
>         at
> sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:772)
>         at
> sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:55)
>         at java.security.KeyStore.load(KeyStore.java:1214)
>         at
> sun.security.ssl.SSLContextImpl$DefaultSSLContext.getDefaultKeyManager(SSLContextImpl.java:642)
>         at
> sun.security.ssl.SSLContextImpl$DefaultSSLContext.<init>(SSLContextImpl.java:527)
>         at
> sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native
> Method)
>         at
> sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:57)
>         at
> sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
>         at java.lang.reflect.Constructor.newInstance(Constructor.java:526)
>         at java.security.Provider$Service.newInstance(Provider.java:1240)
>         ... 59 more
> Caused by: java.security.UnrecoverableKeyException: Password
> verification failed
>         at
> sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:770)
>         ... 68 more
>
>
> Katherine Mora
>
