Hi, I'm also a Solr beginner but I think I can answer a few of your questions:
5 - There's a bug in solr.cmd related to SSL where the settings defined in solr.in.cmd are ignored. You can see SOLR-8491 (https://issues.apache.org/jira/browse/SOLR-8491) for more information and a fix.

6 - From my understanding, the 'cURL certificate' is only useful if your Solr instance is using a self-signed certificate; it is used by the client to validate that the server's certificate is valid.

7 - The example (from your link) shows how to set up 2 Solr instances on the same machine using different ports (-p) and data directories (-s). When running in SolrCloud configuration, Solr does not know which protocol to use when communicating with other Solr instances and uses HTTP by default. You can change this behavior by changing the urlScheme cluster property stored in ZooKeeper to HTTPS.

Alex

-----Original Message-----
From: Kostas [mailto:k...@dataverse.gr]
Sent: June 28, 2016 8:42 AM
To: solr-user@lucene.apache.org
Subject: RE: Beginer's questions

Regarding the SSL question, it fails when I try this too:

    solr start -c -V ^
      -Dsolr.ssl.checkPeerName=false ^
      -Djavax.net.ssl.keyStorePassword=password ^
      -Djavax.net.ssl.trustStorePassword=password ^
      -Djavax.net.ssl.keyStore="F:/Users/me/Downloads/solr-6.1.0/server/etc/solr-ssl.keystore.jks" ^
      -Djavax.net.ssl.trustStore="F:/Users/me/Downloads/solr-6.1.0/server/etc/solr-ssl.keystore.jks"

But when I specify the exact same settings inside `solr-6.1.0\server\etc\jetty-ssl.xml` it works. Do those two places do the same thing?

This is the failure I get when jetty-ssl.xml has a wrong password:

    java.lang.reflect.InvocationTargetException
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at org.eclipse.jetty.start.Main.invokeMain(Main.java:214)
        at org.eclipse.jetty.start.Main.start(Main.java:457)
        at org.eclipse.jetty.start.Main.main(Main.java:75)
    Caused by: java.io.IOException: Keystore was tampered with, or password was incorrect
        at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:780)
        at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:56)
        at sun.security.provider.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:224)
        at sun.security.provider.JavaKeyStore$DualFormatJKS.engineLoad(JavaKeyStore.java:70)
        at java.security.KeyStore.load(KeyStore.java:1445)
        at org.eclipse.jetty.util.security.CertificateUtils.getKeyStore(CertificateUtils.java:52)
        at org.eclipse.jetty.util.ssl.SslContextFactory.loadKeyStore(SslContextFactory.java:1016)
        at org.eclipse.jetty.util.ssl.SslContextFactory.doStart(SslContextFactory.java:332)
        at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
        at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:132)
        at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:114)
        at org.eclipse.jetty.server.SslConnectionFactory.doStart(SslConnectionFactory.java:64)
        at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
        at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:132)
        at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:114)
        at org.eclipse.jetty.server.AbstractConnector.doStart(AbstractConnector.java:260)
        at org.eclipse.jetty.server.AbstractNetworkConnector.doStart(AbstractNetworkConnector.java:81)
        at org.eclipse.jetty.server.ServerConnector.doStart(ServerConnector.java:244)
        at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
        at org.eclipse.jetty.server.Server.doStart(Server.java:384)
        at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
        at org.eclipse.jetty.xml.XmlConfiguration$1.run(XmlConfiguration.java:1510)
        at java.security.AccessController.doPrivileged(Native Method)
        at org.eclipse.jetty.xml.XmlConfiguration.main(XmlConfiguration.java:1435)
        ... 7 more
    Caused by: java.security.UnrecoverableKeyException: Password verification failed
        at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:778)
        ... 30 more

From a few tests that I've run, it seems that the `jetty-ssl.xml` overrides the command-line arguments. I haven't seen you mention anywhere that I should update `jetty-ssl.xml` and the cmd-line doesn't seem to override those settings, so what am I missing?

Kostas

-----Original Message-----
From: Kostas [mailto:k...@dataverse.gr]
Sent: Tuesday, June 28, 2016 1:36 PM
To: solr-user@lucene.apache.org
Subject: Beginer's questions

Hello.

I have a ton of questions that I could use some answers to. If someone can answer some of them it would be great.

1) I had problems making my Solr 6.1 setup use a fixed collection schema. When I placed the schema.xml file in the filesystem as shown here <http://2.bp.blogspot.com/-zWmWPHKrmYA/URBOUoCYOLI/AAAAAAAAA8M/px33YlR5gCg/s1600/croppedLargeFontSolrDirectoryStructure.jpg> my Solr installation used to become corrupt (you cannot imagine how much time I've spent on this thing). Later I came across this <https://mail-archives.apache.org/mod_mbox/lucene-solr-user/201509.mbox/%3CCaf2dzvvbh2bxrsyeoynrvnl2tjfydahijkakcbigazwpine...@mail.gmail.com%3E> and this <https://mail-archives.apache.org/mod_mbox/lucene-solr-user/201509.mbox/%3CCan4yxvf+1a6jsum3bsus2lo8sst3hbjuihr0-y6h4qjor57...@mail.gmail.com%3E>. I have done what it said (I have uploaded the complete configuration onto ZooKeeper and then used it in a new collection) and it worked. So, is this the new way of configuring a collection? I thought ZK was only used for high scalability. If I run my Solr NOT in cloud mode, would I still have to use the same method?

2) Is it bad to run Solr in cloud mode, even if you don't need high scalability? Because I have configured it to run like that (cloud mode) and I don't know if it will have any side-effects. I don't think I need high scalability anyway.

3) When using only 1 core, 1 collection, 1 node, 1 shard (and I have not yet cleared out all these terms by the way, even by looking at the definitions for hours) can Solr process incoming requests both for querying and for posting new data in a multithreaded manner? I think the answer here is yes, but it would be nice if you could confirm that to me.

4) I have tried to move the cores folder (SOLR_HOME) out of the default location using the `solr.in.cmd` (I am on Windows) file by setting this:

    set SOLR_HOME="F:\Users\me\Downloads\solr-6.1.0\solr-home"

I was expecting this to work out of the box, but it turns out it doesn't. The admin UI didn't seem to work quite well with that setting in place. If I remember well, it failed when I tried to add a new core. Am I missing something there? I generally start my Solr like that:

    solr start -c -Dsolr.ssl.checkPeerName=false -Djavax.net.ssl.keyStorePassword=password -Djavax.net.ssl.trustStorePassword=password

5) I have tried to set up SSL on the Solr server. I have followed the steps here <https://cwiki.apache.org/confluence/display/solr/Enabling+SSL>, and I have updated `solr.in.cmd` with all the settings. It didn't seem to work (for some reason it didn't get the password correctly) and I had to put the settings inside `server/etc/jetty.xml` to make it work. Have I missed anything there? Seems like whatever I put in `solr.in.cmd` is ignored or something. The weird thing is that I have tried to use the options when starting Solr too and they didn't seem to work:

    solr start -c -Dsolr.ssl.checkPeerName=false -Djavax.net.ssl.keyStorePassword=password -Djavax.net.ssl.trustStorePassword=password

6) If I want my client to use its own certificate that the Solr server will validate before executing any queries, can I do that? I see the examples here: https://cwiki.apache.org/confluence/display/solr/Enabling+SSL where you seem to have cURL use the server's certificate as a client certificate (that's what I understand at least). Shouldn't the client have its own certificate that the server should trust? And, also, I have tried using the client without any client certificates and the server accepts it. Why do you feed cURL with a certificate if that is not needed and is there a way to make Solr validate the client certificate with a whitelist or something similar?

7) The section `Run SolrCloud with SSL` here: https://cwiki.apache.org/confluence/display/solr/Enabling+SSL#EnablingSSL-RunSolrCloudwithSSL, seems weird to me because I don't see what it has to do with SSL (maybe apart from the `-Dsolr.ssl.checkPeerName=false` option). Why does it make two nodes there? Do you have to make two nodes to set up SSL in cloud mode?!?! As far as I see the -s option has nothing to do with SSL either. So what does this section demonstrate? I am already running Solr in cloud mode (using the -c option) with SSL enabled and I didn't have to do any of those!

That was most of it. :)

Thanks for your patience and any feedback would be welcome (I hope I have not missed too much and I am totally off topic),

Kostas