Bob
Thanks for mentioning the jetty-ssl.xml file.
I have a follow-on question: since it is strongly recommended that you
host Solr behind a web app (perhaps solr-security-proxy is adequate),
the Solr REST interface will not be on the open Internet, so perhaps
HTTP is the appropriate protocol?
Unless you have Solr authentication and do not trust all the internal
hosts. I could be quite wrong, please correct.
cheers -- Rick
On 01/04/2018 11:51 AM, Bob Feider wrote:
When I use the provided Apache SOLR startup script (version 6.6.0),
the script creates and then executes a java command line that has two
sets of SSL properties whose related elements are set to the same
values. One set has property names like |javax.net.ssl.*| while the
other set has names like |solr.jetty.*|. For example:
|java -server ...-Dsolr.jetty.keystore.password=secret
...-Djavax.net.ssl.keyStorePassword=secret ......-jar start.jar
--module=https|
Our security team does not allow passwords to be passed along on the
command line or in environment variables but will allow them to be
placed in a file provided the file has restricted access permissions.
I noticed that there is a |jetty-ssl.xml| file in the
|solr/server/etc| directory that can be used to provide default values
for the |SOLR SSL| related properties including the
|solr.jetty.keystore.password|. When I remove the
|javax.net.ssl.keyStorePassword| and |solr.jetty.keystore.password|
properties from the java command line and update the |jetty-ssl.xml|
file with my default keystore password, SOLR appears to start properly
with the default keystore password contained in that file. I can then
connect with my browser to |https://localhost:8983/solr/#| and access
the SOLR Admin page just fine.
Are the |javax.net.ssl.*| properties used at all in the SOLR
standalone or SOLR cloud products?
Do I need to provide the javax.net.ssl.* properties on the command
line for proper operation or can I get away with simply providing them
in the jetty-ssl.xml file?
I am concerned that they are used behind the scenes outside of the
browser to SOLR server connections to connect to other processes like
zookeeper and that by doing this I will uncover some problem down the
road that my simple testing has not revealed. The only direct
reference to the properties I can see in the source code is in the
solr embedded code that is part of the solrj client inside the
SSLConfig Java class.
Thanks for your help,
Bob
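
The policy described in the thread (no passwords on the command line, password file with restricted permissions) can be checked mechanically. The following is an added example, not part of the original messages and not Solr code; the function names, the sample argv and the placeholder keystore path are assumptions, and `cmdline_of` assumes a Linux `/proc` filesystem.

```python
import os
import re
import stat
import tempfile

# Matches -D<name>=<value> where <name> contains "password" (any case).
# Generalising beyond the two names in the thread is an assumption.
SECRET_PROP = re.compile(r"^-D([A-Za-z0-9_.]*password[A-Za-z0-9_.]*)=(.+)$", re.I)

# Constructed sample argv modelled on the command line quoted in the thread;
# the keystore path is a placeholder.
SAMPLE_ARGV = [
    "java", "-server",
    "-Dsolr.jetty.keystore=etc/example-keystore.jks",
    "-Dsolr.jetty.keystore.password=secret",
    "-Djavax.net.ssl.keyStorePassword=secret",
    "-jar", "start.jar", "--module=https",
]

def secrets_on_cmdline(argv):
    """Return names of -D system properties that pass a password in argv."""
    return [m.group(1) for m in map(SECRET_PROP.match, argv) if m]

def cmdline_of(pid):
    """Read the argv of a running process (Linux /proc only)."""
    with open(f"/proc/{pid}/cmdline", "rb") as fh:
        return [a.decode(errors="replace") for a in fh.read().split(b"\0") if a]

def owner_only(path):
    """True when group and other have no permission bits on the file."""
    return stat.S_IMODE(os.stat(path).st_mode) & 0o077 == 0

def run_demo():
    """Check the sample argv, then a temp file standing in for jetty-ssl.xml."""
    exposed = secrets_on_cmdline(SAMPLE_ARGV)
    with tempfile.TemporaryDirectory() as d:
        cfg = os.path.join(d, "jetty-ssl.xml")  # stand-in, not Solr's real file
        with open(cfg, "w") as fh:
            fh.write("<!-- constructed placeholder -->\n")
        os.chmod(cfg, 0o644)
        loose = owner_only(cfg)
        os.chmod(cfg, 0o600)
        tight = owner_only(cfg)
    return exposed, loose, tight

if __name__ == "__main__":
    print(run_demo())
```

Against a live instance, pass `cmdline_of(<pid of the Solr JVM>)` to `secrets_on_cmdline` and the real path of `jetty-ssl.xml` to `owner_only`.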