Anchal,
On 5/24/18 6:02 AM, Anchal Sharma2 wrote:
> Thanks a lot for sharing the steps. I tried a few of them. Actually
> we already have been using solr in our application for a year or
> so. We just want to encrypt it to use secure solr now. So, I
> followed the steps where you have created the certificates, etc.
> But when I go to start solr back, it doesn't start. We are
> using zookeeper. Following is the error I get on running the solr
> start command.
>
> Command: ./solr -c -m 1g -p 8984 -z <localhost>:2181 -s <path till folder containing data>
>
> Error:
>
> lsof 4.55 (latest revision at ftp://vic.cc.purdue.edu/pub/tools/unix/lsof)
> usage: [-?abhlnNoOPRstUvVX] [-c c] [+|-d s] [+|-D D] [+|-f[cfgGn]] [-F [f]]
>  [-g [s]] [-i [i]] [+|-L [l]] [-m m] [+|-M] [-o [o]] [-p s]
>  [+|-r [t]] [-S [t]] [-T [t]] [-u s] [+|-w] [--] [names]
> Use the ``-h'' option to get more help information.
> Still not seeing Solr listening on 8984 after 30 seconds!
>         at java.security.KeyStore.load(KeyStore.java:1456)
>         at org.eclipse.jetty.util.security.CertificateUtils.getKeyStore(CertificateUtils.java:55)
>         at org.eclipse.jetty.util.ssl.SslContextFactory.loadKeyStore(SslContextFactory.java:871)
>         at org.eclipse.jetty.util.ssl.SslContextFactory.doStart(SslContextFactory.java:273)
>         at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
>         at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:132)
>         at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:114)
>         at org.eclipse.jetty.server.SslConnectionFactory.doStart(SslConnectionFactory.java:64)
>         at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
>         at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:132)
>         at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:114)
>         at org.eclipse.jetty.server.AbstractConnector.doStart(AbstractConnector.java:256)
>         at org.eclipse.jetty.server.AbstractNetworkConnector.doStart(AbstractNetworkConnector.java:81)
>         at org.eclipse.jetty.server.ServerConnector.doStart(ServerConnector.java:236)
>         at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
>         at org.eclipse.jetty.server.Server.doStart(Server.java:366)
>         at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
>         at org.eclipse.jetty.xml.XmlConfiguration$1.run(XmlConfiguration.java:1255)
>         at java.security.AccessController.doPrivileged(AccessController.java:594)
>         at org.eclipse.jetty.xml.XmlConfiguration.main(XmlConfiguration.java:1174)
>         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:90)
>         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:55)
>         at java.lang.reflect.Method.invoke(Method.java:508)
>         at org.eclipse.jetty.start.Main.invokeMain(Main.java:321)
>         at org.eclipse.jetty.start.Main.start(Main.java:817)
>         at org.eclipse.jetty.start.Main.main(Main.java:112)
> 2018-05-24 09:05:16.714 INFO  (zkCallback-3-thread-1-processing-n:9.109.122.113:8984_solr) [   ] o.a.s.c.c.ZkStateReader A cluster state change: WatchedEvent state:SyncConnected type:NodeDataChanged path:/clusterstate.json, has occurred - updating... (live nodes size: 1)
> 2018-05-24 09:05:17.018 INFO  (zkCallback-3-thread-1-processing-n:9.109.122.113:8984_solr) [   ] o.a.s.c.c.ZkStateReader Updated cluster state version to 9702
> 2018-05-24 09:05:17.153 INFO  (coreLoadExecutor-7-thread-2-processing-n:9.109.122.113:8984_solr) [c:document r:core_node1 x:document] o.a.s.u.SolrIndexConfig IndexWriter infoStream solr logging is enabled
> [\] sleep: bad character in argument

What does the solr.log file say?
The above stack trace isn't terribly helpful, and it's incomplete.

-chris

> -----Christopher Schultz <ch...@christopherschultz.net> wrote: -----
> To: solr-user@lucene.apache.org
> From: Christopher Schultz <ch...@christopherschultz.net>
> Date: 05/23/2018 07:29PM
> Subject: Re: Question regarding TLS version for solr
>
> Anchal,
>
> On 5/23/18 2:38 AM, Anchal Sharma2 wrote:
>> Thank you for replying. But I checked the java version solr is
>> using, and it is already version 1.8.
>
>> @Christopher, can you let me know what steps you followed for
>> TLS authentication on solr version 7.3.0.
>
> Sure. Here are my deployment notes. You may have to adjust them
> slightly for your environment. Note that we are using standalone
> Solr without any Zookeeper, clustering, etc. This is just about
> configuring a single instance. Also, this guide says 7.3.0, but
> 7.3.1 would be better as it contains a fix for a CVE.
>
> === CUT ===
>
> ========================================================
> Instructions for installing Solr and working with Cores
> ========================================================
>
> Installation
> ------------
>
> Installing Solr is fairly simple. One can simply untar the
> distribution tarball and work from that directory, but it is better
> to install it in a somewhat more centralized place with a separate
> data directory to facilitate upgrades, etc.
>
> 1. Obtain the distribution tarball
>
>    Go to https://lucene.apache.org/solr/mirrors-solr-latest-redir.html
>    and obtain the latest supported version of Solr (7.3.0 as of this
>    writing).
>
> 2. Untar the archive
>
>    $ tar xzf solr-x.y.z.tgz
>
> 3. Install Solr
>
>    $ cd solr-x.y.z
>    $ sudo bin/install_solr_service.sh ../solr-x.y.z.tgz \
>        -i /usr/local \
>        -d /mnt/securefs/solr \
>        -n
>
>    (that last -n says "don't start Solr")
>
> 4. Configure Solr Settings
>
>    Edit the file /etc/default/solr.in.sh
>
>    Settings you may want to explicitly set:
>
>    SOLR_JAVA_HOME=(java home)
>    SOLR_HEAP="1024M"
>
> 5. Configure Solr for TLS
>
>    Create a server key and certificate:
>
>    $ sudo mkdir /etc/solr
>    $ sudo keytool -genkey -keyalg EC -sigalg SHA256withECDSA -keysize 256 -validity 730 \
>        -alias 'solr-ssl' -keystore /etc/solr/solr.p12 -storetype PKCS12 \
>        -ext san=dns:localhost,ip:192.168.10.20
>
>    Use the following information for the certificate:
>
>    First and Last name: 192.168.10.20 (or "localhost", or your IP address)
>    Org unit: [whatever]
>    Everything else should be obvious
>
>    Now, export the public key from the keystore.
>
>    $ sudo /usr/local/java-8/bin/keytool -list -rfc -keystore /etc/solr/solr.p12 \
>        -storetype PKCS12 -alias solr-ssl
>
>    Copy that certificate and paste it into this command's stdin:
>
>    $ sudo keytool -importcert -keystore /etc/solr/solr-server.p12 \
>        -storetype PKCS12 -alias 'solr-ssl'
>
>    Now, fix the ownership and permissions on these files:
>
>    $ sudo chown root:solr /etc/solr/solr.p12 /etc/solr/solr-server.p12
>    $ sudo chmod 0640 /etc/solr/solr.p12
>
>    Edit the file /etc/default/solr.in.sh
>
>    Set the following settings:
>
>    SOLR_SSL_KEY_STORE=/etc/solr/solr.p12
>    SOLR_SSL_KEY_STORE_TYPE=PKCS12
>    SOLR_SSL_KEY_STORE_PASSWORD=whatever
>
>    # You MUST set the trust store for some reason.
>    SOLR_SSL_TRUST_STORE=/etc/solr/solr-server.p12
>    SOLR_SSL_TRUST_STORE_TYPE=PKCS12
>    SOLR_SSL_TRUST_STORE_PASSWORD=whatever
>
>    Then, patch the file bin/post; you are going to need this, later.
>
>    --- bin/post	2017-09-03 13:29:15.000000000 -0400
>    +++ /usr/local/solr/bin/post	2018-04-11 20:08:17.000000000 -0400
>    @@ -231,8 +231,8 @@
>     PROPS+=('-Drecursive=yes')
>     fi
>
>    -echo "$JAVA" -classpath "${TOOL_JAR[0]}" "${PROPS[@]}" org.apache.solr.util.SimplePostTool "${PARAMS[@]}"
>    -"$JAVA" -classpath "${TOOL_JAR[0]}" "${PROPS[@]}" org.apache.solr.util.SimplePostTool "${PARAMS[@]}"
>    +echo "$JAVA" -classpath "${TOOL_JAR[0]}" "${PROPS[@]}" ${SOLR_POST_OPTS} org.apache.solr.util.SimplePostTool "${PARAMS[@]}"
>    +"$JAVA" -classpath "${TOOL_JAR[0]}" "${PROPS[@]}" ${SOLR_POST_OPTS} org.apache.solr.util.SimplePostTool "${PARAMS[@]}"
>
> 6. Configure Solr to Require Client TLS Certificates
>
>    On each client, create a client key and certificate:
>
>    $ keytool -genkey -keyalg EC -sigalg SHA256withECDSA -keysize 256 \
>        -validity 730 -alias 'solr-client-ssl'
>
>    Now dump the certificate for the next step:
>
>    $ keytool -exportcert -keystore [client-key-store] -storetype PKCS12 \
>        -alias 'solr-client-ssl'
>
>    Don't forget that you might want to generate your own client
>    certificate to use from your own web browser if you want to be able
>    to connect to the server's dashboard.
>
>    Use the output of that command on each client to put the cert(s)
>    into this trust store on the server:
>
>    $ sudo keytool -importcert -keystore /etc/solr/solr-trusted-clients.p12 \
>        -storetype PKCS12 -alias '[client key alias]'
>
>    Edit /etc/default/solr.in.sh and add the following entries:
>
>    SOLR_SSL_NEED_CLIENT_AUTH=true
>    SOLR_SSL_TRUST_STORE=/etc/solr/solr-trusted-clients.p12
>    SOLR_SSL_TRUST_STORE_TYPE=PKCS12
>    SOLR_SSL_TRUST_STORE_PASSWORD=whatever
>
> Summary of Files in /etc/solr
> -----------------------------
>
> solr-client.p12            Client keystore. Contains client key and
>                            certificate. Used by clients to identify
>                            themselves to the server.
>
> solr.p12                   Server keystore. Contains server key and
>                            certificate. Used by server to identify
>                            itself to clients.
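Review bot: keeping the `+echo "$JAVA" ... ${SOLR_POST_OPTS} ...` line means bin/post now prints the full command line, and the SOLR_POST_OPTS value used later in these notes carries -Djavax.net.ssl.keyStorePassword and -Djavax.net.ssl.trustStorePassword, so both store passwords end up on stdout and in any terminal transcript or job log; drop the echo line, or echo only "${PROPS[@]}" and "${PARAMS[@]}", before passing secrets this way. A smaller point: ${SOLR_POST_OPTS} is deliberately unquoted so that several -D options word-split, which also means a store path containing a space will break; an array (SOLR_POST_OPTS=(...)) expanded as "${SOLR_POST_OPTS[@]}", the way PROPS is already handled on the same line, covers both cases. Finally, the `@@ -231,8 +231,8 @@` header promises eight lines per side but fewer are reproduced here, so the hunk as pasted will not apply cleanly with patch(1); the trailing context lines are missing.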
>
> solr-server.p12            Client trust store. Contains server's
>                            certificate. Used by clients to identify
>                            and trust the server.
>
> solr-trusted-clients.p12   Server trust store. Contains trusted
>                            client certificates. Used by server to
>                            trust clients.
>
> Starting and Stopping Solr
> --------------------------
>
> If you've installed Solr as a service, you can simply run:
>
> $ sudo /etc/init.d/solr [cmd]
>
> If you haven't installed Solr as a service, you can run the Solr
> script directly from the expanded tarball directory:
>
> $ ${SOLR_HOME}/bin/solr start (or stop)
>
> Creating a New Core (Index)
> ---------------------------
>
> If you have installed Solr as a service, you will have to use sudo
> to create your core so that the directories and files get the
> correct ownership and permissions.
>
> $ sudo -u solr /usr/local/solr/bin/solr -c [corename]
>
> If you haven't installed Solr as a service, this is nominally
> easier:
>
> $ ${SOLR_HOME}/bin/solr -c [corename]
>
> Loading Data into a Core (Index)
> --------------------------------
>
> If you have installed Solr as a service using TLS, you will need to
> do some additional work to call Solr's "post" program. First,
> ensure you have patched bin/post according to the installation
> instructions above. Then:
>
> $ SOLR_POST_OPTS="-Djavax.net.ssl.trustStore=/etc/solr/solr-server.p12
>   -Djavax.net.ssl.trustStoreType=PKCS12
>   -Djavax.net.ssl.trustStorePassword=[whatever]
>   -Djavax.net.ssl.keyStore=/etc/solr/solr-client.p12
>   -Djavax.net.ssl.keyStoreType=PKCS12
>   -Djavax.net.ssl.keyStorePassword=[whatever]" \
>   /usr/local/solr/bin/post \
>   -url https://localhost:8983/solr/[corename]/update [file-to-post]
>
> If you haven't configured Solr with TLS, you can simply do:
>
> $ ${SOLR_HOME}/bin/post -c [corename] [file-to-post]
>
> === CUT ===
>
> I hope that helps.
>
> I give permission to anyone on the Solr team to adapt the above
> content into a TLS guide for the Solr documentation.
>
> -chris
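As an added example (not part of this thread, of Chris's notes, or of the Solr project): a pre-flight script that reads the SOLR_SSL_* settings from a solr.in.sh laid out as in the guide above and, before "solr start" ever tries to load them, checks that each store it names is set, exists, is readable by the account running the check, is not world-readable, and, when keytool is on PATH, actually opens with the configured password and store type. The variable names and file layout are those of the guide; the function names, the default of JKS when no store type is given, and the "whatever" password are assumptions.

```shell
#!/bin/sh
# Pre-flight check for the TLS settings in /etc/default/solr.in.sh.
# Added example; not from the thread above or from the Solr project.
# It reads the SOLR_SSL_* variables the guide sets and verifies the
# stores they name before "solr start" tries to load them.

# cfg_get FILE KEY: print the value of the last "KEY=value" line in FILE,
# with surrounding single or double quotes stripped (empty if unset).
cfg_get() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 | sed "s/^[\"']//; s/[\"']\$//"
}

# world_readable PATH: true if the "other" read bit is set (portable ls -l check).
world_readable() {
    ls -ld "$1" | cut -c8 | grep -q r
}

# check_store LABEL PATH TYPE PASSWORD: the store must be set, exist, be
# readable and (when keytool is available) open with PASSWORD. A
# world-readable store only warns: it matters most for the key store,
# which holds the private key. TYPE defaults to JKS (an assumption).
check_store() {
    label=$1; store=$2; type=${3:-JKS}; pass=$4
    [ -n "$store" ] || { echo "FAIL: $label is not set"; return 1; }
    [ -f "$store" ] || { echo "FAIL: $label=$store does not exist"; return 1; }
    [ -r "$store" ] || { echo "FAIL: $label=$store is not readable by $(id -un)"; return 1; }
    world_readable "$store" && echo "WARN: $label=$store is world-readable (guide uses root:solr 0640)"
    if command -v keytool >/dev/null 2>&1; then
        keytool -list -keystore "$store" -storetype "$type" -storepass "$pass" >/dev/null 2>&1 \
            || { echo "FAIL: keytool cannot open $label=$store as $type with the configured password"; return 1; }
    fi
    echo "ok: $label=$store"
}

# solr_tls_check FILE: run every check against one solr.in.sh; returns 0 only if all pass.
solr_tls_check() {
    f=$1; rc=0
    [ -r "$f" ] || { echo "FAIL: cannot read $f"; return 1; }
    world_readable "$f" && echo "WARN: $f holds store passwords but is world-readable"
    check_store SOLR_SSL_KEY_STORE \
        "$(cfg_get "$f" SOLR_SSL_KEY_STORE)" \
        "$(cfg_get "$f" SOLR_SSL_KEY_STORE_TYPE)" \
        "$(cfg_get "$f" SOLR_SSL_KEY_STORE_PASSWORD)" || rc=1
    # The guide notes Solr will not start without a trust store, so it is required here too.
    check_store SOLR_SSL_TRUST_STORE \
        "$(cfg_get "$f" SOLR_SSL_TRUST_STORE)" \
        "$(cfg_get "$f" SOLR_SSL_TRUST_STORE_TYPE)" \
        "$(cfg_get "$f" SOLR_SSL_TRUST_STORE_PASSWORD)" || rc=1
    return $rc
}

# usage: sh solr-tls-check.sh /etc/default/solr.in.sh
if [ $# -gt 0 ]; then
    solr_tls_check "$1"
    exit $?
fi
```

Run it as the solr user (sudo -u solr) so the readability checks reflect the account Solr actually starts under; a store that root can read but solr cannot is one of the simplest ways to get a KeyStore.load failure like the one in the trace above, and the script reports that without Solr having to time out first.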