-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Paul,

On 6/7/19 11:02, Paul wrote:
> Can someone please outline how to use mutual TLS 1.2 with SOLR. Or,
> point me at docs/tutorials/other where I can read up further on
> this (version currently onsite is SOLR 7.6).

Here's a copy/paste from our internal guide for how to do this. YMMV.

Enjoy!

[...]

5. Configure Solr for TLS
   Create a server key and certificate:
   $ sudo mkdir /etc/solr
   $ sudo keytool -genkey -keyalg RSA -sigalg SHA256withRSA -keysize 4096 -validity 730 \
          -alias 'solr-ssl' -keystore /etc/solr/solr.p12 -storetype PKCS12 \
          -ext san=dns:localhost,ip:192.168.10.20
     Use the following information for the certificate:
         First and Last name: 192.168.10.20 (or "localhost", or your IP address)
         Org unit:  CHADIS Solr (Prod) (or dev)
         Everything else should be obvious

   Now, export the public key from the keystore.

   $ sudo /usr/local/java-8/bin/keytool -list -rfc -keystore /etc/solr/solr.p12 \
          -storetype PKCS12 -alias solr-ssl

   Copy that certificate and paste it into this command's stdin:

   $ sudo keytool -importcert -keystore /etc/solr/solr-server.p12 \
          -storetype PKCS12 -alias 'solr-ssl'

   Now, fix the ownership and permissions on these files:

   $ sudo chown root:solr /etc/solr/solr.p12 /etc/solr/solr-server.p12
   $ sudo chmod 0640 /etc/solr/solr.p12

   Edit the file /etc/default/solr.in.sh

   Set the following settings:

   SOLR_SSL_KEY_STORE=/etc/solr/solr.p12
   SOLR_SSL_KEY_STORE_TYPE=PKCS12
   SOLR_SSL_KEY_STORE_PASSWORD=whatever

   # You MUST set the trust store for some reason.
   SOLR_SSL_TRUST_STORE=/etc/solr/solr-server.p12
   SOLR_SSL_TRUST_STORE_TYPE=PKCS12
   SOLR_SSL_TRUST_STORE_PASSWORD=whatever

6. Configure Solr to Require Client TLS Certificates

  On each client, create a client key and certificate:

  $ keytool -genkey -keyalg EC -sigalg SHA256withECDSA \
            -validity 730 -alias 'solr-client-ssl' \
            -keystore /etc/solr/solr-client.p12 -storetype PKCS12

  Now dump the certificate for the next step:

  $ keytool -exportcert -keystore /etc/solr/solr-client.p12 -storetype PKCS12 \
            -alias 'solr-client-ssl' -rfc

  Don't forget that you might want to generate your own client certificate
  to use from your own web browser if you want to be able to connect to the
  server's dashboard.

  Use the output of that command on each client to put the cert(s) into this
  trust store on the server:

  $ sudo keytool -importcert -keystore /etc/solr/solr-trusted-clients.p12 \
                 -storetype PKCS12 -alias '[client key alias]'

  Then, export the server's certificate and put IT into the trusted-clients
  trust store, because command-line tools will use the server's own key to
  contact itself.

  $ keytool -exportcert -keystore /etc/solr/solr-server.p12 -storetype PKCS12 \
            -alias 'solr-ssl'

  $ sudo keytool -importcert -keystore /etc/solr/solr-trusted-clients.p12 \
                 -storetype PKCS12 -alias 'solr-server'

  Now, set the proper file ownership and permissions:

  $ sudo chown root:solr /etc/solr/solr-trusted-clients.p12
  $ sudo chmod 0640 /etc/solr/solr-trusted-clients.p12

Edit /etc/default/solr.in.sh and add the following entries:

  # NOTE: Some of these are changing from "basic TLS" configuration.
  SOLR_SSL_NEED_CLIENT_AUTH=true
  SOLR_SSL_TRUST_STORE=/etc/solr/solr-trusted-clients.p12
  SOLR_SSL_TRUST_STORE_TYPE=PKCS12
  SOLR_SSL_TRUST_STORE_PASSWORD=whatever
  SOLR_SSL_CLIENT_TRUST_STORE=/etc/solr/solr-server.p12
  SOLR_SSL_CLIENT_TRUST_STORE_TYPE=PKCS12
  SOLR_SSL_CLIENT_TRUST_STORE_PASSWORD=whatever
  SOLR_SSL_CLIENT_KEY_STORE=/etc/solr/solr-client.p12
  SOLR_SSL_CLIENT_KEY_STORE_TYPE=PKCS12
  SOLR_SSL_CLIENT_KEY_STORE_PASSWORD=whatever

Summary of Files in /etc/solr
-----------------------------

solr.p12          Server keystore. Contains server key and certificate.
                  Used by server to identify itself to clients.
                  Should exist on Solr server.

solr-server.p12   Client trust store. Contains server's certificate.
                  Used by clients to identify and trust the server.
                  Should exist on Solr clients.

solr-client.p12   Client keystore. Contains client key and certificate.
                  Used by clients to identify themselves to the server.
                  Should exist on Solr clients when TLS client certs are used.

solr-trusted-clients.p12
                  Server trust store. Contains trusted client certificates.
                  Used by server to trust clients.
                  Should exist on Solr servers when TLS client certs are used.

[...]

Loading Data into a Core (Index)
--------------------------------
If you have installed Solr as a service using TLS, you will need to do some
additional work to call Solr's "post" program. First, ensure you have patched
bin/post according to the installation instructions above. Then:

  $ SOLR_POST_OPTS="-Djavax.net.ssl.trustStore=/etc/solr/solr-server.p12 -Djavax.net.ssl.trustStoreType=PKCS12 -Djavax.net.ssl.trustStorePassword=[whatever]" \
         /usr/local/solr/bin/post \
         -url https://localhost:8983/solr/[corename]/update [file-to-post]

If you haven't configured Solr with TLS, you can simply do:

  $ ${SOLR_HOME}/bin/post -c [corename] [file-to-post]

(Here's the patch for bin/post)

- --- bin/post    2017-09-03 13:29:15.000000000 -0400
+++ /usr/local/solr/bin/post    2018-04-11 20:08:17.000000000 -0400
@@ -231,8 +231,8 @@
   PROPS+=('-Drecursive=yes')
 fi

- -echo "$JAVA" -classpath "${TOOL_JAR[0]}" "${PROPS[@]}"
org.apache.solr.util.SimplePostTool "${PARAMS[@]}"
- -"$JAVA" -classpath "${TOOL_JAR[0]}" "${PROPS[@]}"
org.apache.solr.util.SimplePostTool "${PARAMS[@]}"
+echo "$JAVA" -classpath "${TOOL_JAR[0]}" "${PROPS[@]}"
${SOLR_POST_OPTS} org.apache.solr.util.SimplePostTool "${PARAMS[@]}"
+"$JAVA" -classpath "${TOOL_JAR[0]}" "${PROPS[@]}" ${SOLR_POST_OPTS}
org.apache.solr.util.SimplePostTool "${PARAMS[@]}"
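Review bot: the `echo` line in this hunk now prints `${SOLR_POST_OPTS}` with the rest of the command, and in the invocation shown above that variable carries `-Djavax.net.ssl.trustStorePassword=...`, so the trust store password ends up on stdout (and in any log that captures it) as well as in the JVM's argument list, where other local users can read it from the process table; consider leaving the password out of the echoed line, or passing the trust store settings through a properties file readable only by the `solr` group. `${SOLR_POST_OPTS}` is unquoted on purpose so that it word-splits into separate JVM options, which works for the `-D` flags shown but will break on any value containing whitespace. Note also that the `- -` prefixes on the removed lines and on the `---` header are PGP clearsign dash-escaping, so the hunk has to be de-escaped before `patch` will apply it.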

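The two solr.in.sh blocks above differ in one easy-to-miss way: once SOLR_SSL_NEED_CLIENT_AUTH=true, SOLR_SSL_TRUST_STORE must move from solr-server.p12 to solr-trusted-clients.p12, because it becomes the list of client certificates the server accepts. As an added example (not code from this thread or from the Solr project), here is a small Python linter for an /etc/default/solr.in.sh file that checks exactly that, plus the trust store the guide says is always required and the "whatever" placeholder passwords. The variable names are the ones the guide sets; the placeholder list and the two sample configs are constructed for the example.

```python
"""Lint the Solr TLS settings in an /etc/default/solr.in.sh-style file.

Added example, not code from the mailing-list post or the Solr project. The
variable names are the ones the post sets; the rules encode its own warnings
(a trust store is always required, and the server's trust store changes when
client auth is on). Placeholder list and sample configs are constructed.
"""
import re
import shlex

BASIC_KEYS = (                       # one-way TLS (section 5 of the post)
    "SOLR_SSL_KEY_STORE", "SOLR_SSL_KEY_STORE_TYPE", "SOLR_SSL_KEY_STORE_PASSWORD",
    "SOLR_SSL_TRUST_STORE", "SOLR_SSL_TRUST_STORE_TYPE", "SOLR_SSL_TRUST_STORE_PASSWORD")
CLIENT_AUTH_KEYS = (                 # added for client certificates (section 6)
    "SOLR_SSL_CLIENT_KEY_STORE", "SOLR_SSL_CLIENT_KEY_STORE_TYPE",
    "SOLR_SSL_CLIENT_KEY_STORE_PASSWORD", "SOLR_SSL_CLIENT_TRUST_STORE",
    "SOLR_SSL_CLIENT_TRUST_STORE_TYPE", "SOLR_SSL_CLIENT_TRUST_STORE_PASSWORD")
PLACEHOLDER_PASSWORDS = {"", "whatever", "changeit", "password", "secret"}
ASSIGN_RE = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)=(.*)$")


def parse_solr_in_sh(text):
    """{NAME: value} for plain NAME=value lines. shlex strips quotes and '#'
    comments; a leading 'export' is accepted; dynamic shell is ignored."""
    settings = {}
    for raw in text.splitlines():
        tokens = shlex.split(raw, comments=True)
        if tokens and tokens[0] == "export":
            tokens = tokens[1:]
        for tok in tokens:
            m = ASSIGN_RE.match(tok)
            if m:
                settings[m.group(1)] = m.group(2)
    return settings


def check_mutual_tls(settings):
    """Findings for a config that is meant to require client certificates."""
    if "SOLR_SSL_KEY_STORE" not in settings:
        return ["TLS is not enabled: SOLR_SSL_KEY_STORE is unset"]
    findings = [f"{k} is unset (Solr needs a trust store even for one-way TLS)"
                for k in BASIC_KEYS if k not in settings]
    if settings.get("SOLR_SSL_NEED_CLIENT_AUTH", "false").lower() != "true":
        findings.append("SOLR_SSL_NEED_CLIENT_AUTH is not true: clients are never "
                        "asked for a certificate")
    else:
        findings += [f"{k} is unset but SOLR_SSL_NEED_CLIENT_AUTH=true"
                     for k in CLIENT_AUTH_KEYS if k not in settings]
        server_trust = settings.get("SOLR_SSL_TRUST_STORE")
        if server_trust and server_trust == settings.get("SOLR_SSL_CLIENT_TRUST_STORE"):
            findings.append("SOLR_SSL_TRUST_STORE is the same file as SOLR_SSL_CLIENT_TRUST_STORE;"
                            " with client auth the server must use the trusted-clients store")
    findings += [f"{k} is a placeholder value" for k in BASIC_KEYS + CLIENT_AUTH_KEYS
                 if k.endswith("_PASSWORD") and settings.get(k, "-").lower() in PLACEHOLDER_PASSWORDS]
    return findings


# Constructed sample: the section-6 keys were pasted in, but SOLR_SSL_TRUST_STORE
# was left at its one-way value and the passwords are still placeholders.
HALF_MIGRATED = """
SOLR_SSL_KEY_STORE=/etc/solr/solr.p12
SOLR_SSL_KEY_STORE_TYPE=PKCS12
SOLR_SSL_KEY_STORE_PASSWORD=whatever
SOLR_SSL_NEED_CLIENT_AUTH=true
SOLR_SSL_TRUST_STORE=/etc/solr/solr-server.p12      # should be solr-trusted-clients.p12
SOLR_SSL_TRUST_STORE_TYPE=PKCS12
SOLR_SSL_TRUST_STORE_PASSWORD=whatever
SOLR_SSL_CLIENT_TRUST_STORE=/etc/solr/solr-server.p12
SOLR_SSL_CLIENT_TRUST_STORE_TYPE=PKCS12
SOLR_SSL_CLIENT_TRUST_STORE_PASSWORD=whatever
SOLR_SSL_CLIENT_KEY_STORE=/etc/solr/solr-client.p12
SOLR_SSL_CLIENT_KEY_STORE_TYPE=PKCS12
SOLR_SSL_CLIENT_KEY_STORE_PASSWORD=whatever
"""

# Constructed sample laid out like the post's section 6, with real passwords.
FULL_MUTUAL = """
export SOLR_SSL_KEY_STORE=/etc/solr/solr.p12
SOLR_SSL_KEY_STORE_TYPE=PKCS12
SOLR_SSL_KEY_STORE_PASSWORD='k3y-st0re pw'
SOLR_SSL_NEED_CLIENT_AUTH=true
SOLR_SSL_TRUST_STORE=/etc/solr/solr-trusted-clients.p12
SOLR_SSL_TRUST_STORE_TYPE=PKCS12
SOLR_SSL_TRUST_STORE_PASSWORD='trusted-cl1ents-pw'
SOLR_SSL_CLIENT_TRUST_STORE=/etc/solr/solr-server.p12
SOLR_SSL_CLIENT_TRUST_STORE_TYPE=PKCS12
SOLR_SSL_CLIENT_TRUST_STORE_PASSWORD='s3rver-trust-pw'
SOLR_SSL_CLIENT_KEY_STORE=/etc/solr/solr-client.p12
SOLR_SSL_CLIENT_KEY_STORE_TYPE=PKCS12
SOLR_SSL_CLIENT_KEY_STORE_PASSWORD='cl1ent-key-pw'
"""

if __name__ == "__main__":
    for name, text in (("half-migrated", HALF_MIGRATED), ("full mutual TLS", FULL_MUTUAL)):
        print(f"== {name}")
        for line in check_mutual_tls(parse_solr_in_sh(text)) or ["no findings"]:
            print("  -", line)
```

Run it against a real file with `check_mutual_tls(parse_solr_in_sh(open("/etc/default/solr.in.sh").read()))`. The parser only understands plain assignments, which is all the guide uses; anything computed by the shell at start-up is skipped rather than evaluated, so a finding of "unset" on such a key is worth a manual look rather than a fix. The same-file rule is the one that catches the half-done migration: with both trust store variables pointing at solr-server.p12, only the server's own certificate is accepted as a client certificate, so every real client is rejected.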
