Securing a Solr cluster matters as much as securing an e-commerce or banking website: queries and responses carry confidential data and must not travel in the clear where anyone on the network can read them. In this article we discuss how to enable SSL/TLS on a SolrCloud cluster (two Solr nodes coordinated by ZooKeeper, each running the embedded Jetty server) using a self-signed certificate.

In our previous article, Securing Single Node Solr, we discussed how to secure a standalone Solr instance.

To enable SSL on a SolrCloud cluster, follow the steps below.

Step 1: Download apache zookeeper

Apache ZooKeeper is a centralized service for maintaining configuration information, naming, providing distributed synchronization, and providing group services. SolrCloud uses it to store cluster state and cluster-wide properties. Download ZooKeeper from the Apache ZooKeeper download page.

Step 2: Configure zookeeper

Create a zoo.cfg file in the ZooKeeper conf directory and add the configuration parameters below.

tickTime=2000
dataDir=/tmp/data/zookeeper
clientPort=2181

Step 3 :Start zookeeper

To run a single ZooKeeper instance, use the ZOOKEEPER_HOME/bin/zkServer.cmd script (zkServer.sh on Linux) provided with the distribution:

zkServer.cmd start

Step 4: generate keys

Step 4.1: Generate a Self-Signed Certificate and a Key

To generate a self-signed certificate and a single key pair that will be used to authenticate both the server and the client, we use the JDK keytool command and create a separate keystore. Because the certificate is self-signed, this same keystore is also used as the truststore below.

Here we use the JDK keytool to generate the key. Perform the steps below to generate the key pair and import it.

Step 4.1.1: Go to the Solr installation bin directory

Go to the solr-{VERSION}/bin directory

Step 4.1.2: Generate key

Execute the following command to generate the key pair:

keytool -genkeypair -alias solr-ssl -keyalg RSA -keysize 2048 -keypass secret -storepass secret -validity 9999 -keystore solr-ssl.keystore.jks -ext SAN=DNS:localhost,IP:127.0.0.1 -dname "CN=localhost, OU=Organizational Unit, O=Organization, L=Location, ST=State, C=Country"

The -genkeypair option generates a key pair and a self-signed certificate for it. keytool takes further options for the alias, the algorithm name, the key size, and so on.

Here we use the RSA algorithm with a 2048-bit key. You also need to specify the key password, the keystore password, the validity period in days, and the keystore file name. The key password (-keypass) and the store password (-storepass) are both secret here; keep them identical, because the PKCS12 conversion in Step 4.2 requires it, and replace secret with a real password outside a demo.

The -ext SAN=... keytool option lets you list every DNS name and/or IP address that will be accepted during hostname verification. Include the hostname and IP address of every Solr node that will use this certificate; otherwise inter-node HTTPS calls fail hostname verification, and the only workaround is to switch that check off (see Step 8).

Example:
keytool -genkeypair -alias solr-ssl -keyalg RSA -keysize 2048 -keypass secret -storepass secret -validity 9999 -keystore solr-ssl.keystore.jks -ext SAN=DNS:localhost,IP:192.168.1.206,IP:127.0.0.1 -dname "CN=localhost, OU=Organizational Unit, O=JavaDeveloperZone, L=Location, ST=State, C=Country"

The above command creates a keystore file named solr-ssl.keystore.jks in the current directory.

Step 4.2:  Convert the Certificate and Key to PEM Format

curl cannot read a JKS keystore, so we first convert it to PKCS12 format with keytool; openssl can then export the certificate and key from the PKCS12 file as PEM.

keytool -importkeystore -srckeystore solr-ssl.keystore.jks -destkeystore solr-ssl.keystore.p12 -srcstoretype jks -deststoretype pkcs12

The above command prompts for the destination keystore password and the source keystore password; in our case both are secret. The resulting .p12 file contains the private key, so protect it (and any PEM file derived from it) as carefully as the original keystore.

Step 5: Set System Properties

Set the SSL-related properties as Java system properties in bin\solr.in.cmd on Windows or bin/solr.in.sh on Linux. Because the certificate is self-signed, the keystore doubles as the truststore. SOLR_SSL_NEED_CLIENT_AUTH=false and SOLR_SSL_WANT_CLIENT_AUTH=false mean the nodes do not ask for client certificates, so this setup encrypts traffic and authenticates the server but does not authenticate clients.

set SOLR_SSL_KEY_STORE=D:\\solr-6.4.2\\solr-6.4.2\\bin\\solr-ssl.keystore.jks
set SOLR_SSL_KEY_STORE_PASSWORD=secret
set SOLR_SSL_KEY_STORE_TYPE=JKS
set SOLR_SSL_TRUST_STORE=D:\\solr-6.4.2\\solr-6.4.2\\bin\\solr-ssl.keystore.jks
set SOLR_SSL_TRUST_STORE_PASSWORD=secret
set SOLR_SSL_TRUST_STORE_TYPE=JKS
set SOLR_SSL_NEED_CLIENT_AUTH=false
set SOLR_SSL_WANT_CLIENT_AUTH=false

Step 6: Configure Solr cluster properties in ZooKeeper

Before you start any SolrCloud node, set the cluster-wide properties in ZooKeeper so that Solr nodes know to communicate via SSL. The urlScheme cluster-wide property must be set to https before any Solr node starts up. Use the following command:

server\scripts\cloud-scripts\zkcli.bat -zkhost localhost:2181 -cmd clusterprop -name urlScheme -val https

Step 7: Create two Solr home directories

Create two copies of the server\solr directory to serve as the Solr home directories for the two SolrCloud nodes:

mkdir cloud
xcopy /E server\solr cloud\server1\
xcopy /E server\solr cloud\server2\

Step 8: Start First node

Start the first Solr node on port 8984. If the certificate's SAN does not list every DNS name/IP address the nodes run on, you can tell Solr to skip hostname verification for inter-node communication by setting the solr.ssl.checkPeerName system property to false. This disables a real check (a node will then accept any trusted certificate regardless of which host presents it), so use it only in a lab; for a production cluster, put all node names and addresses in the SAN instead and leave the check on.

bin\solr.cmd -cloud -s cloud\server1 -z localhost:2181 -p 8984 -Dsolr.ssl.checkPeerName=false

Step 9: Start Second node

Start the second Solr node on port 8985.

bin\solr.cmd -cloud -s cloud\server2 -z localhost:2181 -p 8985 -Dsolr.ssl.checkPeerName=false

Step 10: verify SSL on both Solr nodes

That’s it. Once Solr has started, open https://localhost:8984/solr/ in your browser. The browser will warn about the self-signed certificate; compare the fingerprint it shows with the one printed by keytool -list -v for your keystore rather than accepting it blindly. Here we also create a sample collection with two shards, which makes the two nodes talk to each other over SSL:

bin\solr.cmd create -c mycollection -shards 2
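The following POSIX shell script is an added example and is not code from the original post or from the Solr project. It carries out Step 4 (generate the keystore with a SAN that covers every node, convert it to PKCS12, export PEM) and then performs the Step 10 check against the running nodes with the self-signed certificate as the only trust anchor, so a wrong or missing SAN shows up as a failure instead of being hidden by solr.ssl.checkPeerName=false. It assumes keytool, openssl and curl on the PATH, the file names and the demo password secret from the article, nodes on ports 8984 and 8985, and nodes addressed by hostname or IPv4 (the san_ext helper is my own, not a keytool feature). The article's commands are for Windows; this script is the Linux/macOS (bin/solr.in.sh) side of the same procedure.

```shell
#!/bin/sh
# Added example: Solr self-signed keystore generation (Step 4) plus an HTTPS
# check of the running nodes (Step 10).  Assumes keytool, openssl and curl
# are installed; password and file names follow the article.
set -eu

PASS="${SOLR_SSL_PASS:-secret}"   # demo password from the article; change it
JKS=solr-ssl.keystore.jks
P12=solr-ssl.keystore.p12
PEM=solr-ssl.pem                   # certificate + encrypted key, for curl -E
CRT=solr-ssl.crt                   # certificate only, for curl --cacert

# Build the value for keytool's -ext option from a list of hosts.  Dotted-quad
# entries become IP:, everything else DNS:.  Assumption: no IPv6 addresses.
san_ext() {
    ext=""
    for h in "$@"; do
        case "$h" in
            *[!0-9.]*) kind=DNS ;;
            *)         kind=IP ;;
        esac
        ext="${ext:+$ext,}$kind:$h"
    done
    printf 'SAN=%s' "$ext"
}

# Step 4.1: self-signed key pair whose SAN lists every node.  Key and store
# passwords are identical because the PKCS12 export below requires it.
generate_keystore() {
    keytool -genkeypair -alias solr-ssl -keyalg RSA -keysize 2048 \
        -keypass "$PASS" -storepass "$PASS" -validity 9999 \
        -keystore "$JKS" -ext "$(san_ext "$@")" \
        -dname "CN=$1, OU=Organizational Unit, O=Organization, L=Location, ST=State, C=Country"
}

# Step 4.2: JKS -> PKCS12 -> PEM.  Passwords are passed on the command line so
# nothing prompts; avoid that on a shared host (they land in shell history).
export_pem() {
    keytool -importkeystore -srckeystore "$JKS" -destkeystore "$P12" \
        -srcstoretype jks -deststoretype pkcs12 \
        -srcstorepass "$PASS" -deststorepass "$PASS" -noprompt
    openssl pkcs12 -in "$P12" -out "$PEM" -passin pass:"$PASS" -passout pass:"$PASS"
    openssl pkcs12 -in "$P12" -out "$CRT" -nokeys -passin pass:"$PASS"
    chmod 600 "$JKS" "$P12" "$PEM"   # all three contain the private key
}

# Step 10: talk to a running node with the self-signed certificate as the only
# trust anchor (no curl -k), so certificate and hostname are really verified.
check_node() {
    host=$1; port=$2
    printf 'SAN served on %s:%s: ' "$host" "$port"
    openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
        | openssl x509 -noout -text | grep -A1 'Subject Alternative Name' | tail -1
    curl --silent --show-error --cacert "$CRT" \
        "https://$host:$port/solr/admin/info/system?wt=json" >/dev/null \
        && echo "https://$host:$port OK (certificate and hostname verified)"
}

main() {
    generate_keystore "$@"
    export_pem
    # Fingerprint and SAN entries, to compare against the browser warning.
    keytool -list -v -keystore "$JKS" -storepass "$PASS" | grep -E 'SHA256|DNSName|IPAddress'
    for h in "$@"; do
        check_node "$h" 8984
        check_node "$h" 8985
    done
}

if [ $# -gt 0 ]; then
    main "$@"   # e.g. sh solr-ssl.sh localhost 127.0.0.1 192.168.1.206
else
    echo "usage: $0 <host-or-ip> [more hosts...]" >&2
fi
```

Run it once with every name and address the nodes will be reached by, before Step 5, and again (with the keystore already present the generation step will refuse to overwrite the alias, so comment it out or call check_node directly) after Step 9 to confirm each node serves the expected SAN. If openssl pkcs12 reports an unsupported algorithm on OpenSSL 3, the keystore was written by an older JDK using RC2/3DES; add -legacy to the openssl pkcs12 commands or regenerate with a current JDK.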

Securing SolrCloud: refer to the Solr Reference Guide for more details.
