

Securing a Solr cluster is as important as securing any e-commerce or banking website: user queries and requests must not be readable by an attacker, so that confidential information stays protected. In this article we will discuss how to enable SSL on a single node server with the example Jetty server, using a self-signed certificate.
In our previous article, Securing Single Node Solr, we discussed how to secure standalone Solr.
To enable SSL on your single node Solr, follow the steps below.
Table of Contents
- Step 1: Download apache zookeeper
- Step 2: Configure zookeeper
- Step 3: Start zookeeper
- Step 4: generate keys
- Step 5: Set System Properties
- Step 6: Configure Solr properties in zookeeper
- Step 7: Create two SolrHome directory
- Step 8: Start First node
- Step 9: Start Second node
- Step 10: verify SSL on both Solr nodes
Step 1: Download apache zookeeper
Apache ZooKeeper is a centralized service for maintaining configuration information, naming, providing distributed synchronization, and providing group services. Download ZooKeeper from here.
Step 2: Configure zookeeper
Create a zoo.cfg file and add the configuration parameters below.
tickTime=2000
dataDir=/tmp/data/zookeeper
clientPort=2181
Step 3: Start zookeeper
To run the instance, you can simply use the ZOOKEEPER_HOME/bin/zkServer.cmd script provided, as with this command:
zkServer.cmd start
Step 4: generate keys
Step 4.1: Generate a Self-Signed Certificate and a Key
To generate a self-signed certificate and a single key that will be used to authenticate both the server and the client, we’ll use the JDK keytool command and create a separate keystore. This keystore will also be used as a truststore below.
Here we have used the JDK keytool to generate keys. Perform the steps below to generate and import the keys.
Step 4.1.1: Go to Solr installation bin directory
Go to the solr-{VERSION}/bin directory.
Step 4.1.2: Generate key
Execute the following command to generate the key.
keytool -genkeypair -alias solr-ssl -keyalg RSA -keysize 2048 -keypass secret -storepass secret -validity 9999 -keystore solr-ssl.keystore.jks -ext SAN=DNS:localhost,IP:127.0.0.1 -dname "CN=localhost, OU=Organizational Unit, O=Organization, L=Location, ST=State, C=Country"
The -genkeypair option generates the key pair. keytool has further options for the alias, the algorithm name, the key size and so on.
Here we have used the RSA algorithm. You also need to specify the key password, its validity and the keystore file name.
The -ext SAN=… keytool option lets you specify all the DNS names and/or IP addresses that will be allowed during hostname verification.
Example:
keytool -genkeypair -alias solr-ssl -keyalg RSA -keysize 2048 -keypass secret -storepass secret -validity 9999 -keystore solr-ssl.keystore.jks -ext SAN=DNS:localhost,IP:192.168.1.206,IP:127.0.0.1 -dname "CN=localhost, OU=Organizational Unit, O=JavaDeveloperZone, L=Location, ST=State, C=Country"
The above command will create a keystore file named solr-ssl.keystore.jks in the current directory.
Step 4.2: Convert the Certificate and Key to PEM Format
cURL cannot read a JKS-formatted keystore, so we need to convert it to PEM format using keytool. The command below writes the keystore out in PKCS12 format as solr-ssl.keystore.p12.
keytool -importkeystore -srckeystore solr-ssl.keystore.jks -destkeystore solr-ssl.keystore.p12 -srcstoretype jks -deststoretype pkcs12
The above command will prompt you for the destination keystore password and the source keystore password. Use secret as the password in our case.
Step 5: Set System Properties
Set the SSL-related properties as Java system properties in solr.in.cmd on Windows or solr.in.sh on Linux.
set SOLR_SSL_KEY_STORE=D:\\solr-6.4.2\\solr-6.4.2\\bin\\solr-ssl.keystore.jks
set SOLR_SSL_KEY_STORE_PASSWORD=secret
set SOLR_SSL_KEY_STORE_TYPE=JKS
set SOLR_SSL_TRUST_STORE=D:\\solr-6.4.2\\solr-6.4.2\\bin\\solr-ssl.keystore.jks
set SOLR_SSL_TRUST_STORE_PASSWORD=secret
set SOLR_SSL_TRUST_STORE_TYPE=JKS
set SOLR_SSL_NEED_CLIENT_AUTH=false
set SOLR_SSL_WANT_CLIENT_AUTH=false
Step 6: Configure Solr properties in zookeeper
Before you start any SolrCloud nodes, you must configure your Solr cluster properties in ZooKeeper so that the Solr nodes know to communicate via SSL. The urlScheme cluster-wide property needs to be set to https before any Solr node starts up. Use the command below:
server\scripts\cloud-scripts\zkcli.bat -zkhost localhost:2181 -cmd clusterprop -name urlScheme -val https
Step 7: Create two SolrHome directory
Create two copies of the server/solr/ directory which will serve as the Solr home directories for each of your two SolrCloud nodes:
mkdir cloud
xcopy /E server\solr cloud\server_1\
xcopy /E server\solr cloud\server_2\
Step 8: Start First node
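Start the first Solr node on port 8984. If the certificate's SAN does not list every DNS name and IP address the nodes use, you can tell Solr to skip hostname verification for inter-node communication by setting solr.ssl.checkPeerName to false. With the check off, a node accepts any certificate its truststore trusts, whatever host name it carries, so listing the node addresses in the SAN (Step 4) is the better fix outside a test setup.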
bin\solr.cmd -cloud -s cloud\server_1 -z localhost:2181 -p 8984 -Dsolr.ssl.checkPeerName=false
Step 9: Start Second node
Start the second Solr node on port 8985.
bin\solr.cmd -cloud -s cloud\server_2 -z localhost:2181 -p 8985 -Dsolr.ssl.checkPeerName=false
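To decide whether -Dsolr.ssl.checkPeerName=false is needed at all, you can compare the SAN entries from Step 4 with the addresses the nodes will use. The following is an added example, not part of the original article or of Solr: it assumes the SubjectAlternativeName layout printed by keytool -list -v, and the sample output and node addresses are constructed.

```python
import ipaddress
import re

# Constructed sample: SAN section as assumed to be printed by
# `keytool -list -v -keystore solr-ssl.keystore.jks` for the Step 4 example key.
KEYTOOL_OUTPUT = """\
Alias name: solr-ssl
Owner: CN=localhost, OU=Organizational Unit, O=JavaDeveloperZone
SubjectAlternativeName [
  DNSName: localhost
  IPAddress: 192.168.1.206
  IPAddress: 127.0.0.1
]
"""

def parse_san(text):
    """Return (dns_names, ip_addresses) listed in the SAN block."""
    block = re.search(r"SubjectAlternativeName \[(.*?)\]", text, re.S)
    if not block:
        return [], []
    body = block.group(1)
    dns = [d.lower() for d in re.findall(r"DNSName:\s*(\S+)", body)]
    ips = [ipaddress.ip_address(i) for i in re.findall(r"IPAddress:\s*(\S+)", body)]
    return dns, ips

def host_matches(host, dns, ips):
    """Hostname verification: IPs match only IP entries, names only DNS entries."""
    try:
        return ipaddress.ip_address(host) in ips
    except ValueError:
        pass  # not an IP literal, so compare against the DNS entries
    host = host.lower().rstrip(".")
    for name in dns:
        if name == host:
            return True
        # A leading "*." wildcard covers exactly one left-most label.
        if name.startswith("*.") and "." in host and host.split(".", 1)[1] == name[2:]:
            return True
    return False

def uncovered_nodes(node_hosts, keytool_text=KEYTOOL_OUTPUT):
    """Hosts that would fail the peer-name check with this certificate."""
    dns, ips = parse_san(keytool_text)
    return [h for h in node_hosts if not host_matches(h, dns, ips)]

if __name__ == "__main__":
    # Hypothetical addresses the SolrCloud nodes might register under.
    nodes = ["localhost", "127.0.0.1", "solr2.example.internal", "192.168.1.207"]
    print("Not covered by SAN:", uncovered_nodes(nodes))
```

An empty result means the certificate already covers every node address and hostname verification can stay on; any host in the list belongs in the -ext SAN=… value when the key is regenerated.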
Step 10: verify SSL on both Solr nodes
That’s it. Once Solr has started, verify it in your browser. Here we have added one sample collection to check Solr node communication over SSL.
bin\solr.cmd create -c mycollection -shards 2
Refer to the Solr Reference Guide for more details.