

Hyper Text Transfer Protocol Secure (HTTPS) is the secure version of HTTP. It means all communications between your browser and the website are encrypted.
Securing Solr is as important as securing any e-commerce or banking website: user queries and requests must be encrypted in transit so that an attacker cannot read confidential information. In this article we will discuss how to enable SSL on a single-node server, using the example Jetty server and a self-signed certificate.
To enable SSL on your single-node Solr, follow the steps below.
Step 1: Generate a Self-Signed Certificate and a Key
To generate a self-signed certificate and a single key that will be used to authenticate both the server and the client, we’ll use the JDK keytool command and create a separate keystore. This keystore will also be used as a truststore below.
Here we use the JDK keytool to generate the keys. Perform the steps below to generate and import them.
Step 1.1: Go to Solr installation bin directory
Go to the solr-{VERSION}/bin directory.
Step 1.2: Generate key
Execute the following command to generate the key.
keytool -genkeypair -alias solr-ssl -keyalg RSA -keysize 2048 -keypass secret -storepass secret -validity 9999 -keystore solr-ssl.keystore.jks -ext SAN=DNS:localhost,IP:192.168.1.3,IP:127.0.0.1 -dname "CN=localhost, OU=Organizational Unit, O=Organization, L=Location, ST=State, C=Country"
The -genkeypair option generates the key pair. keytool has further options to set the alias, algorithm name, key size, etc.
Here we have used the RSA algorithm. You also need to specify the password for the key, its validity and the keystore file name.
The -ext SAN=… keytool option allows you to specify all the DNS names and/or IP addresses that will be allowed during hostname verification.
Example:
keytool -genkeypair -alias solr-ssl -keyalg RSA -keysize 2048 -keypass secret -storepass secret -validity 9999 -keystore solr-ssl.keystore.jks -ext SAN=DNS:localhost,IP:127.0.0.1 -dname "CN=localhost, OU=Organizational Unit, O=JavaDeveloperZone, L=Location, ST=State, C=Country"
The above command will create a keystore file named solr-ssl.keystore.jks in the current directory.
Step 2: Convert the Certificate and Key to PEM Format
cURL cannot read a JKS-formatted keystore, so we need to convert it to PEM format using keytool. The command below converts the JKS keystore to PKCS12 (solr-ssl.keystore.p12).
keytool -importkeystore -srckeystore solr-ssl.keystore.jks -destkeystore solr-ssl.keystore.p12 -srcstoretype jks -deststoretype pkcs12
The above command will prompt you for the destination keystore password and the source keystore password. Use the password secret in our case.
Step 3: Set System Properties
Set the SSL-related properties as Java system properties in solr.in.cmd for Windows and solr.in.sh for Linux.
set SOLR_SSL_KEY_STORE=D:\\solr-6.4.2\\solr-6.4.2\\bin\\solr-ssl.keystore.jks
set SOLR_SSL_KEY_STORE_PASSWORD=secret
set SOLR_SSL_KEY_STORE_TYPE=JKS
set SOLR_SSL_TRUST_STORE=D:\\solr-6.4.2\\solr-6.4.2\\bin\\solr-ssl.keystore.jks
set SOLR_SSL_TRUST_STORE_PASSWORD=secret
set SOLR_SSL_TRUST_STORE_TYPE=JKS
set SOLR_SSL_NEED_CLIENT_AUTH=false
set SOLR_SSL_WANT_CLIENT_AUTH=false
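Steps 1 and 2 leave two store files in different formats (.jks and .p12), so it is worth confirming before startup that each configured store matches its _TYPE setting. The following is an added example, not part of the original article or of Solr: the function names, the relative paths and the sample bytes are constructed for illustration.

```python
import re
import struct

# Leading 4-byte magic numbers of the Java-specific keystore formats.
MAGIC = {0xFEEDFEED: "JKS", 0xCECECECE: "JCEKS"}
# Matches "set NAME=value" (solr.in.cmd) and "NAME=value" (solr.in.sh).
SETTING = re.compile(r"^\s*(?:set\s+)?(SOLR_SSL_\w+)=(.*?)\s*$", re.I | re.M)

def detect_keystore_type(head: bytes) -> str:
    """Classify a keystore file from its first bytes."""
    if len(head) >= 4:
        kind = MAGIC.get(struct.unpack(">I", head[:4])[0])
        if kind:
            return kind
    # PKCS12 is an ASN.1 SEQUENCE whose first element is INTEGER 3 (version).
    if len(head) >= 2 and head[0] == 0x30:
        first = head[1]
        # Short and indefinite lengths take one byte; long form adds more.
        body = 2 if first <= 0x80 else 2 + (first & 0x7F)
        if head[body:body + 3] == b"\x02\x01\x03":
            return "PKCS12"
    if head.lstrip().startswith(b"-----BEGIN"):
        return "PEM"
    return "UNKNOWN"

def check_ssl_settings(config_text: str, read_head) -> list:
    """Return (store, declared, detected) for every store whose *_TYPE
    setting disagrees with the file; read_head(path) returns its first bytes."""
    settings = {k.upper(): v.strip('"') for k, v in SETTING.findall(config_text)}
    problems = []
    for store in ("KEY_STORE", "TRUST_STORE"):
        path = settings.get(f"SOLR_SSL_{store}")
        declared = settings.get(f"SOLR_SSL_{store}_TYPE", "").upper()
        if not path or not declared:
            continue  # nothing to compare
        detected = detect_keystore_type(read_head(path))
        if detected != declared:
            problems.append((store, declared, detected))
    return problems

if __name__ == "__main__":
    # Constructed sample: key store points at the .p12 file but is declared JKS.
    files = {"bin/solr-ssl.keystore.p12": bytes.fromhex("30820a00020103"),
             "bin/solr-ssl.keystore.jks": bytes.fromhex("feedfeed00000002")}
    cfg = ("set SOLR_SSL_KEY_STORE=bin/solr-ssl.keystore.p12\n"
           "set SOLR_SSL_KEY_STORE_TYPE=JKS\n"
           "set SOLR_SSL_TRUST_STORE=bin/solr-ssl.keystore.jks\n"
           "set SOLR_SSL_TRUST_STORE_TYPE=JKS\n")
    print(check_ssl_settings(cfg, files.__getitem__))
```

Against real files, pass a reader such as `lambda p: open(p, "rb").read(16)` as `read_head`.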
Step 4: Start Solr
Execute the Solr start command below.
solr.cmd start -p 8983
Step 5: Verify SSL
That’s it. Once Solr has started, verify it in your browser.
Refer to the Solr Reference Guide for more details.
1 comment
Getting this error while starting the solr:
java.lang.reflect.InvocationTargetException
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
at java.lang.reflect.Method.invoke(Unknown Source)
at org.eclipse.jetty.start.Main.invokeMain(Main.java:214)
at org.eclipse.jetty.start.Main.start(Main.java:457)
at org.eclipse.jetty.start.Main.main(Main.java:75)
Caused by: java.io.IOException: Invalid keystore format