To generate a self-signed certificate and a single key that will be used to authenticate both the server and the client, we’ll use the JDK keytool command and create a separate keystore.
This keystore will also be used as a truststore below.
It’s possible to use the keystore that comes with the JDK for these purposes, and to use a separate truststore, but those options aren’t covered here.
Run the commands below in the server/etc/ directory in the binary Solr distribution.
It’s assumed that you have the JDK keytool utility on your PATH, and that openssl is also on your PATH. See https://www.openssl.org/related/binaries.html for OpenSSL binaries for Windows and Solaris.
The -ext SAN=… keytool option allows you to specify all the DNS names and/or IP addresses that will be allowed during hostname verification if you choose to require it.
In addition to localhost and 127.0.0.1, this example includes a LAN IP address 192.168.1.3 for the machine the Solr nodes will be running on:
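The keytool invocation is easy to get wrong in one detail: every SAN value must carry a DNS: or IP: prefix, and a host name typed with the wrong prefix silently fails hostname verification later. The following POSIX shell script is an added example (not part of the reference guide): it derives the prefixes from the names you pass, generates the PKCS12 keystore with the page's alias-free defaults filled in as assumptions (alias solr-ssl, store and key password "secret", the password this section later uses with curl -E, and the file names solr-ssl.pem and solr-ssl.cacert.pem for the PEM exports), and writes the PEM files that the curl commands further down need. It assumes keytool and openssl on the PATH and that it is run from server/etc/.

```shell
#!/bin/sh
# Added example, not from the Solr Reference Guide. Builds the SAN list for
# keytool's -ext option from a mixed list of host names and IP addresses,
# then generates the PKCS12 keystore and PEM exports for curl.
# Assumptions: keystore solr-ssl.keystore.p12 (from the page), alias solr-ssl,
# store/key password "secret", PEM files solr-ssl.pem and solr-ssl.cacert.pem.

# Classify one name: dotted-quad IPv4 or colon-containing IPv6 -> IP:, else DNS:
san_entry() {
  if expr "$1" : '[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}$' >/dev/null; then
    printf 'IP:%s' "$1"
  elif [ "${1#*:}" != "$1" ]; then
    printf 'IP:%s' "$1"
  else
    printf 'DNS:%s' "$1"
  fi
}

# Join every argument into the comma-separated value keytool expects.
san_list() {
  list=""
  for name in "$@"; do
    entry=$(san_entry "$name")
    if [ -z "$list" ]; then list="$entry"; else list="$list,$entry"; fi
  done
  printf '%s' "$list"
}

# Create the keystore, then export cert+key (for curl -E) and a
# certificate-only file (for curl --cacert). Returns non-zero on failure.
generate_keystore() {
  sans=$(san_list "$@")
  keytool -genkeypair -alias solr-ssl -keyalg RSA -keysize 2048 \
    -keypass secret -storepass secret -validity 9999 \
    -keystore solr-ssl.keystore.p12 -storetype PKCS12 \
    -ext "SAN=$sans" \
    -dname "CN=localhost, OU=Organizational Unit, O=Organization, L=Location, ST=State, C=Country" \
    || return 1
  # certificate plus the (password-protected) private key in one PEM file
  openssl pkcs12 -in solr-ssl.keystore.p12 -out solr-ssl.pem \
    -passin pass:secret -passout pass:secret || return 1
  # certificate only: what curl --cacert requires, with no key in the file
  openssl pkcs12 -in solr-ssl.keystore.p12 -nokeys -out solr-ssl.cacert.pem \
    -passin pass:secret
}

# Usage with the hosts named in this section:
#   generate_keystore localhost 127.0.0.1 192.168.1.3
```

Add every name and address that Solr nodes will be reached on; a name missing from the SAN list is the usual reason hostname verification fails once SOLR_SSL_CHECK_PEER_NAME is left at its default.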
The Solr Control Script is already set up to pass SSL-related Java system properties to the JVM.
To activate the SSL settings, uncomment and update the set of properties beginning with SOLR_SSL_* in bin/solr.in.sh on *nix systems or bin\solr.in.cmd on Windows.
If you set up Solr as a service on Linux using the steps outlined in Taking Solr to Production, then make these changes in /var/solr/solr.in.sh.
On *nix (bin/solr.in.sh):

# Enables HTTPS. It is implicitly true if you set SOLR_SSL_KEY_STORE. Use this config
# to enable https module with custom jetty configuration.
SOLR_SSL_ENABLED=true
# Uncomment to set SSL-related system properties
# Be sure to update the paths to the correct keystore for your environment
SOLR_SSL_KEY_STORE=etc/solr-ssl.keystore.p12
# Require clients to authenticate
SOLR_SSL_NEED_CLIENT_AUTH=false
# Enable clients to authenticate (but not require)
SOLR_SSL_WANT_CLIENT_AUTH=false
# SSL Certificates contain host/ip "peer name" information that is validated by default. Setting
# this to false can be useful to disable these checks when re-using a certificate on many hosts
SOLR_SSL_CHECK_PEER_NAME=true

On Windows (bin\solr.in.cmd):

REM Enables HTTPS. It is implicitly true if you set SOLR_SSL_KEY_STORE. Use this config
REM to enable https module with custom jetty configuration.
set SOLR_SSL_ENABLED=true
REM Uncomment to set SSL-related system properties
REM Be sure to update the paths to the correct keystore for your environment
set SOLR_SSL_KEY_STORE=etc/solr-ssl.keystore.p12
REM Require clients to authenticate
set SOLR_SSL_NEED_CLIENT_AUTH=false
REM Enable clients to authenticate (but not require)
set SOLR_SSL_WANT_CLIENT_AUTH=false
REM SSL Certificates contain host/ip "peer name" information that is validated by default. Setting
REM this to false can be useful to disable these checks when re-using a certificate on many hosts
set SOLR_SSL_CHECK_PEER_NAME=true
Client Authentication Settings
Enable either SOLR_SSL_NEED_CLIENT_AUTH or SOLR_SSL_WANT_CLIENT_AUTH, but not both at the same time. They are mutually exclusive, and Jetty will select one of them, which may not be what you expect. Set SOLR_SSL_CLIENT_HOSTNAME_VERIFICATION to false if you want to disable hostname verification.
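Because Jetty resolves the NEED/WANT conflict silently, the safest place to catch it is before Solr starts. The following POSIX shell function is an added example (not part of the reference guide): it sources a solr.in.sh, applies the rules stated in this section to the SOLR_SSL_* variables named on this page, prints one line per finding, and returns the number of ERROR findings so it can gate a deployment script. The path is whatever the caller passes (bin/solr.in.sh or /var/solr/solr.in.sh); how bin/solr resolves a relative keystore path is deliberately left to the control script and only reported.

```shell
#!/bin/sh
# Added example, not from the Solr Reference Guide. Reads the SOLR_SSL_*
# settings from a solr.in.sh and reports the misconfigurations this section
# warns about. Returns the number of ERROR findings (0 means go ahead).

check_solr_ssl_config() {
  conf="$1"
  errors=0

  # Start from a clean slate so values in the caller's environment cannot
  # mask a missing line in the file, then source the file.
  unset SOLR_SSL_ENABLED SOLR_SSL_KEY_STORE SOLR_SSL_NEED_CLIENT_AUTH \
        SOLR_SSL_WANT_CLIENT_AUTH SOLR_SSL_CHECK_PEER_NAME \
        SOLR_SSL_CLIENT_HOSTNAME_VERIFICATION
  . "$conf"

  # HTTPS is implicitly enabled when a keystore is configured.
  enabled="${SOLR_SSL_ENABLED:-false}"
  [ -n "${SOLR_SSL_KEY_STORE:-}" ] && enabled=true

  if [ "$enabled" = true ] && [ -z "${SOLR_SSL_KEY_STORE:-}" ]; then
    echo "ERROR: SOLR_SSL_ENABLED=true but SOLR_SSL_KEY_STORE is not set"
    errors=$((errors + 1))
  fi

  # NEED and WANT are mutually exclusive; Jetty picks one if both are true.
  if [ "${SOLR_SSL_NEED_CLIENT_AUTH:-false}" = true ] && \
     [ "${SOLR_SSL_WANT_CLIENT_AUTH:-false}" = true ]; then
    echo "ERROR: SOLR_SSL_NEED_CLIENT_AUTH and SOLR_SSL_WANT_CLIENT_AUTH are both true; enable only one"
    errors=$((errors + 1))
  fi

  # Client authentication settings have no effect without HTTPS.
  if [ "$enabled" != true ] && { [ "${SOLR_SSL_NEED_CLIENT_AUTH:-false}" = true ] || \
       [ "${SOLR_SSL_WANT_CLIENT_AUTH:-false}" = true ]; }; then
    echo "WARN: client authentication is requested but HTTPS is not enabled"
  fi

  # Turning off peer-name or hostname checks removes hostname verification;
  # acceptable only for a certificate deliberately shared across hosts.
  if [ "${SOLR_SSL_CHECK_PEER_NAME:-true}" = false ]; then
    echo "WARN: SOLR_SSL_CHECK_PEER_NAME=false disables peer-name verification"
  fi
  if [ "${SOLR_SSL_CLIENT_HOSTNAME_VERIFICATION:-true}" = false ]; then
    echo "WARN: SOLR_SSL_CLIENT_HOSTNAME_VERIFICATION=false disables client hostname verification"
  fi

  # An absolute keystore path can be checked here; a relative one is
  # resolved by the control script, so it is only reported.
  case "${SOLR_SSL_KEY_STORE:-}" in
    /*) [ -f "$SOLR_SSL_KEY_STORE" ] || {
          echo "ERROR: keystore $SOLR_SSL_KEY_STORE does not exist"
          errors=$((errors + 1)); } ;;
    ?*) echo "INFO: keystore path $SOLR_SSL_KEY_STORE is relative (resolved by bin/solr)" ;;
  esac

  return "$errors"
}

# Usage: check_solr_ssl_config bin/solr.in.sh && bin/solr -p 8984
```

The WARN lines are not failures: disabling peer-name checks is a documented option for a certificate reused on many hosts, but it should be a decision you can point to rather than a leftover in the file.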
When you start Solr, the bin/solr script includes these settings and will pass them as system properties to the JVM.
set SOLR_OPTS=" -Dsolr.ssl.credential.provider.chain=hadoop"
set SOLR_HADOOP_CREDENTIAL_PROVIDER_PATH=localjceks://file/home/solr/hadoop-credential-provider.jceks
Be sure to use the correct zkhost value for your system. If you have set up your ZooKeeper ensemble to use a chroot for Solr, make sure to include it in the zkhost string, e.g., -zkhost server1:2181,server2:2181,server3:2181/solr.
Update Cluster Properties for Existing Collections
If you are using SolrCloud and have collections created before enabling SSL, you will need to update the cluster properties to use HTTPS.
If you do not have existing collections or are not using SolrCloud, you can skip ahead and start Solr.
Updating cluster properties can be done with the Collections API CLUSTERPROP command, as in this example (update the hostname and port as appropriate for your system):
This command only needs to be run on one node of the cluster; the change will apply to all nodes.
Once this and all other steps are complete, you can go ahead and start Solr.
Starting Solr After Enabling SSL
Run Single Node Solr using SSL
Start Solr using the Solr control script as shown in the examples below.
Customize the values for the parameters shown as needed and add any used in your system.
$ bin/solr -p 8984
C:\> bin\solr.cmd -p 8984
Run SolrCloud with SSL
If you have defined ZK_HOST in solr.in.sh/solr.in.cmd (see instructions), you can omit -z <zk host string> from all of the bin/solr and bin\solr.cmd commands below.
Start each Solr node with the Solr control script as shown in the examples below. Customize the values for the parameters shown as necessary and add any used in your system.
If you created the SSL key without all DNS names or IP addresses on which Solr nodes run, you can tell Solr to skip hostname verification for inter-node communications by setting the -Dsolr.ssl.checkPeerName=false system property.
The curl commands in the following sections will not work with the system curl on OS X Yosemite (10.10). Instead, the certificate supplied with the -E parameter must be in PKCS12 format, and the file supplied with the --cacert parameter must contain only the CA certificate, and no key (see above for instructions on creating this file):
Use curl to query the SolrCloud collection created above, from a directory containing the PEM formatted certificate and key created above (e.g., example/etc/); if you have not enabled client authentication (system property -Djetty.ssl.clientAuth=true), you can remove the -E solr-ssl.pem:secret option:
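The two PEM files have different shape requirements, and curl's error messages when they are mixed up are not obvious: the --cacert file must contain certificates only, while the -E file must contain the client certificate together with its private key. The following POSIX shell functions are an added example (not part of the reference guide) that verify both files before the query and add -E only when client authentication is actually required. The file names solr-ssl.cacert.pem and solr-ssl.pem and the password "secret" are assumptions taken from this section's curl usage; COLLECTION in the usage line is a placeholder for your collection name.

```shell
#!/bin/sh
# Added example, not from the Solr Reference Guide. Checks the PEM files
# handed to curl and runs the HTTPS query with or without a client cert.
# Assumed file names: solr-ssl.cacert.pem (--cacert), solr-ssl.pem (-E).

# Number of CERTIFICATE blocks in a PEM file (0 if none or unreadable).
cert_count() {
  n=$(grep -c -e '^-----BEGIN CERTIFICATE-----$' "$1" 2>/dev/null) || n=0
  printf '%s' "$n"
}

# Number of private-key blocks, whatever the header variant
# (PRIVATE KEY, RSA PRIVATE KEY, ENCRYPTED PRIVATE KEY, ...).
key_count() {
  n=$(grep -c -e '^-----BEGIN .*PRIVATE KEY-----$' "$1" 2>/dev/null) || n=0
  printf '%s' "$n"
}

# --cacert: at least one certificate and no key material at all.
check_cacert_file() {
  [ "$(cert_count "$1")" -ge 1 ] && [ "$(key_count "$1")" -eq 0 ]
}

# -E: a certificate plus exactly one private key.
check_client_cert_file() {
  [ "$(cert_count "$1")" -ge 1 ] && [ "$(key_count "$1")" -eq 1 ]
}

# Query Solr over HTTPS. Pass "true" as $2 when the server requires client
# authentication; otherwise -E is omitted, as described above.
solr_query() {
  url="$1"; client_auth="${2:-false}"
  check_cacert_file solr-ssl.cacert.pem || {
    echo "solr-ssl.cacert.pem must hold only certificates (no key)" >&2; return 1; }
  if [ "$client_auth" = true ]; then
    check_client_cert_file solr-ssl.pem || {
      echo "solr-ssl.pem must hold the client certificate and its key" >&2; return 1; }
    curl --cacert solr-ssl.cacert.pem -E solr-ssl.pem:secret "$url"
  else
    curl --cacert solr-ssl.cacert.pem "$url"
  fi
}

# Usage (COLLECTION is a placeholder):
#   solr_query 'https://localhost:8984/solr/COLLECTION/select?q=*:*' true
```

Keeping the CA-only file separate also avoids the situation the Yosemite note above describes, where a combined file is rejected by the system curl.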
From a java client using SolrJ, index a document. In the code below, the javax.net.ssl.* system properties are set programmatically, but you could instead specify them on the java command line, as in the post.jar example above: