[
https://issues.apache.org/jira/browse/SOLR-16743?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17845015#comment-17845015
]
David Smiley commented on SOLR-16743:
-------------------------------------
Where I work, we use rotating keys but we don't need changes as invasive as
this (e.g. with the extra code/complexity added here to accompany it). At the
time we used a company Java "KeyStore" that internally dynamically reloads. A
bit of custom glue creates a custom SSLContext, and we call
`org.apache.solr.client.solrj.impl.Http2SolrClient#setDefaultSSLConfig`.
Presently I would recommend users use Managed-mesh/Istio with rotating keys,
which is more scalable in terms of integration effort, complexity, maintenance
than cusotmizing/configurable SSL on each and every service.
> Auto reload keystore/truststore on change
> -----------------------------------------
>
> Key: SOLR-16743
> URL: https://issues.apache.org/jira/browse/SOLR-16743
> Project: Solr
> Issue Type: Improvement
> Components: Server, SolrJ
> Reporter: Houston Putman
> Assignee: Tomas Eduardo Fernandez Lobbe
> Priority: Major
> Fix For: main (10.0), 9.5
>
> Time Spent: 1h
> Remaining Estimate: 0h
>
> Currently everyone who uses Solr with SSL must restart their clusters when
> new certificates are created.
> Jetty comes with an
> [ssl-reload|https://www.eclipse.org/jetty/documentation/jetty-10/operations-guide/index.html#og-module-ssl-reload]
> module for reloading the server's keystore.
> For the client we would likely need to reload the truststore, but that
> requires more investigation.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscr...@solr.apache.org
For additional commands, e-mail: issues-h...@solr.apache.org
