Jan Høydahl commented on SOLR-8897:

For the problem of revealing passwords in solr.in.sh, would it help to point to 
an external file for retrieving the SSL passwords? e.g. 

I'm not sure if we can avoid passing the passwords to Jetty using sysprops. 
However, we can avoid passwords being exposed in the Admin UI "Args" section by 
showing {{*****}} instead of the password? Probably needs to be done on REST API 

> SSL-related passwords in solr.in.sh are in plain text
> -----------------------------------------------------
>                 Key: SOLR-8897
>                 URL: https://issues.apache.org/jira/browse/SOLR-8897
>             Project: Solr
>          Issue Type: Improvement
>          Components: scripts and tools, security
>            Reporter: Esther Quansah
> As per the steps mentioned at following URL, one needs to store the plain 
> text password for the keystore to configure SSL for Solr, which is not a good 
> idea from security perspective.
> URL: 
> https://cwiki.apache.org/confluence/display/solr/Enabling+SSL#EnablingSSL-SetcommonSSLrelatedsystemproperties
> Is there any way so that the encrypted password can be stored (instead of 
> plain password) in solr.in.cmd/solr.in.sh to configure SSL?
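
The masking idea raised in the comment, as an added example that is not Solr's own code: a filter that replaces the value of any `-D` system property whose name contains "password" before the JVM argument list is displayed. The class name `JvmArgRedactor` and the sample values are hypothetical; `javax.net.ssl.keyStorePassword` and `javax.net.ssl.trustStorePassword` are the standard JSSE property names, assumed here to be the ones passed to Jetty.

```java
import java.lang.management.ManagementFactory;
import java.util.List;
import java.util.Locale;
import java.util.stream.Collectors;

/** Hypothetical helper, not Solr's own code: masks password-like -D values before display. */
public class JvmArgRedactor {
    static final String MASK = "*****";

    /** Masks the value if the argument is a -D property whose name contains "password". */
    static String redact(String arg) {
        if (!arg.startsWith("-D")) {
            return arg;                       // not a system property (e.g. -Xmx512m)
        }
        int eq = arg.indexOf('=');
        if (eq < 0) {
            return arg;                       // -Dflag with no value: nothing to hide
        }
        String name = arg.substring(2, eq);
        // Match on the property NAME only, so a path or value that merely
        // contains the word "password" is left readable.
        if (name.toLowerCase(Locale.ROOT).contains("password")) {
            return arg.substring(0, eq + 1) + MASK;
        }
        return arg;
    }

    static List<String> redactAll(List<String> args) {
        return args.stream().map(JvmArgRedactor::redact).collect(Collectors.toList());
    }

    public static void main(String[] unused) {
        // Constructed sample arguments; the values are made up for illustration.
        List<String> sample = List.of(
            "-Xmx512m",
            "-Djavax.net.ssl.keyStore=etc/solr-ssl.keystore.jks",
            "-Djavax.net.ssl.keyStorePassword=constructed-secret",
            "-Djavax.net.ssl.trustStorePassword=",
            "-Dsolr.example.flag");
        redactAll(sample).forEach(System.out::println);

        // The live JVM's own arguments, as a status page would obtain them.
        redactAll(ManagementFactory.getRuntimeMXBean().getInputArguments())
            .forEach(System.out::println);
    }
}
```

Masking at display time only changes what the UI or API returns; the values are still present on the process command line and in solr.in.sh, which is the part of the issue the external-file question addresses.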
