[ 
https://issues.apache.org/jira/browse/SOLR-7893?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16897468#comment-16897468
 ] 

Jörn Franke commented on SOLR-7893:
-----------------------------------

I did some initial tests with Solr 8.2.

First, you need to add the jetty-all.jar of ZooKeeper 3.5.5 to the classpath of 
Solr. I created a Solr issue for this, so this should be fixed in 8.2.1 or 
8.3.0. Meanwhile, you can copy it manually.

Second, even after deploying and configuring it, I get an unknown certificate 
issue. The thing is, I configured a truststore with my CAs and a certificate 
signed by the CAs. This is really strange, because it should work this way, but 
it does not. I do not go for self-signed certificates, because aside from the 
security issues with them, they would cause operational overhead (every time 
the ZK cluster is extended, I then need to add the additional unsigned CA to all 
truststores of Solr - that does not make sense to me). I also need to clarify 
with the ZK user list why the client needs to provide its own certificate. The 
ZooKeeper server - I understand, but the client does not need one, because I 
use Kerberos for authentication and not certificates.

 

I also noticed that secureClientPort and clientPort are both mandatory 
and they have to be set to different ports; otherwise you get a "cannot 
bind address" issue in ZK.

 

Once I have figured it all out, I will put it into a document. For 
completeness, I will also include SSL between the ZooKeeper servers (not really 
a Solr issue, but for making Solr secure we should also take into account the 
complete picture with ZK).

 

> Document ZooKeeper SSL support
> ------------------------------
>
>                 Key: SOLR-7893
>                 URL: https://issues.apache.org/jira/browse/SOLR-7893
>             Project: Solr
>          Issue Type: Sub-task
>          Components: security
>            Reporter: Jan Høydahl
>            Assignee: Jan Høydahl
>            Priority: Major
>              Labels: ssl, zookeeper
>
> Once ZooKeeper supports SSL properly, Solr should start using it for all 
> communication. See comments in 
> https://cwiki.apache.org/confluence/display/solr/Enabling+SSL
> {quote}
> ZooKeeper does not support encrypted communication with clients like Solr.  
> There are several related JIRA tickets where SSL support is being 
> planned/worked on: ZOOKEEPER-235; ZOOKEEPER-236; ZOOKEEPER-733; and  
> ZOOKEEPER-1000.
> {quote}


