[jira] [Commented] (SOLR-8897) SSL-related passwords in solr.in.sh are in plain text

2018-06-26 Thread Ian (JIRA)


[ 
https://issues.apache.org/jira/browse/SOLR-8897?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16523832#comment-16523832
 ] 

Ian commented on SOLR-8897:
---

Thanks [~pluk77] for pointing out that the Jetty password utility doesn't work 
with the collection API.
That was one of the suggestions I was looking into from this thread from 2016:
http://lucene.472066.n3.nabble.com/Prevent-the-SSL-Keystore-and-Truststore-password-from-showing-up-in-the-Solr-Admin-and-Linux-process-td4257422.html

[~janhoy] Is there an open ticket about not showing the password in the Solr 
Portal UI, as you suggest?
Also, the solution from SOLR-10307, which has marked this issue as a duplicate, 
resolves the issue by using environment variables.
I don't think this is much of an improvement, see 
https://diogomonica.com/2017/03/27/why-you-shouldnt-use-env-variables-for-secret-data/
(There is another solution referenced, using Hadoop, but that doesn't apply to me.)

For reference I'm using Solr 6.6 on Windows.

This is my first time posting here, so not sure on the protocols.
Can this ticket be re-raised/split?
- Storing the password securely at rest (whether that is the Jetty password 
  utility or another mechanism; my main language is not Java, what's best practice?)
- Not exposing the password in the UI.
- Not exposing the password to other processes, where it is likely to be caught 
  in memory/crash dumps.
- Updating the documentation to show how to configure Solr HTTPS password 
  certificates securely (even 7.2 still shows setting the password in plain text 
  in solr.in.cmd: https://lucene.apache.org/solr/guide/7_2/enabling-ssl.html)

Thanks in advance, let me know how I can help.

> SSL-related passwords in solr.in.sh are in plain text
> -
>
> Key: SOLR-8897
> URL: https://issues.apache.org/jira/browse/SOLR-8897
> Project: Solr
>  Issue Type: Improvement
>  Components: scripts and tools, security
>Reporter: Esther Quansah
>Priority: Major
>
> As per the steps mentioned at following URL, one needs to store the plain 
> text password for the keystore to configure SSL for Solr, which is not a good 
> idea from security perspective.
> URL: https://cwiki.apache.org/confluence/display/solr/Enabling+SSL#EnablingSSL-SetcommonSSLrelatedsystemproperties
> Is there any way so that the encrypted password can be stored (instead of 
> plain password) in solr.in.cmd/solr.in.sh to configure SSL?



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

-
To unsubscribe, e-mail: dev-unsubscr...@lucene.apache.org
For additional commands, e-mail: dev-h...@lucene.apache.org



[jira] [Commented] (SOLR-8897) SSL-related passwords in solr.in.sh are in plain text

2017-07-14 Thread Marcel Berteler (JIRA)

[ 
https://issues.apache.org/jira/browse/SOLR-8897?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16087226#comment-16087226
 ] 

Marcel Berteler commented on SOLR-8897:
---

Issue still persistent in version 6.6.0.

When using obfuscated passwords, starting SOLR in stand alone mode results in 
errors, although it does seem to start and has the correct certificate when 
browsing the Admin UI.

INFO  - 2017-07-14 13:50:30.105; 
org.apache.http.impl.client.DefaultRequestDirector; Retrying connect to 
{s}->https://localhost:443

INFO  - 2017-07-14 13:50:30.108; 
org.apache.http.impl.client.DefaultRequestDirector; I/O exception 
(java.net.SocketException) caught when connecting to 
{s}->https://localhost:443: java.security.NoSuchAlgorithmException: Error 
constructing implementation (algorithm: Default, provider: SunJSSE, class: 
sun.security.ssl.SSLContextImpl$DefaultSSLContext)




[jira] [Commented] (SOLR-8897) SSL-related passwords in solr.in.sh are in plain text

2017-02-22 Thread Marcel Berteler (JIRA)

[ 
https://issues.apache.org/jira/browse/SOLR-8897?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15877881#comment-15877881
 ] 

Marcel Berteler commented on SOLR-8897:
---

OK, so I just discovered the hard way that using obfuscated passwords is only 
working partially. SOLR 6.4.1 in cloud mode starts, the Admin UI is usable, but 
some of the collection APIs don't and will report a "Keystore was tampered 
with, or password was incorrect" error.




[jira] [Commented] (SOLR-8897) SSL-related passwords in solr.in.sh are in plain text

2016-11-07 Thread Marcel Berteler (JIRA)

[ 
https://issues.apache.org/jira/browse/SOLR-8897?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15644273#comment-15644273
 ] 

Marcel Berteler commented on SOLR-8897:
---

A slightly better way than using clear txt is using the obfuscated (OBF) 
version of the password which can be generated using the password utility that 
comes with Jetty.

http://wiki.eclipse.org/Jetty/Howto/Secure_Passwords






[jira] [Commented] (SOLR-8897) SSL-related passwords in solr.in.sh are in plain text

2016-10-14 Thread JIRA

[ 
https://issues.apache.org/jira/browse/SOLR-8897?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15575180#comment-15575180
 ] 

Jan Høydahl commented on SOLR-8897:
---

For the problem of revealing passwords in solr.in.sh, would it help to point to 
an external file for retrieving the SSL passwords? e.g. 
{{SOLR_SSL_CONFIGFILE=/var/secret/ssl-passwords.txt}}?

I'm not sure if we can avoid passing the passwords to Jetty using sysprops. 
However, we can avoid passwords being exposed in the Admin UI "Args" section by 
showing {{*}} instead of the password? Probably needs to be done at the REST API 
level?

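One way to realise the external-file idea from Jan's comment, as an added example that is not Solr's own code: a POSIX shell fragment that solr.in.sh could source to read the key store and trust store passwords from an owner-only file instead of carrying them in plain text. SOLR_SSL_CONFIGFILE is the name proposed in the thread and is assumed here, not an existing Solr setting; the two exported variables are the ones solr.in.sh already uses.

```shell
#!/bin/sh
# Added example, not Solr's own code: read the SSL key/trust store passwords
# from an owner-only file instead of hard-coding them in solr.in.sh.
# SOLR_SSL_CONFIGFILE is the name proposed in the thread (assumption, not a
# real Solr setting); SOLR_SSL_KEY_STORE_PASSWORD and
# SOLR_SSL_TRUST_STORE_PASSWORD are the variables solr.in.sh already uses.

# True only for a regular file whose group/other permission bits are all off
# (mode 0600 or stricter); parses `ls -l` so it works on GNU and BSD userland.
ssl_passfile_is_private() {
  f=$1
  [ -f "$f" ] || return 1
  mode=$(ls -ld "$f" | cut -c5-10)
  [ "$mode" = "------" ]
}

# Parse KEY=VALUE lines from the file; blank lines, comments and unknown keys
# are ignored. Returns 1 (and exports nothing) if the file is missing, too
# open, or carries no key store password.
load_solr_ssl_passwords() {
  f=${1:-${SOLR_SSL_CONFIGFILE:-/var/secret/ssl-passwords.txt}}
  if ! ssl_passfile_is_private "$f"; then
    echo "refusing $f: missing, not a regular file, or not mode 0600" >&2
    return 1
  fi
  ks= ; ts=
  while IFS= read -r line || [ -n "$line" ]; do
    case $line in
      ''|'#'*) ;;
      SOLR_SSL_KEY_STORE_PASSWORD=*)   ks=${line#*=} ;;
      SOLR_SSL_TRUST_STORE_PASSWORD=*) ts=${line#*=} ;;
    esac
  done < "$f"
  if [ -z "$ks" ]; then
    echo "no SOLR_SSL_KEY_STORE_PASSWORD in $f" >&2
    return 1
  fi
  SOLR_SSL_KEY_STORE_PASSWORD=$ks
  # Only set the trust store password when the file provides one.
  [ -n "$ts" ] && SOLR_SSL_TRUST_STORE_PASSWORD=$ts
  export SOLR_SSL_KEY_STORE_PASSWORD SOLR_SSL_TRUST_STORE_PASSWORD
}
```

Source it from solr.in.sh (`. /etc/solr/load-ssl-passwords.sh && load_solr_ssl_passwords`); this narrows who can read the secret at rest, while the passwords still reach Jetty as system properties, which is the separate exposure the thread discusses.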