RE: solr-6.1.0 - Using different client and server certificates for authentication doesn't work

2016-08-17 Thread Kostas
This is what helped me:
https://gist.github.com/jankronquist/6412839




-Original Message-
From: Kostas [mailto:k...@dataverse.gr] 
Sent: Tuesday, July 26, 2016 3:22 PM
To: solr-user@lucene.apache.org
Subject: solr-6.1.0 - Using different client and server certificates for
authentication doesn't work

Hello.

 

I have set up Solr 6.1.0 to use SSL (on Windows) and to do client
authentication based on the client certificate.

When I use the same certificate for both the server and the client
authentication, everything works OK :

 



== solr.in.cmd

set SOLR_SSL_KEY_STORE=%ROO%/server/etc/solr-ssl.keystore.jks
set SOLR_SSL_KEY_STORE_PASSWORD=password
set SOLR_SSL_TRUST_STORE=%ROO%/server/etc/solr-ssl.keystore.jks
set SOLR_SSL_TRUST_STORE_PASSWORD=password
set SOLR_SSL_NEED_CLIENT_AUTH=true
set SOLR_SSL_WANT_CLIENT_AUTH=false
REM (Client settings residing below are commented out.)

 

== server\etc\jetty-ssl.xml

  

  

  

  

  

  

 

==  This works :

curl ^
  --cert "solr-ssl.keystore.pem" ^
  --cacert "solr-ssl.keystore.pem" ^
  "https://localhost:8898/solr/admin/collections?action=CLUSTERSTATUS=json;indent=on"



 

However, when I try to use different server and client certificates, it
doesn't work (it seems that it still uses the server certificate for client
authorizations) :

 



== solr.in.cmd

set SOLR_SSL_KEY_STORE=%ROO%/server/etc/solr-ssl.keystore.jks
set SOLR_SSL_KEY_STORE_PASSWORD=password
set SOLR_SSL_TRUST_STORE=%ROO%/server/etc/solr-ssl.keystore.jks
set SOLR_SSL_TRUST_STORE_PASSWORD=password
set SOLR_SSL_NEED_CLIENT_AUTH=true
set SOLR_SSL_WANT_CLIENT_AUTH=false

set SOLR_SSL_CLIENT_KEY_STORE=%ROO%/server/etc/solr-ssl-client.keystore.jks
set SOLR_SSL_CLIENT_KEY_STORE_PASSWORD=password
set SOLR_SSL_CLIENT_TRUST_STORE=%ROO%/server/etc/solr-ssl-client.keystore.jks
set SOLR_SSL_CLIENT_TRUST_STORE_PASSWORD=password

 

 

== server\etc\jetty-ssl.xml

  

  

  

  

  

  

 

 

== This fails (!!!):

curl ^
  --cert "solr-ssl-client.keystore.pem" ^
  --cacert "solr-ssl.keystore.pem" ^
  "https://localhost:8898/solr/admin/collections?action=CLUSTERSTATUS=json;indent=on"

 

== This STILL works (!!!):

curl ^
  --cert "solr-ssl.keystore.pem" ^
  --cacert "solr-ssl.keystore.pem" ^
  "https://localhost:8898/solr/admin/collections?action=CLUSTERSTATUS=json;indent=on"



 

I run Solr like this:

 

"%ROO%\bin\solr" start -c -V -f -p 8898 ^
  -Dsolr.ssl.checkPeerName=false

 

From what I can tell, Solr uses the values from `server\etc\jetty-ssl.xml`
and totally discards the ones from `solr.in.cmd`.

Naturally, I would try to set the client certificate inside there
(jetty-ssl.xml), but I don't see any setting available for that.

Is what I am trying to do (use different certificates for server and client
authentication) supported, or am I wasting my time?

Also, why don't the docs say that jetty-ssl.xml overrides the settings in
`solr.in.cmd`? Am I missing something?

 

Thanks,
Kostas

 




solr-6.1.0 - Using different client and server certificates for authentication doesn't work

2016-07-26 Thread Kostas
Hello.

 

I have set up Solr 6.1.0 to use SSL (on Windows) and to do client
authentication based on the client certificate.

When I use the same certificate for both the server and the client
authentication, everything works OK :

 



== solr.in.cmd

set SOLR_SSL_KEY_STORE=%ROO%/server/etc/solr-ssl.keystore.jks
set SOLR_SSL_KEY_STORE_PASSWORD=password
set SOLR_SSL_TRUST_STORE=%ROO%/server/etc/solr-ssl.keystore.jks
set SOLR_SSL_TRUST_STORE_PASSWORD=password
set SOLR_SSL_NEED_CLIENT_AUTH=true
set SOLR_SSL_WANT_CLIENT_AUTH=false
REM (Client settings residing below are commented out.)

 

== server\etc\jetty-ssl.xml

  

  

  

  

  

  

 

==  This works :

curl ^
  --cert "solr-ssl.keystore.pem" ^
  --cacert "solr-ssl.keystore.pem" ^
  "https://localhost:8898/solr/admin/collections?action=CLUSTERSTATUS=json;indent=on"



 

However, when I try to use different server and client certificates, it
doesn't work (it seems that it still uses the server certificate for client
authorizations) :

 



== solr.in.cmd

set SOLR_SSL_KEY_STORE=%ROO%/server/etc/solr-ssl.keystore.jks
set SOLR_SSL_KEY_STORE_PASSWORD=password
set SOLR_SSL_TRUST_STORE=%ROO%/server/etc/solr-ssl.keystore.jks
set SOLR_SSL_TRUST_STORE_PASSWORD=password
set SOLR_SSL_NEED_CLIENT_AUTH=true
set SOLR_SSL_WANT_CLIENT_AUTH=false

set SOLR_SSL_CLIENT_KEY_STORE=%ROO%/server/etc/solr-ssl-client.keystore.jks
set SOLR_SSL_CLIENT_KEY_STORE_PASSWORD=password
set SOLR_SSL_CLIENT_TRUST_STORE=%ROO%/server/etc/solr-ssl-client.keystore.jks
set SOLR_SSL_CLIENT_TRUST_STORE_PASSWORD=password

 

 

== server\etc\jetty-ssl.xml

  

  

  

  

  

  

 

 

== This fails (!!!):

curl ^
  --cert "solr-ssl-client.keystore.pem" ^
  --cacert "solr-ssl.keystore.pem" ^
  "https://localhost:8898/solr/admin/collections?action=CLUSTERSTATUS=json;indent=on"

 

== This STILL works (!!!):

curl ^
  --cert "solr-ssl.keystore.pem" ^
  --cacert "solr-ssl.keystore.pem" ^
  "https://localhost:8898/solr/admin/collections?action=CLUSTERSTATUS=json;indent=on"



 

I run Solr like this:

 

"%ROO%\bin\solr" start -c -V -f -p 8898 ^
  -Dsolr.ssl.checkPeerName=false

 

From what I can tell, Solr uses the values from `server\etc\jetty-ssl.xml`
and totally discards the ones from `solr.in.cmd`.

Naturally, I would try to set the client certificate inside there
(jetty-ssl.xml), but I don't see any setting available for that.

Is what I am trying to do (use different certificates for server and client
authentication) supported, or am I wasting my time?

Also, why don't the docs say that jetty-ssl.xml overrides the settings in
`solr.in.cmd`? Am I missing something?

 

Thanks,
Kostas
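
Added example (not part of the original post and not Solr's own script): a `keytool` check of whether the client certificate is present in the store that `SOLR_SSL_TRUST_STORE` points at, followed by the import that makes a server running with `SOLR_SSL_NEED_CLIENT_AUTH=true` trust a separate client certificate. It assumes the failing request is rejected because that certificate is missing from the server trust store; the alias `solr-ssl-client` and the `.cer` file name are also assumptions, while the paths and password are the ones from the post.

```bat
@echo off
REM Added example; alias and .cer file name are assumptions, paths come from the post.
setlocal
set ETC=%ROO%/server/etc
set SERVER_STORE=%ETC%/solr-ssl.keystore.jks
set CLIENT_STORE=%ETC%/solr-ssl-client.keystore.jks
set CLIENT_CER=%ETC%/solr-ssl-client.cer
set STOREPASS=password
set CLIENT_ALIAS=solr-ssl-client

REM 1. List what the server trust store holds now. If it only contains the
REM    server's own entry, a different self-signed client cert is not trusted.
keytool -list -keystore "%SERVER_STORE%" -storepass %STOREPASS%
if errorlevel 1 exit /b 1

REM 2. Export only the client's public certificate (the private key stays
REM    in the client keystore).
keytool -exportcert -rfc -alias %CLIENT_ALIAS% ^
  -keystore "%CLIENT_STORE%" -storepass %STOREPASS% ^
  -file "%CLIENT_CER%"
if errorlevel 1 exit /b 1

REM 3. Import it as a trusted certificate into the store the server uses
REM    to validate incoming client certificates.
keytool -importcert -noprompt -alias %CLIENT_ALIAS% ^
  -file "%CLIENT_CER%" ^
  -keystore "%SERVER_STORE%" -storepass %STOREPASS%
if errorlevel 1 exit /b 1

REM 4. Confirm the new entry; keytool reports it as trustedCertEntry.
keytool -list -alias %CLIENT_ALIAS% ^
  -keystore "%SERVER_STORE%" -storepass %STOREPASS%
endlocal
```

Solr has to be restarted after the import so that Jetty reloads the trust store. Keeping trusted client certificates in a dedicated trust store file, separate from the keystore that holds the server's private key, limits which processes and people need read access to that key.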