This is what helped me:
https://gist.github.com/jankronquist/6412839
-Original Message-
From: Kostas [mailto:k...@dataverse.gr]
Sent: Tuesday, July 26, 2016 3:22 PM
To: solr-user@lucene.apache.org
Subject: solr-6.1.0 - Using different client and server certificates for authentication doesn't work
Hello.
I have setup Solr 6.1.0 to use SSL (on Windows) and to do client
authentication based on the client certificate.
When I use the same certificate for both the server and the client
authentication, everything works OK:
== solr.in.cmd
set SOLR_SSL_KEY_STORE=%ROO%/server/etc/solr-ssl.keystore.jks
set SOLR_SSL_KEY_STORE_PASSWORD=password
set SOLR_SSL_TRUST_STORE=%ROO%/server/etc/solr-ssl.keystore.jks
set SOLR_SSL_TRUST_STORE_PASSWORD=password
set SOLR_SSL_NEED_CLIENT_AUTH=true
set SOLR_SSL_WANT_CLIENT_AUTH=false
REM (Client settings residing below are commented out.)
== server\etc\jetty-ssl.xml
== This works :
curl ^
--cert "solr-ssl.keystore.pem" ^
--cacert "solr-ssl.keystore.pem" ^
"https://localhost:8898/solr/admin/collections?action=CLUSTERSTATUS=json;indent=on"
However, when I try to use different server and client certificates, it
doesn't work (it seems that it still uses the server certificate for client
authorization):
== solr.in.cmd
set SOLR_SSL_KEY_STORE=%ROO%/server/etc/solr-ssl.keystore.jks
set SOLR_SSL_KEY_STORE_PASSWORD=password
set SOLR_SSL_TRUST_STORE=%ROO%/server/etc/solr-ssl.keystore.jks
set SOLR_SSL_TRUST_STORE_PASSWORD=password
set SOLR_SSL_NEED_CLIENT_AUTH=true
set SOLR_SSL_WANT_CLIENT_AUTH=false
set SOLR_SSL_CLIENT_KEY_STORE=%ROO%/server/etc/solr-ssl-client.keystore.jks
set SOLR_SSL_CLIENT_KEY_STORE_PASSWORD=password
set SOLR_SSL_CLIENT_TRUST_STORE=%ROO%/server/etc/solr-ssl-client.keystore.jks
set SOLR_SSL_CLIENT_TRUST_STORE_PASSWORD=password
== server\etc\jetty-ssl.xml
== This fails (!!!):
curl ^
--cert "solr-ssl-client.keystore.pem" ^
--cacert "solr-ssl.keystore.pem" ^
"https://localhost:8898/solr/admin/collections?action=CLUSTERSTATUS=json;indent=on"
== This STILL works (!!!):
curl ^
--cert "solr-ssl.keystore.pem" ^
--cacert "solr-ssl.keystore.pem" ^
"https://localhost:8898/solr/admin/collections?action=CLUSTERSTATUS=json;indent=on"
I run Solr like this:
"%ROO%\bin\solr" start -c -V -f -p 8898^
-Dsolr.ssl.checkPeerName=false
From what I can tell, Solr uses the values from `server\etc\jetty-ssl.xml`
and totally discards the ones from `solr.in.cmd`.
Naturally, I would try to set the client certificate inside there
(jetty-ssl.xml), but I don't see any setting available for that.
Is what I am trying to do (use different certificates for server and client
authentication) supported, or am I wasting my time?
Also, why don't the docs say that jetty-ssl.xml overrides the settings in
`solr.in.cmd`? Am I missing something?
Thanks,
Kostas
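The symptom described above (a client certificate taken from the server keystore is accepted, a certificate from a separate client keystore is rejected) is what mutual TLS produces when the server's trust store contains only the server's own certificate: Jetty decides whether to accept a client certificate by validating it against SOLR_SSL_TRUST_STORE, and the SOLR_SSL_CLIENT_* settings configure Solr's own outbound HTTP client (inter-node traffic), not what the server accepts. The script below is an added example, not code from the thread or from the Solr project: it parses `set NAME=value` lines in the solr.in.cmd style (and `NAME=value` lines in the solr.in.sh style), then flags a server trust store that is the same file as the server keystore and notes when client-side stores are set under a configuration that requires client auth. The sample text is constructed from the second excerpt above, `%ROO%` is the hypothetical install-root variable used there, and the "separate trust store" variant assumes a trust store file name that does not appear in the thread.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample modelled on the second solr.in.cmd excerpt quoted above.
# %ROO% is the hypothetical install-root variable used in that excerpt.
SAMPLE_SOLR_IN_CMD = """\
REM (Client settings residing below are commented out.)
set SOLR_SSL_KEY_STORE=%ROO%/server/etc/solr-ssl.keystore.jks
set SOLR_SSL_KEY_STORE_PASSWORD=password
set SOLR_SSL_TRUST_STORE=%ROO%/server/etc/solr-ssl.keystore.jks
set SOLR_SSL_TRUST_STORE_PASSWORD=password
set SOLR_SSL_NEED_CLIENT_AUTH=true
set SOLR_SSL_WANT_CLIENT_AUTH=false
set SOLR_SSL_CLIENT_KEY_STORE=%ROO%/server/etc/solr-ssl-client.keystore.jks
set SOLR_SSL_CLIENT_KEY_STORE_PASSWORD=password
set SOLR_SSL_CLIENT_TRUST_STORE=%ROO%/server/etc/solr-ssl-client.keystore.jks
set SOLR_SSL_CLIENT_TRUST_STORE_PASSWORD=password
"""

# Constructed variant: Jetty is pointed at a dedicated trust store (hypothetical
# file name) that is meant to hold the client certificate or its issuer, so the
# server no longer trusts only its own keystore entry.
SAMPLE_SEPARATE_TRUST_STORE = SAMPLE_SOLR_IN_CMD.replace(
    "set SOLR_SSL_TRUST_STORE=%ROO%/server/etc/solr-ssl.keystore.jks",
    "set SOLR_SSL_TRUST_STORE=%ROO%/server/etc/solr-ssl.truststore.jks",
)

# Accepts "set NAME=value" (solr.in.cmd) and "NAME=value" (solr.in.sh) lines.
_SETTING = re.compile(r"^(?:set\s+)?(SOLR_SSL_[A-Z_]+)=(.*)$", re.IGNORECASE)


def parse_solr_ssl_settings(text: str) -> Dict[str, str]:
    """Return the SOLR_SSL_* settings as a dict; REM and # lines are comments."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.upper().startswith("REM") or line.startswith("#"):
            continue
        m = _SETTING.match(line)
        if m:
            settings[m.group(1).upper()] = m.group(2).strip().strip('"')
    return settings


def _same_path(a: str, b: str) -> bool:
    # Windows paths: separator and case are not significant.
    return a.replace("\\", "/").lower() == b.replace("\\", "/").lower()


def _is_true(settings: Dict[str, str], name: str) -> bool:
    return settings.get(name, "false").strip().lower() == "true"


def audit_client_auth(settings: Dict[str, str]) -> List[Tuple[str, str]]:
    """Findings as (code, message) pairs about what Jetty will accept from clients."""
    findings: List[Tuple[str, str]] = []
    need = _is_true(settings, "SOLR_SSL_NEED_CLIENT_AUTH")
    want = _is_true(settings, "SOLR_SSL_WANT_CLIENT_AUTH")
    if not (need or want):
        findings.append(("CLIENT_AUTH_OFF",
                         "neither NEED nor WANT client auth is true; Jetty will not "
                         "ask for a client certificate"))
        return findings

    key_store = settings.get("SOLR_SSL_KEY_STORE", "")
    trust_store = settings.get("SOLR_SSL_TRUST_STORE", "")
    if not trust_store:
        findings.append(("NO_TRUST_STORE",
                         "client auth is enabled but SOLR_SSL_TRUST_STORE is unset"))
    elif key_store and _same_path(key_store, trust_store):
        findings.append(("TRUST_STORE_IS_KEY_STORE",
                         "SOLR_SSL_TRUST_STORE is the server keystore, so the only "
                         "client certificate Jetty will accept is the server's own; "
                         "a separate client certificate (or its issuer) must be "
                         "imported into the trust store Jetty uses"))

    if settings.get("SOLR_SSL_CLIENT_KEY_STORE"):
        findings.append(("CLIENT_STORES_ARE_OUTBOUND_ONLY",
                         "SOLR_SSL_CLIENT_KEY_STORE / SOLR_SSL_CLIENT_TRUST_STORE apply "
                         "to Solr's own outbound HTTP client (inter-node requests); "
                         "they do not change which client certificates Jetty accepts"))
    return findings


def finding_codes(text: str) -> List[str]:
    """Convenience wrapper: parse the file text and return only the finding codes."""
    return [code for code, _ in audit_client_auth(parse_solr_ssl_settings(text))]


if __name__ == "__main__":
    for label, text in (("as posted", SAMPLE_SOLR_IN_CMD),
                        ("separate trust store", SAMPLE_SEPARATE_TRUST_STORE)):
        print(f"--- {label}")
        for code, message in audit_client_auth(parse_solr_ssl_settings(text)):
            print(f"{code}: {message}")
```

Run against the posted excerpt, the audit reports that the server trust store is the server keystore and that the SOLR_SSL_CLIENT_* entries do not affect inbound client authentication; run against the variant with a dedicated trust store, only the second note remains, because whether that store actually contains the client certificate cannot be checked from the text alone (that is a `keytool -list` check on the file itself).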