When I use the provided Apache SOLR startup script (version 6.6.0), the script creates and then executes a java command line that has two sets of SSL properties whose related elements are set to the same values. One set has property names like |javax.net.ssl.*| while the other set has names like |solr.jetty.*|. For example:

   |java -server ...-Dsolr.jetty.keystore.password=secret
   ...-Djavax.net.ssl.keyStorePassword=secret ......-jar start.jar
   --module=https|

Our security team does not allow passwords to be passed along on the command line or in environment variables but will allow them to be placed in a file provided the file has restricted access permissions. I noticed that there is a |jetty-ssl.xml| file in the |solr/server/etc| directory that can be used to provide default values for the |SOLR SSL| related properties including the |solr.jetty.keystore.password|. When I remove the |javax.net.ssl.keyStorePassword| and |solr.jetty.keystore.password| properties from the java command line and update the |jetty-ssl.xml| file with my default keystore password, SOLR appears to start properly with the default keystore password contained in that file. I can then connect with my browser to |https://localhost:8983/solr/#| and access the SOLR Admin page just fine.

Are the |javax.net.ssl.*| properties used at all in the SOLR standalone or SOLR cloud products?

Do I need to provide the javax.net.ssl.* properties on the command line for proper operation or can I get away with simply providing them in the jetty-ssl.xml file?

I am concerned that they are used behind the scenes outside of the browser to SOLR server connections to connect to other processes like zookeeper and that by doing this I will uncover some problem down the road that my simple testing has not revealed. The only direct reference to the properties I can see in the source code is in the solr embedded code that is part of the solrj client inside the SSLConfig Java class.

Thanks for your help,

Bob

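An added example, not part of the message above and not Solr's own code: a shell check for the policy the post describes, that no password-bearing -D property appears in a process's arguments and that the file holding the password grants nothing to group or others. The function names and the sample command line are constructed for illustration; the /proc lookup assumes Linux.

```shell
# Added example; function names are hypothetical, not part of Solr.

# Print the name of every -D system property in the given arguments whose
# name contains "password" (any case) and that carries a non-empty value.
# Only names are printed, never values, so the output is safe to log.
password_props() {
    local arg name
    for arg in "$@"; do
        case "$arg" in
            -D*=?*)
                name=${arg#-D}
                name=${name%%=*}
                case "$(printf '%s' "$name" | tr '[:upper:]' '[:lower:]')" in
                    *password*) printf '%s\n' "$name" ;;
                esac
                ;;
        esac
    done
}

# Same check for a running process (assumes Linux): /proc/<pid>/cmdline
# holds the arguments separated by NUL bytes.
password_props_of_pid() {
    tr '\0' '\n' < "/proc/$1/cmdline" | while IFS= read -r arg; do
        password_props "$arg"
    done
}

# Succeed only if the file exists and grants nothing to group or others.
# Characters 5-10 of the ls -l mode string are the group and other bits.
is_private_file() {
    [ -f "$1" ] || return 1
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Constructed sample, modelled on the command line quoted in the post.
sample_check() {
    password_props java -server -Dsolr.jetty.keystore.password=secret \
        -Djavax.net.ssl.keyStorePassword=secret -jar start.jar --module=https
}
```

Run `password_props_of_pid` with the PID of the Solr JVM after startup, and `is_private_file` against the edited `jetty-ssl.xml`.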