Hi Chris,

Thanks a lot for sharing the steps.
I tried a few of them. Actually, we have already been using Solr in our
application for a year or so. We just want to encrypt it to use secure Solr
now. So, I followed the steps where you have created the certificates, etc. But
when I go to start Solr back, it doesn't start.
We are using ZooKeeper. Following is the error I get on running the solr start
command.

Command: ./solr -c -m 1g -p 8984 -z <localhost>:2181 -s <path till folder containing data>

Error:

lsof 4.55 (latest revision at ftp://vic.cc.purdue.edu/pub/tools/unix/lsof)
 usage: [-?abhlnNoOPRstUvVX] [-c c] [+|-d s] [+|-D D] [+|-f[cfgGn]]
 [-F [f]] [-g [s]] [-i [i]] [+|-L [l]] [-m m] [+|-M] [-o [o]] [-p s]
 [+|-r [t]] [-S [t]] [-T [t]] [-u s] [+|-w] [--] [names]
Use the ``-h'' option to get more help information.
Still not seeing Solr listening on 8984 after 30 seconds!
        at java.security.KeyStore.load(KeyStore.java:1456)
        at org.eclipse.jetty.util.security.CertificateUtils.getKeyStore(CertificateUtils.java:55)
        at org.eclipse.jetty.util.ssl.SslContextFactory.loadKeyStore(SslContextFactory.java:871)
        at org.eclipse.jetty.util.ssl.SslContextFactory.doStart(SslContextFactory.java:273)
        at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
        at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:132)
        at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:114)
        at org.eclipse.jetty.server.SslConnectionFactory.doStart(SslConnectionFactory.java:64)
        at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
        at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:132)
        at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:114)
        at org.eclipse.jetty.server.AbstractConnector.doStart(AbstractConnector.java:256)
        at org.eclipse.jetty.server.AbstractNetworkConnector.doStart(AbstractNetworkConnector.java:81)
        at org.eclipse.jetty.server.ServerConnector.doStart(ServerConnector.java:236)
        at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
        at org.eclipse.jetty.server.Server.doStart(Server.java:366)
        at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
        at org.eclipse.jetty.xml.XmlConfiguration$1.run(XmlConfiguration.java:1255)
        at java.security.AccessController.doPrivileged(AccessController.java:594)
        at org.eclipse.jetty.xml.XmlConfiguration.main(XmlConfiguration.java:1174)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:90)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:55)
        at java.lang.reflect.Method.invoke(Method.java:508)
        at org.eclipse.jetty.start.Main.invokeMain(Main.java:321)
        at org.eclipse.jetty.start.Main.start(Main.java:817)
        at org.eclipse.jetty.start.Main.main(Main.java:112)
2018-05-24 09:05:16.714 INFO  (zkCallback-3-thread-1-processing-n:9.109.122.113:8984_solr) [   ] o.a.s.c.c.ZkStateReader A cluster state change: WatchedEvent state:SyncConnected type:NodeDataChanged path:/clusterstate.json, has occurred - updating... (live nodes size: 1)
2018-05-24 09:05:17.018 INFO  (zkCallback-3-thread-1-processing-n:9.109.122.113:8984_solr) [   ] o.a.s.c.c.ZkStateReader Updated cluster state version to 9702
2018-05-24 09:05:17.153 INFO  (coreLoadExecutor-7-thread-2-processing-n:9.109.122.113:8984_solr) [c:document r:core_node1 x:document] o.a.s.u.SolrIndexConfig IndexWriter infoStream solr logging is enabled
 [\]  sleep: bad character in argument
 
Thanks & Regards,
-------------------------------------------------
Anchal Sharma
e-Pricer Development
ES Team
Mobile: +9871290248

-----Christopher Schultz <ch...@christopherschultz.net> wrote: -----
To: solr-user@lucene.apache.org
From: Christopher Schultz <ch...@christopherschultz.net>
Date: 05/23/2018 07:29PM
Subject: Re: Question regarding TLS version for solr

Anchal,

On 5/23/18 2:38 AM, Anchal Sharma2 wrote:
> Thank you for replying .But ,I checked the java version solr using
> ,and it is already  version 1.8.
> 
> @Christopher ,can you let me know what steps you followed for TLS
> authentication on solr version 7.3.0.

Sure. Here are my deployment notes. You may have to adjust them
slightly for your environment. Note that we are using standalone Solr
without any Zookeeper, clustering, etc. This is just about configuring
a single instance. Also, this guide says 7.3.0, but 7.3.1 would be
better as it contains a fix for a CVE.

=== CUT ===

========================================================
 Instructions for installing Solr and working with Cores
========================================================

Installation
------------

Installing Solr is fairly simple. One can simply untar the distribution
tarball and work from that directory, but it is better to install it
in a somewhat more centralized place with a separate data directory
to facilitate upgrades, etc.

1. Obtain the distribution tarball
   Go to https://lucene.apache.org/solr/mirrors-solr-latest-redir.html
   and obtain the latest supported version of Solr.
   (7.3.0 as of this writing).

2. Untar the archive
   $ tar xzf solr-x.y.z.tgz

3. Install Solr
   $ cd solr-x.y.z
   $ sudo bin/install_solr_service.sh ../solr-x.y.z.tgz \
     -i /usr/local \
     -d /mnt/securefs/solr \
     -n
   (that last -n says "don't start Solr")

4. Configure Solr Settings
   Edit the file /etc/default/solr.in.sh

   Settings you may want to explicitly set:

   SOLR_JAVA_HOME=(java home)
   SOLR_HEAP="1024M"

5. Configure Solr for TLS
   Create a server key and certificate:
   $ sudo mkdir /etc/solr
   $ sudo keytool -genkey -keyalg EC -sigalg SHA256withECDSA -keysize 256 -validity 730 \
          -alias 'solr-ssl' -keystore /etc/solr/solr.p12 -storetype PKCS12 \
          -ext san=dns:localhost,ip:192.168.10.20
     Use the following information for the certificate:
         First and Last name: 192.168.10.20 (or "localhost", or your IP address)
         Org unit:  [whatever]
         Everything else should be obvious

   Now, export the public key from the keystore.

   $ sudo /usr/local/java-8/bin/keytool -list -rfc -keystore /etc/solr/solr.p12 \
          -storetype PKCS12 -alias solr-ssl

   Copy that certificate and paste it into this command's stdin:

   $ sudo keytool -importcert -keystore /etc/solr/solr-server.p12 \
          -storetype PKCS12 -alias 'solr-ssl'

   Now, fix the ownership and permissions on these files:

   $ sudo chown root:solr /etc/solr/solr.p12 /etc/solr/solr-server.p12
   $ sudo chmod 0640 /etc/solr/solr.p12

   Edit the file /etc/default/solr.in.sh

   Set the following settings:

   SOLR_SSL_KEY_STORE=/etc/solr/solr.p12
   SOLR_SSL_KEY_STORE_TYPE=PKCS12
   SOLR_SSL_KEY_STORE_PASSWORD=whatever

   # You MUST set the trust store for some reason.
   SOLR_SSL_TRUST_STORE=/etc/solr/solr-server.p12
   SOLR_SSL_TRUST_STORE_TYPE=PKCS12
   SOLR_SSL_TRUST_STORE_PASSWORD=whatever

   Then, patch the file bin/post; you are going to need this, later.

- --- bin/post    2017-09-03 13:29:15.000000000 -0400
+++ /usr/local/solr/bin/post    2018-04-11 20:08:17.000000000 -0400
@@ -231,8 +231,8 @@
   PROPS+=('-Drecursive=yes')
 fi

- -echo "$JAVA" -classpath "${TOOL_JAR[0]}" "${PROPS[@]}"
org.apache.solr.util.SimplePostTool "${PARAMS[@]}"
- -"$JAVA" -classpath "${TOOL_JAR[0]}" "${PROPS[@]}"
org.apache.solr.util.SimplePostTool "${PARAMS[@]}"
+echo "$JAVA" -classpath "${TOOL_JAR[0]}" "${PROPS[@]}"
${SOLR_POST_OPTS} org.apache.solr.util.SimplePostTool "${PARAMS[@]}"
+"$JAVA" -classpath "${TOOL_JAR[0]}" "${PROPS[@]}" ${SOLR_POST_OPTS}
org.apache.solr.util.SimplePostTool "${PARAMS[@]}"
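Review bot: both `+` lines expand `${SOLR_POST_OPTS}` unquoted so that one variable can carry several `-D` options, but that relies on word splitting, so a `-Djavax.net.ssl.trustStore=` path or a `-Djavax.net.ssl.keyStorePassword=` value containing whitespace is broken into separate JVM arguments; a bash array expanded as `"${SOLR_POST_OPTS[@]}"`, the way `PROPS` and `PARAMS` are already handled on the surrounding lines, avoids that. The first `+` line also echoes the complete command line, key-store and trust-store passwords included, to the terminal, and the same `-D` values are visible in the process list while SimplePostTool runs, so those passwords should be treated as exposed on any shared host.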

6. Configure Solr to Require Client TLS Certificates

  On each client, create a client key and certificate:

  $ keytool -genkey -keyalg EC -sigalg SHA256withECDSA -keysize 256 \
            -validity 730 -alias 'solr-client-ssl'

  Now dump the certificate for the next step:

  $ keytool -exportcert -keystore [client-key-store] -storetype PKCS12 \
            -alias 'solr-client-ssl'

  Don't forget that you might want to generate your own client certificate
  to use from your own web browser if you want to be able to connect to the
  server's dashboard.

  Use the output of that command on each client to put the cert(s) into this
  trust store on the server:

  $ sudo keytool -importcert -keystore /etc/solr/solr-trusted-clients.p12 \
                 -storetype PKCS12 -alias '[client key alias]'

Edit /etc/default/solr.in.sh and add the following entries:

  SOLR_SSL_NEED_CLIENT_AUTH=true
  SOLR_SSL_TRUST_STORE=/etc/solr/solr-trusted-clients.p12
  SOLR_SSL_TRUST_STORE_TYPE=PKCS12
  SOLR_SSL_TRUST_STORE_PASSWORD=whatever

Summary of Files in /etc/solr
-----------------------------

solr-client.p12   Client keystore. Contains client key and certificate.
                  Used by clients to identify themselves to the server.

solr.p12          Server keystore. Contains server key and certificate.
                  Used by server to identify itself to clients.

solr-server.p12   Client trust store. Contains server's certificate.
                  Used by clients to identify and trust the server.

solr-trusted-clients.p12
                  Server trust store. Contains trusted client certificates.
                  Used by server to trust clients.

Starting and Stopping Solr
--------------------------

If you've installed Solr as a service, you can simply run:

  $ sudo /etc/init.d/solr [cmd]

If you haven't installed Solr as a service, you can run the Solr script
directly from the expanded tarball directory:

  $ ${SOLR_HOME}/bin/solr start (or stop)

Creating a New Core (Index)
---------------------------

If you have installed Solr as a service, you will have to use sudo to
create your core so that the directories and files get the correct
ownership and permissions.

  $ sudo -u solr /usr/local/solr/bin/solr -c [corename]

If you haven't installed Solr as a service, this is nominally easier:

  $ ${SOLR_HOME}/bin/solr -c [corename]

Loading Data into a Core (Index)
--------------------------------
If you have installed Solr as a service using TLS, you will need to do some
additional work to call Solr's "post" program. First, ensure you have patched
bin/post according to the installation instructions above. Then:

  $ SOLR_POST_OPTS="-Djavax.net.ssl.trustStore=/etc/solr/solr-server.p12
         -Djavax.net.ssl.trustStoreType=PKCS12
         -Djavax.net.ssl.trustStorePassword=[whatever]
         -Djavax.net.ssl.keyStore=/etc/solr/solr-client.p12
         -Djavax.net.ssl.keyStoreType=PKCS12
         -Djavax.net.ssl.keyStorePassword=[whatever]" \
         /usr/local/solr/bin/post \
         -url https://localhost:8983/solr/[corename]/update [file-to-post]

If you haven't configured Solr with TLS, you can simply do:

  $ ${SOLR_HOME}/bin/post -c [corename] [file-to-post]

=== CUT ===

I hope that helps.

I give permission to anyone on the Solr team to adapt the above
content into a TLS guide for the Solr documentation.

-chris
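The stack trace at the top of the thread stops in java.security.KeyStore.load, which is where Jetty opens the files named by SOLR_SSL_KEY_STORE and SOLR_SSL_TRUST_STORE in step 5. As an added pre-flight script (not from either message in this thread; the function names are assumptions), this checks those settings from solr.in.sh before running `solr start`: that each file exists, is readable by the account running the check, actually has the configured store format (a JKS file declared as PKCS12 fails at exactly that point), and, if keytool is installed, opens with the configured password.

```shell
# Pre-flight check for the SOLR_SSL_* settings in solr.in.sh. The helper
# names below are assumed for this example; they are not part of Solr.

# Identify a keystore's on-disk format from its first bytes: a JKS file starts
# with the magic 0xFEEDFEED, a PKCS12 (DER) file with the SEQUENCE tag 0x30.
store_format() {
    magic=$(od -An -tx1 -N4 "$1" | tr -d ' \n')
    case "$magic" in
        feedfeed) echo JKS ;;
        30*)      echo PKCS12 ;;
        *)        echo UNKNOWN ;;
    esac
}

# Check one store setting: $1 = setting name, $2 = path, $3 = configured type.
# Each failure here is one Jetty would otherwise raise from KeyStore.load.
check_store_file() {
    name=$1; path=$2; stype=$3
    [ -n "$path" ] || { echo "$name: not set"; return 1; }
    [ -f "$path" ] || { echo "$name: $path does not exist"; return 1; }
    [ -r "$path" ] || { echo "$name: $path is not readable by $(id -un)"; return 1; }
    actual=$(store_format "$path")
    [ "$actual" = "$stype" ] \
        || { echo "$name: $path looks like $actual but is configured as $stype"; return 1; }
}

# Open the store with keytool when it is installed; a wrong store password
# fails here with the same error Jetty would report. $4 = password.
check_store_opens() {
    command -v keytool >/dev/null 2>&1 || { echo "keytool not found, skipping open test"; return 0; }
    keytool -list -keystore "$2" -storetype "$3" -storepass "$4" >/dev/null 2>&1 \
        || { echo "$1: keytool cannot open $2 (wrong password or corrupt file)"; return 1; }
}

# Run every check against the solr.in.sh given as $1 (for example
# /etc/default/solr.in.sh); returns non-zero if any store setting is unusable.
preflight_stores() {
    . "$1"
    rc=0
    check_store_file SOLR_SSL_KEY_STORE "$SOLR_SSL_KEY_STORE" "$SOLR_SSL_KEY_STORE_TYPE" || rc=1
    check_store_file SOLR_SSL_TRUST_STORE "$SOLR_SSL_TRUST_STORE" "$SOLR_SSL_TRUST_STORE_TYPE" || rc=1
    [ "$rc" -eq 0 ] || return 1
    check_store_opens SOLR_SSL_KEY_STORE "$SOLR_SSL_KEY_STORE" "$SOLR_SSL_KEY_STORE_TYPE" \
        "$SOLR_SSL_KEY_STORE_PASSWORD" || rc=1
    check_store_opens SOLR_SSL_TRUST_STORE "$SOLR_SSL_TRUST_STORE" "$SOLR_SSL_TRUST_STORE_TYPE" \
        "$SOLR_SSL_TRUST_STORE_PASSWORD" || rc=1
    return "$rc"
}
```

Run it as the same account that starts Solr (the solr service user), so the readability check reflects what Jetty will actually see.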