Authentication and communication security
SSL communication and certificate authentication
SSL authentication can be configured between the Integration Service domain and the Solr master cores, between the Integration Service domain and the Solr slave cores, and between the Solr master and Solr slave cores. The configuration is done in the ImageMaster AdminClient; see Fulltext configuration in [UM AdminClient] for more details.
In the configuration script bin/solr.in.sh (or in bin/solr.in.cmd for Windows) the following parameters can be set:
Property | Default Value | Description |
---|---|---|
SOLR_SSL_ENABLED | false | Set to true to enable HTTPS. It is implicitly true if SOLR_SSL_KEY_STORE is set. Use this to enable HTTPS for a custom Jetty configuration. |
SOLR_SSL_KEY_STORE | | The standard key store of the Solr environment |
SOLR_SSL_KEY_STORE_PASSWORD | | The password of the standard keystore |
SOLR_SSL_KEY_STORE_TYPE | JKS | Override keystore type if necessary |
SOLR_SSL_TRUST_STORE | | The standard truststore of the Solr environment |
SOLR_SSL_TRUST_STORE_PASSWORD | | The password of the standard truststore |
SOLR_SSL_TRUST_STORE_TYPE | JKS | Override truststore type if necessary |
SOLR_SSL_NEED_CLIENT_AUTH | false | Require clients to authenticate |
SOLR_SSL_WANT_CLIENT_AUTH | false | Enable clients to authenticate (but not require) |
SOLR_SSL_CHECK_PEER_NAME | true | Activate a host name validation if desired |

Table 337: SSL configuration properties for the Solr server
The certificates of the ImageMaster application server and Solr must be exchanged, so that each side has the other's certificate in its truststore. This can be done with the Java Keytool.
The shared cores and the master core definition in the solrcore.properties in the Solr home subfolders must be configured to use the HTTPS port.
```
….
# This is the URL of the Solr servlet:
# solrUrl=http://localhost:8983/solr
solrUrl=https://localhost:8984/solr

# These are all shared slaves separated by ','
# This shard list includes the slave for the current core.
# Attention: this property looks like a list of URLs, but it is a list
# of parts of URLs. Do not make the mistake of prefixing it with 'http://'
# shards=localhost:8983/solr/slave0,localhost:8983/solr/slave1
shards=localhost:8984/solr/slave0,localhost:8984/solr/slave1
```
An HTTPS URL scheme must be added in the “shardHandlerFactory” defined in the solr.xml configuration in the root of the Solr home directory:
```xml
<solr>
  …
  </solrcloud>
  <shardHandlerFactory name="shardHandlerFactory" class="HttpShardHandlerFactory">
    <str name="urlScheme">https://</str>
    …
  </shardHandlerFactory>
</solr>
```
Further details about the SSL configuration of Solr can be found in [Solr Enable SSL].
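The following is an added example, not part of the original documentation or the product: a Python check that the solrcore.properties and solr.xml settings described above agree on HTTPS, so that no shard request falls back to plain HTTP. The function names, the sample inputs and the assumption that 8983 is the plain-HTTP port being retired are illustrative.

```python
import xml.etree.ElementTree as ET

def parse_kv(text):
    """Parse key=value lines of a properties file, skipping blanks and # comments."""
    pairs = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            pairs[key.strip()] = value.strip()
    return pairs

def check_https_config(core_props, solr_xml, http_port="8983"):
    """Return findings; an empty list means both files consistently use HTTPS.

    http_port is the plain-HTTP port that must no longer appear (assumed 8983,
    as in the commented-out lines of the solrcore.properties shown above).
    """
    findings = []
    props = parse_kv(core_props)
    solr_url = props.get("solrUrl", "")
    if not solr_url.startswith("https://"):
        findings.append("solrUrl is not an https URL: " + solr_url)
    for shard in props.get("shards", "").split(","):
        shard = shard.strip()
        if not shard:
            continue
        if "://" in shard:
            # shards holds host:port/path parts; the scheme comes from solr.xml
            findings.append("shard entry carries a scheme prefix: " + shard)
        host_port = shard.split("://")[-1].split("/", 1)[0]
        if host_port.endswith(":" + http_port):
            findings.append("shard entry still uses HTTP port: " + shard)
    scheme = ET.fromstring(solr_xml).findtext(
        "shardHandlerFactory/str[@name='urlScheme']", default="")
    if not scheme.strip().startswith("https"):
        findings.append("shardHandlerFactory urlScheme is not https: " + scheme.strip())
    return findings

# Constructed sample inputs (not taken from a real installation).
GOOD_PROPS = """solrUrl=https://localhost:8984/solr
shards=localhost:8984/solr/slave0,localhost:8984/solr/slave1
"""
BAD_PROPS = """solrUrl=http://localhost:8983/solr
shards=http://localhost:8983/solr/slave0,localhost:8984/solr/slave1
"""
XML = """<solr><shardHandlerFactory name="shardHandlerFactory" class="HttpShardHandlerFactory">
<str name="urlScheme">{}</str></shardHandlerFactory></solr>"""

if __name__ == "__main__":
    for finding in check_https_config(BAD_PROPS, XML.format("http://")):
        print("FINDING:", finding)
```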
Basic authentication
Solr supports basic authentication with the use of the “BasicAuthPlugin”. Follow the publicly available instructions to set this up [Solr Basic Auth].
The combination of basic authentication with distributed search is impossible because of a known Solr defect (see https://issues.apache.org/jira/browse/SOLR-15237).
The related access credentials (“Solr User” and “Solr Password Alias”) then also have to be set up via the AdminClient [UM AdminClient].