Posted to solr-user@lucene.apache.org by Zheng Lin Edwin Yeo <ed...@gmail.com> on 2018/06/08 03:11:25 UTC

Collections unable to load after setting up SSL

Hi,

I am running SolrCloud on Solr 7.3.1 on External ZooKeeper 3.4.11, and I am
setting up the security aspect of Solr.

After setting up the SSL based on the steps from
https://lucene.apache.org/solr/guide/7_3/enabling-ssl.html, the collections
that have 2 replicas are no longer able to be loaded.

What could be causing the issue?

I remember that there wasn't this problem when I tried the same thing in Solr 6
and even Solr 7.1.

Regards,
Edwin

Re: Collections unable to load after setting up SSL

Posted by Zheng Lin Edwin Yeo <ed...@gmail.com>.
Hi Chris,

File permissions on /etc/solr-* ?
- The permissions are set to full control for all users.

Effective user-id of the process trying to connect to Solr?
- I am connecting from the Solr Admin UI. I have set up Basic
Authentication, and Basic Authentication is working on its own
without SSL.

If you use relative paths, do you have any idea what the paths are relative
TO?
- Yes. I have also tried setting the full path, and I still get the same
issue.

Regards,
Edwin

On 12 June 2018 at 02:01, Christopher Schultz <ch...@christopherschultz.net>
wrote:

> Edwin,
>
> On 6/10/18 10:22 PM, Zheng Lin Edwin Yeo wrote:
> > I have found that we can't set it this way either, as we will get the below
> > error on "no valid keystore".
> >
> > set SOLR_SSL_KEY_STORE=/etc/solr-ssl.keystore.jks
> > set SOLR_SSL_TRUST_STORE=/etc/solr-ssl.keystore.jks
> >
> > Error:
> > java.lang.reflect.InvocationTargetException
> >         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> >         at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
> >         at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
> >         at java.lang.reflect.Method.invoke(Unknown Source)
> >         at org.eclipse.jetty.start.Main.invokeMain(Main.java:221)
> >         at org.eclipse.jetty.start.Main.start(Main.java:504)
> >         at org.eclipse.jetty.start.Main.main(Main.java:78)
> > Caused by: java.lang.IllegalStateException: no valid keystore
> >
> >
> > Any other ways can that we set or to generate the keystore?
>
> File permissions on /etc/solr-*?
>
> Effective user-id of the process trying to connect to Solr?
>
> If you use relative paths, do you have any idea what the paths are
> relative TO?
>
> -chris
>
> > On 9 June 2018 at 21:30, Zheng Lin Edwin Yeo <ed...@gmail.com> wrote:
> >
> >> Hi Chris,
> >>
> >> I have deployed these files on the {SolrHome}\server\etc folder.
> >>
> >> Currently this is the setting of the path in edm.in.cmd.
> >>
> >> set SOLR_SSL_KEY_STORE=etc/solr-ssl.keystore.jks
> >> set SOLR_SSL_TRUST_STORE=etc/solr-ssl.keystore.jks
> >>
> >> For your meaning of absolute paths actually start with a slash, meaning
> >> we have to set it like this?
> >>
> >> set SOLR_SSL_KEY_STORE=/etc/solr-ssl.keystore.jks
> >> set SOLR_SSL_TRUST_STORE=/etc/solr-ssl.keystore.jks
> >>
> >> Regards,
> >> Edwin
> >>
> >>
> >> On 9 June 2018 at 00:15, Christopher Schultz <chris@christopherschultz.net> wrote:
> >>
> >>> Edwin,
> >>>
> >>> On 6/8/18 12:02 PM, Zheng Lin Edwin Yeo wrote:
> >>>> I followed the steps from
> >>>> https://lucene.apache.org/solr/guide/7_3/enabling-ssl.html.
> >>>>
> >>>> 1)
> >>>>
> >>>> keytool -genkeypair -alias solr-ssl -keyalg RSA -keysize 2048 -keypass
> >>>> secret -storepass secret -validity 9999 -keystore
> >>>> solr-ssl.keystore.jks -ext
> >>>> SAN=DNS:localhost,IP:192.168.1.3,IP:127.0.0.1 -dname "CN=localhost,
> >>>> OU=Organizational Unit, O=Organization, L=Location, ST=State,
> >>>> C=Country"
> >>>>
> >>>>
> >>>> 2)
> >>>>
> >>>> keytool -importkeystore -srckeystore solr-ssl.keystore.jks
> >>>> -destkeystore solr-ssl.keystore.p12 -srcstoretype jks -deststoretype
> >>>> pkcs12
> >>>>
> >>>>
> >>>> 3)
> >>>>
> >>>> openssl pkcs12 -in solr-ssl.keystore.p12 -out solr-ssl.pem
> >>>>
> >>>>
> >>>>
> >>>> I have also set these in solr.in.cmd:
> >>>>
> >>>> SOLR_SSL_KEY_STORE=etc/solr-ssl.keystore.jks
> >>>> SOLR_SSL_KEY_STORE_PASSWORD=secret
> >>>> SOLR_SSL_TRUST_STORE=etc/solr-ssl.keystore.jks
> >>>> SOLR_SSL_TRUST_STORE_PASSWORD=secret
> >>>> # Require clients to authenticate
> >>>> SOLR_SSL_NEED_CLIENT_AUTH=false
> >>>> # Enable clients to authenticate (but not require)
> >>>> SOLR_SSL_WANT_CLIENT_AUTH=false
> >>>> # Define Key Store type if necessary
> >>>> SOLR_SSL_KEY_STORE_TYPE=JKS
> >>>> SOLR_SSL_TRUST_STORE_TYPE=JKS
> >>>
> >>> You didn't describe how you have deployed each of these files on each of
> >>> your servers.
> >>>
> >>> You might want to make sure that all your (attempted) absolute paths
> >>> actually start with a slash, though.
> >>>
> >>> -chris
> >>>
> >>>
> >>
> >
>
>

Re: Collections unable to load after setting up SSL

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Edwin,

On 6/10/18 10:22 PM, Zheng Lin Edwin Yeo wrote:
> I have found that we can't set it this way either, as we will get the below
> error on "no valid keystore".
> 
> set SOLR_SSL_KEY_STORE=/etc/solr-ssl.keystore.jks
> set SOLR_SSL_TRUST_STORE=/etc/solr-ssl.keystore.jks
> 
> Error:
> java.lang.reflect.InvocationTargetException
>         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>         at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
>         at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
>         at java.lang.reflect.Method.invoke(Unknown Source)
>         at org.eclipse.jetty.start.Main.invokeMain(Main.java:221)
>         at org.eclipse.jetty.start.Main.start(Main.java:504)
>         at org.eclipse.jetty.start.Main.main(Main.java:78)
> Caused by: java.lang.IllegalStateException: no valid keystore
> 
> 
> Any other ways can that we set or to generate the keystore?

File permissions on /etc/solr-*?

Effective user-id of the process trying to connect to Solr?

If you use relative paths, do you have any idea what the paths are
relative TO?

-chris

> On 9 June 2018 at 21:30, Zheng Lin Edwin Yeo <ed...@gmail.com> wrote:
> 
>> Hi Chris,
>>
>> I have deployed these files on the {SolrHome}\server\etc folder.
>>
>> Currently this is the setting of the path in edm.in.cmd.
>>
>> set SOLR_SSL_KEY_STORE=etc/solr-ssl.keystore.jks
>> set SOLR_SSL_TRUST_STORE=etc/solr-ssl.keystore.jks
>>
>> For your meaning of absolute paths actually start with a slash, meaning
>> we have to set it like this?
>>
>> set SOLR_SSL_KEY_STORE=/etc/solr-ssl.keystore.jks
>> set SOLR_SSL_TRUST_STORE=/etc/solr-ssl.keystore.jks
>>
>> Regards,
>> Edwin
>>
>>
>> On 9 June 2018 at 00:15, Christopher Schultz <chris@christopherschultz.net> wrote:
>>
>>> Edwin,
>>>
>>> On 6/8/18 12:02 PM, Zheng Lin Edwin Yeo wrote:
>>>> I followed the steps from
>>>> https://lucene.apache.org/solr/guide/7_3/enabling-ssl.html.
>>>>
>>>> 1)
>>>>
>>>> keytool -genkeypair -alias solr-ssl -keyalg RSA -keysize 2048 -keypass
>>>> secret -storepass secret -validity 9999 -keystore
>>>> solr-ssl.keystore.jks -ext
>>>> SAN=DNS:localhost,IP:192.168.1.3,IP:127.0.0.1 -dname "CN=localhost,
>>>> OU=Organizational Unit, O=Organization, L=Location, ST=State,
>>>> C=Country"
>>>>
>>>>
>>>> 2)
>>>>
>>>> keytool -importkeystore -srckeystore solr-ssl.keystore.jks
>>>> -destkeystore solr-ssl.keystore.p12 -srcstoretype jks -deststoretype
>>>> pkcs12
>>>>
>>>>
>>>> 3)
>>>>
>>>> openssl pkcs12 -in solr-ssl.keystore.p12 -out solr-ssl.pem
>>>>
>>>>
>>>>
>>>> I have also set these in solr.in.cmd:
>>>>
>>>> SOLR_SSL_KEY_STORE=etc/solr-ssl.keystore.jks
>>>> SOLR_SSL_KEY_STORE_PASSWORD=secret
>>>> SOLR_SSL_TRUST_STORE=etc/solr-ssl.keystore.jks
>>>> SOLR_SSL_TRUST_STORE_PASSWORD=secret
>>>> # Require clients to authenticate
>>>> SOLR_SSL_NEED_CLIENT_AUTH=false
>>>> # Enable clients to authenticate (but not require)
>>>> SOLR_SSL_WANT_CLIENT_AUTH=false
>>>> # Define Key Store type if necessary
>>>> SOLR_SSL_KEY_STORE_TYPE=JKS
>>>> SOLR_SSL_TRUST_STORE_TYPE=JKS
>>>
>>> You didn't describe how you have deployed each of these files on each of
>>> your servers.
>>>
>>> You might want to make sure that all your (attempted) absolute paths
>>> actually start with a slash, though.
>>>
>>> -chris
>>>
>>>
>>
> 


Re: Collections unable to load after setting up SSL

Posted by Zheng Lin Edwin Yeo <ed...@gmail.com>.
Hi Vincenzo,

Thanks for your reply.

The original error, that the collections with 2 replicas are not able to be
loaded, came from the path without the leading slash.
I also got the same error as the original when I specify the absolute path.

Regards,
Edwin

On 11 June 2018 at 14:40, Vincenzo D'Amore <v....@gmail.com> wrote:

> Hi Edwin,
>
> I think you should specify the absolute path when setting the environment
> variables or remove the leading slash from the path.
>
> Ciao,
> Vincenzo
>
>
> > On 11 Jun 2018, at 04:22, Zheng Lin Edwin Yeo <ed...@gmail.com> wrote:
> >
> > I have found that we can't set it this way either, as we will get the below
> > error on "no valid keystore".
> >
> > set SOLR_SSL_KEY_STORE=/etc/solr-ssl.keystore.jks
> > set SOLR_SSL_TRUST_STORE=/etc/solr-ssl.keystore.jks
> >
> > Error:
> > java.lang.reflect.InvocationTargetException
> >        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> >        at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
> >        at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
> >        at java.lang.reflect.Method.invoke(Unknown Source)
> >        at org.eclipse.jetty.start.Main.invokeMain(Main.java:221)
> >        at org.eclipse.jetty.start.Main.start(Main.java:504)
> >        at org.eclipse.jetty.start.Main.main(Main.java:78)
> > Caused by: java.lang.IllegalStateException: no valid keystore
> >
> >
> > Any other ways can that we set or to generate the keystore?
> >
> > Regards,
> > Edwin
> >
> >
> >> On 9 June 2018 at 21:30, Zheng Lin Edwin Yeo <ed...@gmail.com> wrote:
> >>
> >> Hi Chris,
> >>
> >> I have deployed these files on the {SolrHome}\server\etc folder.
> >>
> >> Currently this is the setting of the path in edm.in.cmd.
> >>
> >> set SOLR_SSL_KEY_STORE=etc/solr-ssl.keystore.jks
> >> set SOLR_SSL_TRUST_STORE=etc/solr-ssl.keystore.jks
> >>
> >> For your meaning of absolute paths actually start with a slash, meaning
> >> we have to set it like this?
> >>
> >> set SOLR_SSL_KEY_STORE=/etc/solr-ssl.keystore.jks
> >> set SOLR_SSL_TRUST_STORE=/etc/solr-ssl.keystore.jks
> >>
> >> Regards,
> >> Edwin
> >>
> >>
> >> On 9 June 2018 at 00:15, Christopher Schultz <chris@christopherschultz.net> wrote:
> >>
> >>> Edwin,
> >>>
> >>>> On 6/8/18 12:02 PM, Zheng Lin Edwin Yeo wrote:
> >>>> I followed the steps from
> >>>> https://lucene.apache.org/solr/guide/7_3/enabling-ssl.html.
> >>>>
> >>>> 1)
> >>>>
> >>>> keytool -genkeypair -alias solr-ssl -keyalg RSA -keysize 2048 -keypass
> >>>> secret -storepass secret -validity 9999 -keystore
> >>>> solr-ssl.keystore.jks -ext
> >>>> SAN=DNS:localhost,IP:192.168.1.3,IP:127.0.0.1 -dname "CN=localhost,
> >>>> OU=Organizational Unit, O=Organization, L=Location, ST=State,
> >>>> C=Country"
> >>>>
> >>>>
> >>>> 2)
> >>>>
> >>>> keytool -importkeystore -srckeystore solr-ssl.keystore.jks
> >>>> -destkeystore solr-ssl.keystore.p12 -srcstoretype jks -deststoretype
> >>>> pkcs12
> >>>>
> >>>>
> >>>> 3)
> >>>>
> >>>> openssl pkcs12 -in solr-ssl.keystore.p12 -out solr-ssl.pem
> >>>>
> >>>>
> >>>>
> >>>> I have also set these in solr.in.cmd:
> >>>>
> >>>> SOLR_SSL_KEY_STORE=etc/solr-ssl.keystore.jks
> >>>> SOLR_SSL_KEY_STORE_PASSWORD=secret
> >>>> SOLR_SSL_TRUST_STORE=etc/solr-ssl.keystore.jks
> >>>> SOLR_SSL_TRUST_STORE_PASSWORD=secret
> >>>> # Require clients to authenticate
> >>>> SOLR_SSL_NEED_CLIENT_AUTH=false
> >>>> # Enable clients to authenticate (but not require)
> >>>> SOLR_SSL_WANT_CLIENT_AUTH=false
> >>>> # Define Key Store type if necessary
> >>>> SOLR_SSL_KEY_STORE_TYPE=JKS
> >>>> SOLR_SSL_TRUST_STORE_TYPE=JKS
> >>>
> >>> You didn't describe how you have deployed each of these files on each of
> >>> your servers.
> >>>
> >>> You might want to make sure that all your (attempted) absolute paths
> >>> actually start with a slash, though.
> >>>
> >>> -chris
> >>>
> >>>
> >>
>

Re: Collections unable to load after setting up SSL

Posted by Vincenzo D'Amore <v....@gmail.com>.
Hi Edwin,

I think you should specify the absolute path when setting the environment variables or remove the leading slash from the path. 

Ciao,
Vincenzo


> On 11 Jun 2018, at 04:22, Zheng Lin Edwin Yeo <ed...@gmail.com> wrote:
> 
> I have found that we can't set it this way either, as we will get the below
> error on "no valid keystore".
> 
> set SOLR_SSL_KEY_STORE=/etc/solr-ssl.keystore.jks
> set SOLR_SSL_TRUST_STORE=/etc/solr-ssl.keystore.jks
> 
> Error:
> java.lang.reflect.InvocationTargetException
>        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>        at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
>        at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
>        at java.lang.reflect.Method.invoke(Unknown Source)
>        at org.eclipse.jetty.start.Main.invokeMain(Main.java:221)
>        at org.eclipse.jetty.start.Main.start(Main.java:504)
>        at org.eclipse.jetty.start.Main.main(Main.java:78)
> Caused by: java.lang.IllegalStateException: no valid keystore
> 
> 
> Any other ways can that we set or to generate the keystore?
> 
> Regards,
> Edwin
> 
> 
>> On 9 June 2018 at 21:30, Zheng Lin Edwin Yeo <ed...@gmail.com> wrote:
>> 
>> Hi Chris,
>> 
>> I have deployed these files on the {SolrHome}\server\etc folder.
>> 
>> Currently this is the setting of the path in edm.in.cmd.
>> 
>> set SOLR_SSL_KEY_STORE=etc/solr-ssl.keystore.jks
>> set SOLR_SSL_TRUST_STORE=etc/solr-ssl.keystore.jks
>> 
>> For your meaning of absolute paths actually start with a slash, meaning
>> we have to set it like this?
>> 
>> set SOLR_SSL_KEY_STORE=/etc/solr-ssl.keystore.jks
>> set SOLR_SSL_TRUST_STORE=/etc/solr-ssl.keystore.jks
>> 
>> Regards,
>> Edwin
>> 
>> 
>> On 9 June 2018 at 00:15, Christopher Schultz <chris@christopherschultz.net> wrote:
>> 
>>> Edwin,
>>> 
>>>> On 6/8/18 12:02 PM, Zheng Lin Edwin Yeo wrote:
>>>> I followed the steps from
>>>> https://lucene.apache.org/solr/guide/7_3/enabling-ssl.html.
>>>> 
>>>> 1)
>>>> 
>>>> keytool -genkeypair -alias solr-ssl -keyalg RSA -keysize 2048 -keypass
>>>> secret -storepass secret -validity 9999 -keystore
>>>> solr-ssl.keystore.jks -ext
>>>> SAN=DNS:localhost,IP:192.168.1.3,IP:127.0.0.1 -dname "CN=localhost,
>>>> OU=Organizational Unit, O=Organization, L=Location, ST=State,
>>>> C=Country"
>>>> 
>>>> 
>>>> 2)
>>>> 
>>>> keytool -importkeystore -srckeystore solr-ssl.keystore.jks
>>>> -destkeystore solr-ssl.keystore.p12 -srcstoretype jks -deststoretype
>>>> pkcs12
>>>> 
>>>> 
>>>> 3)
>>>> 
>>>> openssl pkcs12 -in solr-ssl.keystore.p12 -out solr-ssl.pem
>>>> 
>>>> 
>>>> 
>>>> I have also set these in solr.in.cmd:
>>>> 
>>>> SOLR_SSL_KEY_STORE=etc/solr-ssl.keystore.jks
>>>> SOLR_SSL_KEY_STORE_PASSWORD=secret
>>>> SOLR_SSL_TRUST_STORE=etc/solr-ssl.keystore.jks
>>>> SOLR_SSL_TRUST_STORE_PASSWORD=secret
>>>> # Require clients to authenticate
>>>> SOLR_SSL_NEED_CLIENT_AUTH=false
>>>> # Enable clients to authenticate (but not require)
>>>> SOLR_SSL_WANT_CLIENT_AUTH=false
>>>> # Define Key Store type if necessary
>>>> SOLR_SSL_KEY_STORE_TYPE=JKS
>>>> SOLR_SSL_TRUST_STORE_TYPE=JKS
>>> 
>>> You didn't describe how you have deployed each of these files on each of
>>> your servers.
>>> 
>>> You might want to make sure that all your (attempted) absolute paths
>>> actually start with a slash, though.
>>> 
>>> -chris
>>> 
>>> 
>> 

Re: Collections unable to load after setting up SSL

Posted by Zheng Lin Edwin Yeo <ed...@gmail.com>.
I have found that we can't set it this way either, as we will get the below
error on "no valid keystore".

set SOLR_SSL_KEY_STORE=/etc/solr-ssl.keystore.jks
set SOLR_SSL_TRUST_STORE=/etc/solr-ssl.keystore.jks

Error:
java.lang.reflect.InvocationTargetException
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
        at java.lang.reflect.Method.invoke(Unknown Source)
        at org.eclipse.jetty.start.Main.invokeMain(Main.java:221)
        at org.eclipse.jetty.start.Main.start(Main.java:504)
        at org.eclipse.jetty.start.Main.main(Main.java:78)
Caused by: java.lang.IllegalStateException: no valid keystore


Are there any other ways that we can set or generate the keystore?

Regards,
Edwin


On 9 June 2018 at 21:30, Zheng Lin Edwin Yeo <ed...@gmail.com> wrote:

> Hi Chris,
>
> I have deployed these files on the {SolrHome}\server\etc folder.
>
> Currently this is the setting of the path in edm.in.cmd.
>
> set SOLR_SSL_KEY_STORE=etc/solr-ssl.keystore.jks
> set SOLR_SSL_TRUST_STORE=etc/solr-ssl.keystore.jks
>
> For your meaning of absolute paths actually start with a slash, meaning
> we have to set it like this?
>
> set SOLR_SSL_KEY_STORE=/etc/solr-ssl.keystore.jks
> set SOLR_SSL_TRUST_STORE=/etc/solr-ssl.keystore.jks
>
> Regards,
> Edwin
>
>
> On 9 June 2018 at 00:15, Christopher Schultz <chris@christopherschultz.net> wrote:
>
>> Edwin,
>>
>> On 6/8/18 12:02 PM, Zheng Lin Edwin Yeo wrote:
>> > I followed the steps from
>> > https://lucene.apache.org/solr/guide/7_3/enabling-ssl.html.
>> >
>> > 1)
>> >
>> > keytool -genkeypair -alias solr-ssl -keyalg RSA -keysize 2048 -keypass
>> > secret -storepass secret -validity 9999 -keystore
>> > solr-ssl.keystore.jks -ext
>> > SAN=DNS:localhost,IP:192.168.1.3,IP:127.0.0.1 -dname "CN=localhost,
>> > OU=Organizational Unit, O=Organization, L=Location, ST=State,
>> > C=Country"
>> >
>> >
>> > 2)
>> >
>> > keytool -importkeystore -srckeystore solr-ssl.keystore.jks
>> > -destkeystore solr-ssl.keystore.p12 -srcstoretype jks -deststoretype
>> > pkcs12
>> >
>> >
>> > 3)
>> >
>> > openssl pkcs12 -in solr-ssl.keystore.p12 -out solr-ssl.pem
>> >
>> >
>> >
>> > I have also set these in solr.in.cmd:
>> >
>> > SOLR_SSL_KEY_STORE=etc/solr-ssl.keystore.jks
>> > SOLR_SSL_KEY_STORE_PASSWORD=secret
>> > SOLR_SSL_TRUST_STORE=etc/solr-ssl.keystore.jks
>> > SOLR_SSL_TRUST_STORE_PASSWORD=secret
>> > # Require clients to authenticate
>> > SOLR_SSL_NEED_CLIENT_AUTH=false
>> > # Enable clients to authenticate (but not require)
>> > SOLR_SSL_WANT_CLIENT_AUTH=false
>> > # Define Key Store type if necessary
>> > SOLR_SSL_KEY_STORE_TYPE=JKS
>> > SOLR_SSL_TRUST_STORE_TYPE=JKS
>>
>> You didn't describe how you have deployed each of these files on each of
>> your servers.
>>
>> You might want to make sure that all your (attempted) absolute paths
>> actually start with a slash, though.
>>
>> -chris
>>
>>
>

Re: Collections unable to load after setting up SSL

Posted by Zheng Lin Edwin Yeo <ed...@gmail.com>.
Hi Chris,

I have deployed these files on the {SolrHome}\server\etc folder.

Currently this is the setting of the path in edm.in.cmd.

set SOLR_SSL_KEY_STORE=etc/solr-ssl.keystore.jks
set SOLR_SSL_TRUST_STORE=etc/solr-ssl.keystore.jks

By absolute paths actually starting with a slash, do you mean we
have to set it like this?

set SOLR_SSL_KEY_STORE=/etc/solr-ssl.keystore.jks
set SOLR_SSL_TRUST_STORE=/etc/solr-ssl.keystore.jks

Regards,
Edwin


On 9 June 2018 at 00:15, Christopher Schultz <ch...@christopherschultz.net>
wrote:

> Edwin,
>
> On 6/8/18 12:02 PM, Zheng Lin Edwin Yeo wrote:
> > I followed the steps from
> > https://lucene.apache.org/solr/guide/7_3/enabling-ssl.html.
> >
> > 1)
> >
> > keytool -genkeypair -alias solr-ssl -keyalg RSA -keysize 2048 -keypass
> > secret -storepass secret -validity 9999 -keystore
> > solr-ssl.keystore.jks -ext
> > SAN=DNS:localhost,IP:192.168.1.3,IP:127.0.0.1 -dname "CN=localhost,
> > OU=Organizational Unit, O=Organization, L=Location, ST=State,
> > C=Country"
> >
> >
> > 2)
> >
> > keytool -importkeystore -srckeystore solr-ssl.keystore.jks
> > -destkeystore solr-ssl.keystore.p12 -srcstoretype jks -deststoretype
> > pkcs12
> >
> >
> > 3)
> >
> > openssl pkcs12 -in solr-ssl.keystore.p12 -out solr-ssl.pem
> >
> >
> >
> > I have also set these in solr.in.cmd:
> >
> > SOLR_SSL_KEY_STORE=etc/solr-ssl.keystore.jks
> > SOLR_SSL_KEY_STORE_PASSWORD=secret
> > SOLR_SSL_TRUST_STORE=etc/solr-ssl.keystore.jks
> > SOLR_SSL_TRUST_STORE_PASSWORD=secret
> > # Require clients to authenticate
> > SOLR_SSL_NEED_CLIENT_AUTH=false
> > # Enable clients to authenticate (but not require)
> > SOLR_SSL_WANT_CLIENT_AUTH=false
> > # Define Key Store type if necessary
> > SOLR_SSL_KEY_STORE_TYPE=JKS
> > SOLR_SSL_TRUST_STORE_TYPE=JKS
>
> You didn't describe how you have deployed each of these files on each of
> your servers.
>
> You might want to make sure that all your (attempted) absolute paths
> actually start with a slash, though.
>
> -chris
>
>

Re: Collections unable to load after setting up SSL

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Edwin,

On 6/8/18 12:02 PM, Zheng Lin Edwin Yeo wrote:
> I followed the steps from
> https://lucene.apache.org/solr/guide/7_3/enabling-ssl.html.
> 
> 1)
> 
> keytool -genkeypair -alias solr-ssl -keyalg RSA -keysize 2048 -keypass
> secret -storepass secret -validity 9999 -keystore
> solr-ssl.keystore.jks -ext
> SAN=DNS:localhost,IP:192.168.1.3,IP:127.0.0.1 -dname "CN=localhost,
> OU=Organizational Unit, O=Organization, L=Location, ST=State,
> C=Country"
> 
> 
> 2)
> 
> keytool -importkeystore -srckeystore solr-ssl.keystore.jks
> -destkeystore solr-ssl.keystore.p12 -srcstoretype jks -deststoretype
> pkcs12
> 
> 
> 3)
> 
> openssl pkcs12 -in solr-ssl.keystore.p12 -out solr-ssl.pem
> 
> 
> 
> I have also set these in solr.in.cmd:
> 
> SOLR_SSL_KEY_STORE=etc/solr-ssl.keystore.jks
> SOLR_SSL_KEY_STORE_PASSWORD=secret
> SOLR_SSL_TRUST_STORE=etc/solr-ssl.keystore.jks
> SOLR_SSL_TRUST_STORE_PASSWORD=secret
> # Require clients to authenticate
> SOLR_SSL_NEED_CLIENT_AUTH=false
> # Enable clients to authenticate (but not require)
> SOLR_SSL_WANT_CLIENT_AUTH=false
> # Define Key Store type if necessary
> SOLR_SSL_KEY_STORE_TYPE=JKS
> SOLR_SSL_TRUST_STORE_TYPE=JKS

You didn't describe how you have deployed each of these files on each of
your servers.

You might want to make sure that all your (attempted) absolute paths
actually start with a slash, though.

-chris
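
An added example (not from any poster in this thread, and not Solr's own code) showing where the two keystore path styles discussed here resolve under Windows path rules. It assumes Solr starts Jetty with {SolrHome}\server as the working directory and uses a hypothetical install path C:\solr-7.3.1; the config fragments are constructed from the values quoted in the thread.

```python
import ntpath  # Windows path semantics, importable on any OS
import re

# Hypothetical install path; the thread only gives {SolrHome}\server\etc.
SOLR_SERVER_DIR = r"C:\solr-7.3.1\server"   # assumed Jetty working directory
DEPLOYED_DIR = ntpath.join(SOLR_SERVER_DIR, "etc")  # where the poster put the files

# Constructed solr.in.cmd fragments using the two path styles from the thread.
RELATIVE_CFG = """\
set SOLR_SSL_KEY_STORE=etc/solr-ssl.keystore.jks
set SOLR_SSL_TRUST_STORE=etc/solr-ssl.keystore.jks
"""
LEADING_SLASH_CFG = """\
set SOLR_SSL_KEY_STORE=/etc/solr-ssl.keystore.jks
set SOLR_SSL_TRUST_STORE=/etc/solr-ssl.keystore.jks
"""

# Matches only the two store-path variables, not *_PASSWORD or *_TYPE.
STORE_LINE = re.compile(
    r"^\s*(?:set\s+)?(SOLR_SSL_(?:KEY|TRUST)_STORE)=(.+?)\s*$", re.IGNORECASE
)
COMMENT_LINE = re.compile(r"^\s*(REM\b|#|::)", re.IGNORECASE)


def parse_store_paths(cfg_text):
    """Return {variable: configured path} for the keystore/truststore settings."""
    found = {}
    for line in cfg_text.splitlines():
        if COMMENT_LINE.match(line):
            continue
        m = STORE_LINE.match(line)
        if m:
            found[m.group(1).upper()] = m.group(2).strip('"')
    return found


def classify(path):
    """Describe how Windows interprets the path."""
    drive, rest = ntpath.splitdrive(path)
    rooted = rest.startswith(("/", "\\"))
    if drive and rooted:
        return "absolute"
    if rooted:
        return "rooted-on-current-drive"   # a leading slash alone names no drive
    if drive:
        return "relative-to-cwd-of-drive"
    return "relative-to-cwd"


def resolve(path, cwd=SOLR_SERVER_DIR):
    """Return the file the process would open when started in cwd."""
    return ntpath.normpath(ntpath.join(cwd, path))


def audit(cfg_text, cwd=SOLR_SERVER_DIR, deployed_dir=DEPLOYED_DIR):
    """List (variable, kind, resolved path, lands in deployed_dir?) per setting."""
    report = []
    for var, raw in sorted(parse_store_paths(cfg_text).items()):
        resolved = resolve(raw, cwd)
        in_place = (ntpath.normcase(ntpath.dirname(resolved))
                    == ntpath.normcase(deployed_dir))
        report.append((var, classify(raw), resolved, in_place))
    return report


if __name__ == "__main__":
    for label, cfg in (("relative", RELATIVE_CFG),
                       ("leading slash", LEADING_SLASH_CFG)):
        print(label)
        for var, kind, resolved, ok in audit(cfg):
            status = "matches deployed dir" if ok else "NOT in deployed dir"
            print(f"  {var}: {kind} -> {resolved} ({status})")
```

On the Solr host, `keytool -list -keystore <resolved path>` then confirms whether the file at that location opens with the configured store password.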


Re: Collections unable to load after setting up SSL

Posted by Zheng Lin Edwin Yeo <ed...@gmail.com>.
Hi Chris,

I followed the steps from
https://lucene.apache.org/solr/guide/7_3/enabling-ssl.html.

1)

keytool -genkeypair -alias solr-ssl -keyalg RSA -keysize 2048 -keypass
secret -storepass secret -validity 9999 -keystore
solr-ssl.keystore.jks -ext
SAN=DNS:localhost,IP:192.168.1.3,IP:127.0.0.1 -dname "CN=localhost,
OU=Organizational Unit, O=Organization, L=Location, ST=State,
C=Country"


2)

keytool -importkeystore -srckeystore solr-ssl.keystore.jks
-destkeystore solr-ssl.keystore.p12 -srcstoretype jks -deststoretype
pkcs12


3)

openssl pkcs12 -in solr-ssl.keystore.p12 -out solr-ssl.pem



I have also set these in solr.in.cmd:

SOLR_SSL_KEY_STORE=etc/solr-ssl.keystore.jks
SOLR_SSL_KEY_STORE_PASSWORD=secret
SOLR_SSL_TRUST_STORE=etc/solr-ssl.keystore.jks
SOLR_SSL_TRUST_STORE_PASSWORD=secret
# Require clients to authenticate
SOLR_SSL_NEED_CLIENT_AUTH=false
# Enable clients to authenticate (but not require)
SOLR_SSL_WANT_CLIENT_AUTH=false
# Define Key Store type if necessary
SOLR_SSL_KEY_STORE_TYPE=JKS
SOLR_SSL_TRUST_STORE_TYPE=JKS



Regards,
Edwin

On 8 June 2018 at 22:41, Christopher Schultz <ch...@christopherschultz.net>
wrote:

> Edwin,
>
> On 6/7/18 11:11 PM, Zheng Lin Edwin Yeo wrote:
> > Hi,
> >
> > I am running SolrCloud on Solr 7.3.1 on External ZooKeeper 3.4.11, and I am
> > setting up the security aspect of Solr.
> >
> > After setting up the SSL based on the steps from
> > https://lucene.apache.org/solr/guide/7_3/enabling-ssl.html, the collections
> > that are with 2 replica are no longer able to be loaded.
> >
> > What could be causing the issue?
> >
> > I remember that wasn't this problem when I tried the same thing in Solr 6
> > and even Solr 7.1.
>
> I've fought a bit to get Solr running on a single instance with SSL, so
> I can imagine that ZK might be an issue for you.
>
> Can you describe how each server's truststores and keystores are
> configured? Are you using client-validated servers (e.g. one-way TLS
> like you would with most public web sites) or are you using
> mutual-authentication where the server is also checking the client's
> certificate?
>
> -chris
>
>

Re: Collections unable to load after setting up SSL

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Edwin,

On 6/7/18 11:11 PM, Zheng Lin Edwin Yeo wrote:
> Hi,
> 
> I am running SolrCloud on Solr 7.3.1 on External ZooKeeper 3.4.11, and I am
> setting up the security aspect of Solr.
> 
> After setting up the SSL based on the steps from
> https://lucene.apache.org/solr/guide/7_3/enabling-ssl.html, the collections
> that are with 2 replica are no longer able to be loaded.
> 
> What could be causing the issue?
> 
> I remember that wasn't this problem when I tried the same thing in Solr 6
> and even Solr 7.1.

I've fought a bit to get Solr running on a single instance with SSL, so
I can imagine that ZK might be an issue for you.

Can you describe how each server's truststores and keystores are
configured? Are you using client-validated servers (e.g. one-way TLS
like you would with most public web sites) or are you using
mutual-authentication where the server is also checking the client's
certificate?

-chris