Posted to dev@lucene.apache.org by "Ian (JIRA)" <ji...@apache.org> on 2018/06/26 14:53:00 UTC

[jira] [Commented] (SOLR-8897) SSL-related passwords in solr.in.sh are in plain text

    [ https://issues.apache.org/jira/browse/SOLR-8897?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16523832#comment-16523832 ] 

Ian commented on SOLR-8897:
---------------------------

Thanks [~pluk77] for pointing out that the Jetty password utility doesn't work with the collection API.
That was one of the suggestions I was looking into from this thread from 2016
[http://lucene.472066.n3.nabble.com/Prevent-the-SSL-Keystore-and-Truststore-password-from-showing-up-in-the-Solr-Admin-and-Linux-process-td4257422.html]

[~janhoy] Is there an open ticket about not showing the password in the Solr Portal UI as you suggest?
Also, the solution from SOLR-10307, which has marked this issue as a duplicate, resolves the issue by using environment variables.
I don't think this is much of an improvement, see https://diogomonica.com/2017/03/27/why-you-shouldnt-use-env-variables-for-secret-data/ (There is another solution referenced, using Hadoop, but that doesn't apply to me.)

For reference I'm using Solr 6.6 on Windows.

This is my first time posting here, so not sure on the protocols.
Can this ticket be re-raised/split?
To solve storing the password securely at rest (whether that's the Jetty password utility or another mechanism; my main language is not Java, so what's best practice?).
Not exposing it in the UI.
Not exposing the password to other processes, where it is likely to be caught in memory/crash dumps.
Updating the documentation to show how to configure Solr HTTPS certificate passwords securely (even 7.2 still shows setting the password in plain text in solr.in.cmd - https://lucene.apache.org/solr/guide/7_2/enabling-ssl.html).

Thanks in advance, let me know how I can help.

> SSL-related passwords in solr.in.sh are in plain text
> -----------------------------------------------------
>
>                 Key: SOLR-8897
>                 URL: https://issues.apache.org/jira/browse/SOLR-8897
>             Project: Solr
>          Issue Type: Improvement
>          Components: scripts and tools, security
>            Reporter: Esther Quansah
>            Priority: Major
>
> As per the steps mentioned at the following URL, one needs to store the plain text password for the keystore to configure SSL for Solr, which is not a good idea from a security perspective.
> URL: https://cwiki.apache.org/confluence/display/solr/Enabling+SSL#EnablingSSL-SetcommonSSLrelatedsystemproperties
> Is there any way so that the encrypted password can be stored (instead of plain password) in solr.in.cmd/solr.in.sh to configure SSL?



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@lucene.apache.org
For additional commands, e-mail: dev-help@lucene.apache.org
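The thread above argues that moving the keystore password from solr.in.sh into an environment variable does not remove the exposure to other processes. The script below is an added example to make that concrete; it is not code from the JIRA issue, the mailing-list thread or the Solr project. It assumes a Linux host, where a JVM's -D system properties are readable in /proc/<pid>/cmdline and its exported variables in /proc/<pid>/environ by any process running as the same user (and by root), and it assumes the property names javax.net.ssl.keyStorePassword / javax.net.ssl.trustStorePassword and the variable names SOLR_SSL_KEY_STORE_PASSWORD / SOLR_SSL_TRUST_STORE_PASSWORD used by Solr's SSL setup; the sample cmdline and environ bytes are constructed, not captured from a real deployment.

```python
"""Find SSL keystore/truststore passwords exposed via process metadata.

Added example for this thread; not Solr code and not from the JIRA page.
On Linux a -D system property is visible in /proc/<pid>/cmdline and an
exported variable from solr.in.sh in /proc/<pid>/environ, to any process
running as the same user (and to root). This script checks for both.
"""
import os
import re
from typing import Dict, List, Tuple

# Assumed names: the SOLR_SSL_* variables and javax.net.ssl.* properties
# used by Solr's SSL setup (adjust if your deployment differs).
SECRET_ENV_NAMES = {
    "SOLR_SSL_KEY_STORE_PASSWORD",
    "SOLR_SSL_TRUST_STORE_PASSWORD",
}
SECRET_PROP_RE = re.compile(
    r"^-D(javax\.net\.ssl\.(?:keyStore|trustStore)Password)=(.*)$"
)

# Constructed sample data standing in for a real Solr JVM's /proc entries.
SAMPLE_CMDLINE = (
    b"java\0-server\0-Djavax.net.ssl.keyStorePassword=secret123\0"
    b"-Djavax.net.ssl.trustStorePassword=secret123\0-jar\0start.jar\0"
)
SAMPLE_ENVIRON = (
    b"PATH=/usr/bin\0SOLR_SSL_ENABLED=true\0"
    b"SOLR_SSL_KEY_STORE_PASSWORD=secret123\0HOME=/var/solr\0"
)

Hit = Tuple[str, str]  # (name, redacted value)


def redact(value: str) -> str:
    """Report only the length so the scan output does not leak the secret."""
    return f"<redacted, {len(value)} chars>"


def parse_nul_separated(raw: bytes) -> List[str]:
    """Split /proc/<pid>/cmdline or /proc/<pid>/environ into its fields."""
    return [f.decode("utf-8", "replace") for f in raw.split(b"\0") if f]


def leaked_in_cmdline(raw_cmdline: bytes) -> List[Hit]:
    """Secret -D properties visible on the command line (ps, top, /proc)."""
    hits: List[Hit] = []
    for arg in parse_nul_separated(raw_cmdline):
        m = SECRET_PROP_RE.match(arg)
        if m and m.group(2):
            hits.append((m.group(1), redact(m.group(2))))
    return hits


def leaked_in_environ(raw_environ: bytes) -> List[Hit]:
    """Secret variables inherited into the process environment."""
    hits: List[Hit] = []
    for entry in parse_nul_separated(raw_environ):
        name, sep, value = entry.partition("=")
        if sep and name in SECRET_ENV_NAMES and value:
            hits.append((name, redact(value)))
    return hits


def scan_proc(proc_root: str = "/proc") -> Dict[int, List[Hit]]:
    """Scan every readable process under proc_root; unreadable ones are skipped."""
    findings: Dict[int, List[Hit]] = {}
    if not os.path.isdir(proc_root):
        return findings
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        pid = int(entry)
        hits: List[Hit] = []
        for fname, check in (("cmdline", leaked_in_cmdline),
                             ("environ", leaked_in_environ)):
            try:
                with open(os.path.join(proc_root, entry, fname), "rb") as fh:
                    hits.extend(check(fh.read()))
            except OSError:  # process exited, or environ not readable
                continue
        if hits:
            findings[pid] = hits
    return findings


if __name__ == "__main__":
    print("sample cmdline :", leaked_in_cmdline(SAMPLE_CMDLINE))
    print("sample environ :", leaked_in_environ(SAMPLE_ENVIRON))
    for pid, hits in scan_proc().items():
        for name, value in hits:
            print(f"pid {pid}: {name} = {value}")
```

Run it as the Solr service user (or as root) on the Solr host: a hit under cmdline means the password is visible to anyone who can run ps on the box, and a hit under environ means any process started as that user can read it, which is the point the linked article makes against the environment-variable workaround. On Windows, where the reporter runs Solr, the same information is exposed through the process command line and environment block rather than /proc, so this exact script does not apply there.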