Posted to solr-user@lucene.apache.org by Kostas <kg...@dataverse.gr> on 2016/07/26 12:21:39 UTC

solr-6.1.0 - Using different client and server certificates for authentication doesn't work

Hello.

 

I have set up Solr 6.1.0 to use SSL (on Windows) and to do client
authentication based on the client certificate.

When I use the same certificate for both the server and the client
authentication, everything works OK:

 

----------------------------------------------------------------

========== solr.in.cmd

set SOLR_SSL_KEY_STORE=%ROO%/server/etc/solr-ssl.keystore.jks
set SOLR_SSL_KEY_STORE_PASSWORD=password
set SOLR_SSL_TRUST_STORE=%ROO%/server/etc/solr-ssl.keystore.jks
set SOLR_SSL_TRUST_STORE_PASSWORD=password
set SOLR_SSL_NEED_CLIENT_AUTH=true
set SOLR_SSL_WANT_CLIENT_AUTH=false
REM (Client settings residing below are commented out.)

========== server\etc\jetty-ssl.xml

  <Set name="KeyStorePath"><Property name="solr.jetty.keystore" default="F:/Users/me/Downloads/SolrSOS/solr-6.1.0/server/etc/solr-ssl.keystore.jks"/></Set>
  <Set name="KeyStorePassword"><Property name="solr.jetty.keystore.password" default="password"/></Set>
  <Set name="TrustStorePath"><Property name="solr.jetty.truststore" default="F:/Users/me/Downloads/SolrSOS/solr-6.1.0/server/etc/solr-ssl.keystore.jks"/></Set>
  <Set name="TrustStorePassword"><Property name="solr.jetty.truststore.password" default="password"/></Set>
  <Set name="NeedClientAuth"><Property name="solr.jetty.ssl.needClientAuth" default="true"/></Set>
  <Set name="WantClientAuth"><Property name="solr.jetty.ssl.wantClientAuth" default="false"/></Set>

========== This works:

curl ^
--cert "solr-ssl.keystore.pem" ^
--cacert "solr-ssl.keystore.pem" ^
"https://localhost:8898/solr/admin/collections?action=CLUSTERSTATUS&wt=json&indent=on"

----------------------------------------------------------------

 

However, when I try to use different server and client certificates, it
doesn't work (it seems that it still uses the server certificate for client
authorizations):

 

----------------------------------------------------------------

========== solr.in.cmd

set SOLR_SSL_KEY_STORE=%ROO%/server/etc/solr-ssl.keystore.jks
set SOLR_SSL_KEY_STORE_PASSWORD=password
set SOLR_SSL_TRUST_STORE=%ROO%/server/etc/solr-ssl.keystore.jks
set SOLR_SSL_TRUST_STORE_PASSWORD=password
set SOLR_SSL_NEED_CLIENT_AUTH=true
set SOLR_SSL_WANT_CLIENT_AUTH=false

set SOLR_SSL_CLIENT_KEY_STORE=%ROO%/server/etc/solr-ssl-client.keystore.jks
set SOLR_SSL_CLIENT_KEY_STORE_PASSWORD=password
set SOLR_SSL_CLIENT_TRUST_STORE=%ROO%/server/etc/solr-ssl-client.keystore.jks
set SOLR_SSL_CLIENT_TRUST_STORE_PASSWORD=password

========== server\etc\jetty-ssl.xml

  <Set name="KeyStorePath"><Property name="solr.jetty.keystore" default="F:/Users/me/Downloads/SolrSOS/solr-6.1.0/server/etc/solr-ssl.keystore.jks"/></Set>
  <Set name="KeyStorePassword"><Property name="solr.jetty.keystore.password" default="password"/></Set>
  <Set name="TrustStorePath"><Property name="solr.jetty.truststore" default="F:/Users/me/Downloads/SolrSOS/solr-6.1.0/server/etc/solr-ssl.keystore.jks"/></Set>
  <Set name="TrustStorePassword"><Property name="solr.jetty.truststore.password" default="password"/></Set>
  <Set name="NeedClientAuth"><Property name="solr.jetty.ssl.needClientAuth" default="true"/></Set>
  <Set name="WantClientAuth"><Property name="solr.jetty.ssl.wantClientAuth" default="false"/></Set>

========== This fails (!!!):

curl ^
--cert "solr-ssl-client.keystore.pem" ^
--cacert "solr-ssl.keystore.pem" ^
"https://localhost:8898/solr/admin/collections?action=CLUSTERSTATUS&wt=json&indent=on"

========== This STILL works (!!!):

curl ^
--cert "solr-ssl.keystore.pem" ^
--cacert "solr-ssl.keystore.pem" ^
"https://localhost:8898/solr/admin/collections?action=CLUSTERSTATUS&wt=json&indent=on"

----------------------------------------------------------------

 

I run Solr like this:

"%ROO%\bin\solr" start -c -V -f -p 8898^
-Dsolr.ssl.checkPeerName=false

 

From what I can tell, Solr uses the values from `server\etc\jetty-ssl.xml`
and totally discards the ones from `solr.in.cmd`.

Naturally, I would try to set the client certificate inside there
(jetty-ssl.xml), but I don't see any setting available for that.

Is what I am trying to do (use different certificates for server and client
authentication) supported, or am I wasting my time?

Also, why don't the docs say that jetty-ssl.xml overrides the settings in
`solr.in.cmd`? Am I missing something?

 

Thanks,
Kostas
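An added example, not from Kostas's post or from the Solr project, that reproduces the "fails / STILL works" pattern above with openssl in a POSIX shell instead of curl and JKS files. A listener with NeedClientAuth=true verifies the presented client certificate against its own trust store (TrustStorePath in jetty-ssl.xml). In the configuration above that trust store is the server keystore itself, so the server certificate passes as a client certificate while a separately generated client certificate is rejected; adding the client certificate (or its issuing CA) to the server's trust store is what makes the second curl succeed. The SOLR_SSL_CLIENT_* variables do not change this: they select the certificate Solr presents when it is itself the client (node-to-node requests), not which client certificates the Jetty listener accepts. Certificate names, the temporary directory and the PEM bundles are constructed for this demo.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce the client-auth symptom with openssl.
# A server that demands client certificates (NeedClientAuth=true) verifies the
# presented chain against ITS OWN trust store. If that trust store is just the
# server keystore, only the server cert itself passes; a separately generated
# client cert is rejected until it (or its CA) is added to the trust store.
# All file names below are constructed for this demo.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Create a throw-away self-signed certificate + key (one per "keystore").
make_selfsigned() {   # $1 = name, used as CN and as file prefix
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" >/dev/null 2>&1
}

# The server-side check: does trust store $1 accept client certificate $2?
# Returns 0 (accepted) or non-zero (rejected), mirroring the handshake result.
client_accepted() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

make_selfsigned server   # stands in for solr-ssl.keystore.jks
make_selfsigned client   # stands in for solr-ssl-client.keystore.jks

# Setup from the thread: TrustStorePath points at the server keystore only.
cat "$WORK/server.pem" > "$WORK/truststore.pem"

# Fix: the server trust store must also contain the client certificate
# (JKS equivalent: keytool -importcert -file client.pem -keystore truststore.jks).
cat "$WORK/server.pem" "$WORK/client.pem" > "$WORK/truststore-fixed.pem"

# Print all four trust store / client certificate combinations when run directly.
report() {
    for ts in truststore truststore-fixed; do
        for c in server client; do
            if client_accepted "$WORK/$ts.pem" "$WORK/$c.pem"; then
                echo "$ts.pem + $c.pem: accepted"
            else
                echo "$ts.pem + $c.pem: rejected"
            fi
        done
    done
}
report
```

Run directly, the report shows `truststore.pem + client.pem: rejected` while the three other combinations are accepted, which is the thread's behaviour exactly: the mismatch is in what the server trusts, not in which keystore Solr reads from solr.in.cmd. The defensive consequence is that a trust store should contain only the CA (or certificates) that are meant to authenticate clients; reusing the server keystore as the trust store means the server's own certificate and key double as a valid client credential.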

 


RE: solr-6.1.0 - Using different client and server certificates for authentication doesn't work

Posted by Kostas <kg...@dataverse.gr>.
This is what helped me:
https://gist.github.com/jankronquist/6412839



