Posted to solr-user@lucene.apache.org by Kostas <kg...@dataverse.gr> on 2016/07/26 12:21:39 UTC
solr-6.1.0 - Using different client and server certificates for authentication doesn't work
Hello.
I have setup Solr 6.1.0 to use SSL (on Windows) and to do client
authentication based on the client certificate.
When I use the same certificate for both the server and the client
authentication, everything works OK :
----------------------------------------------------------------
========== solr.in.cmd
REM Server-side TLS settings for the Jetty listener.
REM NOTE(review): the truststore is the *same file* as the keystore. With
REM NEED_CLIENT_AUTH=true the listener can only validate client certificates that are
REM in (or chain to) solr-ssl.keystore.jks -- i.e. the server's own certificate.
REM That is why "same cert for server and client" works and any other client cert
REM would fail the handshake. It also means the server's private key doubles as the
REM client credential, so server and client identities are not actually separated.
set SOLR_SSL_KEY_STORE=%ROO%/server/etc/solr-ssl.keystore.jks
REM "password" is a placeholder; real keystore passwords should not be pasted into mail/tickets.
set SOLR_SSL_KEY_STORE_PASSWORD=password
set SOLR_SSL_TRUST_STORE=%ROO%/server/etc/solr-ssl.keystore.jks
set SOLR_SSL_TRUST_STORE_PASSWORD=password
REM NEED=true makes the client certificate mandatory (missing/untrusted cert aborts the
REM TLS handshake); with NEED=true the WANT flag has no additional effect.
set SOLR_SSL_NEED_CLIENT_AUTH=true
set SOLR_SSL_WANT_CLIENT_AUTH=false
REM (Client settings residing below are commented out.)
========== server\etc\jetty-ssl.xml
<Set name="KeyStorePath"><Property name="solr.jetty.keystore"
default="F:/Users/me/Downloads/SolrSOS/solr-6.1.0/server/etc/solr-ssl.keysto
re.jks"/></Set>
<Set name="KeyStorePassword"><Property name="solr.jetty.keystore.password"
default="password"/></Set>
<Set name="TrustStorePath"><Property name="solr.jetty.truststore"
default="F:/Users/me/Downloads/SolrSOS/solr-6.1.0/server/etc/solr-ssl.keysto
re.jks"/></Set>
<Set name="TrustStorePassword"><Property
name="solr.jetty.truststore.password" default="password"/></Set>
<Set name="NeedClientAuth"><Property name="solr.jetty.ssl.needClientAuth"
default="true"/></Set>
<Set name="WantClientAuth"><Property name="solr.jetty.ssl.wantClientAuth"
default="false"/></Set>
========== This works :
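REM --cert: PEM holding the client's private key + certificate.
REM --cacert: what curl trusts for the *server* certificate (here the server's own
REM self-signed cert, i.e. pinning it rather than using a system CA).
REM This succeeds because the certificate presented as the client cert is the very
REM certificate sitting in the server's truststore (solr-ssl.keystore.jks).
REM (URL re-joined onto one line: the mail wrap had split the quoted string, which
REM would have left cmd with a broken command.)
curl ^
--cert "solr-ssl.keystore.pem" ^
--cacert "solr-ssl.keystore.pem" ^
"https://localhost:8898/solr/admin/collections?action=CLUSTERSTATUS&wt=json&indent=on"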
----------------------------------------------------------------
However, when I try to use different server and client certificates, it
doesn't work (it seems that the server still only accepts the server
certificate for client authentication):
----------------------------------------------------------------
========== solr.in.cmd
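set SOLR_SSL_KEY_STORE=%ROO%/server/etc/solr-ssl.keystore.jks
set SOLR_SSL_KEY_STORE_PASSWORD=password
REM NOTE(review): the truststore is still the server's own keystore, so the listener
REM only trusts client certificates found in (or chained to) solr-ssl.keystore.jks.
REM solr-ssl-client.keystore.jks is NOT in there, which is most likely why the curl
REM call with the separate client certificate fails below. Fix: put the client
REM certificate (or the CA that signed it) into a dedicated truststore and point
REM SOLR_SSL_TRUST_STORE at that file instead of at the keystore.
set SOLR_SSL_TRUST_STORE=%ROO%/server/etc/solr-ssl.keystore.jks
set SOLR_SSL_TRUST_STORE_PASSWORD=password
set SOLR_SSL_NEED_CLIENT_AUTH=true
set SOLR_SSL_WANT_CLIENT_AUTH=false
REM Per the Solr reference guide, SOLR_SSL_CLIENT_* select the key/trust stores Solr
REM presents when it is itself the HTTPS *client* (inter-node / SolrJ requests).
REM They do not change which client certificates the Jetty listener accepts, so
REM setting them cannot make an external client certificate work.
set SOLR_SSL_CLIENT_KEY_STORE=%ROO%/server/etc/solr-ssl-client.keystore.jks
set SOLR_SSL_CLIENT_KEY_STORE_PASSWORD=password
REM (Re-joined onto one line: the mail wrap had split "set" from its argument, which
REM cmd would read as a bare "set" that just prints the environment.)
set SOLR_SSL_CLIENT_TRUST_STORE=%ROO%/server/etc/solr-ssl-client.keystore.jks
set SOLR_SSL_CLIENT_TRUST_STORE_PASSWORD=password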
========== server\etc\jetty-ssl.xml
<Set name="KeyStorePath"><Property name="solr.jetty.keystore"
default="F:/Users/me/Downloads/SolrSOS/solr-6.1.0/server/etc/solr-ssl.keysto
re.jks"/></Set>
<Set name="KeyStorePassword"><Property name="solr.jetty.keystore.password"
default="password"/></Set>
<Set name="TrustStorePath"><Property name="solr.jetty.truststore"
default="F:/Users/me/Downloads/SolrSOS/solr-6.1.0/server/etc/solr-ssl.keysto
re.jks"/></Set>
<Set name="TrustStorePassword"><Property
name="solr.jetty.truststore.password" default="password"/></Set>
<Set name="NeedClientAuth"><Property name="solr.jetty.ssl.needClientAuth"
default="true"/></Set>
<Set name="WantClientAuth"><Property name="solr.jetty.ssl.wantClientAuth"
default="false"/></Set>
========== This fails (!!!):
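REM Most likely fails at the TLS handshake: the client cert comes from
REM solr-ssl-client.keystore, which is not in the server's truststore (still
REM solr-ssl.keystore.jks in the config above). Run with -v to confirm: a trust
REM failure shows the server requesting a certificate and then closing the
REM connection, as opposed to an HTTP-level error after a completed handshake.
REM (URL re-joined onto one line: the mail wrap had split the quoted string.)
curl ^
--cert "solr-ssl-client.keystore.pem" ^
--cacert "solr-ssl.keystore.pem" ^
"https://localhost:8898/solr/admin/collections?action=CLUSTERSTATUS&wt=json&indent=on"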
========== This STILL works (!!!):
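REM Still works for the same reason as before: the server certificate is the one
REM certificate in the server's truststore, so it is the only "client" the listener
REM trusts. Security note: this means whoever holds the server's private key can
REM also authenticate as a client -- server and client should use separate keys
REM once the truststore is fixed.
REM (URL re-joined onto one line: the mail wrap had split the quoted string.)
curl ^
--cert "solr-ssl.keystore.pem" ^
--cacert "solr-ssl.keystore.pem" ^
"https://localhost:8898/solr/admin/collections?action=CLUSTERSTATUS&wt=json&indent=on"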
----------------------------------------------------------------
I run Solr like this:
"%ROO%\bin\solr" start -c -V -f -p 8898^
-Dsolr.ssl.checkPeerName=false
From what I can tell, Solr uses the values from ` server\etc\jetty-ssl.xml `
and totally discards the ones from `solr.in.cmd`. (Note that the
`<Property name="solr.jetty.keystore" default="...">` elements in jetty-ssl.xml only
fall back to `default` when the corresponding `solr.jetty.*` system property is
unset; `bin\solr.cmd` is expected to derive those properties from the `SOLR_SSL_*`
variables, so it is worth checking the effective `-D` flags in the `-V` startup
output before concluding that jetty-ssl.xml wins. In this particular setup both
files point at the same stores anyway, so precedence does not change the outcome.)
Naturally, I would try to set the client certificate inside there
(jetty-ssl.xml), but I don't see any setting available for that.
Is what I am trying to do (use different certificates for server and client
authentication) supported or I waste my time?
Also, why don't the docs say that jetty-ssl.xml overrides the settings in
`solr.in.cmd`? Am I missing something?
Thanks,
Kostas
RE: solr-6.1.0 - Using different client and server certificates for authentication doesn't work
Posted by Kostas <kg...@dataverse.gr>.
This is what helped me:
https://gist.github.com/jankronquist/6412839
(For anyone landing here later: the key point is that the Jetty listener only
accepts client certificates it can validate against its truststore
(`SOLR_SSL_TRUST_STORE` / `solr.jetty.truststore`), and in the configuration
below that truststore was the server's own keystore, so only the server's
certificate could ever authenticate as a client. Generate the client certificate
separately and import it, or the CA that signed both, into a dedicated server
truststore. The `SOLR_SSL_CLIENT_*` settings only control the stores Solr uses
when it is the HTTPS client itself. And drop `-Dsolr.ssl.checkPeerName=false`
once the certificates carry the correct hostnames; it disables hostname
verification.)
-----Original Message-----
From: Kostas [mailto:kgk@dataverse.gr]
Sent: Tuesday, July 26, 2016 3:22 PM
To: solr-user@lucene.apache.org
Subject: solr-6.1.0 - Using different client and server certificates for
authentication doesn't work
Hello.
I have setup Solr 6.1.0 to use SSL (on Windows) and to do client
authentication based on the client certificate.
When I use the same certificate for both the server and the client
authentication, everything works OK :
----------------------------------------------------------------
========== solr.in.cmd
REM Server-side TLS settings for the Jetty listener.
REM NOTE(review): the truststore is the *same file* as the keystore. With
REM NEED_CLIENT_AUTH=true the listener can only validate client certificates that are
REM in (or chain to) solr-ssl.keystore.jks -- i.e. the server's own certificate.
REM That is why "same cert for server and client" works and any other client cert
REM would fail the handshake. It also means the server's private key doubles as the
REM client credential, so server and client identities are not actually separated.
set SOLR_SSL_KEY_STORE=%ROO%/server/etc/solr-ssl.keystore.jks
REM "password" is a placeholder; real keystore passwords should not be pasted into mail/tickets.
set SOLR_SSL_KEY_STORE_PASSWORD=password
set SOLR_SSL_TRUST_STORE=%ROO%/server/etc/solr-ssl.keystore.jks
set SOLR_SSL_TRUST_STORE_PASSWORD=password
REM NEED=true makes the client certificate mandatory (missing/untrusted cert aborts the
REM TLS handshake); with NEED=true the WANT flag has no additional effect.
set SOLR_SSL_NEED_CLIENT_AUTH=true
set SOLR_SSL_WANT_CLIENT_AUTH=false
REM (Client settings residing below are commented out.)
========== server\etc\jetty-ssl.xml
<Set name="KeyStorePath"><Property name="solr.jetty.keystore"
default="F:/Users/me/Downloads/SolrSOS/solr-6.1.0/server/etc/solr-ssl.keysto
re.jks"/></Set>
<Set name="KeyStorePassword"><Property name="solr.jetty.keystore.password"
default="password"/></Set>
<Set name="TrustStorePath"><Property name="solr.jetty.truststore"
default="F:/Users/me/Downloads/SolrSOS/solr-6.1.0/server/etc/solr-ssl.keysto
re.jks"/></Set>
<Set name="TrustStorePassword"><Property
name="solr.jetty.truststore.password" default="password"/></Set>
<Set name="NeedClientAuth"><Property name="solr.jetty.ssl.needClientAuth"
default="true"/></Set>
<Set name="WantClientAuth"><Property name="solr.jetty.ssl.wantClientAuth"
default="false"/></Set>
========== This works :
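REM --cert: PEM holding the client's private key + certificate.
REM --cacert: what curl trusts for the *server* certificate (here the server's own
REM self-signed cert, i.e. pinning it rather than using a system CA).
REM This succeeds because the certificate presented as the client cert is the very
REM certificate sitting in the server's truststore (solr-ssl.keystore.jks).
REM (URL re-joined onto one line: the mail wrap had split the quoted string.)
curl ^
--cert "solr-ssl.keystore.pem" ^
--cacert "solr-ssl.keystore.pem" ^
"https://localhost:8898/solr/admin/collections?action=CLUSTERSTATUS&wt=json&indent=on"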
----------------------------------------------------------------
However, when I try to use different server and client certificates, it
doesn't work (it seems that the server still only accepts the server
certificate for client authentication):
----------------------------------------------------------------
========== solr.in.cmd
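set SOLR_SSL_KEY_STORE=%ROO%/server/etc/solr-ssl.keystore.jks
set SOLR_SSL_KEY_STORE_PASSWORD=password
REM NOTE(review): the truststore is still the server's own keystore, so the listener
REM only trusts client certificates found in (or chained to) solr-ssl.keystore.jks.
REM solr-ssl-client.keystore.jks is NOT in there, which is most likely why the curl
REM call with the separate client certificate fails below. Fix: put the client
REM certificate (or the CA that signed it) into a dedicated truststore and point
REM SOLR_SSL_TRUST_STORE at that file instead of at the keystore.
set SOLR_SSL_TRUST_STORE=%ROO%/server/etc/solr-ssl.keystore.jks
set SOLR_SSL_TRUST_STORE_PASSWORD=password
set SOLR_SSL_NEED_CLIENT_AUTH=true
set SOLR_SSL_WANT_CLIENT_AUTH=false
REM Per the Solr reference guide, SOLR_SSL_CLIENT_* select the key/trust stores Solr
REM presents when it is itself the HTTPS *client* (inter-node / SolrJ requests).
REM They do not change which client certificates the Jetty listener accepts, so
REM setting them cannot make an external client certificate work.
set SOLR_SSL_CLIENT_KEY_STORE=%ROO%/server/etc/solr-ssl-client.keystore.jks
set SOLR_SSL_CLIENT_KEY_STORE_PASSWORD=password
REM (Re-joined onto one line: the mail wrap had split "set" from its argument, which
REM cmd would read as a bare "set" that just prints the environment.)
set SOLR_SSL_CLIENT_TRUST_STORE=%ROO%/server/etc/solr-ssl-client.keystore.jks
set SOLR_SSL_CLIENT_TRUST_STORE_PASSWORD=password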
========== server\etc\jetty-ssl.xml
<Set name="KeyStorePath"><Property name="solr.jetty.keystore"
default="F:/Users/me/Downloads/SolrSOS/solr-6.1.0/server/etc/solr-ssl.keysto
re.jks"/></Set>
<Set name="KeyStorePassword"><Property name="solr.jetty.keystore.password"
default="password"/></Set>
<Set name="TrustStorePath"><Property name="solr.jetty.truststore"
default="F:/Users/me/Downloads/SolrSOS/solr-6.1.0/server/etc/solr-ssl.keysto
re.jks"/></Set>
<Set name="TrustStorePassword"><Property
name="solr.jetty.truststore.password" default="password"/></Set>
<Set name="NeedClientAuth"><Property name="solr.jetty.ssl.needClientAuth"
default="true"/></Set>
<Set name="WantClientAuth"><Property name="solr.jetty.ssl.wantClientAuth"
default="false"/></Set>
========== This fails (!!!):
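REM Most likely fails at the TLS handshake: the client cert comes from
REM solr-ssl-client.keystore, which is not in the server's truststore (still
REM solr-ssl.keystore.jks in the config above). Run with -v to confirm: a trust
REM failure shows the server requesting a certificate and then closing the
REM connection, as opposed to an HTTP-level error after a completed handshake.
REM (URL re-joined onto one line: the mail wrap had split the quoted string.)
curl ^
--cert "solr-ssl-client.keystore.pem" ^
--cacert "solr-ssl.keystore.pem" ^
"https://localhost:8898/solr/admin/collections?action=CLUSTERSTATUS&wt=json&indent=on"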
========== This STILL works (!!!):
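REM Still works for the same reason as before: the server certificate is the one
REM certificate in the server's truststore, so it is the only "client" the listener
REM trusts. Security note: this means whoever holds the server's private key can
REM also authenticate as a client -- server and client should use separate keys
REM once the truststore is fixed.
REM (URL re-joined onto one line: the mail wrap had split the quoted string.)
curl ^
--cert "solr-ssl.keystore.pem" ^
--cacert "solr-ssl.keystore.pem" ^
"https://localhost:8898/solr/admin/collections?action=CLUSTERSTATUS&wt=json&indent=on"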
----------------------------------------------------------------
I run Solr like this:
"%ROO%\bin\solr" start -c -V -f -p 8898^
-Dsolr.ssl.checkPeerName=false
From what I can tell, Solr uses the values from ` server\etc\jetty-ssl.xml `
and totally discards the ones from `solr.in.cmd`. (Note that the
`<Property name="solr.jetty.keystore" default="...">` elements in jetty-ssl.xml only
fall back to `default` when the corresponding `solr.jetty.*` system property is
unset; `bin\solr.cmd` is expected to derive those properties from the `SOLR_SSL_*`
variables, so it is worth checking the effective `-D` flags in the `-V` startup
output before concluding that jetty-ssl.xml wins. In this particular setup both
files point at the same stores anyway, so precedence does not change the outcome.)
Naturally, I would try to set the client certificate inside there
(jetty-ssl.xml), but I don't see any setting available for that.
Is what I am trying to do (use different certificates for server and client
authentication) supported or I waste my time?
Also, why don't the docs say that jetty-ssl.xml overrides the settings in
`solr.in.cmd`? Am I missing something?
Thanks,
Kostas