Posted to commits@lucene.apache.org by da...@apache.org on 2018/09/07 07:49:20 UTC

[11/50] [abbrv] lucene-solr:jira/http2: SOLR-11690: Improve documentation about DIH password encryption

SOLR-11690: Improve documentation about DIH password encryption


Project: http://git-wip-us.apache.org/repos/asf/lucene-solr/repo
Commit: http://git-wip-us.apache.org/repos/asf/lucene-solr/commit/d997e8b4
Tree: http://git-wip-us.apache.org/repos/asf/lucene-solr/tree/d997e8b4
Diff: http://git-wip-us.apache.org/repos/asf/lucene-solr/diff/d997e8b4

Branch: refs/heads/jira/http2
Commit: d997e8b4a2717e000437953c9d66ad1f84229afd
Parents: 94776bf
Author: Jan Høydahl <ja...@apache.org>
Authored: Tue Sep 4 14:22:32 2018 +0200
Committer: Jan Høydahl <ja...@apache.org>
Committed: Tue Sep 4 14:22:32 2018 +0200

----------------------------------------------------------------------
 ...store-data-with-the-data-import-handler.adoc | 28 +++++++++++++-------
 1 file changed, 18 insertions(+), 10 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/lucene-solr/blob/d997e8b4/solr/solr-ref-guide/src/uploading-structured-data-store-data-with-the-data-import-handler.adoc
----------------------------------------------------------------------
diff --git a/solr/solr-ref-guide/src/uploading-structured-data-store-data-with-the-data-import-handler.adoc b/solr/solr-ref-guide/src/uploading-structured-data-store-data-with-the-data-import-handler.adoc
index 7cf50ee..cdfee7d 100644
--- a/solr/solr-ref-guide/src/uploading-structured-data-store-data-with-the-data-import-handler.adoc
+++ b/solr/solr-ref-guide/src/uploading-structured-data-store-data-with-the-data-import-handler.adoc
@@ -141,21 +141,29 @@ http://localhost:8983/solr/dih/dataimport?command=full-import&jdbcurl=jdbc:hsqld
 
 ==== Encrypting a Database Password
 
-The database password can be encrypted if necessary to avoid plaintext passwords being exposed in unsecured files. To do this, follow these steps:
-
-. In a terminal window, run the command `openssl enc -aes-128-cbc -a -salt -in pwd.txt`.
-..This assumes the password is in a file named `pwd.txt`. If you don't have the password in this file yet, you can do `echo "mypassword" > pwd.txt`.
-.. The openssl session will ask for a password to use for the decryption. You will use this file with a `encryptKeyFile` parameter in `data-config.xml`.
-.. The output of the process will be a long string such as `U2FsdGVkX18QMjY0yfCqlfBMvAB4d3XkwY96L7gfO2o=`. This will be the password you put in your `data-config.xml` file.
-. Save the password you used as the decryption password in the previous step to a file, and determine the location of the file on the Solr server. You could use a command such as `echo myencrypfilepwd > /location/of/encryptionkey`. Replace "myencrypfilepwd" with the password you used while generating the key.
-. If the file is not yet on the Solr server, move it there. Also make sure the encryption key file permissions do not allow it to be read by unauthorized users. The `chmod 0600` command should set the permissions sufficiently.
+The database password can be encrypted if necessary to avoid plaintext passwords being exposed in unsecured files. To do this, we will replace the password in `data-config.xml` with an encrypted password. We will use the `openssl` tool for the encryption, and the encryption key will be stored in a file which is only readable to the `solr` process. Please follow these steps:
+
+. Create a strong encryption password and store it in a file. Then make sure it is readable only for the `solr` user. Example commands:  
+
+  echo -n "a-secret" > /var/solr/data/dih-encryptionkey
+  chown solr:solr /var/solr/data/dih-encryptionkey
+  chmod 600 /var/solr/data/dih-encryptionkey 
+
+. Encrypt the JDBC database password using `openssl` as follows:
+
+  echo -n "my-jdbc-password" | openssl enc -aes-128-cbc -a -salt -md md5 -pass file:/var/solr/data/dih-encryptionkey
+
+.. The output of the command will be a long string such as `U2FsdGVkX18QMjY0yfCqlfBMvAB4d3XkwY96L7gfO2o=`. You will use this as `password` in your `data-config.xml` file.
 . In your `data-config.xml`, you'll add the `password` and `encryptKeyFile` parameters to the `<datasource>` configuration, as in this example:
 +
 [source,xml]
 <dataSource driver="org.hsqldb.jdbcDriver"
     url="jdbc:hsqldb:./example-DIH/hsqldb/ex"
-    user="sa" password="U2FsdGVkX18QMjY0yfCqlfBMvAB4d3XkwY96L7gfO2o="
-    encryptKeyFile="/location/of/encryptionkey />
+    user="sa" 
+    password="U2FsdGVkX18QMjY0yfCqlfBMvAB4d3XkwY96L7gfO2o="
+    encryptKeyFile="/var/solr/data/dih-encryptionkey" />
+
+NOTE: Note that we use the `-n` argument to `echo` to avoid including a newline character at the end of the password. If you use another method to generate the encrypted password, make sure to avoid newlines as well. 
 
 == DataImportHandler Commands
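Review bot: the new openssl command pins `-md md5` but the surrounding text never says why, and the flag is easy to drop: OpenSSL 1.1.0 and later default `enc` to SHA-256 for key derivation, so a reader who omits it, or who reacts to a newer openssl warning about MD5 by removing it, will generate a ciphertext that Solr's decryption step cannot unwrap. Suggest a sentence directly under the `echo -n "my-jdbc-password" | openssl enc ...` line, e.g. "The `-md md5` option is required; it must match the key derivation Solr uses when decrypting the password, regardless of your OpenSSL version's default." The same applies to `-aes-128-cbc` and `-a`, which the text should name as fixed rather than as an example choice. One smaller point on step 1: `echo -n "a-secret" > /var/solr/data/dih-encryptionkey` writes the key into the shell history of whoever runs it, so the NOTE at the end might add that the key file should be created with an editor or `read -s` rather than an inline literal, now that the steps also cover `chown`/`chmod`.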