Posted to solr-user@lucene.apache.org by Anchal Sharma2 <an...@in.ibm.com> on 2018/05/17 07:53:41 UTC

Question regarding TLS version for solr

Hi All,

We are using solr version 5.3.0 and have been trying to enable security on our solr. We followed the steps mentioned on the site https://lucene.apache.org/solr/guide/6_6/enabling-ssl.html. But by default it picks TLS version 1.0, which is causing an issue as our application uses TLSv1.2. We tried using online resources, but could not find anything regarding TLS enablement for solr.

It will be a huge help if anyone can provide some suggestions as to how we can enable TLSv1.2 for solr.


Thanks & Regards,
-------------------------------------------------
Anchal Sharma


Re: Question regarding TLS version for solr

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Anchal,

On 5/24/18 6:02 AM, Anchal Sharma2 wrote:
> Thanks a lot for sharing the steps. I tried a few of them. Actually, we
> have already been using solr in our application for a year or so. We
> just want to encrypt it to use secure solr now. So, I followed the
> steps where you have created the certificates, etc. But when I go to
> start solr back, it doesn't start. We are using zookeeper. Following
> is the error I get on running the solr start command.
>
> Command: ./solr -c -m 1g -p 8984 -z <localhost>:2181 -s <path till folder containing data>
>
> Error:
>
> lsof 4.55 (latest revision at ftp://vic.cc.purdue.edu/pub/tools/unix/lsof)
>  usage: [-?abhlnNoOPRstUvVX] [-c c] [+|-d s] [+|-D D] [+|-f[cfgGn]]
>  [-F [f]] [-g [s]] [-i [i]] [+|-L [l]] [-m m] [+|-M] [-o [o]] [-p s]
>  [+|-r [t]] [-S [t]] [-T [t]] [-u s] [+|-w] [--] [names]
> Use the ``-h'' option to get more help information.
> Still not seeing Solr listening on 8984 after 30 seconds!
>         at java.security.KeyStore.load(KeyStore.java:1456)
>         at org.eclipse.jetty.util.security.CertificateUtils.getKeyStore(CertificateUtils.java:55)
>         at org.eclipse.jetty.util.ssl.SslContextFactory.loadKeyStore(SslContextFactory.java:871)
>         at org.eclipse.jetty.util.ssl.SslContextFactory.doStart(SslContextFactory.java:273)
>         at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
>         at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:132)
>         at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:114)
>         at org.eclipse.jetty.server.SslConnectionFactory.doStart(SslConnectionFactory.java:64)
>         at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
>         at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:132)
>         at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:114)
>         at org.eclipse.jetty.server.AbstractConnector.doStart(AbstractConnector.java:256)
>         at org.eclipse.jetty.server.AbstractNetworkConnector.doStart(AbstractNetworkConnector.java:81)
>         at org.eclipse.jetty.server.ServerConnector.doStart(ServerConnector.java:236)
>         at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
>         at org.eclipse.jetty.server.Server.doStart(Server.java:366)
>         at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
>         at org.eclipse.jetty.xml.XmlConfiguration$1.run(XmlConfiguration.java:1255)
>         at java.security.AccessController.doPrivileged(AccessController.java:594)
>         at org.eclipse.jetty.xml.XmlConfiguration.main(XmlConfiguration.java:1174)
>         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:90)
>         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:55)
>         at java.lang.reflect.Method.invoke(Method.java:508)
>         at org.eclipse.jetty.start.Main.invokeMain(Main.java:321)
>         at org.eclipse.jetty.start.Main.start(Main.java:817)
>         at org.eclipse.jetty.start.Main.main(Main.java:112)
> 2018-05-24 09:05:16.714 INFO  (zkCallback-3-thread-1-processing-n:9.109.122.113:8984_solr) [   ] o.a.s.c.c.ZkStateReader A cluster state change: WatchedEvent state:SyncConnected type:NodeDataChanged path:/clusterstate.json, has occurred - updating... (live nodes size: 1)
> 2018-05-24 09:05:17.018 INFO  (zkCallback-3-thread-1-processing-n:9.109.122.113:8984_solr) [   ] o.a.s.c.c.ZkStateReader Updated cluster state version to 9702
> 2018-05-24 09:05:17.153 INFO  (coreLoadExecutor-7-thread-2-processing-n:9.109.122.113:8984_solr) [c:document  r:core_node1 x:document] o.a.s.u.SolrIndexConfig IndexWriter infoStream solr logging is enabled
>  [\]  sleep: bad character in argument


What does the solr.log file say? The above stack trace isn't terribly
helpful, and it's incomplete.

-chris

> -----Christopher Schultz <ch...@christopherschultz.net> wrote: -----
> To: solr-user@lucene.apache.org
> From: Christopher Schultz <ch...@christopherschultz.net>
> Date: 05/23/2018 07:29PM
> Subject: Re: Question regarding TLS version for solr

Re: Question regarding TLS version for solr

Posted by Anchal Sharma2 <an...@in.ibm.com>.
Hi Chris,

Thanks a lot for sharing the steps.
I tried a few of them. Actually, we have already been using solr in our application for a year or so. We just want to encrypt it to use secure solr now. So, I followed the steps where you have created the certificates, etc. But when I go to start solr back, it doesn't start.
We are using zookeeper. Following is the error I get on running the solr start command.

Command: ./solr -c -m 1g -p 8984 -z <localhost>:2181 -s <path till folder containing data>

Error:

lsof 4.55 (latest revision at ftp://vic.cc.purdue.edu/pub/tools/unix/lsof)
 usage: [-?abhlnNoOPRstUvVX] [-c c] [+|-d s] [+|-D D] [+|-f[cfgGn]]
 [-F [f]] [-g [s]] [-i [i]] [+|-L [l]] [-m m] [+|-M] [-o [o]] [-p s]
 [+|-r [t]] [-S [t]] [-T [t]] [-u s] [+|-w] [--] [names]
Use the ``-h'' option to get more help information.
Still not seeing Solr listening on 8984 after 30 seconds!
        at java.security.KeyStore.load(KeyStore.java:1456)
        at org.eclipse.jetty.util.security.CertificateUtils.getKeyStore(CertificateUtils.java:55)
        at org.eclipse.jetty.util.ssl.SslContextFactory.loadKeyStore(SslContextFactory.java:871)
        at org.eclipse.jetty.util.ssl.SslContextFactory.doStart(SslContextFactory.java:273)
        at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
        at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:132)
        at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:114)
        at org.eclipse.jetty.server.SslConnectionFactory.doStart(SslConnectionFactory.java:64)
        at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
        at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:132)
        at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:114)
        at org.eclipse.jetty.server.AbstractConnector.doStart(AbstractConnector.java:256)
        at org.eclipse.jetty.server.AbstractNetworkConnector.doStart(AbstractNetworkConnector.java:81)
        at org.eclipse.jetty.server.ServerConnector.doStart(ServerConnector.java:236)
        at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
        at org.eclipse.jetty.server.Server.doStart(Server.java:366)
        at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
        at org.eclipse.jetty.xml.XmlConfiguration$1.run(XmlConfiguration.java:1255)
        at java.security.AccessController.doPrivileged(AccessController.java:594)
        at org.eclipse.jetty.xml.XmlConfiguration.main(XmlConfiguration.java:1174)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:90)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:55)
        at java.lang.reflect.Method.invoke(Method.java:508)
        at org.eclipse.jetty.start.Main.invokeMain(Main.java:321)
        at org.eclipse.jetty.start.Main.start(Main.java:817)
        at org.eclipse.jetty.start.Main.main(Main.java:112)
2018-05-24 09:05:16.714 INFO  (zkCallback-3-thread-1-processing-n:9.109.122.113:8984_solr) [   ] o.a.s.c.c.ZkStateReader A cluster state change: WatchedEvent state:SyncConnected type:NodeDataChanged path:/clusterstate.json, has occurred - updating... (live nodes size: 1)
2018-05-24 09:05:17.018 INFO  (zkCallback-3-thread-1-processing-n:9.109.122.113:8984_solr) [   ] o.a.s.c.c.ZkStateReader Updated cluster state version to 9702
2018-05-24 09:05:17.153 INFO  (coreLoadExecutor-7-thread-2-processing-n:9.109.122.113:8984_solr) [c:document  r:core_node1 x:document] o.a.s.u.SolrIndexConfig IndexWriter infoStream solr logging is enabled
 [\]  sleep: bad character in argument

Thanks & Regards,
-------------------------------------------------
Anchal Sharma
e-Pricer Development
ES Team
Mobile: +9871290248

-----Christopher Schultz <ch...@christopherschultz.net> wrote: -----
To: solr-user@lucene.apache.org
From: Christopher Schultz <ch...@christopherschultz.net>
Date: 05/23/2018 07:29PM
Subject: Re: Question regarding TLS version for solr




Re: Question regarding TLS version for solr

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Anchal,

On 5/23/18 2:38 AM, Anchal Sharma2 wrote:
> Thank you for replying. But I checked the java version solr is using,
> and it is already version 1.8.
> 
> @Christopher, can you let me know what steps you followed for TLS
> authentication on solr version 7.3.0.

Sure. Here are my deployment notes. You may have to adjust them
slightly for your environment. Note that we are using standalone Solr
without any Zookeeper, clustering, etc. This is just about configuring
a single instance. Also, this guide says 7.3.0, but 7.3.1 would be
better as it contains a fix for a CVE.

=== CUT ===

========================================================
 Instructions for installing Solr and working with Cores
========================================================

Installation
------------

Installing Solr is fairly simple. One can simply untar the distribution
tarball and work from that directory, but it is better to install it
in a somewhat more centralized place with a separate data directory
to facilitate upgrades, etc.

1. Obtain the distribution tarball
   Go to https://lucene.apache.org/solr/mirrors-solr-latest-redir.html
   and obtain the latest supported version of Solr.
   (7.3.0 as of this writing).

2. Untar the archive
   $ tar xzf solr-x.y.z.tgz

3. Install Solr
   $ cd solr-x.y.z
   $ sudo bin/install_solr_service.sh ../solr-x.y.z.tgz \
     -i /usr/local \
     -d /mnt/securefs/solr \
     -n
   (that last -n says "don't start Solr")

4. Configure Solr Settings
   Edit the file /etc/default/solr.in.sh

   Settings you may want to explicitly set:

   SOLR_JAVA_HOME=(java home)
   SOLR_HEAP="1024M"

5. Configure Solr for TLS
   Create a server key and certificate:
   $ sudo mkdir /etc/solr
   $ sudo keytool -genkey -keyalg EC -sigalg SHA256withECDSA -keysize 256 -validity 730 \
          -alias 'solr-ssl' -keystore /etc/solr/solr.p12 -storetype PKCS12 \
          -ext san=dns:localhost,ip:192.168.10.20
     Use the following information for the certificate:
         First and Last name: 192.168.10.20 (or "localhost", or your IP address)
         Org unit:  [whatever]
         Everything else should be obvious

   Now, export the public key from the keystore.

   $ sudo /usr/local/java-8/bin/keytool -list -rfc -keystore /etc/solr/solr.p12 \
          -storetype PKCS12 -alias solr-ssl

   Copy that certificate and paste it into this command's stdin:

   $ sudo keytool -importcert -keystore /etc/solr/solr-server.p12 \
          -storetype PKCS12 -alias 'solr-ssl'

   Now, fix the ownership and permissions on these files:

   $ sudo chown root:solr /etc/solr/solr.p12 /etc/solr/solr-server.p12
   $ sudo chmod 0640 /etc/solr/solr.p12

   Edit the file /etc/default/solr.in.sh

   Set the following settings:

   SOLR_SSL_KEY_STORE=/etc/solr/solr.p12
   SOLR_SSL_KEY_STORE_TYPE=PKCS12
   SOLR_SSL_KEY_STORE_PASSWORD=whatever

   # You MUST set the trust store for some reason.
   SOLR_SSL_TRUST_STORE=/etc/solr/solr-server.p12
   SOLR_SSL_TRUST_STORE_TYPE=PKCS12
   SOLR_SSL_TRUST_STORE_PASSWORD=whatever

   Then, patch the file bin/post; you are going to need this, later.

- --- bin/post    2017-09-03 13:29:15.000000000 -0400
+++ /usr/local/solr/bin/post    2018-04-11 20:08:17.000000000 -0400
@@ -231,8 +231,8 @@
   PROPS+=('-Drecursive=yes')
 fi

- -echo "$JAVA" -classpath "${TOOL_JAR[0]}" "${PROPS[@]}"
org.apache.solr.util.SimplePostTool "${PARAMS[@]}"
- -"$JAVA" -classpath "${TOOL_JAR[0]}" "${PROPS[@]}"
org.apache.solr.util.SimplePostTool "${PARAMS[@]}"
+echo "$JAVA" -classpath "${TOOL_JAR[0]}" "${PROPS[@]}"
${SOLR_POST_OPTS} org.apache.solr.util.SimplePostTool "${PARAMS[@]}"
+"$JAVA" -classpath "${TOOL_JAR[0]}" "${PROPS[@]}" ${SOLR_POST_OPTS}
org.apache.solr.util.SimplePostTool "${PARAMS[@]}"
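Review bot: the retained `+echo "$JAVA" -classpath ... ${SOLR_POST_OPTS} ...` line prints the whole command line, and since the "Loading Data" step below passes `-Djavax.net.ssl.keyStorePassword=[whatever]` and `-Djavax.net.ssl.trustStorePassword=[whatever]` through `SOLR_POST_OPTS`, both store passwords are echoed to the terminal and to any log that captures the post run; dropping the echo, or echoing `"${PROPS[@]}"` only, avoids that. `${SOLR_POST_OPTS}` is left unquoted on purpose so that the shell word-splits it into separate `-D` options; that holds as long as no store path or password contains whitespace, and a bash array (`SOLR_POST_OPTS=(...)` expanded as `"${SOLR_POST_OPTS[@]}"`) would remove the restriction. The `- -` prefix on the removed lines is PGP clear-signing dash escaping, not part of the patch.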

6. Configure Solr to Require Client TLS Certificates

  On each client, create a client key and certificate:

  $ keytool -genkey -keyalg EC -sigalg SHA256withECDSA -keysize 256 \
            -validity 730 -alias 'solr-client-ssl'

  Now dump the certificate for the next step:

  $ keytool -exportcert -keystore [client-key-store] -storetype PKCS12 \
            -alias 'solr-client-ssl'

  Don't forget that you might want to generate your own client certificate
  to use from your own web browser if you want to be able to connect to the
  server's dashboard.

  Use the output of that command on each client to put the cert(s) into this
  trust store on the server:

  $ sudo keytool -importcert -keystore /etc/solr/solr-trusted-clients.p12 \
                 -storetype PKCS12 -alias '[client key alias]'

Edit /etc/default/solr.in.sh and add the following entries:

  SOLR_SSL_NEED_CLIENT_AUTH=true
  SOLR_SSL_TRUST_STORE=/etc/solr/solr-trusted-clients.p12
  SOLR_SSL_TRUST_STORE_TYPE=PKCS12
  SOLR_SSL_TRUST_STORE_PASSWORD=whatever

Summary of Files in /etc/solr
-----------------------------

solr-client.p12   Client keystore. Contains client key and certificate.
                  Used by clients to identify themselves to the server.

solr.p12          Server keystore. Contains server key and certificate.
                  Used by server to identify itself to clients.

solr-server.p12   Client trust store. Contains server's certificate.
                  Used by clients to identify and trust the server.

solr-trusted-clients.p12
                  Server trust store. Contains trusted client certificates.
                  Used by server to trust clients.

Starting and Stopping Solr
--------------------------

If you've installed Solr as a service, you can simply run:

  $ sudo /etc/init.d/solr [cmd]

If you haven't installed Solr as a service, you can run the Solr script
directly from the expanded tarball directory:

  $ ${SOLR_HOME}/bin/solr start (or stop)

Creating a New Core (Index)
---------------------------

If you have installed Solr as a service, you will have to use sudo to
create your core so that the directories and files get the correct
ownership and permissions.

  $ sudo -u solr /usr/local/solr/bin/solr -c [corename]

If you haven't installed Solr as a service, this is nominally easier:

  $ ${SOLR_HOME}/bin/solr -c [corename]

Loading Data into a Core (Index)
--------------------------------
If you have installed Solr as a service using TLS, you will need to do some
additional work to call Solr's "post" program. First, ensure you have patched
bin/post according to the installation instructions above. Then:

  $ SOLR_POST_OPTS="-Djavax.net.ssl.trustStore=/etc/solr/solr-server.p12
  -Djavax.net.ssl.trustStoreType=PKCS12
  -Djavax.net.ssl.trustStorePassword=[whatever]
  -Djavax.net.ssl.keyStore=/etc/solr/solr-client.p12
  -Djavax.net.ssl.keyStoreType=PKCS12
  -Djavax.net.ssl.keyStorePassword=[whatever]" \
         /usr/local/solr/bin/post \
         -url https://localhost:8983/solr/[corename]/update [file-to-post]

If you haven't configured Solr with TLS, you can simply do:

  $ ${SOLR_HOME}/bin/post -c [corename] [file-to-post]

=== CUT ===

I hope that helps.

I give permission to anyone on the Solr team to adapt the above
content into a TLS guide for the Solr documentation.

-chris
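
A check worth running before the start and post commands above, as an added example that is not part of Chris's guide or of Solr itself. The two stores in the table that contain a private key (solr.p12, solr-client.p12) should not be readable by other local users: the SOLR_POST_OPTS line already exposes their passwords on the command line, where any user on the host can read them from the process list, so the file itself is the last line of defence. The two trust stores hold only certificates and may be shared. The /etc/solr directory and the four file names are the guide's; the script takes the directory as a parameter and uses ls -l output so the test is independent of the caller's own permissions.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check the four PKCS#12
# files described in the table above before starting Solr or running bin/post.
# Stores holding a private key must not be readable by "other"; trust stores
# contain only certificates and may be shared.

# Print "ok", "missing", "empty" or "world-readable" for one store.
# $1 = path, $2 = "private" (contains a key) or "trust" (certificates only)
check_store() {
    f=$1; kind=$2
    [ -e "$f" ] || { echo missing; return 1; }
    [ -s "$f" ] || { echo empty; return 1; }
    if [ "$kind" = private ]; then
        # Character 8 of "ls -l" output is the "other" read bit (-rw-r--r--).
        case $(ls -ld "$f") in
            ???????r*) echo world-readable; return 1 ;;
        esac
    fi
    echo ok
}

# Run the check over the four stores from the guide; return 1 if any fails.
# $1 = directory holding the stores (default /etc/solr, as in the guide)
check_all_stores() {
    dir=${1:-/etc/solr}
    rc=0
    for spec in solr.p12:private solr-client.p12:private \
                solr-server.p12:trust solr-trusted-clients.p12:trust; do
        name=${spec%%:*}; kind=${spec#*:}
        result=$(check_store "$dir/$name" "$kind") || rc=1
        printf '%-26s %s\n' "$name" "$result"
    done
    return $rc
}

# Stand-alone usage: sh check_solr_stores.sh [/path/to/stores]
if [ $# -gt 0 ]; then
    check_all_stores "$1"
fi
```

Run it as the solr user (sudo -u solr) so that a store the service cannot open shows up as "missing" rather than passing because root can read everything. Group-readable private stores are deliberately tolerated here, since the guide relies on the solr group for service ownership; tighten the pattern to ????r* if that is not wanted.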

Re: Question regarding TLS version for solr

Posted by Anchal Sharma2 <an...@in.ibm.com>.
Hi Christopher / Shawn,

Thank you for replying. But I checked the Java version Solr is using, and it is already version 1.8.

@Christopher, can you let me know what steps you followed for TLS authentication on Solr version 7.3.0?

Thanks & Regards,
-------------------------------------------------
Anchal Sharma
e-Pricer Development
ES Team
Mobile: +9871290248

-----Christopher Schultz <ch...@christopherschultz.net> wrote: -----
To: solr-user@lucene.apache.org
From: Christopher Schultz <ch...@christopherschultz.net>
Date: 05/17/2018 06:29PM
Subject: Re: Question regarding TLS version for solr

Shawn,

On 5/17/18 4:23 AM, Shawn Heisey wrote:
> On 5/17/2018 1:53 AM, Anchal Sharma2 wrote:
>> We are using Solr version 5.3.0 and have been trying to enable
>> security on our Solr. We followed steps mentioned on site
>> https://lucene.apache.org/solr/guide/6_6/enabling-ssl.html. But
>> by default it picks TLS version 1.0, which is causing an issue
>> as our application uses TLSv1.2. We tried using online resources,
>> but could not find anything regarding TLS enablement for Solr.
>> 
>> It will be a huge help if anyone can provide some suggestions as
>> to how we can enable TLSv1.2 for Solr.
> 
> The choice of ciphers and encryption protocols is mostly made by
> Java. The servlet container might influence it as well. The only
> servlet container that is supported since Solr 5.0 is the Jetty
> that is bundled in the Solr download.
> 
> TLS 1.2 was added in Java 7, and it became default in Java 8. If
> you can install the latest version of Java 8 and make sure that it
> has the policy files for unlimited crypto strength installed,
> support for TLS 1.2 might happen automatically.

There is no "default" TLS version for either the client or the server:
the two endpoints always negotiate the highest mutual version they
both support. The key agreement, authentication, and cipher suites are
the items that are negotiated during the handshake.

> Solr 5.3.0 is running a fairly old version of Jetty -- 9.2.11. 
> Information for 9.2.x versions is hard to find, so although I think
> it probably CAN do TLS 1.2 if the Java version supports it, I can't
> be absolutely sure.  You'll need to upgrade Solr to get an upgraded
> Jetty.

I would be shocked if Jetty ships with its own crypto libraries; it
should be using JSSE.

Anchal,

Java 1.7 or later is an absolute requirement if you want to use
TLSv1.2 (and you SHOULD want to use it).

I have recently spent a lot of time getting Solr 7.3.0 running with
TLS mutual-authentication, but I haven't worked with the 5.3.x line. I
can tell you how I've done things for my version, but they may need
some adjustments for yours.

-chris



Re: Question regarding TLS version for solr

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Shawn,

On 5/17/18 4:23 AM, Shawn Heisey wrote:
> On 5/17/2018 1:53 AM, Anchal Sharma2 wrote:
>> We are using Solr version 5.3.0 and have been trying to enable
>> security on our Solr. We followed steps mentioned on site
>> https://lucene.apache.org/solr/guide/6_6/enabling-ssl.html. But
>> by default it picks TLS version 1.0, which is causing an issue
>> as our application uses TLSv1.2. We tried using online resources,
>> but could not find anything regarding TLS enablement for Solr.
>> 
>> It will be a huge help if anyone can provide some suggestions as
>> to how we can enable TLSv1.2 for Solr.
> 
> The choice of ciphers and encryption protocols is mostly made by
> Java. The servlet container might influence it as well. The only
> servlet container that is supported since Solr 5.0 is the Jetty
> that is bundled in the Solr download.
> 
> TLS 1.2 was added in Java 7, and it became default in Java 8. If
> you can install the latest version of Java 8 and make sure that it
> has the policy files for unlimited crypto strength installed,
> support for TLS 1.2 might happen automatically.

There is no "default" TLS version for either the client or the server:
the two endpoints always negotiate the highest mutual version they
both support. The key agreement, authentication, and cipher suites are
the items that are negotiated during the handshake.

> Solr 5.3.0 is running a fairly old version of Jetty -- 9.2.11. 
> Information for 9.2.x versions is hard to find, so although I think
> it probably CAN do TLS 1.2 if the Java version supports it, I can't
> be absolutely sure.  You'll need to upgrade Solr to get an upgraded
> Jetty.

I would be shocked if Jetty ships with its own crypto libraries; it
should be using JSSE.

Anchal,

Java 1.7 or later is an absolute requirement if you want to use
TLSv1.2 (and you SHOULD want to use it).

I have recently spent a lot of time getting Solr 7.3.0 running with
TLS mutual-authentication, but I haven't worked with the 5.3.x line. I
can tell you how I've done things for my version, but they may need
some adjustments for yours.

-chris
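
Since, as Chris says above, the protocol version is negotiated per handshake rather than picked by a "default", the reliable way to learn what a Solr endpoint will speak is to ask it one version at a time. The script below is an added example, not code from the thread or from Solr: it forces openssl s_client to offer a single TLS version and reads back the Protocol and Cipher lines of the session summary (a Cipher of 0000, or no session block at all, means the handshake failed). The parser is exercised against constructed excerpts of s_client output embedded in the script; the probe functions need openssl and a running Solr, and localhost:8983 is assumed from the guide.

```shell
#!/bin/sh
# Added example (not from the original thread): report which TLS versions a
# running Solr accepts, by asking openssl s_client for one version at a time.

# Extract the negotiated protocol from captured "openssl s_client" output.
# Prints e.g. "TLSv1.2", or "none" (and returns 1) when no session was set up.
# $1 = captured stdout+stderr of s_client
negotiated_protocol() {
    out=$1
    proto=$(printf '%s\n' "$out" | sed -n 's/^ *Protocol *: *\(TLSv[0-9.]*\).*/\1/p' | head -n 1)
    cipher=$(printf '%s\n' "$out" | sed -n 's/^ *Cipher *: *\([^ ]*\).*/\1/p' | head -n 1)
    # s_client still prints a session block after a failed handshake, but with
    # Cipher 0000; a missing block means it bailed out before the handshake.
    if [ -z "$proto" ] || [ -z "$cipher" ] || [ "$cipher" = 0000 ]; then
        echo none
        return 1
    fi
    echo "$proto"
}

# Probe a live endpoint for one version. Needs openssl and a running Solr.
# $1 = host:port, $2 = s_client version flag (-tls1, -tls1_1 or -tls1_2)
probe_tls() {
    out=$(openssl s_client -connect "$1" "$2" </dev/null 2>&1 || true)
    negotiated_protocol "$out"
}

# Print one line per version: the flag offered and what came back.
# $1 = host:port (the guide uses localhost:8983)
solr_tls_report() {
    for flag in -tls1 -tls1_1 -tls1_2; do
        printf '%-8s %s\n' "$flag" "$(probe_tls "$1" "$flag" || true)"
    done
}

# Constructed excerpts of s_client output (not captured from a real Solr),
# used to exercise the parser without a server.
SAMPLE_OK='CONNECTED(00000003)
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
---'
SAMPLE_FAIL='CONNECTED(00000003)
140123456789:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:ssl/record/rec_layer_s3.c:1543:SSL alert number 40
---
New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : TLSv1
    Cipher    : 0000
---'

# Stand-alone usage: sh solr_tls_report.sh localhost:8983
if [ $# -gt 0 ]; then
    solr_tls_report "$1"
fi
```

On a server that has been restricted to TLSv1.2 the report should read "none" for -tls1 and -tls1_1 and "TLSv1.2" for -tls1_2; if -tls1 still comes back with a protocol, the JVM or Jetty connector is still offering the old version regardless of what the client prefers. Newer OpenSSL builds refuse to offer TLS 1.0 at their default security level, in which case -tls1 reports "none" for a client-side reason; check the raw s_client error text when the result is surprising.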

Re: Question regarding TLS version for solr

Posted by Shawn Heisey <ap...@elyograg.org>.
On 5/17/2018 1:53 AM, Anchal Sharma2 wrote:
> We are using Solr version 5.3.0 and have been trying to enable security on our Solr. We followed steps mentioned on site https://lucene.apache.org/solr/guide/6_6/enabling-ssl.html. But by default it picks TLS version 1.0, which is causing an issue as our application uses TLSv1.2. We tried using online resources, but could not find anything regarding TLS enablement for Solr.
>
> It will be a huge help if anyone can provide some suggestions as to how we can enable TLSv1.2 for Solr.

The choice of ciphers and encryption protocols is mostly made by Java.  
The servlet container might influence it as well. The only servlet 
container that is supported since Solr 5.0 is the Jetty that is bundled 
in the Solr download.

TLS 1.2 was added in Java 7, and it became default in Java 8.  If you 
can install the latest version of Java 8 and make sure that it has the 
policy files for unlimited crypto strength installed, support for TLS 
1.2 might happen automatically.

Solr 5.3.0 is running a fairly old version of Jetty -- 9.2.11.  
Information for 9.2.x versions is hard to find, so although I think it 
probably CAN do TLS 1.2 if the Java version supports it, I can't be 
absolutely sure.  You'll need to upgrade Solr to get an upgraded Jetty.

Thanks,
Shawn