Configure SSL for Cloud Index Search Server (Solr)
Before you can begin, you must have a certificate and key converted into PEM format as a single file.
 |
If a certificate-only file is not available, you can optionally generate one from the certificate and key file:
1. Convert the JKS keystore into PKCS12 format using the keytool utility:
keytool -importkeystore -srckeystore solr-ssl.keystore.jks -destkeystore solr-ssl.keystore.p12 -srcstoretype jks -deststoretype pkcs12
2. Convert the PKCS12 formatted keystore, including only the certificate and not the key, into PEM format using the openssl command:
openssl pkcs12 -nokeys -in solr-ssl.keystore.p12 -out solr-ssl.cacert.pem
3. If trust store and key store is in PKCS12 format then use the p12 file by setting SOLR_SSL_KEY_STORE and SOLR_SSL_TRUST_STORE with the path of p12 file.
4. If trust store and key store is in JKS format then use the jks file by setting SOLR_SSL_KEY_STORE and SOLR_SSL_TRUST_STORE with the path of jks file and also set SOLR_SSL_KEY_STORE_TYPE and SOLR_SSL_TRUST_STORE_TYPE as JKS.
|
|
|
Starting from Solr 9.0.0, if Windchill is configured with SSL, then Solr should be configured with SSL.
|
Configure SSL for Solr
Configure the Windchill Index Search server for all nodes running Solr. Use the same certificate and key file for all nodes.
1. Copy the certificate (jks or pkcs12) file to <Index_Search_Home>/solr/server/etc.
When multiple Solr servers are deployed in a clustered setup, make sure to import the keystore file of all Solr servers in each of the nodes that run Solr, as explained in the example below:
|
Solr Server
|
Machine
|
Keystore Files to Import
|
Sample Import Command
|
|---|---|---|---|
|
SolrServerA
|
Node1
|
Import keystore files of SolrServerB and SolrServerC.
|
keytool -importkeystore -srckeystore SolrServerB.jks -destkeystore SolrServerA.jks -srcstoretype JKS -deststoretype JKS
keytool -importkeystore -srckeystore SolrServerC.jks -destkeystore SolrServerA.jks -srcstoretype JKS -deststoretype JKS
|
|
SolrServerB
|
Node2
|
Import keystore files of SolrServerA and SolrServerC.
|
keytool -importkeystore -srckeystore SolrServerA.jks -destkeystore SolrServerB.jks -srcstoretype JKS -deststoretype JKS
keytool -importkeystore -srckeystore SolrServerC.jks -destkeystore SolrServerB.jks -srcstoretype JKS -deststoretype JKS
|
|
SolrServerC
|
Node3
|
Import keystore files of SolrServerA and SolrServerB.
|
keytool -importkeystore -srckeystore SolrServerA.jks -destkeystore SolrServerC.jks -srcstoretype JKS -deststoretype JKS
keytool -importkeystore -srckeystore SolrServerB.jks -destkeystore SolrServerC.jks -srcstoretype JKS -deststoretype JKS
|
2. Set common SSL-related system properties.
To activate the SSL settings, uncomment and update the set of properties beginning with SOLR_SSL_* in the following file:
◦ Windows: bin\solr.in.cmd
For example:
set SOLR_SSL_KEY_STORE=etc/solr-ssl.keystore.jks
set SOLR_SSL_KEY_STORE_PASSWORD=<password>)
set SOLR_SSL_TRUST_STORE=etc/solr-ssl.keystore.jks
set SOLR_SSL_TRUST_STORE_PASSWORD=<password>
REM Require clients to authenticate
set SOLR_SSL_NEED_CLIENT_AUTH=false
REM Enable clients to authenticate (but not require)
set SOLR_SSL_WANT_CLIENT_AUTH=false
set SOLR_SSL_KEY_STORE_PASSWORD=<password>)
set SOLR_SSL_TRUST_STORE=etc/solr-ssl.keystore.jks
set SOLR_SSL_TRUST_STORE_PASSWORD=<password>
REM Require clients to authenticate
set SOLR_SSL_NEED_CLIENT_AUTH=false
REM Enable clients to authenticate (but not require)
set SOLR_SSL_WANT_CLIENT_AUTH=false
◦ Unix: bin/solr.in.sh
For example:
bin/solr.in.sh example SOLR_SSL_* configuration
SOLR_SSL_KEY_STORE=etc/solr-ssl.keystore.jks
SOLR_SSL_KEY_STORE_PASSWORD=<password>
SOLR_SSL_TRUST_STORE=etc/solr-ssl.keystore.jks
SOLR_SSL_TRUST_STORE_PASSWORD=<password>
# Require clients to authenticate
SOLR_SSL_NEED_CLIENT_AUTH=false
# Enable clients to authenticate (but not require)
SOLR_SSL_WANT_CLIENT_AUTH=false
SOLR_SSL_KEY_STORE=etc/solr-ssl.keystore.jks
SOLR_SSL_KEY_STORE_PASSWORD=<password>
SOLR_SSL_TRUST_STORE=etc/solr-ssl.keystore.jks
SOLR_SSL_TRUST_STORE_PASSWORD=<password>
# Require clients to authenticate
SOLR_SSL_NEED_CLIENT_AUTH=false
# Enable clients to authenticate (but not require)
SOLR_SSL_WANT_CLIENT_AUTH=false
Where <password> is the password given when creating the certificate.
3. Open a Windchill shell and execute the following command to set the protocol as HTTPS to be used by the index search client when it connects to the index search server:
xconfmanager -s wt.index.solrProtocol=https -t codebase/wt.properties -p
4. When Windchill is configured to use SSL, any Java client that is being used outside Windchill needs a certificate to connect.
As a result, you must import the certificate to the JVM that is being used by the Solr nodes in the Solr cloud. This allows the Solr nodes to connect to Windchill and download documents for indexing.
Add the certificate file to the JVM trust store (JDK/JVM of the Solr nodes).
a. Navigate to the Java location that is used by the Solr nodes to verify the path of the cacerts file under <JAVA_HOME>/lib/security.
b. Navigate to <JAVA_HOME>/bin to import the new certificate. Run the keytool utility as a user who has permission to write to cacerts:
keytool -import -file <certificate file> -alias <unique name> -keystore <path to cacerts file>
For example:
keytool -import -file D:\SolrWithSSL\solr-5.4.1\server\etc\solr-ssl.cacert.pem -alias Key_Alias -keystore ../lib/security/cacerts
5. Restart Windchill.
Configure SSL for Zookeeper
1. The urlScheme cluster-wide property needs to be set to https before any Solr node starts.
Open a command prompt and navigate to <INDEX_SEARCH_HOME>/solr/server/scripts/cloud-scripts, and then execute the following command:
◦ Windows:
zkcli.bat -zkhost <comma-separated list of Zookeeper hostname:port entries> -cmd clusterprop -name urlScheme -val https
For example:
zkcli.bat -zkhost host1.ptcnet.ptc.com:2181,host2.ptcnet.ptc.com:2182,host3.ptcnet.ptc.com:2183 -cmd clusterprop -name urlScheme -val https
◦ Unix:
sh zkcli.sh -zkhost <comma-separated list of Zookeeper hostname:port entries> -cmd clusterprop -name urlScheme -val https
For example:
sh zkcli.sh -zkhost host1.ptcnet.ptc.com:2181,host2.ptcnet.ptc.com:2182,host3.ptcnet.ptc.com:2183 -cmd clusterprop -name urlScheme -val https
|
|
The urlScheme command should be executed whenever the Zookeeper nodes are restarted.
|
2. Restart the Solr cloud (the Zookeeper nodes and Solr nodes) and then navigate to the Solr administrative interface to verify that Solr is running with SSL.
|
|
Out of the box, Solr does not include any configuration for cipher suite, and it uses the default cipher suites provided by Jetty. For more information, see the applicable Jetty : The Definitive Reference (eclipse.dev). It is recommended to reference your internal security requirements and security policies for guidelines on use of secure cipher suites.
|