Configure SSL for Standalone Index Search Server (Solr)
Before you can begin, you must have a certificate and key converted into PEM format as a single file.
If a certificate-only file is not available, you can optionally generate one from the certificate and key file:
1. Convert the JKS keystore into PKCS12 format using the keytool utility:
keytool -importkeystore -srckeystore solr-ssl.keystore.jks -destkeystore solr-ssl.keystore.p12 -srcstoretype jks -deststoretype pkcs12
2. Convert the PKCS12 keystore into PEM format using the openssl command, exporting only the certificate and not the key:
openssl pkcs12 -nokeys -in solr-ssl.keystore.p12 -out solr-ssl.cacert.pem
Configure the Windchill Index Search Client
1. Open a Windchill shell and execute the following command to set the protocol as HTTPS to be used by the index search client when it connects to the index search server:
xconfmanager -s wt.index.solrProtocol=https -t codebase/wt.properties -p
2. Restart Windchill.
Configure the Windchill Index Search Server
1. Copy the JKS keystore file containing the certificate to <Index_Search_Home>/solr/server/etc.
2. Set common SSL-related system properties.
To activate the SSL settings, uncomment and update the set of properties beginning with SOLR_SSL_* in the following file:
◦ Windows: bin\solr.in.cmd
For example:
set SOLR_SSL_KEY_STORE=etc/solr-ssl.keystore.jks
set SOLR_SSL_KEY_STORE_PASSWORD=<password>
set SOLR_SSL_TRUST_STORE=etc/solr-ssl.keystore.jks
set SOLR_SSL_TRUST_STORE_PASSWORD=<password>
REM Require clients to authenticate
set SOLR_SSL_NEED_CLIENT_AUTH=false
REM Enable clients to authenticate (but not require)
set SOLR_SSL_WANT_CLIENT_AUTH=false
◦ Unix: bin/solr.in.sh
For example:
SOLR_SSL_KEY_STORE=etc/solr-ssl.keystore.jks
SOLR_SSL_KEY_STORE_PASSWORD=<password>
SOLR_SSL_TRUST_STORE=etc/solr-ssl.keystore.jks
SOLR_SSL_TRUST_STORE_PASSWORD=<password>
# Require clients to authenticate
SOLR_SSL_NEED_CLIENT_AUTH=false
# Enable clients to authenticate (but not require)
SOLR_SSL_WANT_CLIENT_AUTH=false
Where <password> is the password given when creating the certificate.
If you wish to change the default password of the Solr keystore, perform the following steps to avoid Solr server startup issues:
a. Ensure that the password is correct in solr.in.cmd (Windows) or solr.in.sh (Unix).
b. Open the <Index_Search_Home>/solr/server/etc/jetty-ssl.xml file.
c. Update the following property values with the correct password:
<Set name="KeyStorePassword"><Property name="solr.jetty.keystore.password"
default="<enter the correct password>"/></Set>
<Set name="TrustStorePassword"><Property name="solr.jetty.truststore.password"
default="<enter the correct password>"/></Set>
d. Save the jetty-ssl.xml file and start the Solr Server.
3. Add the certificate file to the JVM trust store (JDK/JVM of Windchill only).
a. Locate the Java installation used by Windchill and confirm the path of its cacerts file under <JAVA_HOME>/lib/security.
b. Navigate to <JAVA_HOME>/bin to import the new certificate. Run the keytool utility as a user who has permission to write to cacerts:
keytool -import -file <certificate file> -alias <unique name> -keystore <path to cacerts file>
For example:
keytool -import -file D:\SolrWithSSL\solr-5.4.1\server\etc\solr-ssl.cacert.pem -alias Key_Alias -keystore ../lib/security/cacerts
4. When the Solr server is configured as non-SSL and Windchill is configured to use SSL, any Java client used outside Windchill needs a certificate to connect.
For this, you must import the certificate into the JVM used by the index search server. This allows the index search server to connect to Windchill and download documents for indexing.
The steps to add the certificate file to the JVM trust store (JDK/JVM of the Solr server) are as follows:
a. Locate the Java installation used by the Solr server and confirm the path of its cacerts file under <JAVA_HOME>/lib/security.
b. Navigate to <JAVA_HOME>/bin to import the certificate. Run the keytool utility as a user who has permission to write to cacerts:
keytool -import -file <certificate file> -alias <unique name> -keystore <path to cacerts file>
For example:
keytool -import -file D:\SolrWithSSL\solr-5.4.1\server\etc\solr-ssl.cacert.pem -alias Key_Alias -keystore ../lib/security/cacerts
5. When both the Solr server and Windchill are configured to use SSL, add the Windchill certificate file (in PEM or PKCS12 format) to the trust store of the Solr server. By default, Jetty uses <Solr Server Home>/solr/server/etc/solr-ssl.keystore.jks, set up in the steps above, as both the trust store and the key store.
Run the keytool utility:
keytool -import -file <windchill certificate file in pem or pkcs12 format>
-alias <unique name> -keystore <Solr Server Home>/solr/server/etc/solr-ssl.keystore.jks
For example:
keytool -import -file D:\ptc\Windchill\certificates\windchillserver.pem
-alias Key_Alias -keystore D:\SolrWithSSL\SolrServer\solr\server\etc\solr-ssl.keystore.jks
6. Restart Windchill and the index search server, and then navigate to the Solr administrative interface to verify that Solr is running with SSL.
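The following shell script is an added example; it is not part of this PTC documentation and not Apache Solr code. It performs the checks a practitioner wants to run before the restart in step 6: that the SOLR_SSL_* block in solr.in.sh (or solr.in.cmd) is uncommented and points at store files that exist, that the <password> placeholder has been replaced, that the store passwords match the defaults in jetty-ssl.xml as step 2 requires, and that the client-auth switches are literal true or false. The function names ssl_setting, jetty_default, check_solr_ssl and write_sample are assumed, and the sample install the script builds in a temporary directory is constructed for demonstration only.

```shell
#!/bin/sh
# Preflight check of the SOLR_SSL_* settings before restarting the index search server.
# Added example, not PTC or Apache Solr code. Assumes the layout described on this page:
#   <solr_dir>/bin/solr.in.sh  (or solr.in.cmd)   -- SOLR_SSL_* assignments
#   <solr_dir>/server/etc/jetty-ssl.xml           -- solr.jetty.*.password defaults
# Store paths such as etc/solr-ssl.keystore.jks are resolved relative to <solr_dir>/server.

# Print the value of VAR=value (or "set VAR=value" in solr.in.cmd) from an include file.
# Commented-out lines are ignored, the last active assignment wins, quotes and CR are dropped.
ssl_setting() {
  grep -E "^[[:space:]]*(set[[:space:]]+)?$2=" "$1" 2>/dev/null | tail -n 1 | tr -d '\r' \
    | sed -e 's/^[^=]*=//' -e 's/^"//' -e 's/"[[:space:]]*$//'
}

# Print the default="..." of a named <Property> in jetty-ssl.xml (the element may span lines).
jetty_default() {
  tr '\n' ' ' < "$1" 2>/dev/null | grep -o "name=\"$2\"[^/]*default=\"[^\"]*\"" \
    | sed -e 's/.*default="//' -e 's/"$//' | head -n 1
}

# Check one Solr install. Prints each problem found; returns 0 only if every check passes.
check_solr_ssl() {
  solr_dir=$1
  inc=$solr_dir/bin/solr.in.sh
  [ -f "$inc" ] || inc=$solr_dir/bin/solr.in.cmd
  jetty=$solr_dir/server/etc/jetty-ssl.xml
  fails=0

  ks=$(ssl_setting "$inc" SOLR_SSL_KEY_STORE)
  ks_pw=$(ssl_setting "$inc" SOLR_SSL_KEY_STORE_PASSWORD)
  ts=$(ssl_setting "$inc" SOLR_SSL_TRUST_STORE)
  ts_pw=$(ssl_setting "$inc" SOLR_SSL_TRUST_STORE_PASSWORD)
  need=$(ssl_setting "$inc" SOLR_SSL_NEED_CLIENT_AUTH)
  want=$(ssl_setting "$inc" SOLR_SSL_WANT_CLIENT_AUTH)

  # 1. The SOLR_SSL_* block must be active (uncommented) and point at stores that exist.
  for store in "SOLR_SSL_KEY_STORE=$ks" "SOLR_SSL_TRUST_STORE=$ts"; do
    store_path=${store#*=}
    if [ -z "$store_path" ]; then
      echo "FAIL: ${store%%=*} is not set (still commented out?)"; fails=$((fails + 1))
    elif [ ! -f "$solr_dir/server/$store_path" ]; then
      echo "FAIL: ${store%%=*} file not found: $solr_dir/server/$store_path"; fails=$((fails + 1))
    fi
  done

  # 2. The <password> placeholder from the template must have been replaced.
  for pw in "$ks_pw" "$ts_pw"; do
    case $pw in
      ""|"<password>") echo "FAIL: store password unset or still the <password> placeholder"
                       fails=$((fails + 1)) ;;
    esac
  done

  # 3. Step 2 on this page: the passwords in the include file must match the defaults in
  #    jetty-ssl.xml, otherwise the Solr server has startup issues.
  for prop in solr.jetty.keystore.password solr.jetty.truststore.password; do
    jd=$(jetty_default "$jetty" "$prop")
    case $prop in *keystore*) expect=$ks_pw ;; *) expect=$ts_pw ;; esac
    [ "$jd" = "$expect" ] || { echo "FAIL: $prop default in jetty-ssl.xml differs from the include file"; fails=$((fails + 1)); }
  done

  # 4. Client-auth switches must be literal true or false.
  for flag in "NEED=$need" "WANT=$want"; do
    case ${flag#*=} in
      true|false) ;;
      *) echo "FAIL: SOLR_SSL_${flag%%=*}_CLIENT_AUTH must be true or false"; fails=$((fails + 1)) ;;
    esac
  done

  [ "$fails" -eq 0 ]
}

# Constructed sample install for demonstration (not a real Solr tree).
# $1 = dir, $2 = password in solr.in.sh, $3 = default in jetty-ssl.xml, $4 = create keystore (yes/no)
write_sample() {
  mkdir -p "$1/bin" "$1/server/etc"
  cat > "$1/bin/solr.in.sh" <<EOF
# SOLR_SSL_KEY_STORE=etc/old-keystore.jks   (stale, commented out: must be ignored)
SOLR_SSL_KEY_STORE=etc/solr-ssl.keystore.jks
SOLR_SSL_KEY_STORE_PASSWORD="$2"
SOLR_SSL_TRUST_STORE=etc/solr-ssl.keystore.jks
SOLR_SSL_TRUST_STORE_PASSWORD="$2"
SOLR_SSL_NEED_CLIENT_AUTH=false
SOLR_SSL_WANT_CLIENT_AUTH=false
EOF
  cat > "$1/server/etc/jetty-ssl.xml" <<EOF
<Configure id="Server" class="org.eclipse.jetty.server.Server">
  <Set name="KeyStorePassword"><Property name="solr.jetty.keystore.password"
    default="$3"/></Set>
  <Set name="TrustStorePassword"><Property name="solr.jetty.truststore.password"
    default="$3"/></Set>
</Configure>
EOF
  if [ "$4" = yes ]; then : > "$1/server/etc/solr-ssl.keystore.jks"; fi
}

# Demo: a template left untouched (placeholder password, no keystore copied in).
demo=$(mktemp -d)
write_sample "$demo" '<password>' '<password>' no
if check_solr_ssl "$demo"; then echo "OK: safe to restart"; else echo "fix the problems above before restarting"; fi
rm -rf "$demo"
```

Against a real install, call check_solr_ssl with <Index_Search_Home>/solr as the argument. The placeholder check is the one most worth keeping: a `<password>` value left in solr.in.sh fails silently until Jetty refuses to open the keystore at startup.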
• Out of the box, Solr does not include any cipher suite configuration; it uses the default cipher suites provided by Jetty. For more information, see the applicable version of Jetty: The Definitive Reference (eclipse.dev). Refer to your internal security requirements and security policies for guidelines on the use of secure cipher suites.