lucene-dev mailing list archives

From "Noble Paul (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (SOLR-7126) signing a jar and secure dynamic loading
Date Thu, 19 Feb 2015 21:13:12 GMT

     [ https://issues.apache.org/jira/browse/SOLR-7126?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Noble Paul updated SOLR-7126:
-----------------------------
    Attachment:     (was: SOLR-7126.patch)

> signing a jar and secure dynamic loading
> ----------------------------------------
>
>                 Key: SOLR-7126
>                 URL: https://issues.apache.org/jira/browse/SOLR-7126
>             Project: Solr
>          Issue Type: Sub-task
>            Reporter: Noble Paul
>            Assignee: Noble Paul
>              Labels: security
>         Attachments: SOLR-7126.patch
>
>
> We need to ensure that the jars loaded into solr are trusted 
> We shall use simple PKI to protect the jars/config loaded into the system
> The following are the steps involved for doing that.
> {noformat}
> #Step 1:
> # generate a 768-bit RSA private key, or whatever strength you would need
> $ openssl genrsa -out private_key.pem 768
> # convert private key to PKCS#8 format (so that Java can read it)
> $ openssl pkcs8 -topk8 -inform PEM -outform DER -in private_key.pem -out private_key.der -nocrypt
> # store your private keys safely (with a password if possible)
> # output public key portion in DER format (so Java can read it)
> $ openssl rsa -in private_key.pem -pubout -outform DER -out public_key.der
> #Step 2:
> # copy the public keys (the .DER files) to all Solr nodes under SOLR_HOME/keys, or start all your
> # solr servers with -Dpublic.keys.dir=/location/of/keys (where keys are stored)
> # Please note that you can store multiple public keys in that directory and all are valid
> #Step 3:
> # start all your servers with -Denable.dynamic.loading=true
> #Step 4:
> # sign the sha1 digest of your jar with one of your private keys and get the base64 string of that signature
> $ openssl dgst -sha1 -sign private_key.pem myjar.jar | openssl enc -base64
> #Step 5:
> # load your jars into blob store. refer SOLR-6787
> #Step 6:
> # use the command to add your jar to classpath as follows
> {noformat}
> {code}
> curl http://localhost:8983/solr/collection1/config -H 'Content-type:application/json' -d '{
>   "add-runtimelib" : {"name": "jarname", "version": 2, "sig": "mW1Gwtz2QazjfVdrLFHfbGwcr8xzFYgUOLu68LHqWRDvLG0uLcy1McQ+AzVmeZFBf1yLPDEHBWJb5KXr8bdbHN/PYgUB1nsr9pk4EFyD9KfJ8TqeH/ijQ9waa/vjqyiKEI9U550EtSzruLVZ32wJ7smvV0fj2YYhrUaaPzOn9g0="}
> }'
> # "sig" is the output of step 4 with its base64 lines concatenated
> {code}
> If no keys are present, the jar is loaded without any checking.
> Before loading a jar from blob store, each Solr node would check if there are keys present in the keys directory. If yes, each jar's signature will be verified with all the available public keys. If at least one succeeds, the jar is loaded into memory. If nothing succeeds, it will be rejected.



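The signing step (step 4) and the node-side acceptance rule at the end of the ticket, as an added example in Python that is not part of the ticket or of Solr's own (Java) implementation. It implements textbook RSA with PKCS#1 v1.5 encoding of the SHA-1 DigestInfo, which is the scheme behind `openssl dgst -sha1 -sign` and Java's `SHA1withRSA`, so a practitioner can see what the base64 "sig" actually contains and how "at least one key verifies" and "no keys, no check" play out. The jar bytes are a constructed stand-in, the key generation is a demo-quality routine, and `node_accepts_jar` and `add_runtimelib_command` are hypothetical helper names; a real deployment would use openssl and the JDK rather than this code.

```python
"""Added example (not Solr code): sign a jar as in step 4 of SOLR-7126 and
apply the node-side verification rule the ticket describes.  Pure-Python
textbook RSA with PKCS#1 v1.5 encoding, the scheme behind
`openssl dgst -sha1 -sign` and Java's "SHA1withRSA"."""
import base64
import hashlib
import hmac
import json
import math
import secrets

# DER DigestInfo prefix for SHA-1 (RFC 8017, section 9.2, note 1).
SHA1_DIGESTINFO_PREFIX = bytes.fromhex("3021300906052b0e03021a05000414")


def is_probable_prime(n, rounds=32):
    """Miller-Rabin after trial division by small primes."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits):
    """Random odd candidate with the top two bits set, so p*q has exactly 2*bits bits."""
    while True:
        c = secrets.randbits(bits) | (3 << (bits - 2)) | 1
        if is_probable_prime(c):
            return c


def generate_keypair(bits=768):
    """Return ((n, e), (n, d)).  768 matches the ticket's openssl line, but
    768-bit RSA is far below today's 2048-bit minimum; it is used here only
    so the example runs quickly (demo key generation, not for real use)."""
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            break
    return (p * q, e), (p * q, pow(e, -1, phi))


def emsa_pkcs1_v15_sha1(data, k):
    """EM = 0x00 || 0x01 || 0xff...ff || 0x00 || DigestInfo(SHA-1(data)), k bytes long."""
    t = SHA1_DIGESTINFO_PREFIX + hashlib.sha1(data).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


def sign_jar(jar_bytes, private_key):
    """Step 4: RSA-sign the jar's SHA-1 digest; returns the one-line base64 "sig"."""
    n, d = private_key
    k = (n.bit_length() + 7) // 8
    m = int.from_bytes(emsa_pkcs1_v15_sha1(jar_bytes, k), "big")
    return base64.b64encode(pow(m, d, n).to_bytes(k, "big")).decode()


def verify_with_key(jar_bytes, sig_b64, public_key):
    """True iff sig_b64 is a valid SHA1withRSA signature of jar_bytes under public_key."""
    n, e = public_key
    k = (n.bit_length() + 7) // 8
    try:
        s = int.from_bytes(base64.b64decode(sig_b64, validate=True), "big")
    except ValueError:  # malformed base64 (binascii.Error is a ValueError)
        return False
    if s >= n:
        return False
    em = pow(s, e, n).to_bytes(k, "big")
    return hmac.compare_digest(em, emsa_pkcs1_v15_sha1(jar_bytes, k))


def node_accepts_jar(jar_bytes, sig_b64, public_keys):
    """Acceptance rule quoted in the ticket: with no keys on the node the jar is
    loaded unchecked; otherwise it is loaded iff at least one key verifies."""
    if not public_keys:
        return True
    return any(verify_with_key(jar_bytes, sig_b64, pk) for pk in public_keys)


def add_runtimelib_command(name, version, sig_b64):
    """JSON body for step 6's `curl .../config` call (hypothetical helper)."""
    return json.dumps({"add-runtimelib": {"name": name, "version": version, "sig": sig_b64}})


if __name__ == "__main__":
    pub, priv = generate_keypair()
    jar = b"PK\x03\x04 constructed stand-in for myjar.jar"  # not a real jar
    sig = sign_jar(jar, priv)
    print(add_runtimelib_command("jarname", 2, sig))
    print("accepted:", node_accepts_jar(jar, sig, [pub]))
    print("tampered jar accepted:", node_accepts_jar(jar + b"x", sig, [pub]))
```

The `not public_keys` branch is the behaviour the ticket spells out: an empty keys directory disables verification rather than failing closed, so an operator relying on signatures must make sure every node actually has the public keys deployed. Since any one key in the directory is enough, each key there carries the full trust of the loader.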

