lucene-solr-user mailing list archives

From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: Question regarding TLS version for solr
Date Thu, 24 May 2018 14:40:37 GMT

Anchal,

On 5/24/18 6:02 AM, Anchal Sharma2 wrote:
> Thanks a lot for sharing the steps. I tried a few of them. Actually,
> we have already been using Solr in our application for a year or
> so. We just want to encrypt it to use secure Solr now. So, I
> followed the steps where you have created the certificates, etc.
> But when I go to start Solr back, it doesn't start. We are
> using ZooKeeper. Following is the error I get on running the solr
> start command.
> 
> Command: ./solr -c -m 1g -p 8984 -z <localhost>:2181 -s <path till folder containing data>
> 
> Error:
> 
> lsof 4.55 (latest revision at ftp://vic.cc.purdue.edu/pub/tools/unix/lsof)
> usage: [-?abhlnNoOPRstUvVX] [-c c] [+|-d s] [+|-D D] [+|-f[cfgGn]] [-F [f]]
>        [-g [s]] [-i [i]] [+|-L [l]] [-m m] [+|-M] [-o [o]] [-p s] [+|-r [t]]
>        [-S [t]] [-T [t]] [-u s] [+|-w] [--] [names]
> Use the ``-h'' option to get more help information.
> Still not seeing Solr listening on 8984 after 30 seconds!
>   at java.security.KeyStore.load(KeyStore.java:1456)
>   at org.eclipse.jetty.util.security.CertificateUtils.getKeyStore(CertificateUtils.java:55)
>   at org.eclipse.jetty.util.ssl.SslContextFactory.loadKeyStore(SslContextFactory.java:871)
>   at org.eclipse.jetty.util.ssl.SslContextFactory.doStart(SslContextFactory.java:273)
>   at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
>   at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:132)
>   at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:114)
>   at org.eclipse.jetty.server.SslConnectionFactory.doStart(SslConnectionFactory.java:64)
>   at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
>   at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:132)
>   at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:114)
>   at org.eclipse.jetty.server.AbstractConnector.doStart(AbstractConnector.java:256)
>   at org.eclipse.jetty.server.AbstractNetworkConnector.doStart(AbstractNetworkConnector.java:81)
>   at org.eclipse.jetty.server.ServerConnector.doStart(ServerConnector.java:236)
>   at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
>   at org.eclipse.jetty.server.Server.doStart(Server.java:366)
>   at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
>   at org.eclipse.jetty.xml.XmlConfiguration$1.run(XmlConfiguration.java:1255)
>   at java.security.AccessController.doPrivileged(AccessController.java:594)
>   at org.eclipse.jetty.xml.XmlConfiguration.main(XmlConfiguration.java:1174)
>   at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>   at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:90)
>   at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:55)
>   at java.lang.reflect.Method.invoke(Method.java:508)
>   at org.eclipse.jetty.start.Main.invokeMain(Main.java:321)
>   at org.eclipse.jetty.start.Main.start(Main.java:817)
>   at org.eclipse.jetty.start.Main.main(Main.java:112)
> 2018-05-24 09:05:16.714 INFO (zkCallback-3-thread-1-processing-n:9.109.122.113:8984_solr) [   ] o.a.s.c.c.ZkStateReader A cluster state change: WatchedEvent state:SyncConnected type:NodeDataChanged path:/clusterstate.json, has occurred - updating... (live nodes size: 1)
> 2018-05-24 09:05:17.018 INFO (zkCallback-3-thread-1-processing-n:9.109.122.113:8984_solr) [   ] o.a.s.c.c.ZkStateReader Updated cluster state version to 9702
> 2018-05-24 09:05:17.153 INFO (coreLoadExecutor-7-thread-2-processing-n:9.109.122.113:8984_solr) [c:document  r:core_node1 x:document] o.a.s.u.SolrIndexConfig IndexWriter infoStream solr logging is enabled
> [\]  sleep: bad character in argument


What does the solr.log file say? The above stack trace isn't terribly
helpful, and it's incomplete.

-chris

> -----Christopher Schultz <chris@christopherschultz.net> wrote: -----
> To: solr-user@lucene.apache.org
> From: Christopher Schultz <chris@christopherschultz.net>
> Date: 05/23/2018 07:29PM
> Subject: Re: Question regarding TLS version for solr
> 
> Anchal,
> 
> On 5/23/18 2:38 AM, Anchal Sharma2 wrote:
>> Thank you for replying. But, I checked the Java version Solr is
>> using, and it is already version 1.8.
> 
>> @Christopher, can you let me know what steps you followed for
>> TLS authentication on Solr version 7.3.0.
> 
> Sure. Here are my deployment notes. You may have to adjust them 
> slightly for your environment. Note that we are using standalone
> Solr without any Zookeeper, clustering, etc. This is just about
> configuring a single instance. Also, this guide says 7.3.0, but
> 7.3.1 would be better as it contains a fix for a CVE.
> 
> === CUT ===
> 
> ========================================================
> Instructions for installing Solr and working with Cores
> ========================================================
> 
> Installation
> ------------
> 
> Installing Solr is fairly simple. One can simply untar the
> distribution tarball and work from that directory, but it is better
> to install it in a somewhat more centralized place with a separate
> data directory to facilitate upgrades, etc.
> 
> 1. Obtain the distribution tarball
> 
>    Go to https://lucene.apache.org/solr/mirrors-solr-latest-redir.html
>    and obtain the latest supported version of Solr (7.3.0 as of this
>    writing).
> 
> 2. Untar the archive
> 
>    $ tar xzf solr-x.y.z.tgz
> 
> 3. Install Solr
> 
>    $ cd solr-x.y.z
>    $ sudo bin/install_solr_service.sh ../solr-x.y.z.tgz \
>          -i /usr/local \
>          -d /mnt/securefs/solr \
>          -n
> 
>    (that last -n says "don't start Solr")
> 
> 4. Configure Solr Settings
> 
>    Edit the file /etc/default/solr.in.sh
> 
>    Settings you may want to explicitly set:
> 
>    SOLR_JAVA_HOME=(java home)
>    SOLR_HEAP="1024M"
> 
> 5. Configure Solr for TLS
> 
>    Create a server key and certificate:
> 
>    $ sudo mkdir /etc/solr
>    $ sudo keytool -genkey -keyalg EC -sigalg SHA256withECDSA -keysize 256 -validity 730 \
>          -alias 'solr-ssl' -keystore /etc/solr/solr.p12 -storetype PKCS12 \
>          -ext san=dns:localhost,ip:192.168.10.20
> 
>    Use the following information for the certificate:
> 
>    First and Last name: 192.168.10.20 (or "localhost", or your IP address)
>    Org unit: [whatever]
>    Everything else should be obvious
> 
>    Now, export the public key from the keystore.
> 
>    $ sudo /usr/local/java-8/bin/keytool -list -rfc -keystore /etc/solr/solr.p12 \
>          -storetype PKCS12 -alias solr-ssl
> 
>    Copy that certificate and paste it into this command's stdin:
> 
>    $ sudo keytool -importcert -keystore /etc/solr/solr-server.p12 \
>          -storetype PKCS12 -alias 'solr-ssl'
> 
>    Now, fix the ownership and permissions on these files:
> 
>    $ sudo chown root:solr /etc/solr/solr.p12 /etc/solr/solr-server.p12
>    $ sudo chmod 0640 /etc/solr/solr.p12
> 
>    Edit the file /etc/default/solr.in.sh
> 
>    Set the following settings:
> 
>    SOLR_SSL_KEY_STORE=/etc/solr/solr.p12
>    SOLR_SSL_KEY_STORE_TYPE=PKCS12
>    SOLR_SSL_KEY_STORE_PASSWORD=whatever
> 
>    # You MUST set the trust store for some reason.
>    SOLR_SSL_TRUST_STORE=/etc/solr/solr-server.p12
>    SOLR_SSL_TRUST_STORE_TYPE=PKCS12
>    SOLR_SSL_TRUST_STORE_PASSWORD=whatever
> 
>    Then, patch the file bin/post; you are going to need this, later.
> 
> --- bin/post    2017-09-03 13:29:15.000000000 -0400 +++
> /usr/local/solr/bin/post    2018-04-11 20:08:17.000000000 -0400 @@
> -231,8 +231,8 @@ PROPS+=('-Drecursive=yes') fi
> 
> -echo "$JAVA" -classpath "${TOOL_JAR[0]}" "${PROPS[@]}" 
> org.apache.solr.util.SimplePostTool "${PARAMS[@]}" -"$JAVA"
> -classpath "${TOOL_JAR[0]}" "${PROPS[@]}" 
> org.apache.solr.util.SimplePostTool "${PARAMS[@]}" +echo "$JAVA"
> -classpath "${TOOL_JAR[0]}" "${PROPS[@]}" ${SOLR_POST_OPTS}
> org.apache.solr.util.SimplePostTool "${PARAMS[@]}" +"$JAVA"
> -classpath "${TOOL_JAR[0]}" "${PROPS[@]}" ${SOLR_POST_OPTS} 
> org.apache.solr.util.SimplePostTool "${PARAMS[@]}"
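Review bot: the first `+` line keeps the `echo` of the full java command and now includes `${SOLR_POST_OPTS}` in it, and the usage section later in these notes puts `-Djavax.net.ssl.keyStorePassword=...` and `-Djavax.net.ssl.trustStorePassword=...` into that variable, so both store passwords are printed to stdout every time bin/post runs and end up in any captured shell transcript or CI log; either drop `${SOLR_POST_OPTS}` from the `echo` line or echo a redacted copy. A second, smaller point on both `+` lines: `${SOLR_POST_OPTS}` is intentionally left unquoted so the shell splits it into separate `-D` options, which is what the usage relies on, but it also means no single property value (a password, a path) may contain whitespace; a one-line comment above the call saying so would save the next reader from "fixing" the quoting.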
> 
> 6. Configure Solr to Require Client TLS Certificates
> 
>    On each client, create a client key and certificate:
> 
>    $ keytool -genkey -keyalg EC -sigalg SHA256withECDSA -keysize 256 \
>          -validity 730 -alias 'solr-client-ssl'
> 
>    Now dump the certificate for the next step:
> 
>    $ keytool -exportcert -keystore [client-key-store] -storetype PKCS12 \
>          -alias 'solr-client-ssl'
> 
>    Don't forget that you might want to generate your own client
>    certificate to use from your own web browser if you want to be able
>    to connect to the server's dashboard.
> 
>    Use the output of that command on each client to put the cert(s)
>    into this trust store on the server:
> 
>    $ sudo keytool -importcert -keystore /etc/solr/solr-trusted-clients.p12 \
>          -storetype PKCS12 -alias '[client key alias]'
> 
>    Edit /etc/default/solr.in.sh and add the following entries:
> 
>    SOLR_SSL_NEED_CLIENT_AUTH=true
>    SOLR_SSL_TRUST_STORE=/etc/solr/solr-trusted-clients.p12
>    SOLR_SSL_TRUST_STORE_TYPE=PKCS12
>    SOLR_SSL_TRUST_STORE_PASSWORD=whatever
> 
> Summary of Files in /etc/solr
> -----------------------------
> 
> solr-client.p12           Client keystore. Contains client key and
>                           certificate. Used by clients to identify
>                           themselves to the server.
> 
> solr.p12                  Server keystore. Contains server key and
>                           certificate. Used by server to identify
>                           itself to clients.
> 
> solr-server.p12           Client trust store. Contains server's
>                           certificate. Used by clients to identify
>                           and trust the server.
> 
> solr-trusted-clients.p12  Server trust store. Contains trusted
>                           client certificates. Used by server to
>                           trust clients.
> 
> Starting and Stopping Solr
> --------------------------
> 
> If you've installed Solr as a service, you can simply run:
> 
> $ sudo /etc/init.d/solr [cmd]
> 
> If you haven't installed Solr as a service, you can run the Solr
> script directly from the expanded tarball directory:
> 
> $ ${SOLR_HOME}/bin/solr start (or stop)
> 
> Creating a New Core (Index)
> ---------------------------
> 
> If you have installed Solr as a service, you will have to use sudo
> to create your core so that the directories and files get the
> correct ownership and permissions.
> 
> $ sudo -u solr /usr/local/solr/bin/solr -c [corename]
> 
> If you haven't installed Solr as a service, this is nominally
> easier:
> 
> $ ${SOLR_HOME}/bin/solr -c [corename]
> 
> Loading Data into a Core (Index)
> --------------------------------
> 
> If you have installed Solr as a service using TLS, you will need to
> do some additional work to call Solr's "post" program. First,
> ensure you have patched bin/post according to the installation
> instructions above. Then:
> 
> $ SOLR_POST_OPTS="-Djavax.net.ssl.trustStore=/etc/solr/solr-server.p12
>       -Djavax.net.ssl.trustStoreType=PKCS12
>       -Djavax.net.ssl.trustStorePassword=[whatever]
>       -Djavax.net.ssl.keyStore=/etc/solr/solr-client.p12
>       -Djavax.net.ssl.keyStoreType=PKCS12
>       -Djavax.net.ssl.keyStorePassword=[whatever]" \
>       /usr/local/solr/bin/post \
>       -url https://localhost:8983/solr/[corename]/update [file-to-post]
> 
> If you haven't configured Solr with TLS, you can simply do:
> 
> $ ${SOLR_HOME}/bin/post -c [corename] [file-to-post]
> 
> === CUT ===
> 
> I hope that helps.
> 
> I give permission to anyone on the Solr team to adapt the above 
> content into a TLS guide for the Solr documentation.
> 
> -chris
> 
> 
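The keytool steps in the quoted notes are interactive: keytool prompts for the subject and the passwords, and the server certificate is moved from solr.p12 into the client trust store by copy and paste. The script below is an added example, not part of the thread and not one of Solr's own scripts. It runs steps 5 and 6 together non-interactively, builds the four stores from the "Summary of Files" section, prints the matching solr.in.sh lines, and lists what each store contains so a reviewer can confirm that the two keystores hold only a private key and the two trust stores hold only certificates. The output directory (instead of /etc/solr), the single shared password, the OU/O values and the function names are placeholders; the IP address argument stands in for 192.168.10.20.

```shell
#!/usr/bin/env bash
# Added example: non-interactive version of the keytool steps from the notes.
# Assumptions: stores go under a directory you pass in, one password is used
# for every store, and the OU/O values in the subject names are placeholders.
set -eu

# Same key type as the notes: EC P-256, SHA-256 signature, two-year validity.
# Kept as a string and expanded unquoted on purpose so it word-splits.
KEYALG="-keyalg EC -keysize 256 -sigalg SHA256withECDSA -validity 730"

# Build the four stores from the "Summary of Files" under $1.
# $2 is the store password; $3 is the server's IP address, used as the CN
# and placed in the SAN next to "localhost" so hostname checks pass.
make_solr_tls_stores() {
    local out="$1" pass="$2" ip="$3"
    mkdir -p "$out"

    # Server keystore (solr.p12): private key and self-signed certificate.
    keytool -genkeypair $KEYALG -alias solr-ssl \
        -dname "CN=$ip, OU=search, O=example" \
        -ext "san=dns:localhost,ip:$ip" \
        -keystore "$out/solr.p12" -storetype PKCS12 \
        -storepass "$pass" -keypass "$pass"

    # Client trust store (solr-server.p12): only the server certificate, so a
    # client trusts exactly this server and no public CA.
    keytool -exportcert -rfc -alias solr-ssl \
        -keystore "$out/solr.p12" -storetype PKCS12 -storepass "$pass" \
        -file "$out/solr-server.pem"
    keytool -importcert -noprompt -alias solr-ssl -file "$out/solr-server.pem" \
        -keystore "$out/solr-server.p12" -storetype PKCS12 -storepass "$pass"

    # Client keystore (solr-client.p12) and server trust store
    # (solr-trusted-clients.p12) for client-certificate authentication.
    keytool -genkeypair $KEYALG -alias solr-client-ssl \
        -dname "CN=solr-client, OU=search, O=example" \
        -keystore "$out/solr-client.p12" -storetype PKCS12 \
        -storepass "$pass" -keypass "$pass"
    keytool -exportcert -rfc -alias solr-client-ssl \
        -keystore "$out/solr-client.p12" -storetype PKCS12 -storepass "$pass" \
        -file "$out/solr-client.pem"
    keytool -importcert -noprompt -alias solr-client-ssl \
        -file "$out/solr-client.pem" \
        -keystore "$out/solr-trusted-clients.p12" -storetype PKCS12 -storepass "$pass"

    # Files holding private keys must not be world-readable. The notes use
    # root:solr 0640; the chown needs root and is left to the installer.
    chmod 0640 "$out/solr.p12" "$out/solr-client.p12"
}

# Entry kinds keytool reports for a store, one per line, sorted. A keystore
# should show only PrivateKeyEntry, a trust store only trustedCertEntry.
store_entry_kinds() {
    keytool -list -keystore "$1" -storetype PKCS12 -storepass "$2" 2>/dev/null \
        | grep -oE 'PrivateKeyEntry|trustedCertEntry' | sort -u
}

# solr.in.sh lines for the end state of step 6: server identity from solr.p12,
# client certificates required and checked against solr-trusted-clients.p12.
solr_in_sh_fragment() {
    cat <<EOF
SOLR_SSL_KEY_STORE=$1/solr.p12
SOLR_SSL_KEY_STORE_TYPE=PKCS12
SOLR_SSL_KEY_STORE_PASSWORD=$2
SOLR_SSL_TRUST_STORE=$1/solr-trusted-clients.p12
SOLR_SSL_TRUST_STORE_TYPE=PKCS12
SOLR_SSL_TRUST_STORE_PASSWORD=$2
SOLR_SSL_NEED_CLIENT_AUTH=true
EOF
}

# Usage: ./make-solr-stores.sh /tmp/solr-tls changeit 192.168.10.20
if [ "$#" -eq 3 ]; then
    make_solr_tls_stores "$1" "$2" "$3"
    solr_in_sh_fragment "$1" "$2"
    for f in solr.p12 solr-client.p12 solr-server.p12 solr-trusted-clients.p12; do
        printf '%s: %s\n' "$f" "$(store_entry_kinds "$1/$f" "$2" | tr '\n' ' ')"
    done
fi
```

After running it, solr-server.p12 (and the .pem next to it) is what gets copied to each client and imported into a browser for the dashboard; solr.p12 and solr-client.p12 stay where they are with the 0640 mode. Run with a real trust store per client rather than one shared client key if you want to revoke a single client later, which with a trust-store-only setup means removing its certificate from solr-trusted-clients.p12 and restarting Solr.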

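The failure in the quoted trace is thrown from java.security.KeyStore.load() inside Jetty's SslContextFactory, which is where Solr opens SOLR_SSL_KEY_STORE and SOLR_SSL_TRUST_STORE, and the exception message that says why (missing file, unreadable file, wrong format, wrong password) is the line Chris asks for from solr.log. As an added example, mine rather than anything from the thread or from Solr, the script below checks those causes before Solr is started: the file named in solr.in.sh exists and is readable by the user running the check, it is not world-readable, its leading bytes match the declared *_TYPE (a JKS file declared as PKCS12, or the reverse, is one way to get exactly this trace), and, when keytool is on the PATH and a password is configured, that the password actually opens it. It sources the solr.in.sh the same way bin/solr does. Function names are assumptions; the sample solr.in.sh and store files in the usage are constructed.

```shell
#!/usr/bin/env bash
# Added example: pre-flight check for SOLR_SSL_* settings before starting Solr.
# The checks mirror what KeyStore.load() needs; nothing here is Solr code.
set -eu

# Classify a store by its leading bytes. PKCS12 is a DER SEQUENCE whose first
# element is INTEGER 3 (the PFX version), so the hex starts 30 <len> 02 01 03
# with a one-, two- or three-byte length; JKS starts with the magic 0xFEEDFEED.
keystore_kind() {
    local hex
    hex=$(od -An -tx1 -N16 "$1" 2>/dev/null | tr -d ' \n')
    case "$hex" in
        feedfeed*)                                      echo JKS ;;
        30??020103*|3081??020103*|3082????020103*)      echo PKCS12 ;;
        *)                                              echo UNKNOWN ;;
    esac
}

# File mode as octal digits: GNU stat first, BSD stat as the fallback.
file_mode() { stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"; }

# Check one store. $1 setting name, $2 path, $3 declared type, $4 password
# (may be empty). Prints one line per problem; returns 1 if any was found.
check_store() {
    local label="$1" path="$2" type="$3" pass="$4" rc=0 kind mode
    if [ ! -f "$path" ]; then
        echo "$label: $path does not exist; KeyStore.load will throw FileNotFoundException"
        return 1
    fi
    if [ ! -r "$path" ]; then
        echo "$label: $path is not readable by $(id -un)"; rc=1
    fi
    mode=$(file_mode "$path")
    case "$mode" in
        *[1-7]) echo "$label: $path is world-readable (mode $mode); expected 0640"; rc=1 ;;
    esac
    kind=$(keystore_kind "$path")
    if [ "$kind" != "$type" ]; then
        echo "$label: $path looks like $kind but ${label}_TYPE is $type"; rc=1
    fi
    # With a password and keytool available, do what KeyStore.load does:
    # open the store and verify its integrity MAC. A wrong password fails here.
    if [ -n "$pass" ] && command -v keytool >/dev/null 2>&1; then
        keytool -list -keystore "$path" -storetype "$type" -storepass "$pass" >/dev/null 2>&1 \
            || { echo "$label: keytool cannot open $path with ${label}_PASSWORD"; rc=1; }
    fi
    return $rc
}

# Source a solr.in.sh (as bin/solr does) and check both stores it names.
# Solr's default store type is JKS when the *_TYPE variable is unset.
preflight() {
    local rc=0
    # shellcheck disable=SC1090
    . "$1"
    check_store SOLR_SSL_KEY_STORE "${SOLR_SSL_KEY_STORE:-}" \
        "${SOLR_SSL_KEY_STORE_TYPE:-JKS}" "${SOLR_SSL_KEY_STORE_PASSWORD:-}" || rc=1
    check_store SOLR_SSL_TRUST_STORE "${SOLR_SSL_TRUST_STORE:-}" \
        "${SOLR_SSL_TRUST_STORE_TYPE:-JKS}" "${SOLR_SSL_TRUST_STORE_PASSWORD:-}" || rc=1
    return $rc
}

# Usage: sudo -u solr ./solr-tls-preflight.sh /etc/default/solr.in.sh
# Running it as the solr user is the point: root can read anything, so a
# root-only 0600 store passes as root and still breaks Solr at startup.
if [ "$#" -eq 1 ]; then
    preflight "$1" && echo "SOLR_SSL_* stores look usable"
fi
```

The type check is deliberately shallow (first bytes only) so it needs no Java on the box; the keytool step, when available, is the authoritative one because it exercises the same password and MAC verification that Jetty will. For the ZooKeeper case in the question the same checks apply on every node, since each node opens its own key store from its own solr.in.sh.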