Solr with SSL

To set up SSL with Solr you need the following:

  • A server certificate for the Solr host: either one issued by a private (corporate) CA together with its chain (Option 1), or a self-signed one generated with keytool (Option 2)
  • A working Solr installation (the paths below assume /opt/solr-7.6.0 and the /etc/default/solr.in.sh include file created by the installer script)

Option (1) To configure SSL using certificates issued by a private CA, follow the steps below.

  1. Combine the server certificate, the intermediate certificate(s) and the root CA certificate (if any) into one chain file

cat server.crt <(echo) server-ca.crt <(echo) root-ca.crt > server-chain.crt

The order matters: the server certificate must come first, followed by the intermediate certificate(s) in signing order, with the root CA certificate last. The <(echo) parts insert a newline between the files so that a certificate whose file lacks a trailing newline does not run into the next one; this is bash process substitution, so run the command in bash.

  2. Combine the private key and the chain file just created into a PKCS12 file, which is then loaded into a new keystore. OpenSSL asks for an export password; choose one and keep it, it is needed in the next step. The key must be the one matching server.crt, otherwise OpenSSL refuses to build the file.

openssl pkcs12 -export -inkey server.key -in server-chain.crt -out server.pkcs12

  3. Import the PKCS12 file into a JSSE keystore. Keep the keystore under the "server/etc" folder of the Solr installation (here /opt/solr-7.6.0/server/etc). keytool prompts for a password for the new destination keystore and for the source keystore password, which is the export password from step 2. Both server.key and server.pkcs12 contain the private key: restrict them to the solr user (mode 600) and delete the PKCS12 file once the import has succeeded.

keytool -importkeystore -srckeystore server.pkcs12 -srcstoretype PKCS12 -destkeystore /opt/solr-7.6.0/server/etc/keystore.jks

  4. Add or modify the following properties in /etc/default/solr.in.sh. Replace the key store and trust store passwords below with the destination keystore password chosen above. Relative store paths are resolved against the Solr server directory (/opt/solr-7.6.0/server), so etc/keystore.jks points at the file imported in step 3. The file now holds the password in clear text, so make it readable only by the solr user.

# Enables HTTPS. It is implicitly true if you set SOLR_SSL_KEY_STORE. Use this config
# to enable https module with custom jetty configuration.
SOLR_SSL_ENABLED=true
# Be sure to update the paths to the correct keystore for your environment
SOLR_SSL_KEY_STORE=etc/keystore.jks
SOLR_SSL_KEY_STORE_PASSWORD=secret
SOLR_SSL_TRUST_STORE=etc/keystore.jks
SOLR_SSL_TRUST_STORE_PASSWORD=secret
# Require clients to authenticate
SOLR_SSL_NEED_CLIENT_AUTH=false
# Enable clients to authenticate (but not require)
SOLR_SSL_WANT_CLIENT_AUTH=false
# SSL Certificates contain host/ip "peer name" information that is validated by default. Setting
# this to false can be useful to disable these checks when re-using a certificate on many hosts
SOLR_SSL_CHECK_PEER_NAME=true
# Override Key/Trust Store types if necessary
SOLR_SSL_KEY_STORE_TYPE=JKS
SOLR_SSL_TRUST_STORE_TYPE=JKS

  5. Restart Solr. Once SSL is enabled Jetty serves HTTPS on the Solr port (8983 by default) and no longer answers plain HTTP, so check the admin UI over https://.

service solr restart

Option (2) To configure SSL using a self-signed certificate, follow the steps below.

  1. Create a keystore holding a self-signed certificate. Replace <private-ip> in the -ext parameter with the private IP of the machine running Solr (example: IP:192.168.1.2); the SAN list must contain every host name and address clients will connect to, because SOLR_SSL_CHECK_PEER_NAME=true makes peers validate it. Enter a keystore password and a key password when prompted and use the same value for both, since Solr's Jetty SSL configuration only passes the keystore password through. A validity of 9999 days is far longer than a certificate should normally live; pick a period that matches your rotation policy.

keytool -genkeypair -alias solr-ssl -keyalg RSA -keysize 2048 -validity 9999 -keystore /opt/solr-7.6.0/server/etc/solr-ssl.keystore.jks -ext SAN=DNS:localhost,IP:<private-ip>,IP:127.0.0.1 -dname "CN=localhost, OU=Organizational Unit, O=Organization, L=Location, ST=State, C=Country"

  2. Add or modify the following properties in /etc/default/solr.in.sh. Replace the key store and trust store passwords below with the keystore password chosen above. Relative store paths are resolved against the Solr server directory (/opt/solr-7.6.0/server), so etc/solr-ssl.keystore.jks points at the file created in step 1. The file now holds the password in clear text, so make it readable only by the solr user.

# Enables HTTPS. It is implicitly true if you set SOLR_SSL_KEY_STORE. Use this config
# to enable https module with custom jetty configuration.
SOLR_SSL_ENABLED=true
# Be sure to update the paths to the correct keystore for your environment
SOLR_SSL_KEY_STORE=etc/solr-ssl.keystore.jks
SOLR_SSL_KEY_STORE_PASSWORD=secret
SOLR_SSL_TRUST_STORE=etc/solr-ssl.keystore.jks
SOLR_SSL_TRUST_STORE_PASSWORD=secret
# Require clients to authenticate
SOLR_SSL_NEED_CLIENT_AUTH=false
# Enable clients to authenticate (but not require)
SOLR_SSL_WANT_CLIENT_AUTH=false
# SSL Certificates contain host/ip "peer name" information that is validated by default. Setting
# this to false can be useful to disable these checks when re-using a certificate on many hosts
SOLR_SSL_CHECK_PEER_NAME=true
# Override Key/Trust Store types if necessary
SOLR_SSL_KEY_STORE_TYPE=JKS
SOLR_SSL_TRUST_STORE_TYPE=JKS

  3. Restart Solr. Once SSL is enabled Jetty serves HTTPS on the Solr port (8983 by default) and no longer answers plain HTTP, so check the admin UI over https://.

service solr restart
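The following script is an added example, not part of the original page and not code from the Solr project. It walks both procedures above end to end against a throwaway demo PKI that it generates itself, so it runs offline: for Option (1) it issues a root CA, an intermediate and a server certificate, builds the chain in the required order, checks that order (a check the page only states in prose), verifies the chain, and packages key and chain as PKCS12; when a JDK is on the PATH it also imports that PKCS12 into a JKS and, for Option (2), creates the self-signed keystore and confirms the SAN made it into the certificate. The helper names (issue, build_chain, check_chain_order, p12_cert_count), the "changeit" password, the CA names, the 30-day validity and the temporary working directory are all this example's own assumptions; build_chain is a POSIX-shell stand-in for the page's cat ... <(echo) ... construct.

```shell
#!/bin/sh
# Added example (not from the page or the Solr project): build and check the
# certificate chain from Option (1), package it as PKCS12 and, if a JDK is
# present, import it into a JKS and create the self-signed keystore from
# Option (2). Everything runs against a throwaway demo PKI generated here.
# Assumptions: the "changeit" demo password, 30-day validity, the demo CA names
# and the helper names issue/build_chain/check_chain_order/p12_cert_count.
set -eu
umask 077                        # private keys, PKCS12 and keystores are created 0600

WORK=$(mktemp -d)
cd "$WORK"
PASS=changeit                    # demo only; in production read it from a secret store

# Minimal req config so the demo does not depend on the system openssl.cnf.
req_cnf() { printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nCN = %s\n' "$1"; }

# issue NAME CN EXTFILE [ISSUER]: RSA-2048 key + CSR, signed by ISSUER or self-signed.
issue() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1.key" 2>/dev/null
  req_cnf "$2" > "$1.cnf"
  openssl req -new -config "$1.cnf" -key "$1.key" -out "$1.csr"
  if [ $# -ge 4 ]; then
    openssl x509 -req -in "$1.csr" -CA "$4.crt" -CAkey "$4.key" -CAcreateserial \
      -days 30 -extfile "$3" -out "$1.crt" 2>/dev/null
  else
    openssl x509 -req -in "$1.csr" -signkey "$1.key" -days 30 -extfile "$3" -out "$1.crt" 2>/dev/null
  fi
}

# Concatenate PEM files with a newline after each one (POSIX equivalent of the
# page's "cat a <(echo) b <(echo) c"). Pass them leaf first, root last.
build_chain() { for f in "$@"; do cat "$f"; echo; done; }

# Return 0 when each certificate in the bundle is issued by the next one
# (server, intermediate(s), root), 1 when the order is wrong.
check_chain_order() {
  d=$(mktemp -d)
  n=$(awk -v dir="$d" '/-----BEGIN CERTIFICATE-----/ { n++; f = dir "/" n ".pem" }
                       n > 0 { print > f }  END { print n + 0 }' "$1")
  i=1; rc=0
  while [ "$i" -lt "$n" ]; do
    issuer=$(openssl x509 -in "$d/$i.pem" -noout -issuer);   issuer=${issuer#issuer=}
    i=$((i + 1))
    subject=$(openssl x509 -in "$d/$i.pem" -noout -subject); subject=${subject#subject=}
    [ "$issuer" = "$subject" ] || { rc=1; break; }
  done
  rm -rf "$d"
  return $rc
}

# Count the certificates stored in a PKCS12 file: Jetty needs the full chain.
p12_cert_count() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

# --- Option (1): demo root CA -> intermediate -> server cert, chain, PKCS12 ----
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:localhost,IP:127.0.0.1\n' > server.ext
issue root-ca   'Demo Root CA'         ca.ext
issue server-ca 'Demo Intermediate CA' ca.ext     root-ca
issue server    'localhost'            server.ext server-ca

build_chain server.crt server-ca.crt root-ca.crt > server-chain.crt
check_chain_order server-chain.crt                                       # non-zero exit if misordered
openssl verify -CAfile root-ca.crt -untrusted server-ca.crt server.crt   # prints "server.crt: OK"
openssl pkcs12 -export -inkey server.key -in server-chain.crt -out server.pkcs12 -passout "pass:$PASS"
echo "certificates in server.pkcs12: $(p12_cert_count server.pkcs12 "$PASS")"   # 3

if command -v keytool >/dev/null 2>&1; then
  keytool -importkeystore -srckeystore server.pkcs12 -srcstoretype PKCS12 -srcstorepass "$PASS" \
    -destkeystore keystore.jks -deststoretype JKS -deststorepass "$PASS" -noprompt
  # --- Option (2): self-signed keystore with a SAN, then confirm the SAN is in the cert
  keytool -genkeypair -alias solr-ssl -keyalg RSA -keysize 2048 -validity 30 \
    -keystore solr-ssl.keystore.jks -storetype JKS -storepass "$PASS" -keypass "$PASS" \
    -ext SAN=DNS:localhost,IP:127.0.0.1 -dname "CN=localhost, O=Demo"
  keytool -exportcert -alias solr-ssl -keystore solr-ssl.keystore.jks -storepass "$PASS" \
    -rfc -file solr-ssl.pem
  openssl x509 -in solr-ssl.pem -noout -text | grep 'DNS:localhost'     # fails if the SAN is missing
else
  echo "keytool not found: skipping the JKS import and the self-signed keystore" >&2
fi
echo "demo artifacts are in $WORK"
```

Run it with sh; it needs openssl, and keytool only for the JKS parts. To use it for a real deployment, replace the three issue calls with your CA's server.key, server.crt, server-ca.crt and root-ca.crt, keep the umask so the key material stays 0600, and delete server.pkcs12 after the import since the JKS then holds the key. check_chain_order catches the most common mistake in step 1 of Option (1): a bundle whose certificates are in the wrong order still concatenates without error, but openssl verify and Jetty will not accept it as a chain.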