This is an automated email from the ASF dual-hosted git repository.

epugh pushed a commit to branch branch_10x
in repository https://gitbox.apache.org/repos/asf/solr.git


The following commit(s) were added to refs/heads/branch_10x by this push:
     new fef18289867 SOLR-17864: Solr keystore property renames (#3845)
fef18289867 is described below

commit fef1828986779d36bc0a38d31be8f458824572ad
Author: Eric Pugh <[email protected]>
AuthorDate: Mon Nov 10 20:45:41 2025 -0500

    SOLR-17864: Solr keystore property renames (#3845)
    
    * Solr keystore property renames
    
    solr.keyStoreReload.enabled -> solr.keystore.reload.enabled
    solr.jetty.sslContext.reload.scanInterval --> 
solr.jetty.ssl.context.reload.scan.interval.secs
---
 solr/bin/solr                                                |  8 ++++----
 solr/bin/solr.cmd                                            |  8 ++++----
 solr/packaging/test/test_ssl.bats                            |  6 +++---
 solr/server/etc/jetty-ssl-context-reload.xml                 |  2 +-
 solr/server/etc/jetty-ssl.xml                                | 12 ++++++------
 .../modules/deployment-guide/pages/enabling-ssl.adoc         |  4 ++--
 .../org/apache/solr/client/solrj/impl/Http2SolrClient.java   |  7 +++++--
 .../org/apache/solr/client/solrj/impl/SolrHttpConstants.java |  2 +-
 .../apache/solr/client/solrj/impl/Http2SolrClientTest.java   |  8 ++++----
 9 files changed, 30 insertions(+), 27 deletions(-)

diff --git a/solr/bin/solr b/solr/bin/solr
index bc2d475e6d2..4d4b4d70bf2 100755
--- a/solr/bin/solr
+++ b/solr/bin/solr
@@ -213,7 +213,7 @@ if [ "$SOLR_SSL_ENABLED" == "true" ]; then
   SOLR_JETTY_CONFIG+=("--module=https" 
"--lib=$DEFAULT_SERVER_DIR/solr-webapp/webapp/WEB-INF/lib/*")
   if [ "${SOLR_SSL_RELOAD_ENABLED:-true}" == "true" ]; then
     SOLR_JETTY_CONFIG+=("--module=ssl-reload")
-    SOLR_SSL_OPTS+=" -Dsolr.keyStoreReload.enabled=true"
+    SOLR_SSL_OPTS+=" -Dsolr.keystore.reload.enabled=true"
   fi
   SOLR_URL_SCHEME=https
   if [ -n "$SOLR_SSL_KEY_STORE" ]; then
@@ -245,10 +245,10 @@ if [ "$SOLR_SSL_ENABLED" == "true" ]; then
   fi
 
   if [ -n "$SOLR_SSL_NEED_CLIENT_AUTH" ]; then
-    SOLR_SSL_OPTS+=" 
-Dsolr.jetty.ssl.needClientAuth=$SOLR_SSL_NEED_CLIENT_AUTH"
+    SOLR_SSL_OPTS+=" 
-Dsolr.jetty.ssl.need.client.auth.enabled=$SOLR_SSL_NEED_CLIENT_AUTH"
   fi
   if [ -n "$SOLR_SSL_WANT_CLIENT_AUTH" ]; then
-    SOLR_SSL_OPTS+=" 
-Dsolr.jetty.ssl.wantClientAuth=$SOLR_SSL_WANT_CLIENT_AUTH"
+    SOLR_SSL_OPTS+=" 
-Dsolr.jetty.ssl.want.client.auth.enabled=$SOLR_SSL_WANT_CLIENT_AUTH"
   fi
 
   if [ -n "$SOLR_SSL_CLIENT_KEY_STORE" ]; then
@@ -274,7 +274,7 @@ if [ "$SOLR_SSL_ENABLED" == "true" ]; then
   fi
 
   if [ -n "$SOLR_SSL_CHECK_PEER_NAME" ]; then
-    SOLR_SSL_OPTS+=" -Dsolr.ssl.checkPeerName=$SOLR_SSL_CHECK_PEER_NAME 
-Dsolr.jetty.ssl.sniHostCheck=$SOLR_SSL_CHECK_PEER_NAME"
+    SOLR_SSL_OPTS+=" 
-Dsolr.ssl.check.peer.name.enabled=$SOLR_SSL_CHECK_PEER_NAME 
-Dsolr.jetty.ssl.sni.host.check.enabled=$SOLR_SSL_CHECK_PEER_NAME"
   fi
 
   if [ -n "$SOLR_SSL_CLIENT_TRUST_STORE" ]; then
diff --git a/solr/bin/solr.cmd b/solr/bin/solr.cmd
index 76bcab0ba83..47296a8dbd0 100755
--- a/solr/bin/solr.cmd
+++ b/solr/bin/solr.cmd
@@ -103,7 +103,7 @@ IF "%SOLR_SSL_ENABLED%"=="true" (
   set SOLR_URL_SCHEME=https
   IF "%SOLR_SSL_RELOAD_ENABLED%"=="true" (
     set "SOLR_JETTY_CONFIG=!SOLR_JETTY_CONFIG! --module=ssl-reload"
-    set "SOLR_SSL_OPTS=!SOLR_SSL_OPTS! -Dsolr.keyStoreReload.enabled=true"
+    set "SOLR_SSL_OPTS=!SOLR_SSL_OPTS! -Dsolr.keystore.reload.enabled=true"
   )
   IF DEFINED SOLR_SSL_KEY_STORE (
     set "SOLR_SSL_OPTS=!SOLR_SSL_OPTS! 
-Dsolr.jetty.keystore=%SOLR_SSL_KEY_STORE%"
@@ -133,10 +133,10 @@ IF "%SOLR_SSL_ENABLED%"=="true" (
   )
 
   IF DEFINED SOLR_SSL_NEED_CLIENT_AUTH (
-    set "SOLR_SSL_OPTS=!SOLR_SSL_OPTS! 
-Dsolr.jetty.ssl.needClientAuth=%SOLR_SSL_NEED_CLIENT_AUTH%"
+    set "SOLR_SSL_OPTS=!SOLR_SSL_OPTS! 
-Dsolr.jetty.ssl.need.client.auth.enabled=%SOLR_SSL_NEED_CLIENT_AUTH%"
   )
   IF DEFINED SOLR_SSL_WANT_CLIENT_AUTH (
-    set "SOLR_SSL_OPTS=!SOLR_SSL_OPTS! 
-Dsolr.jetty.ssl.wantClientAuth=%SOLR_SSL_WANT_CLIENT_AUTH%"
+    set "SOLR_SSL_OPTS=!SOLR_SSL_OPTS! 
-Dsolr.jetty.ssl.want.client.auth.enabled=%SOLR_SSL_WANT_CLIENT_AUTH%"
   )
 
   IF DEFINED SOLR_SSL_CLIENT_KEY_STORE (
@@ -174,7 +174,7 @@ IF "%SOLR_SSL_ENABLED%"=="true" (
     )
   )
   IF DEFINED SOLR_SSL_CHECK_PEER_NAME (
-   set "SOLR_SSL_OPTS=!SOLR_SSL_OPTS! 
-Dsolr.ssl.checkPeerName=%SOLR_SSL_CHECK_PEER_NAME% 
-Dsolr.jetty.ssl.sniHostCheck=%SOLR_SSL_CHECK_PEER_NAME%"
+   set "SOLR_SSL_OPTS=!SOLR_SSL_OPTS! 
-Dsolr.ssl.check.peer.name.enabled=%SOLR_SSL_CHECK_PEER_NAME% 
-Dsolr.jetty.ssl.sni.host.check.enabled=%SOLR_SSL_CHECK_PEER_NAME%"
   )
 ) ELSE (
   set SOLR_SSL_OPTS=
diff --git a/solr/packaging/test/test_ssl.bats 
b/solr/packaging/test/test_ssl.bats
index 25615a6fd03..3115b7b619a 100644
--- a/solr/packaging/test/test_ssl.bats
+++ b/solr/packaging/test/test_ssl.bats
@@ -118,7 +118,7 @@ teardown() {
 
   # Restart the server enabling the SNI hostcheck
   export SOLR_SSL_CHECK_PEER_NAME=false
-  export SOLR_OPTS="${SOLR_OPTS} -Dsolr.jetty.ssl.sniHostCheck=true"
+  export SOLR_OPTS="${SOLR_OPTS} -Dsolr.jetty.ssl.sni.host.check.enabled=true"
   solr restart
   # This should fail the SNI Hostname check
   run ! solr api --verbose --solr-url 
"https://localhost:${SOLR_PORT}/solr/admin/collections?action=CLUSTERSTATUS";
@@ -526,14 +526,14 @@ teardown() {
   # server1 will run on $SOLR_PORT and will use server1.keystore
   export SOLR_SSL_KEY_STORE=$ssl_dir/server1.keystore.p12
   export SOLR_SSL_TRUST_STORE=$ssl_dir/server1.keystore.p12
-  solr start --jvm-opts "-Dsolr.jetty.sslContext.reload.scanInterval=1 
-DsocketTimeout=5000"
+  solr start --jvm-opts "-Dsolr.jetty.ssl.context.reload.scan.interval.secs=1 
-DsocketTimeout=5000"
   solr assert --started https://localhost:${SOLR_PORT} --timeout 5000
 
   # server2 will run on $SOLR2_PORT and will use server2.keystore. Initially, 
this is the same as server1.keystore
   export SOLR_SSL_KEY_STORE=$ssl_dir/server2.keystore.p12
   export SOLR_SSL_TRUST_STORE=$ssl_dir/server2.keystore.p12
   
-  solr start -z localhost:${ZK_PORT} -p ${SOLR2_PORT} --jvm-opts 
"-Dsolr.jetty.sslContext.reload.scanInterval=1 -DsocketTimeout=5000"
+  solr start -z localhost:${ZK_PORT} -p ${SOLR2_PORT} --jvm-opts 
"-Dsolr.jetty.ssl.context.reload.scan.interval.secs=1 -DsocketTimeout=5000"
   solr assert --started https://localhost:${SOLR2_PORT} --timeout 5000
 
   # "test" collection is two shards, meaning there must be communication 
between shards for queries (handled by http shard handler factory)
diff --git a/solr/server/etc/jetty-ssl-context-reload.xml 
b/solr/server/etc/jetty-ssl-context-reload.xml
index 827d80c3529..d3084fbac54 100644
--- a/solr/server/etc/jetty-ssl-context-reload.xml
+++ b/solr/server/etc/jetty-ssl-context-reload.xml
@@ -6,7 +6,7 @@
         <Arg>
             <New id="keyStoreScanner" 
class="org.eclipse.jetty.util.ssl.KeyStoreScanner">
                 <Arg><Ref refid="sslContextFactory"/></Arg>
-                <Set name="scanInterval"><Property 
name="solr.jetty.sslContext.reload.scanInterval" default="30"/></Set>
+                <Set name="scanInterval"><Property 
name="solr.jetty.ssl.context.reload.scan.interval.secs" default="30"/></Set>
             </New>
         </Arg>
     </Call>
diff --git a/solr/server/etc/jetty-ssl.xml b/solr/server/etc/jetty-ssl.xml
index 240cf302127..2762b8e7567 100644
--- a/solr/server/etc/jetty-ssl.xml
+++ b/solr/server/etc/jetty-ssl.xml
@@ -19,8 +19,8 @@
   <Set name="KeyStorePassword"><Ref refid="keyStorePassword"/></Set>
   <Set name="TrustStorePath"><Property name="solr.jetty.truststore" 
default="./etc/solr-ssl.keystore.jks"/></Set>
   <Set name="TrustStorePassword"><Ref refid="trustStorePassword"/></Set>
-  <Set name="NeedClientAuth"><Property name="solr.jetty.ssl.needClientAuth" 
default="false"/></Set>
-  <Set name="WantClientAuth"><Property name="solr.jetty.ssl.wantClientAuth" 
default="false"/></Set>
+  <Set name="NeedClientAuth"><Property 
name="solr.jetty.ssl.need.client.auth.enabled" default="false"/></Set>
+  <Set name="WantClientAuth"><Property 
name="solr.jetty.ssl.want.client.auth.enabled" default="false"/></Set>
   <Set name="KeyStoreType"><Property name="solr.jetty.keystore.type" 
default="PKCS12"/></Set>
   <Set name="TrustStoreType"><Property name="solr.jetty.truststore.type" 
default="PKCS12"/></Set>
   <Set name="EndpointIdentificationAlgorithm"><Property 
name="solr.jetty.ssl.verifyClientHostName"/></Set>
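Review bot: `NeedClientAuth` and `WantClientAuth` now read only the new property names with `default="false"`, so a deployment that still passes `-Dsolr.jetty.ssl.needClientAuth=true` directly (rather than through `SOLR_SSL_NEED_CLIENT_AUTH`) would come up after upgrade without client-certificate enforcement and with no error, unless a legacy-name mapping exists outside this diff. Jetty's `<Property>` element accepts a `deprecated` attribute for this case, e.g. `<Property name="solr.jetty.ssl.need.client.auth.enabled" deprecated="solr.jetty.ssl.needClientAuth" default="false"/>`, which keeps the old name honoured while flagging it as deprecated. The same applies to the second hunk of this file (`sniRequired`, `stsMaxAgeSeconds`, `stsIncludeSubdomains`, where an old SNI or HSTS setting would silently fall back to its default) and to `scanInterval` in jetty-ssl-context-reload.xml.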
@@ -42,10 +42,10 @@
     <Call name="addCustomizer">
       <Arg>
         <New class="org.eclipse.jetty.server.SecureRequestCustomizer">
-          <Arg name="sniRequired" type="boolean"><Property 
name="solr.jetty.ssl.sniRequired" default="false"/></Arg>
-          <Arg name="sniHostCheck" type="boolean"><Property 
name="solr.jetty.ssl.sniHostCheck" default="true"/></Arg>
-          <Arg name="stsMaxAgeSeconds" type="int"><Property 
name="solr.jetty.ssl.stsMaxAgeSeconds" default="-1"/></Arg>
-          <Arg name="stsIncludeSubdomains" type="boolean"><Property 
name="solr.jetty.ssl.stsIncludeSubdomains" default="false"/></Arg>
+          <Arg name="sniRequired" type="boolean"><Property 
name="solr.jetty.ssl.sni.required.enabled" default="false"/></Arg>
+          <Arg name="sniHostCheck" type="boolean"><Property 
name="solr.jetty.ssl.sni.host.check.enabled" default="true"/></Arg>
+          <Arg name="stsMaxAgeSeconds" type="int"><Property 
name="solr.jetty.ssl.sts.max.age.secs" default="-1"/></Arg>
+          <Arg name="stsIncludeSubdomains" type="boolean"><Property 
name="solr.jetty.ssl.sts.include.subdomains.enabled" default="false"/></Arg>
         </New>
       </Arg>
     </Call>
diff --git 
a/solr/solr-ref-guide/modules/deployment-guide/pages/enabling-ssl.adoc 
b/solr/solr-ref-guide/modules/deployment-guide/pages/enabling-ssl.adoc
index 5d49dd99fde..dc7c2341ab2 100644
--- a/solr/solr-ref-guide/modules/deployment-guide/pages/enabling-ssl.adoc
+++ b/solr/solr-ref-guide/modules/deployment-guide/pages/enabling-ssl.adoc
@@ -194,7 +194,7 @@ NOTE: If you have defined `ZK_HOST` in 
`solr.in.sh`/`solr.in.cmd` (see xref:zook
 Start each Solr node with the Solr control script as shown in the examples 
below.
 Customize the values for the parameters shown as necessary and add any used in 
your system.
 
-If you created the SSL key without all DNS names or IP addresses on which Solr 
nodes run, you can tell Solr to skip hostname verification for inter-node 
communications by setting the `-Dsolr.ssl.checkPeerName=false` system property.
+If you created the SSL key without all DNS names or IP addresses on which Solr 
nodes run, you can tell Solr to skip hostname verification for inter-node 
communications by setting the `-Dsolr.ssl.check.peer.name.enabled=false` system 
property.
 
 [tabs#cloud]
 ======
@@ -249,7 +249,7 @@ C:\> bin\solr.cmd -p 8984
 Solr can automatically reload KeyStore/TrustStore when certificates are 
updated without restarting. This is enabled by default
 when using SSL, but can be disabled by setting the environment variable 
`SOLR_SSL_RELOAD_ENABLED` to `false`. By
 default, Solr will check for updates in the KeyStore every 30 seconds, but 
this interval can be updated by passing the
-system property `solr.jetty.sslContext.reload.scanInterval` with the new 
interval in seconds on startup.
+system property `solr.jetty.ssl.context.reload.scan.interval.secs` with the 
new interval in seconds on startup.
 Note that the truststore file is not actively monitored, so if you need to 
apply changes to the truststore, you need
 to update it and after that touch the keystore to trigger a reload.
 
diff --git 
a/solr/solrj/src/java/org/apache/solr/client/solrj/impl/Http2SolrClient.java 
b/solr/solrj/src/java/org/apache/solr/client/solrj/impl/Http2SolrClient.java
index 6f7d14c702e..dab3e979517 100644
--- a/solr/solrj/src/java/org/apache/solr/client/solrj/impl/Http2SolrClient.java
+++ b/solr/solrj/src/java/org/apache/solr/client/solrj/impl/Http2SolrClient.java
@@ -55,6 +55,7 @@ import org.apache.solr.common.params.ModifiableSolrParams;
 import org.apache.solr.common.params.SolrParams;
 import org.apache.solr.common.params.UpdateParams;
 import org.apache.solr.common.util.ContentStream;
+import org.apache.solr.common.util.EnvUtils;
 import org.apache.solr.common.util.ExecutorUtil;
 import org.apache.solr.common.util.NamedList;
 import org.apache.solr.common.util.ObjectReleaseTracker;
@@ -238,8 +239,10 @@ public class Http2SolrClient extends HttpSolrClientBase {
             : sslConfig.createClientContextFactory();
 
     Long keyStoreReloadIntervalSecs = builder.keyStoreReloadIntervalSecs;
-    if (keyStoreReloadIntervalSecs == null && 
Boolean.getBoolean("solr.keyStoreReload.enabled")) {
-      keyStoreReloadIntervalSecs = 
Long.getLong("solr.jetty.sslContext.reload.scanInterval", 30);
+    if (keyStoreReloadIntervalSecs == null
+        && EnvUtils.getPropertyAsBool("solr.keystore.reload.enabled", false)) {
+      keyStoreReloadIntervalSecs =
+          
EnvUtils.getPropertyAsLong("solr.jetty.ssl.context.reload.scan.interval.secs", 
30l);
     }
     if (sslContextFactory != null
         && sslContextFactory.getKeyStoreResource() != null
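Review bot: The client now looks up only `solr.keystore.reload.enabled`, so a SolrJ application that still sets `-Dsolr.keyStoreReload.enabled=true` itself would stop picking up rotated keystores and keep presenting the old certificate, unless `EnvUtils` maps the legacy name somewhere not shown in this diff. A one-line comment above the condition naming the replaced properties, or an explicit fallback to them, would make the break visible to integrators. Separately, the literal `30l` is easy to misread as 301 and should be written `30L`. The enclosing method starts and ends outside the hunk.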
diff --git 
a/solr/solrj/src/java/org/apache/solr/client/solrj/impl/SolrHttpConstants.java 
b/solr/solrj/src/java/org/apache/solr/client/solrj/impl/SolrHttpConstants.java
index 8c207364594..bc2bbaf9712 100644
--- 
a/solr/solrj/src/java/org/apache/solr/client/solrj/impl/SolrHttpConstants.java
+++ 
b/solr/solrj/src/java/org/apache/solr/client/solrj/impl/SolrHttpConstants.java
@@ -52,7 +52,7 @@ public interface SolrHttpConstants {
    * System property consulted to determine if HTTP based SolrClients will 
require hostname
    * validation of SSL Certificates. The default behavior is to enforce peer 
name validation.
    */
-  String SYS_PROP_CHECK_PEER_NAME = "solr.ssl.checkPeerName";
+  String SYS_PROP_CHECK_PEER_NAME = "solr.ssl.check.peer.name.enabled";
 
   /** Basic auth username */
   String PROP_BASIC_AUTH_USER = "httpBasicAuthUser";
diff --git 
a/solr/solrj/src/test/org/apache/solr/client/solrj/impl/Http2SolrClientTest.java
 
b/solr/solrj/src/test/org/apache/solr/client/solrj/impl/Http2SolrClientTest.java
index c66bd436985..92d089f5ad2 100644
--- 
a/solr/solrj/src/test/org/apache/solr/client/solrj/impl/Http2SolrClientTest.java
+++ 
b/solr/solrj/src/test/org/apache/solr/client/solrj/impl/Http2SolrClientTest.java
@@ -440,25 +440,25 @@ public class Http2SolrClientTest extends 
HttpSolrClientTestBase {
     System.clearProperty("javax.net.ssl.keyStoreType");
     System.clearProperty("javax.net.ssl.trustStoreType");
 
-    System.setProperty("solr.ssl.checkPeerName", "true");
+    System.setProperty("solr.ssl.check.peer.name.enabled", "true");
     System.setProperty("javax.net.ssl.keyStoreType", "foo");
     System.setProperty("javax.net.ssl.trustStoreType", "bar");
     SslContextFactory.Client sslContextFactory2 = 
Http2SolrClient.getDefaultSslContextFactory();
     assertEquals("HTTPS", 
sslContextFactory2.getEndpointIdentificationAlgorithm());
     assertEquals("foo", sslContextFactory2.getKeyStoreType());
     assertEquals("bar", sslContextFactory2.getTrustStoreType());
-    System.clearProperty("solr.ssl.checkPeerName");
+    System.clearProperty("solr.ssl.check.peer.name.enabled");
     System.clearProperty("javax.net.ssl.keyStoreType");
     System.clearProperty("javax.net.ssl.trustStoreType");
 
-    System.setProperty("solr.ssl.checkPeerName", "false");
+    System.setProperty("solr.ssl.check.peer.name.enabled", "false");
     System.setProperty("javax.net.ssl.keyStoreType", "foo");
     System.setProperty("javax.net.ssl.trustStoreType", "bar");
     SslContextFactory.Client sslContextFactory3 = 
Http2SolrClient.getDefaultSslContextFactory();
     assertNull(sslContextFactory3.getEndpointIdentificationAlgorithm());
     assertEquals("foo", sslContextFactory3.getKeyStoreType());
     assertEquals("bar", sslContextFactory3.getTrustStoreType());
-    System.clearProperty("solr.ssl.checkPeerName");
+    System.clearProperty("solr.ssl.check.peer.name.enabled");
     System.clearProperty("javax.net.ssl.keyStoreType");
     System.clearProperty("javax.net.ssl.trustStoreType");
   }
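Review bot: The test spells out the literal `"solr.ssl.check.peer.name.enabled"` four times although this same commit changes `SolrHttpConstants.SYS_PROP_CHECK_PEER_NAME` to that value; using the constant, e.g. `System.setProperty(SolrHttpConstants.SYS_PROP_CHECK_PEER_NAME, "false");`, would keep the test tied to the name the client actually reads on the next rename. The set/clear pairs are also not wrapped in `try`/`finally`, so a failing assertion could leave the hostname-verification override set for later tests in the same JVM, unless the test base class restores system properties. The test method begins outside the hunk.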
