[jira] [Updated] (SOLR-12953) Support for TLS/SSL key alias configuration

Wed, 07 Nov 2018 01:04:25 -0800 


     [ 
https://issues.apache.org/jira/browse/SOLR-12953?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Bram Van Dam updated SOLR-12953:
--------------------------------
    Fix Version/s: 7.6

> Support for TLS/SSL key alias configuration
> -------------------------------------------
>
>                 Key: SOLR-12953
>                 URL: https://issues.apache.org/jira/browse/SOLR-12953
>             Project: Solr
>          Issue Type: Improvement
>      Security Level: Public(Default Security Level. Issues are Public) 
>    Affects Versions: 7.5
>            Reporter: Bram Van Dam
>            Priority: Major
>              Labels: patch
>             Fix For: 7.5.1, 7.6
>
>         Attachments: SOLR-12953.patch, SOLR-12953.patch
>
>
> As discussed on the mailing list:
> *Context:*
> There's a jetty-ssl.xml config file which configures Jetty's 
> SslContextFactory using properties set in solr.in.sh, but it's incomplete for 
> some purposes.
> *Problem:*
> I've noticed that no "certAlias" property is present. This means that when 
> Jetty starts, it will pick an arbitrary (based on some internal order, 
> apparently the newest?) key from the keystore to use. This is fine when 
> you're only using your keystore for Solr and it only contains one key, but it 
> makes life a lot more complicated in environments where keystores are managed 
> and distributed to servers automagically.
> When you add a key to the keystore, you can assign an alias. Jetty can then 
> use the key with that alias by means of its certAlias config property.
> The Solr documentation [1] confusingly assigns the alias "solr-ssl" to the 
> key, but as far as I can tell this alias isn't actually used or referenced 
> anywhere else. 
> *Solution:*
> I'm currently dealing with a slightly more complicated TLS setup, so I'm 
> attaching a patch which adds an extra config property in order to 
> (optionally) specify the key alias. When the option is omitted, the old 
> behaviour remains unchanged. Patch modifies the configuration and includes 
> updates to the enabling-ssl documentation.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@lucene.apache.org
For additional commands, e-mail: dev-h...@lucene.apache.org

Reply via email to