Hi,

Thanks for your proposal. I think it warrants a new JIRA issue as a feature 
request.
Patches to both code and documentation are highly welcome!

--
Jan Høydahl, search solution architect
Cominvent AS - www.cominvent.com

> On 5 Apr 2019, at 10:53, Herbert Hackelsberger <h...@technodat.at> wrote:
> 
> Hi,
> 
> I managed to get Windows-MY (SSL Personal Store) and Windows-ROOT (Root CA 
> Store) with Solr 8.0.0 to work.
> How?
> 
> I enabled the following in solr.in.cmd:
> 
> set SOLR_SSL_CHECK_PEER_NAME=true
> set SOLR_SSL_ENABLED=true
> set SOLR_SSL_KEY_STORE=NONE
> set SOLR_SSL_KEY_STORE_PASSWORD=<snip>
> set SOLR_SSL_TRUST_STORE=NONE
> set SOLR_SSL_TRUST_STORE_PASSWORD=<snip>
> set SOLR_SSL_NEED_CLIENT_AUTH=true
> set SOLR_SSL_WANT_CLIENT_AUTH=false
> set SOLR_SSL_KEY_STORE_TYPE=Windows-MY
> set SOLR_SSL_TRUST_STORE_TYPE=Windows-ROOT
> 
> I also edited solr.cmd in the following way:
> set "SOLR_SSL_OPTS= -Djavax.net.ssl.keyStoreProvider=SunMSCAPI 
> -Djavax.net.ssl.trustStoreProvider=SunMSCAPI"
> 
> But there is one problem:
> The Microsoft Key Store is not a file based Keystore.
> 
> What happens:
> SOLR logs a missing KEYSTORE File "NONE"
> 
> The official documentation at
> https://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/JSSERefGuide.html
> tells me:
> 
> * javax.net.ssl.keyStore system property.
> Note that the value NONE may be specified. This setting is appropriate if the 
> keystore is not file-based (for example, it resides in a hardware token)
> 
> The same is valid for trustStore.
> 
> So my workaround here is to place an empty PKCS#12 keystore File called 
> "NONE" in the \server directory, where start.jar resides.
> Solr 4.4 was happy with just an empty 0 byte NONE file.
> 
> It seems to me, that currently only file based key stores are working without 
> manual workarounds.
> A proper solution would be very nice for others so it can be easily configured.
> 
> When I specify null, Solr requires the keystore file to be called null.
> And if no password is specified at all, you won't get it to work.
> 
> The Solr Reference Guide also lacks information here.
> 
> 
> The solution would be in the code to specify null when loading the keystore 
> file, and password also null.
> I found that while searching:
> 
> https://stackoverflow.com/questions/13697934/windows-keystores-and-certificates/29534497
> 
> 
> Other software also seems to have problems with this:
> https://github.com/gradle/gradle/issues/6584
> 
> 
> It would be great to see better integration of the Windows keystore in the 
> future, as it was very difficult to analyze and find out, when you start from 
> zero.
> 
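
The approach proposed in the quoted message (pass null instead of a file when the keystore location is NONE), as an added example that is not part of the original thread and not Solr's own code. The class name and the loadStore helper are hypothetical; the SunMSCAPI provider and the Windows-MY / Windows-ROOT store types exist only on Windows JDKs.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class NonFileKeyStoreExample {

    // Hypothetical helper: follows the JSSE convention that the location
    // "NONE" means the store is not backed by a file.
    static KeyStore loadStore(String type, String provider, String location,
                              char[] password) throws Exception {
        KeyStore ks = (provider == null)
                ? KeyStore.getInstance(type)
                : KeyStore.getInstance(type, provider);
        if (location == null || "NONE".equals(location)) {
            // No stream: the provider supplies the entries itself.
            ks.load(null, password);
        } else {
            try (InputStream in = Files.newInputStream(Paths.get(location))) {
                ks.load(in, password);
            }
        }
        return ks;
    }

    public static void main(String[] args) throws Exception {
        // Windows-MY holds the personal certificates, Windows-ROOT the root CAs.
        KeyStore keys = loadStore("Windows-MY", "SunMSCAPI", "NONE", null);
        KeyStore trust = loadStore("Windows-ROOT", "SunMSCAPI", "NONE", null);

        KeyManagerFactory kmf =
                KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keys, null); // private keys stay inside the Windows store
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);

        System.out.println("Key store entries: " + keys.size());
        System.out.println("Trusted roots: " + trust.size());
    }
}
```

With this loading path no placeholder file named NONE is needed on disk, and no keystore password has to be stored in solr.in.cmd for the Windows stores.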
