Hi Chris; thank you for your reply (much appreciated)! :-)

I am still having issues setting up SSL with Solr, as described below.

The following is lengthy, but should include most / all? relevant information.

==============================================================================
1. SOLR BASIC AUTHENTICATION
============================

Working. "security.json" wouldn't work however with plain-text (plainly viewed)
passwords, and the Solr docs provided no guidance on the generation of hashed 
passwords.

  https://solr.apache.org/guide/8_11/basic-authentication-plugin.html

Solutions for generating salted SHA256 password hashes can be found online, e.g.

 ** SolrPasswordHash
    https://github.com/ansgarwiechers/solrpasswordhash
    https://github.com/ansgarwiechers/solrpasswordhash/blob/master/src/SolrPasswordHash.java

 ** How does Apache Solr authenticate passwords?
    https://systemrequest.net/index.php/31/

 ** Online Solr password encryption tool for the Basic Authentication plugin
    https://github.com/clemente-biondo/clemente-biondo.github.io

I used the following (works).

----------------------------------------
GENERATE SALTED PASSWORD HASH:
------------------------------

* Per: rmalchow/solr_pw_hash.md
  https://gist.github.com/rmalchow/51f5b23c2f59c687b001bfcdbf4bad5c

[victoria]$ SALT=$(pwgen 48 -1)
[victoria]$ echo $SALT
ieXaeghaiM6jaemue9Eig0eigiez5iesh8Ohng5aireeliuT

[victoria]$ PW='<solr_auth_password>'     ## obfuscated here
[victoria]$ echo $PW
***                                       ## obfuscated here

[victoria]$ echo "hash: $(echo -n "$SALT$PW" | sha256sum -b | xxd -r -p | sha256sum -b | xxd -r -p | base64 -w 1024) $(echo -n "$SALT" | base64 -w1024)"
hash: p***= a***    ## obfuscated here

Authenticated user:pass works in Solr, available at http://localhost:8983


==============================================================================
2. SSL [https://localhost:8983]
===============================

========================================
ISSUES:
=======

* Basic authentication (non-SSL | http://localhost:8983) works fine.

* SSL authorization is failing (Solr instance appears, then immediately disappears).

The current configuration above throws the following warning during Solr startup,
despite setting the KEY STORE | TRUST STORE passwords to the <secret> password
used during "keytool -genkeypair ..." self-signed certificate creation (above).

[victoria]$ solr stop -all; sleep 4; solr start

  ...
  Caused by: java.security.UnrecoverableKeyException: failed to decrypt safe contents entry: javax.crypto.BadPaddingException: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.
    at sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:2158) ~[?:?]
  ...

----------------------------------------
LIKELY CAUSES:
--------------

 ** "solr.in.sh" / "jetty-ssl.xml" incongruity?
 ** not reading key store | trust store?
 ** PEM certificate issue?
 ** other?


========================================
PATHS (ARCH LINUX):
===================

    SOLR_HOME     : /mnt/Vancouver/apps/solr/solr-8.11.1/server/solr/
    solr.xml      : /mnt/Vancouver/apps/solr/solr-8.11.1/server/solr/solr.xml
    security.json : /mnt/Vancouver/apps/solr/solr-8.11.1/server/solr/security.json

    solr.in.sh    : /mnt/Vancouver/apps/solr/solr-8.11.1/bin/solr.in.sh

    jetty-ssl.xml : /mnt/Vancouver/apps/solr/solr-8.11.1/server/etc/jetty-ssl.xml

~/.bashrc  ## allows {solr start | solr restart | solr status | solr stop -all}
export PATH=/mnt/Vancouver/apps/solr/solr-8.11.1/bin/:$PATH


========================================
SSL KEYGEN:
===========

[victoria]$ date; pwd; ls -l

  2022-04-19 09:34:02 -0700 (PST)
  /mnt/Vancouver/apps/solr/solr-8.11.1/server/etc

  total 80K
  -rw-r--r-- 1 victoria victoria 2.0K Dec  7 17:01 jetty-gzip.xml
  -rw-r--r-- 1 victoria victoria 3.6K Dec  7 17:01 jetty-https8.xml
  -rw-r--r-- 1 victoria victoria 3.7K Dec  7 17:01 jetty-https.xml
  -rw-r--r-- 1 victoria victoria 2.7K Dec  7 17:01 jetty-http.xml
  -rw-r--r-- 1 victoria victoria 1.9K Dec  7 17:01 jetty-requestlog.xml
  -rw-r--r-- 1 victoria victoria 3.0K Apr 19 08:49 jetty-ssl.xml
  -rw-r--r-- 1 victoria victoria  12K Apr 14 09:28 jetty.xml
  -rw-r--r-- 1 victoria victoria  12K Dec  7 17:01 security.policy
  -rw-r--r-- 1 victoria victoria 1.3K Dec  7 17:01 security.properties
  -rw-r--r-- 1 victoria victoria  24K Dec  7 17:01 webdefault.xml

## The following command failed when including the "-keypass <secret> -storepass <secret>"
## arguments, hence I left them out (immediately below), and entered <secret> when prompted.

[victoria]$ keytool -genkeypair -alias solr-ssl -keyalg RSA -keysize 2048 \
    -validity 9999 -keystore solr-ssl.keystore.p12 \
    -ext SAN=DNS:localhost,IP:127.0.0.1 -dname "CN=localhost, ... <etc.>"

  Enter keystore password:    ## <secret>
    Re-enter new password:    ## <secret>

  Generating 2,048 bit RSA key pair and self-signed certificate (SHA256withRSA) 
with a validity of 9,999 days
    for: CN=localhost, ... <etc.>

[victoria]$ openssl pkcs12 -in solr-ssl.keystore.p12 -out solr-ssl.pem

            Enter Import Password:    ## <secret>      (obfuscated here)
            Enter PEM pass phrase:    ## <my_pem_pass> (obfuscated here)
Verifying - Enter PEM pass phrase:    ## <my_pem_pass> (obfuscated here)

[victoria]$ openssl pkcs12 -nokeys -in solr-ssl.keystore.p12 -out solr-ssl.cacert.pem
  Enter Import Password:    ## <secret>

## Manually edited PEM ("solr-ssl.pem" >> "solr-ssl.cert_only.pem"), leaving only:
## "-----BEGIN CERTIFICATE-----*** (obfuscated here)***-----END CERTIFICATE-----"

## The following should add the SSL certificate (only) to JAVA / JVM Trust Store?

[victoria]$ sudo keytool -import -trustcacerts -cacerts -storepass changeit -noprompt \
    -alias solr_ssl -file /mnt/Vancouver/apps/solr/solr-8.11.1/server/etc/solr-ssl-cert_only.pem
  [sudo] password for victoria:       ## <my Arch Linux root password> (obfuscated here)
  Certificate was added to keystore

[victoria]$


========================================
PEM FILES:
==========

/mnt/Vancouver/apps/solr/solr-8.11.1/server/etc/solr-ssl.pem

/mnt/Vancouver/apps/solr/solr-8.11.1/server/etc/solr-ssl-cert_only.pem

----------------------------------------
solr-ssl.pem:
-------------

  Bag Attributes
      friendlyName: solr-ssl
      localKeyID: ***
  Key Attributes: <No Attributes>
  -----BEGIN ENCRYPTED PRIVATE KEY-----
  *** (obfuscated here)
  -----END ENCRYPTED PRIVATE KEY-----
  Bag Attributes
      friendlyName: solr-ssl
      localKeyID: ***  (obfuscated here)
      ... (obfuscated here)
  -----BEGIN CERTIFICATE-----
  *** (obfuscated here)
  -----END CERTIFICATE-----


----------------------------------------
solr-ssl-cert_only.pem:
-----------------------

  -----BEGIN CERTIFICATE-----
  *** (obfuscated here)
  -----END CERTIFICATE-----


========================================
solr.in.sh (EXCERPTED):
=======================

## Since Solr paths in Arch Linux appear to differ slightly from Debian / other
##  distros, for configuration / troubleshooting I reverted to absolute paths.

SOLR_SSL_ENABLED=true

SOLR_SSL_KEY_STORE=/mnt/Vancouver/apps/solr/solr-8.11.1/server/etc/solr-ssl.keystore.p12
## relative path would be:
##   SOLR_SSL_KEY_STORE=../server/etc/solr-ssl.keystore.p12
SOLR_SSL_KEY_STORE_PASSWORD=<secret>      ## (obfuscated here)
SOLR_SSL_KEY_STORE_TYPE=PKCS12

SOLR_SSL_TRUST_STORE=/mnt/Vancouver/apps/solr/solr-8.11.1/server/etc/solr-ssl.keystore.p12
## relative path would be:
##   SOLR_SSL_TRUST_STORE=../server/etc/solr-ssl.keystore.p12
SOLR_SSL_TRUST_STORE_PASSWORD=<secret>    ## (obfuscated here)
SOLR_SSL_TRUST_STORE_TYPE=PKCS12

SOLR_AUTH_TYPE="basic"
SOLR_AUTHENTICATION_OPTS="-Dbasicauth=user:pass"
## (obfuscated here) where
##   user = my Solr admin username,
##   pass = my salted, hashed password    ## (Solr Basic Authentication)

SOLR_SSL_NEED_CLIENT_AUTH=false
SOLR_SSL_WANT_CLIENT_AUTH=false

SOLR_SSL_CLIENT_HOSTNAME_VERIFICATION=true

SOLR_SSL_CHECK_PEER_NAME=true

# ----------------------------------------------------------------------------
## Per the earlier response (Chris) to this question, although I don't have
## "client" SSL settings set up, downstream (if possible) I will want to set
## up users with access to one of either two Solr cores:
##   1. guest / demo access to Solr core with demo documents indexed
##   2. registered users with access granted to separate Solr core (all documents indexed)


========================================
jetty-ssl.xml
=============

<?xml version="1.0"?>
<!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "http://www.eclipse.org/jetty/configure_9_0.dtd">

<Configure id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory$Server">
  <Call class="org.apache.solr.util.configuration.SSLConfigurationsFactory" name="current">
    <Get name="keyStorePassword" id="keyStorePassword"/>
    <Get name="trustStorePassword" id="trustStorePassword"/>
  </Call>
  <Set name="KeyStorePath"><Property name="solr.jetty.keystore" default="./etc/solr-ssl.keystore.p12"/></Set>
  <Set name="KeyStorePassword"><Ref refid="keyStorePassword"/></Set>
  <Set name="TrustStorePath"><Property name="solr.jetty.truststore" default="./etc/solr-ssl.keystore.p12"/></Set>
  <Set name="TrustStorePassword"><Ref refid="trustStorePassword"/></Set>
  <Set name="NeedClientAuth"><Property name="solr.jetty.ssl.needClientAuth" default="false"/></Set>
  <Set name="WantClientAuth"><Property name="solr.jetty.ssl.wantClientAuth" default="false"/></Set>
  <Set name="KeyStoreType"><Property name="solr.jetty.keystore.type" default="PKCS12"/></Set>
  <Set name="TrustStoreType"><Property name="solr.jetty.truststore.type" default="PKCS12"/></Set>

  <New id="sslHttpConfig" class="org.eclipse.jetty.server.HttpConfiguration">
    <Arg><Ref refid="httpConfig"/></Arg>
    <Call name="addCustomizer">
      <Arg><New class="org.eclipse.jetty.server.SecureRequestCustomizer"/></Arg>
    </Call>
  </New>
</Configure>
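
Added Python example (not from this thread, nor Solr's own code) that re-implements the section 1 salted-hash pipeline, so a "<hash> <salt>" value for security.json can be generated and checked locally before it is deployed; the function names are mine, the salt is the one printed in section 1, and the password is a placeholder.

```python
import base64
import hashlib
import hmac
import os

# The pwgen salt shown in section 1 (ASCII text; its bytes are the salt, as in
# `echo -n "$SALT" | base64`). The password used with it below is constructed.
DEMO_SALT = b"ieXaeghaiM6jaemue9Eig0eigiez5iesh8Ohng5aireeliuT"


def solr_hash(password, salt):
    """base64(sha256(sha256(salt || password))), as the shell pipeline computes it.

    Solr's Sha256AuthenticationProvider prepends the raw salt bytes to the
    UTF-8 password, hashes twice with SHA-256 and base64-encodes the digest.
    """
    inner = hashlib.sha256(salt + password.encode("utf-8")).digest()
    outer = hashlib.sha256(inner).digest()
    return base64.b64encode(outer).decode("ascii")


def make_credential(password, salt=None):
    """Build the "<hash> <base64 salt>" string stored under "users" in security.json.

    With no salt given, 32 random bytes are drawn so every user gets a fresh salt.
    """
    if salt is None:
        salt = os.urandom(32)
    salt_b64 = base64.b64encode(salt).decode("ascii")
    return "%s %s" % (solr_hash(password, salt), salt_b64)


def parse_credential(credential):
    """Split a stored entry back into (hash, raw salt bytes)."""
    stored_hash, salt_b64 = credential.split(" ", 1)
    return stored_hash, base64.b64decode(salt_b64)


def verify_credential(password, credential):
    """Check a password against a stored entry, i.e. what Solr does on each request.

    compare_digest keeps the comparison constant-time for the two base64 strings.
    """
    stored_hash, salt = parse_credential(credential)
    return hmac.compare_digest(solr_hash(password, salt), stored_hash)


if __name__ == "__main__":
    entry = make_credential("example-password", DEMO_SALT)
    print("security.json value:", entry)
    print("verifies:", verify_credential("example-password", entry))
```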

==============================================================================
----- Original Message(s): -----
Date: 2022 Apr 18 (Mon) 12:37
From: Christopher Schultz <[email protected]>
To: [email protected], "Victoria Stuart (VictoriasJourney.com)" <[email protected]>
Subject: Re: Setting up SSL on standalone Solr 8.11.1

Victoria,

On 4/16/22 15:10, Victoria Stuart (VictoriasJourney.com) wrote:
> I am securing a standalone Solr 8.11.1 instance on Arch Linux.
> 
> The instructions at
> 
>    https://solr.apache.org/guide/8_11/enabling-ssl.html
> 
> are incomplete, in that I cannot import the certificate to the Java Trust 
> Store.
> 
>    $ solr status
>      Found 1 Solr nodes:
> 
>      Solr process 1729782 running on port 8983
> 
>      INFO  - 2022-04-16 12:01:09.124; 
> org.apache.solr.util.configuration.SSLConfigurations; \
>        Setting javax.net.ssl.keyStorePassword
> 
>      ERROR: Failed to get system information from https://localhost:8983/solr 
> due to: \
>        javax.net.ssl.SSLException: Unexpected error: 
> java.security.InvalidAlgorithmParameterException: \
>        the trustAnchors parameter must be non-empty
>    $
> 
> Can someone post the commands, and settings in
> 
>    solr.in.sh
>    solr-ssl.xml
>    solr.*.pem    ## includes private key, or only certificate?
> 
> and any other suggestions?
> 
> I am getting keytool errors of the type:
> 
>    keytool error: java.lang.Exception: Input not an X.509 certificate
> 
> ==============================================================================
>   

"solr status" does not try to import a certificate. The error message 
"trustAnchors must be non-empty" usually means that you have not 
specified a trust store.

What command are you trying to use in order to import your certificate?

What does the cert itself look like? It should start with a line like this:

-----BEGIN CERTIFICATE-----

and end with a line like this:

-----END CERTIFICATE-----

If it starts with "-----BEGIN PRIVATE KEY-----" then you are trying to 
load a key into a trust store, which isn't what you want to do.

I have the following in my //etc/default/solr.in.sh file (which is where 
config for Solr goes on my Debian-based Linux environment)

SOLR_SSL_KEY_STORE=/etc/solr/solr.p12
SOLR_SSL_KEY_STORE_PASSWORD=[password]
SOLR_SSL_KEY_STORE_TYPE=PKCS12
SOLR_SSL_TRUST_STORE=/etc/solr/solr-trusted-clients.p12
SOLR_SSL_TRUST_STORE_PASSWORD=[password]
SOLR_SSL_TRUST_STORE_TYPE=PKCS12
SOLR_SSL_NEED_CLIENT_AUTH=true

I am using mutual TLS (client certs); you may not need that last line.

For client stuff (including "solr status", I suspect), I have:

SOLR_SSL_CLIENT_KEY_STORE=/etc/solr/solr-client.p12
SOLR_SSL_CLIENT_KEY_STORE_TYPE=PKCS12
SOLR_SSL_CLIENT_KEY_STORE_PASSWORD=[password]
SOLR_SSL_CLIENT_TRUST_STORE=/etc/solr/solr-server.p12
SOLR_SSL_CLIENT_TRUST_STORE_TYPE=PKCS12
SOLR_SSL_CLIENT_TRUST_STORE_PASSWORD=[password]

The file /etc/solr/solr.p12 contains the server's key and certificate. 
It could be used as the client's trust store because only the 
certificate will be used. The key will be ignored. But instead I have 
the cert-only in /etc/solr/solr-server.p12

The file /etc/solr/solr-trusted-clients.p12 contains all certificates 
for all clients who will be contacting the Solr server.

The file /etc/solr/solr-client.p12 contains the key+cert for the client.

I hope that helps,
-chris
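
Chris's check on what the PEM file should (and should not) start with, as an added Python example that is not part of this thread: it lists the blocks in an "openssl pkcs12" export, produces the certificate-only file a trust-store import wants, and reports why a file would be refused. The sample PEM is constructed with placeholder bodies, not real key material; the function names are mine.

```python
import re

# Constructed sample in the shape "openssl pkcs12 -in ... -out ..." writes (bag
# headers, the encrypted private key, then the certificate); the bodies are
# placeholder base64, not real key material.
SAMPLE_PEM = """\
Bag Attributes
    friendlyName: solr-ssl
Key Attributes: <No Attributes>
-----BEGIN ENCRYPTED PRIVATE KEY-----
QUFBQUFBQUFBQUFB
-----END ENCRYPTED PRIVATE KEY-----
Bag Attributes
    friendlyName: solr-ssl
subject=CN = localhost
-----BEGIN CERTIFICATE-----
QkJCQkJCQkJCQkJC
-----END CERTIFICATE-----
"""

# BEGIN/END labels must match; bag-attribute lines sit outside any block and are skipped.
_PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\r?\n(?P<body>.*?)\r?\n-----END (?P=label)-----",
    re.DOTALL,
)

def pem_blocks(text):
    """Return (label, block text) for every PEM block, in file order."""
    return [(m.group("label"), m.group(0)) for m in _PEM_BLOCK.finditer(text)]

def classify(text):
    """Count certificate blocks and private-key blocks (encrypted or not)."""
    labels = [label for label, _ in pem_blocks(text)]
    return {"certificates": labels.count("CERTIFICATE"),
            "private_keys": sum(1 for label in labels if label.endswith("PRIVATE KEY"))}

def certificates_only(text):
    """Programmatic form of the manual 'cert_only' edit: keep CERTIFICATE blocks only."""
    return "".join(block + "\n" for label, block in pem_blocks(text) if label == "CERTIFICATE")

def trust_store_ready(text):
    """Pre-flight for a trust-store import: (ok, reason); certificates present, no key."""
    counts = classify(text)
    if counts["private_keys"]:
        return False, "private key present; a trust store wants certificates only"
    if counts["certificates"] == 0:
        return False, "no CERTIFICATE block; keytool would reject it as not an X.509 certificate"
    return True, "%d certificate block(s), no private key" % counts["certificates"]
```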
