Solr / SOLR-9728

Ability to specify Key Store type in solr.in.sh file for SSL

    Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 7.0
    • Fix Version/s: 6.4, 7.0
    • Component/s: Server
    • Security Level: Public (Default Security Level. Issues are Public)
    • Labels:
      None

      Description

      At present, when SSL is enabled, we can't set the SSL type; it currently defaults to JCK.
      As a user I would like to configure the SSL type via the solr.in file.
      For instance, "JCEKS" would be configured as:

      SOLR_SSL_KEYSTORE_TYPE=JCEKS
      SOLR_SSL_TRUSTSTORE_TYPE=JCEKS
      
      1. SOLR-9728.patch
        12 kB
        Kevin Risden
      2. SOLR-9728.patch
        4 kB
        Michael Suzuki
      3. SOLR-9728.patch
        4 kB
        Michael Suzuki


          Activity

          manokovacs Mano Kovacs added a comment -

          Hi Michael Suzuki, thank you for the patch! I tried to add the store types manually and found that only setting the property of the sslContextFactory in jetty-ssl.xml would be effective. I might be mistaken, but adding the two args below to jetty-ssl.xml would make the patch fully functional.

          "solr/server/etc/jetty-ssl.xml"
          ...
          <Set name="KeyStoreType"><Property name="solr.jetty.keystore.type" default="JCK"/></Set>
          <Set name="TrustStoreType"><Property name="solr.jetty.truststore.type" default="JCK"/></Set>
          ...
          
          michaelsuzuki Michael Suzuki added a comment -

          Mano Kovacs yes, you are correct. Apologies for not including the jetty-ssl.xml changes.

          michaelsuzuki Michael Suzuki added a comment -

          Please note that this patch does not include the fix to issue SOLR-9727, should I redo the patch to include both jetty-ssl.xml and the fix for SOLR-9727?

          markrmiller@gmail.com Mark Miller added a comment -

          I would update this patch with the jetty-ssl.xml changes, and leave SOLR-9727 on its own if possible. If this issue depends on that one to go in first, you can just link them with the right relationship or note it in a comment.

          michaelsuzuki Michael Suzuki added a comment -

          Updated patch which includes the changes to jetty-ssl.xml as per Mano Kovacs comment.

          manokovacs Mano Kovacs added a comment -

          Thanks Michael Suzuki!

          I am very new to the open source development community, but my understanding so far is to keep patches as small as possible, because of the several benefits this brings, which is exactly what Mark Miller advised.

          manokovacs Mano Kovacs added a comment -

          If anyone would have the time to review this patch, it would be greatly appreciated.

          risdenk Kevin Risden added a comment -

          Mano Kovacs + Michael Suzuki - I can take a look.

          risdenk Kevin Risden added a comment -

          I think the default in jetty-ssl.xml should be "JKS" instead of "JCK"? Does that sound correct?

          risdenk Kevin Risden added a comment -

          When testing this I also think I noticed that if SOLR_SSL_KEYSTORE_TYPE or SOLR_SSL_TRUSTSTORE_TYPE isn't specified in solr.in.sh then the jetty property is set to "" instead of the default. This I think is because the java property is being set to "" instead of not being set at all. This would make the change backwards incompatible.

          Some changes:

          • Change JCK to JKS to match the Jetty defaults
          • Change bin/solr and solr.cmd to handle SOLR_SSL_KEYSTORE_TYPE and SOLR_SSL_TRUSTSTORE_TYPE not being specified (and therefore not added to the SOLR_SSL_OPTS variable).
          michaelsuzuki Michael Suzuki added a comment -

          If the SOLR_SSL_KEYSTORE_TYPE or SOLR_SSL_TRUSTSTORE_TYPE aren't specified it will default to the value set in the jetty-ssl.xml.

          michaelsuzuki Michael Suzuki added a comment -

          I have updated the jetty-ssl.xml to use JKS instead of JCK, good catch.

          risdenk Kevin Risden added a comment -

          Here is the snippet of my solr.in.sh:

          # Uncomment to set SSL-related system properties
          # Be sure to update the paths to the correct keystore for your environment
          SOLR_SSL_KEY_STORE=/opt/solr/bin/solr-ssl.keystore.jks
          SOLR_SSL_TRUST_STORE=/opt/solr/bin/solr-ssl.keystore.jks
          SOLR_SSL_KEY_STORE_PASSWORD=secret
          SOLR_SSL_TRUST_STORE_PASSWORD=secret
          SOLR_SSL_NEED_CLIENT_AUTH=false
          SOLR_SSL_WANT_CLIENT_AUTH=false
          #SOLR_SSL_KEYSTORE_TYPE=JKS
          #SOLR_SSL_TRUSTSTORE_TYPE=JKS
          

          Here is the exception I get when SOLR_SSL_KEYSTORE_TYPE or SOLR_SSL_TRUSTSTORE_TYPE isn't specified:

          java.lang.reflect.InvocationTargetException
          	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
          	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
          	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
          	at java.lang.reflect.Method.invoke(Method.java:498)
          	at org.eclipse.jetty.start.Main.invokeMain(Main.java:214)
          	at org.eclipse.jetty.start.Main.start(Main.java:457)
          	at org.eclipse.jetty.start.Main.main(Main.java:75)
          Caused by: java.security.KeyStoreException:  not found
          	at java.security.KeyStore.getInstance(KeyStore.java:851)
          	at org.eclipse.jetty.util.security.CertificateUtils.getKeyStore(CertificateUtils.java:44)
          	at org.eclipse.jetty.util.ssl.SslContextFactory.loadKeyStore(SslContextFactory.java:1016)
          	at org.eclipse.jetty.util.ssl.SslContextFactory.doStart(SslContextFactory.java:332)
          	at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
          	at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:132)
          	at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:114)
          	at org.eclipse.jetty.server.SslConnectionFactory.doStart(SslConnectionFactory.java:64)
          	at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
          	at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:132)
          	at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:114)
          	at org.eclipse.jetty.server.AbstractConnector.doStart(AbstractConnector.java:260)
          	at org.eclipse.jetty.server.AbstractNetworkConnector.doStart(AbstractNetworkConnector.java:81)
          	at org.eclipse.jetty.server.ServerConnector.doStart(ServerConnector.java:244)
          	at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
          	at org.eclipse.jetty.server.Server.doStart(Server.java:384)
          	at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
          	at org.eclipse.jetty.xml.XmlConfiguration$1.run(XmlConfiguration.java:1510)
          	at java.security.AccessController.doPrivileged(Native Method)
          	at org.eclipse.jetty.xml.XmlConfiguration.main(XmlConfiguration.java:1435)
          	... 7 more
          Caused by: java.security.NoSuchAlgorithmException:  KeyStore not available
          	at sun.security.jca.GetInstance.getInstance(GetInstance.java:159)
          	at java.security.Security.getImpl(Security.java:695)
          	at java.security.KeyStore.getInstance(KeyStore.java:848)
          	... 26 more
          
          Usage: java -jar start.jar [options] [properties] [configs]
                 java -jar start.jar --help  # for more information
          
          risdenk Kevin Risden added a comment -

          Additionally, I think we are going to want to set javax.net.ssl.trustStoreType and javax.net.ssl.keystoreStoreType in addition to the jetty settings?

          risdenk Kevin Risden added a comment -

          This patch does a few things:

          • Splits out each ssl property to check if it is there
          • Puts *_type next to *_password where necessary
          • Adds javax.net.ssl.keyStoreType and javax.net.ssl.trustStoreType
          • Stuck with KEY_STORE and TRUST_STORE instead of KEYSTORE and TRUSTSTORE that was previously added.

          I added the changes for Windows as well, but haven't been able to test. They are basically the same between solr.in.sh/solr and solr.in.cmd and solr.cmd

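As an added example (not Solr's own bin/solr code and not the patch attached to this issue), the following POSIX shell reproduces the failure Kevin Risden describes above, where an unset store type becomes an empty -D property that Jetty passes on as a key store type of "", next to the conditional construction of SOLR_SSL_OPTS that his patch summary describes: each property checked on its own, the *.type property placed beside its password, and both the solr.jetty.* and javax.net.ssl.* properties set. The solr.jetty.keystore.type and solr.jetty.truststore.type names come from this thread; the remaining solr.jetty.* names follow Solr's jetty-ssl.xml, the javax.net.ssl.* names are the standard JSSE ones, and the function names, the has_empty_property check and the sample values are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not Solr's own bin/solr code. It shows why *_TYPE must only
# be added to SOLR_SSL_OPTS when set, and a construction that does so.
# Function names, the check helper and the sample values are assumptions.

# Constructed sample solr.in.sh values. The two *_TYPE variables are left
# unset on purpose, as in the solr.in.sh snippet posted in this thread.
SOLR_SSL_KEY_STORE=/opt/solr/bin/solr-ssl.keystore.jks
SOLR_SSL_TRUST_STORE=/opt/solr/bin/solr-ssl.keystore.jks
SOLR_SSL_KEY_STORE_PASSWORD=secret
SOLR_SSL_TRUST_STORE_PASSWORD=secret

# The form the thread identifies as broken: the type property is emitted
# unconditionally, so an unset variable becomes "-Dsolr.jetty.keystore.type="
# and Jetty asks KeyStore.getInstance("") for a store instead of using its
# JKS default, which is the "KeyStoreException:  not found" trace above.
build_ssl_opts_naive() {
  printf '%s\n' "-Dsolr.jetty.keystore=$SOLR_SSL_KEY_STORE -Dsolr.jetty.keystore.password=$SOLR_SSL_KEY_STORE_PASSWORD -Dsolr.jetty.keystore.type=$SOLR_SSL_KEY_STORE_TYPE -Dsolr.jetty.truststore=$SOLR_SSL_TRUST_STORE -Dsolr.jetty.truststore.password=$SOLR_SSL_TRUST_STORE_PASSWORD -Dsolr.jetty.truststore.type=$SOLR_SSL_TRUST_STORE_TYPE"
}

# Appends "-D$1=$2" to OPTS only when the value $2 is non-empty.
add_prop() {
  if [ -n "$2" ]; then
    OPTS="$OPTS -D$1=$2"
  fi
}

# Corrected form: every property is checked individually, the type sits next
# to its password, and the JSSE javax.net.ssl.* property is set alongside the
# Jetty one so that clients using the JVM's default SSL context see the same
# store type. Unset *_TYPE variables add nothing, so Jetty's default applies.
build_ssl_opts() {
  OPTS=""
  add_prop solr.jetty.keystore              "$SOLR_SSL_KEY_STORE"
  add_prop javax.net.ssl.keyStore           "$SOLR_SSL_KEY_STORE"
  add_prop solr.jetty.keystore.password     "$SOLR_SSL_KEY_STORE_PASSWORD"
  add_prop javax.net.ssl.keyStorePassword   "$SOLR_SSL_KEY_STORE_PASSWORD"
  add_prop solr.jetty.keystore.type         "$SOLR_SSL_KEY_STORE_TYPE"
  add_prop javax.net.ssl.keyStoreType       "$SOLR_SSL_KEY_STORE_TYPE"
  add_prop solr.jetty.truststore            "$SOLR_SSL_TRUST_STORE"
  add_prop javax.net.ssl.trustStore         "$SOLR_SSL_TRUST_STORE"
  add_prop solr.jetty.truststore.password   "$SOLR_SSL_TRUST_STORE_PASSWORD"
  add_prop javax.net.ssl.trustStorePassword "$SOLR_SSL_TRUST_STORE_PASSWORD"
  add_prop solr.jetty.truststore.type       "$SOLR_SSL_TRUST_STORE_TYPE"
  add_prop javax.net.ssl.trustStoreType     "$SOLR_SSL_TRUST_STORE_TYPE"
  printf '%s\n' "${OPTS# }"
}

# Returns 0 (true) if any "-Dname=" token in the option string carries an
# empty value; this is the condition that breaks Jetty start-up, so it is a
# useful check to run over a hand-edited SOLR_SSL_OPTS before starting Solr.
# Tokens are split on whitespace, so it assumes paths without spaces.
has_empty_property() {
  for tok in $1; do
    case "$tok" in
      -D*=) return 0 ;;
    esac
  done
  return 1
}

# Demonstration on the constructed values above.
naive=$(build_ssl_opts_naive)
if has_empty_property "$naive"; then
  echo "naive SOLR_SSL_OPTS would break start-up: $naive"
fi
echo "corrected SOLR_SSL_OPTS: $(build_ssl_opts)"
```

Run with sh: the first line printed is the naive string with the empty "-Dsolr.jetty.keystore.type=" token, the second the corrected option string without it. Setting SOLR_SSL_KEY_STORE_TYPE=JCEKS and SOLR_SSL_TRUST_STORE_TYPE=JCEKS before calling build_ssl_opts yields both the solr.jetty.*.type and javax.net.ssl.*StoreType properties with that value, which is the behaviour the description of this issue asks for.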
          michaelsuzuki Michael Suzuki added a comment -

          Kevin Risden Tried and tested the patch, it works for me.

          jira-bot ASF subversion and git services added a comment -

          Commit bf424d1ec1602dffeb33ab0acc8f470e351a6959 in lucene-solr's branch refs/heads/master from Kevin Risden
          [ https://git-wip-us.apache.org/repos/asf?p=lucene-solr.git;h=bf424d1 ]

          SOLR-9728: Ability to specify Key Store type in solr.in file for SSL

          jira-bot ASF subversion and git services added a comment -

          Commit ec385708c6e0c47440127410c1223f14703c24e1 in lucene-solr's branch refs/heads/branch_6x from Kevin Risden
          [ https://git-wip-us.apache.org/repos/asf?p=lucene-solr.git;h=ec38570 ]

          SOLR-9728: Ability to specify Key Store type in solr.in file for SSL

          jira-bot ASF subversion and git services added a comment -

          Commit bf424d1ec1602dffeb33ab0acc8f470e351a6959 in lucene-solr's branch refs/heads/feature/metrics from Kevin Risden
          [ https://git-wip-us.apache.org/repos/asf?p=lucene-solr.git;h=bf424d1 ]

          SOLR-9728: Ability to specify Key Store type in solr.in file for SSL


            People

            • Assignee: Kevin Risden
            • Reporter: Michael Suzuki