Both SolrCloud and single-node Solr can encrypt communications to and from clients, and in SolrCloud between nodes, with SSL. This section describes enabling SSL with the example Jetty server using a self-signed certificate.
For background on SSL certificates and keys, see http://www.tldp.org/HOWTO/SSL-Certificates-HOWTO/.
Basic SSL Setup
Generate a self-signed certificate and a key
To generate a self-signed certificate and a single key that will be used to authenticate both the server and the client, we'll use the JDK keytool command and create a separate keystore. This keystore will also be used as a truststore below. It's possible to use the keystore that comes with the JDK for these purposes, and to use a separate truststore, but those options aren't covered here.
Run the commands below in the server/etc/ directory in the binary Solr distribution. It's assumed that you have the JDK keytool utility on your PATH, and that openssl is also on your PATH. See https://www.openssl.org/related/binaries.html for OpenSSL binaries for Windows and Solaris.
The keytool option used here allows you to specify all the DNS names and/or IP addresses that will be allowed during hostname verification (but see below for how to skip hostname verification between Solr nodes so that you don't have to specify all hosts here). In addition to 127.0.0.1, this example includes a LAN IP address 192.168.1.3 for the machine the Solr nodes will be running on:
The above command will create a keystore file named solr-ssl.keystore.jks in the current directory.
Convert the certificate and key to PEM format for use with cURL
cURL isn't capable of using JKS formatted keystores, so the JKS keystore needs to be converted to PEM format, which cURL understands.
First convert the JKS keystore into PKCS12 format using
The keytool application will prompt you to create a destination keystore password and for the source keystore password, which was set when creating the keystore ("secret" in the example shown above).
Next convert the PKCS12 format keystore, including both the certificate and the key, into PEM format using the
If you want to use cURL on OS X Yosemite (10.10), you'll need to create a certificate-only version of the PEM format, as follows:
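The whole keystore procedure of this section (generate the keystore, convert to PKCS12, convert to PEM, and produce the certificate-only PEM) as an added example; this is not the reference guide's own command listing. It assumes keytool and openssl are on PATH and uses the page's sample password "secret" and LAN address 192.168.1.3; the alias, validity period and the -dname fields are assumptions of this example.

```shell
#!/bin/sh
# Added example: Solr self-signed keystore procedure as shell functions.
# "secret" and 192.168.1.3 are the page's sample values; alias, validity
# and the -dname fields are assumed here. Change all of them for real use.
set -e

KEYSTORE=solr-ssl.keystore.jks
PKCS12=solr-ssl.keystore.p12
PEM=solr-ssl.pem
CACERT=solr-ssl.cacert.pem
PASS=secret

# Step 1: self-signed certificate plus key in a JKS keystore. The SAN
# extension lists every name/address hostname verification will accept.
gen_keystore() {
  keytool -genkeypair -alias solr-ssl -keyalg RSA -keysize 2048 \
    -keypass "$PASS" -storepass "$PASS" -validity 9999 \
    -storetype JKS -keystore "$KEYSTORE" \
    -ext SAN=DNS:localhost,IP:192.168.1.3,IP:127.0.0.1 \
    -dname "CN=localhost, OU=Organizational Unit, O=Organization, L=Location, ST=State, C=Country"
}

# Step 2: JKS -> PKCS12, non-interactive (both passwords on the command line).
to_pkcs12() {
  keytool -importkeystore -srckeystore "$KEYSTORE" -destkeystore "$PKCS12" \
    -srcstoretype JKS -deststoretype PKCS12 \
    -srcstorepass "$PASS" -deststorepass "$PASS" -noprompt
}

# Step 3: PKCS12 -> PEM holding certificate and key (for curl -E solr-ssl.pem:secret).
to_pem() {
  openssl pkcs12 -in "$PKCS12" -out "$PEM" -passin "pass:$PASS" -passout "pass:$PASS"
}

# Step 4: certificate-only PEM for curl --cacert (needed on OS X 10.10).
to_cacert() {
  openssl pkcs12 -nokeys -in "$PKCS12" -out "$CACERT" -passin "pass:$PASS"
}

# Checks worth running before pointing Solr at the files: the SAN must
# carry the node's address, and the CA file must contain no private key.
san_has() { openssl x509 -in "$PEM" -noout -text | grep -q "$1"; }
cacert_has_no_key() { ! grep -q 'PRIVATE KEY' "$CACERT"; }

if [ "${1:-}" = "run" ]; then
  gen_keystore && to_pkcs12 && to_pem && to_cacert
fi
```

Run it as `sh make-solr-ssl.sh run` inside server/etc/; the two check functions can then be called to confirm the SAN entries and that the cacert file is key-free.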
Set common SSL related system properties
The Solr Control Script is already set up to pass SSL-related Java system properties to the JVM. To activate the SSL settings, uncomment and update the set of properties beginning with SOLR_SSL_* in bin/solr.in.sh (or bin\solr.in.cmd on Windows). Note, if you set up Solr as a service on Linux using the steps outlined in Taking Solr to Production, then make these changes in
When you start Solr, the bin/solr script includes the settings in bin/solr.in.sh and will pass these SSL-related system properties to the JVM.
Enable either SOLR_SSL_NEED_CLIENT_AUTH or SOLR_SSL_WANT_CLIENT_AUTH but not both at the same time. They are mutually exclusive and Jetty will select one of them which may not be what you expect.
Similarly, when you start Solr on Windows, the bin\solr.cmd script includes the settings in bin\solr.in.cmd - uncomment and update the set of properties beginning with SOLR_SSL_* to pass these SSL-related system properties to the JVM:
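An added pre-start check for the include file (not part of the reference guide or of the Solr scripts): it sources a solr.in.sh in a subshell and refuses the configuration when SOLR_SSL_NEED_CLIENT_AUTH and SOLR_SSL_WANT_CLIENT_AUTH are both true, as the note above warns against, or when the keystore or truststore path does not exist. It assumes the SOLR_SSL_KEY_STORE, SOLR_SSL_KEY_STORE_PASSWORD, SOLR_SSL_TRUST_STORE and SOLR_SSL_TRUST_STORE_PASSWORD variable names of solr.in.sh; the sample file it writes is constructed.

```shell
#!/bin/sh
# Added example: validate the SOLR_SSL_* block of a bin/solr.in.sh before
# starting Solr. Variable names are assumed to be those of solr.in.sh;
# paths and the password in the sample file are constructed values.

# Return 0 (and print "ok") for a usable include file, 1 with a reason otherwise.
check_ssl_include() {
  include="$1"
  [ -f "$include" ] || { echo "missing include file: $include"; return 1; }
  # Source in a subshell so the checked file cannot alter this shell.
  (
    . "$include"
    if [ -z "$SOLR_SSL_KEY_STORE" ]; then
      echo "SOLR_SSL_KEY_STORE is not set; SSL is not enabled"; exit 1
    fi
    if [ ! -f "$SOLR_SSL_KEY_STORE" ]; then
      echo "keystore not found: $SOLR_SSL_KEY_STORE"; exit 1
    fi
    if [ -n "$SOLR_SSL_TRUST_STORE" ] && [ ! -f "$SOLR_SSL_TRUST_STORE" ]; then
      echo "truststore not found: $SOLR_SSL_TRUST_STORE"; exit 1
    fi
    # Mutually exclusive: Jetty silently picks one if both are true.
    if [ "$SOLR_SSL_NEED_CLIENT_AUTH" = "true" ] && [ "$SOLR_SSL_WANT_CLIENT_AUTH" = "true" ]; then
      echo "SOLR_SSL_NEED_CLIENT_AUTH and SOLR_SSL_WANT_CLIENT_AUTH are both true"; exit 1
    fi
    echo ok
  )
}

# Write a constructed include file: $1 = path, $2 = keystore path,
# $3 = NEED_CLIENT_AUTH value, $4 = WANT_CLIENT_AUTH value.
write_sample_include() {
  cat > "$1" <<EOF
SOLR_SSL_KEY_STORE=$2
SOLR_SSL_KEY_STORE_PASSWORD=secret
SOLR_SSL_TRUST_STORE=$2
SOLR_SSL_TRUST_STORE_PASSWORD=secret
SOLR_SSL_NEED_CLIENT_AUTH=$3
SOLR_SSL_WANT_CLIENT_AUTH=$4
EOF
}
```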
Run Single Node Solr using SSL
Start Solr using the command shown below; by default clients will not be required to authenticate:
This section describes how to run a two-node SolrCloud cluster with no initial collections and a single-node external ZooKeeper. The commands below assume you have already created the keystore described above.
ZooKeeper does not support encrypted communication with clients like Solr. There are several related JIRA tickets where SSL support is being planned/worked on: ZOOKEEPER-235; ZOOKEEPER-236; ZOOKEEPER-1000; and ZOOKEEPER-2120.
Before you start any SolrCloud nodes, you must configure your Solr cluster properties in ZooKeeper, so that Solr nodes know to communicate via SSL.
This section assumes you have created and started a single-node external ZooKeeper on port 2181 on localhost; see Setting Up an External ZooKeeper Ensemble.
The urlScheme cluster-wide property needs to be set to https before any Solr node starts up. The example below uses the zkcli tool that comes with the binary Solr distribution to do this:
If you have set up your ZooKeeper cluster to use a chroot for Solr, make sure you use the correct zkhost string with
Run SolrCloud with SSL
Create Solr home directories for two nodes
Create two copies of the server/solr/ directory which will serve as the Solr home directories for each of your two SolrCloud nodes:
Start the first Solr node
Next, start the first Solr node on port 8984. Be sure to stop the standalone server first if you started it when working through the previous section on this page.
Notice the use of the -s option to set the location of the Solr home directory for node1.
If you created your SSL key without all DNS names/IP addresses on which Solr nodes will run, you can tell Solr to skip hostname verification for inter-Solr-node communications by setting the solr.ssl.checkPeerName system property to
Start the second Solr node
Finally, start the second Solr node on port 7574 - again, to skip hostname verification, add
Example Client Actions
cURL on OS X Mavericks (10.9) has degraded SSL support. For more information and workarounds to allow 1-way SSL, see http://curl.haxx.se/mail/archive-2013-10/0036.html. cURL on OS X Yosemite (10.10) is improved - 2-way SSL is possible - see http://curl.haxx.se/mail/archive-2014-10/0053.html.
The cURL commands in the following sections will not work with the system curl on OS X Yosemite (10.10). Instead, the certificate supplied with the -E param must be in PKCS12 format, and the file supplied with the --cacert param must contain only the CA certificate, and no key (see above for instructions on creating this file):
If your operating system does not include cURL, you can download binaries here: http://curl.haxx.se/download.html
Create a SolrCloud collection using
Create a 2-shard, replicationFactor=1 collection named mycollection using the default configset (data_driven_schema_configs):
The create action will pass the SOLR_SSL_* properties set in your include file to the SolrJ code used to create the collection.
Retrieve SolrCloud cluster status using cURL
To get the resulting cluster status (again, if you have not enabled client authentication, remove the -E solr-ssl.pem:secret option):
You should get a response that looks like this:
Index documents using post.jar
Use post.jar to index some example documents to the SolrCloud collection created above:
Query using cURL
Use cURL to query the SolrCloud collection created above, from a directory containing the PEM formatted certificate and key created above (e.g. example/etc/) - if you have not enabled client authentication (system property -Djetty.ssl.clientAuth=true), then you can remove the -E solr-ssl.pem:secret option:
Index a document using
From a Java client using SolrJ, index a document. In the code below, the javax.net.ssl.* system properties are set programmatically, but you could instead specify them on the Java command line, as in the post.jar example above: