Question regarding TLS version for solr


Question regarding TLS version for solr

Anchal Sharma2
Hi All,

We are using solr version 5.3.0 and have been trying to enable security on our solr. We followed the steps mentioned on the site https://lucene.apache.org/solr/guide/6_6/enabling-ssl.html. But by default it picks TLS version 1.0, which is causing an issue as our application uses TLSv1.2. We tried using online resources, but could not find anything regarding TLS enablement for solr.

It will be a huge help if anyone can provide some suggestions as to how we can enable TLS v 1.2 for solr.


Thanks & Regards,
-------------------------------------------------
Anchal Sharma


Re: Question regarding TLS version for solr

Shawn Heisey-2
On 5/17/2018 1:53 AM, Anchal Sharma2 wrote:
> We are using solr version 5.3.0 and have been trying to enable security on our solr. We followed the steps mentioned on the site https://lucene.apache.org/solr/guide/6_6/enabling-ssl.html. But by default it picks TLS version 1.0, which is causing an issue as our application uses TLSv1.2. We tried using online resources, but could not find anything regarding TLS enablement for solr.
>
> It will be a huge help if anyone can provide some suggestions as to how we can enable TLS v 1.2 for solr.

The choice of ciphers and encryption protocols is mostly made by Java. 
The servlet container might influence it as well. The only servlet
container that is supported since Solr 5.0 is the Jetty that is bundled
in the Solr download.

TLS 1.2 was added in Java 7, and it became default in Java 8.  If you
can install the latest version of Java 8 and make sure that it has the
policy files for unlimited crypto strength installed, support for TLS
1.2 might happen automatically.

Solr 5.3.0 is running a fairly old version of Jetty -- 9.2.11. 
Information for 9.2.x versions is hard to find, so although I think it
probably CAN do TLS 1.2 if the Java version supports it, I can't be
absolutely sure.  You'll need to upgrade Solr to get an upgraded Jetty.

Thanks,
Shawn


Re: Question regarding TLS version for solr

Christopher Schultz

Shawn,

On 5/17/18 4:23 AM, Shawn Heisey wrote:

> On 5/17/2018 1:53 AM, Anchal Sharma2 wrote:
>> We are using solr version 5.3.0 and have been trying to enable
>> security on our solr. We followed the steps mentioned on the site
>> https://lucene.apache.org/solr/guide/6_6/enabling-ssl.html. But
>> by default it picks TLS version 1.0, which is causing an issue
>> as our application uses TLSv1.2. We tried using online resources,
>> but could not find anything regarding TLS enablement for solr.
>>
>> It will be a huge help if anyone can provide some suggestions as
>> to how we can enable TLS v 1.2 for solr.
>
> The choice of ciphers and encryption protocols is mostly made by
> Java. The servlet container might influence it as well. The only
> servlet container that is supported since Solr 5.0 is the Jetty
> that is bundled in the Solr download.
>
> TLS 1.2 was added in Java 7, and it became default in Java 8. If
> you can install the latest version of Java 8 and make sure that it
> has the policy files for unlimited crypto strength installed,
> support for TLS 1.2 might happen automatically.

There is no "default" TLS version for either the client or the server:
the two endpoints always negotiate the highest mutual version they
both support. The key agreement, authentication, and cipher suites are
the items that are negotiated during the handshake.

> Solr 5.3.0 is running a fairly old version of Jetty -- 9.2.11.
> Information for 9.2.x versions is hard to find, so although I think
> it probably CAN do TLS 1.2 if the Java version supports it, I can't
> be absolutely sure.  You'll need to upgrade Solr to get an upgraded
> Jetty.

I would be shocked if Jetty ships with its own crypto libraries; it
should be using JSSE.

Anchal,

Java 1.7 or later is an absolute requirement if you want to use
TLSv1.2 (and you SHOULD want to use it).

I have recently spent a lot of time getting Solr 7.3.0 running with
TLS mutual-authentication, but I haven't worked with the 5.3.x line. I
can tell you how I've done things for my version, but they may need
some adjustments for yours.

-chris
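To make the negotiation point above concrete, here is an added example that is not part of Chris's or Shawn's messages, nor of Solr itself: a small Python probe that offers a server one TLS version at a time and records which handshakes succeed, plus a helper that computes what two endpoints would settle on given the versions each side supports. Host, port and the version list are whatever you pass in; the function names are constructed for this example. If the probe shows the Solr endpoint accepting TLSv1.2 while an application still ends up on 1.0, the client side of that connection is the place to look.

```python
"""Probe which TLS protocol versions a server will negotiate.

There is no "default" version on either side: the handshake settles on the
newest version both endpoints offer. Pinning the client to one version per
attempt therefore reveals the server's accepted set.
"""
import argparse
import socket
import ssl
from typing import Dict, Iterable, Optional

# Oldest to newest; names match ssl.TLSVersion members.
CANDIDATES = ("TLSv1", "TLSv1_1", "TLSv1_2", "TLSv1_3")
RANK = {name: i for i, name in enumerate(CANDIDATES)}


def _rank(version: str) -> int:
    return RANK.get(version, -1)


def negotiated_version(client_offers: Iterable[str],
                       server_accepts: Iterable[str]) -> Optional[str]:
    """Version a handshake settles on: the newest one both sides support, or None."""
    common = set(client_offers) & set(server_accepts)
    return max(common, key=_rank) if common else None


def pinned_context(version: str) -> ssl.SSLContext:
    """Client context that offers exactly one protocol version.

    Raises ValueError/ssl.SSLError when the local OpenSSL refuses that
    version (TLSv1 and TLSv1_1 are disabled in many current builds).
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # The probe only learns what the server accepts; it does not trust it,
    # so certificate checks are off here (Solr test boxes are often self-signed).
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    tls_version = getattr(ssl.TLSVersion, version)
    ctx.minimum_version = tls_version
    ctx.maximum_version = tls_version
    return ctx


def probe(host: str, port: int, versions: Iterable[str] = CANDIDATES,
          timeout: float = 5.0) -> Dict[str, str]:
    """Try each version in turn; each result starts with accepted/rejected/unreachable."""
    results: Dict[str, str] = {}
    for version in versions:
        try:
            ctx = pinned_context(version)
        except (ValueError, ssl.SSLError, AttributeError) as exc:
            results[version] = f"cannot be offered by this client ({exc})"
            continue
        try:
            with socket.create_connection((host, port), timeout=timeout) as raw:
                with ctx.wrap_socket(raw, server_hostname=host) as tls:
                    results[version] = f"accepted (negotiated {tls.version()})"
        except ssl.SSLError as exc:
            results[version] = f"rejected ({exc.reason or exc})"
        except OSError as exc:
            results[version] = f"unreachable ({exc})"
    return results


def highest_accepted(results: Dict[str, str]) -> Optional[str]:
    """Newest version the server accepted in a probe() result, or None."""
    accepted = [v for v, r in results.items() if r.startswith("accepted")]
    return max(accepted, key=_rank) if accepted else None


if __name__ == "__main__":
    parser = argparse.ArgumentParser(description="Report TLS versions a server accepts")
    parser.add_argument("host")
    parser.add_argument("port", type=int, nargs="?", default=8983)  # Solr's default port
    args = parser.parse_args()
    outcome = probe(args.host, args.port)
    for version, result in outcome.items():
        print(f"{version:8} {result}")
    print("highest accepted:", highest_accepted(outcome) or "none")
```

Run it as `python probe_tls.py solr-host 8983` against the TLS-enabled Solr port. A version reported as "cannot be offered by this client" says nothing about the server; it means the local OpenSSL build has that version disabled, which is the normal state for TLSv1 and TLSv1_1 today.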

Re: Question regarding TLS version for solr

Anchal Sharma2
Hi Christopher / Shawn,

Thank you for replying. But, I checked the java version solr is using, and it is already version 1.8.

@Christopher, can you let me know what steps you followed for TLS authentication on solr version 7.3.0?

Thanks & Regards,
-------------------------------------------------
Anchal Sharma
e-Pricer Development
ES Team
Mobile: +9871290248


Re: Question regarding TLS version for solr

Christopher Schultz

Anchal,

On 5/23/18 2:38 AM, Anchal Sharma2 wrote:
> Thank you for replying. But, I checked the java version solr is using,
> and it is already version 1.8.
>
> @Christopher ,can you let me know what steps you followed for TLS
> authentication on solr version 7.3.0.

Sure. Here are my deployment notes. You may have to adjust them
slightly for your environment. Note that we are using standalone Solr
without any Zookeeper, clustering, etc. This is just about configuring
a single instance. Also, this guide says 7.3.0, but 7.3.1 would be
better as it contains a fix for a CVE.

=== CUT ===

========================================================
 Instructions for installing Solr and working with Cores
========================================================

Installation
------------

Installing Solr is fairly simple. One can simply untar the distribution
tarball and work from that directory, but it is better to install it
in a somewhat more centralized place with a separate data directory
to facilitate upgrades, etc.

1. Obtain the distribution tarball
   Go to https://lucene.apache.org/solr/mirrors-solr-latest-redir.html
   and obtain the latest supported version of Solr.
   (7.3.0 as of this writing).

2. Untar the archive
   $ tar xzf solr-x.y.z.tgz

3. Install Solr
   $ cd solr-x.y.z
   $ sudo bin/install_solr_service.sh ../solr-x.y.z.tgz \
     -i /usr/local \
     -d /mnt/securefs/solr \
     -n
   (that last -n says "don't start Solr")

4. Configure Solr Settings
   Edit the file /etc/default/solr.in.sh

   Settings you may want to explicitly set:

   SOLR_JAVA_HOME=(java home)
   SOLR_HEAP="1024M"

5. Configure Solr for TLS
   Create a server key and certificate:
   $ sudo mkdir /etc/solr
   $ sudo keytool -genkey -keyalg EC -sigalg SHA256withECDSA -keysize 256 -validity 730 \
          -alias 'solr-ssl' -keystore /etc/solr/solr.p12 -storetype PKCS12 \
          -ext san=dns:localhost,ip:192.168.10.20
     Use the following information for the certificate:
         First and Last name: 192.168.10.20 (or "localhost", or your IP address)
         Org unit:  [whatever]
         Everything else should be obvious

   Now, export the public key from the keystore.

   $ sudo /usr/local/java-8/bin/keytool -list -rfc -keystore /etc/solr/solr.p12 \
          -storetype PKCS12 -alias solr-ssl

   Copy that certificate and paste it into this command's stdin:

   $ sudo keytool -importcert -keystore /etc/solr/solr-server.p12 \
          -storetype PKCS12 -alias 'solr-ssl'

   Now, fix the ownership and permissions on these files:

   $ sudo chown root:solr /etc/solr/solr.p12 /etc/solr/solr-server.p12
   $ sudo chmod 0640 /etc/solr/solr.p12

   Edit the file /etc/default/solr.in.sh

   Set the following settings:

   SOLR_SSL_KEY_STORE=/etc/solr/solr.p12
   SOLR_SSL_KEY_STORE_TYPE=PKCS12
   SOLR_SSL_KEY_STORE_PASSWORD=whatever

   # You MUST set the trust store for some reason.
   SOLR_SSL_TRUST_STORE=/etc/solr/solr-server.p12
   SOLR_SSL_TRUST_STORE_TYPE=PKCS12
   SOLR_SSL_TRUST_STORE_PASSWORD=whatever

   Then, patch the file bin/post; you are going to need this, later.

- --- bin/post    2017-09-03 13:29:15.000000000 -0400
+++ /usr/local/solr/bin/post    2018-04-11 20:08:17.000000000 -0400
@@ -231,8 +231,8 @@
   PROPS+=('-Drecursive=yes')
 fi

- -echo "$JAVA" -classpath "${TOOL_JAR[0]}" "${PROPS[@]}"
org.apache.solr.util.SimplePostTool "${PARAMS[@]}"
- -"$JAVA" -classpath "${TOOL_JAR[0]}" "${PROPS[@]}"
org.apache.solr.util.SimplePostTool "${PARAMS[@]}"
+echo "$JAVA" -classpath "${TOOL_JAR[0]}" "${PROPS[@]}"
${SOLR_POST_OPTS} org.apache.solr.util.SimplePostTool "${PARAMS[@]}"
+"$JAVA" -classpath "${TOOL_JAR[0]}" "${PROPS[@]}" ${SOLR_POST_OPTS}
org.apache.solr.util.SimplePostTool "${PARAMS[@]}"
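Review bot: the rewritten `echo` line at the top of this hunk prints the complete command line, and once `${SOLR_POST_OPTS}` carries `-Djavax.net.ssl.keyStorePassword=` and `-Djavax.net.ssl.trustStorePassword=` (as the "Loading Data" step further down has it), both store passwords are written to the terminal and to any captured script output; drop the `echo`, or print the options with those two values masked. Two smaller points: `${SOLR_POST_OPTS}` is left unquoted on purpose so the shell splits it into separate `-D` arguments, which also means a password containing whitespace will be split, so keep such values free of spaces; and the `- -` at the start of the removed lines is PGP clearsign dash-escaping rather than part of the patch, so strip the leading `- ` before handing this to `patch`.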

6. Configure Solr to Require Client TLS Certificates

  On each client, create a client key and certificate:

  $ keytool -genkey -keyalg EC -sigalg SHA256withECDSA -keysize 256 \
            -validity 730 -alias 'solr-client-ssl'

  Now dump the certificate for the next step:

  $ keytool -exportcert -keystore [client-key-store] -storetype PKCS12 \
            -alias 'solr-client-ssl'

  Don't forget that you might want to generate your own client certificate
  to use from your own web browser if you want to be able to connect to the
  server's dashboard.

  Use the output of that command on each client to put the cert(s) into this
  trust store on the server:

  $ sudo keytool -importcert -keystore /etc/solr/solr-trusted-clients.p12 \
                 -storetype PKCS12 -alias '[client key alias]'

Edit /etc/default/solr.in.sh and add the following entries:

  SOLR_SSL_NEED_CLIENT_AUTH=true
  SOLR_SSL_TRUST_STORE=/etc/solr/solr-trusted-clients.p12
  SOLR_SSL_TRUST_STORE_TYPE=PKCS12
  SOLR_SSL_TRUST_STORE_PASSWORD=whatever

Summary of Files in /etc/solr
-----------------------------

solr-client.p12   Client keystore. Contains client key and certificate.
                  Used by clients to identify themselves to the server.

solr.p12          Server keystore. Contains server key and certificate.
                  Used by server to identify itself to clients.

solr-server.p12   Client trust store. Contains server's certificate.
                  Used by clients to identify and trust the server.

solr-trusted-clients.p12
                  Server trust store. Contains trusted client certificates.
                  Used by server to trust clients.

Starting and Stopping Solr
--------------------------

If you've installed Solr as a service, you can simply run:

  $ sudo /etc/init.d/solr [cmd]

If you haven't installed Solr as a service, you can run the Solr script
directly from the expanded tarball directory:

  $ ${SOLR_HOME}/bin/solr start (or stop)

Creating a New Core (Index)
---------------------------

If you have installed Solr as a service, you will have to use sudo to
create your core so that the directories and files get the correct
ownership and permissions.

  $ sudo -u solr /usr/local/solr/bin/solr -c [corename]

If you haven't installed Solr as a service, this is nominally easier:

  $ ${SOLR_HOME}/bin/solr -c [corename]

Loading Data into a Core (Index)
--------------------------------
If you have installed Solr as a service using TLS, you will need to do some
additional work to call Solr's "post" program. First, ensure you have patched
bin/post according to the installation instructions above. Then:

  $ SOLR_POST_OPTS="-Djavax.net.ssl.trustStore=/etc/solr/solr-server.p12
      -Djavax.net.ssl.trustStoreType=PKCS12
      -Djavax.net.ssl.trustStorePassword=[whatever]
      -Djavax.net.ssl.keyStore=/etc/solr/solr-client.p12
      -Djavax.net.ssl.keyStoreType=PKCS12
      -Djavax.net.ssl.keyStorePassword=[whatever]" \
         /usr/local/solr/bin/post \
         -url https://localhost:8983/solr/[corename]/update [file-to-post]

If you haven't configured Solr with TLS, you can simply do:

  $ ${SOLR_HOME}/bin/post -c [corename] [file-to-post]

=== CUT ===

I hope that helps.

I give permission to anyone on the Solr team to adapt the above
content into a TLS guide for the Solr documentation.

-chris
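As an added example that is not part of Chris's notes or of Solr, here is a Python check for the solr.in.sh settings the notes have you write. It assumes only the plain NAME=value lines shown in steps 4 to 6, applies the last-assignment-wins rule the shell uses when step 6 re-sets SOLR_SSL_TRUST_STORE after step 5, and reports what a reviewer would look at before starting the service: missing stores, passwords still set to the "whatever" placeholder, client authentication not switched on, and store files readable by everyone (the notes chmod the key store to 0640). The sample file content, the function names and the placeholder list are constructed for this example.

```python
"""Review the SOLR_SSL_* settings in an /etc/default/solr.in.sh before start-up."""
import os
import shlex
import sys
from typing import Callable, Dict, List, Optional

REQUIRED = (
    "SOLR_SSL_KEY_STORE", "SOLR_SSL_KEY_STORE_PASSWORD",
    "SOLR_SSL_TRUST_STORE", "SOLR_SSL_TRUST_STORE_PASSWORD",
)
# Values that were obviously copied from the notes (or the JKS default) rather than chosen.
PLACEHOLDERS = {"whatever", "[whatever]", "changeit"}

# Constructed sample: steps 4 to 6 of the notes pasted into one file. The
# step-6 trust store lines come after the step-5 ones, so they win.
SAMPLE_SOLR_IN_SH = """\
SOLR_JAVA_HOME=/usr/local/java-8
SOLR_HEAP="1024M"
SOLR_SSL_KEY_STORE=/etc/solr/solr.p12
SOLR_SSL_KEY_STORE_TYPE=PKCS12
SOLR_SSL_KEY_STORE_PASSWORD=whatever
# You MUST set the trust store for some reason.
SOLR_SSL_TRUST_STORE=/etc/solr/solr-server.p12
SOLR_SSL_TRUST_STORE_TYPE=PKCS12
SOLR_SSL_TRUST_STORE_PASSWORD=whatever
SOLR_SSL_NEED_CLIENT_AUTH=true
SOLR_SSL_TRUST_STORE=/etc/solr/solr-trusted-clients.p12
SOLR_SSL_TRUST_STORE_TYPE=PKCS12
SOLR_SSL_TRUST_STORE_PASSWORD=whatever
"""


def parse_solr_in_sh(text: str) -> Dict[str, str]:
    """Collect simple NAME=value assignments; a later line overrides an earlier one."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, value = line.split("=", 1)
        name = name.strip()
        if not name.isidentifier():
            continue  # not a plain shell assignment
        try:
            # shlex removes the surrounding quotes the way the shell would.
            parts = shlex.split(value, comments=True)
            settings[name] = parts[0] if parts else ""
        except ValueError:  # unbalanced quotes: keep the raw text
            settings[name] = value.strip()
    return settings


def default_mode_of(path: str) -> Optional[int]:
    """Permission bits of a file, or None if it does not exist."""
    try:
        return os.stat(path).st_mode & 0o777
    except OSError:
        return None


def audit_solr_tls(settings: Dict[str, str],
                   mode_of: Callable[[str], Optional[int]] = default_mode_of) -> List[str]:
    """Return human-readable findings; an empty list means nothing to fix."""
    findings: List[str] = []
    for key in REQUIRED:
        if not settings.get(key):
            findings.append(f"{key} is not set")
    for key in ("SOLR_SSL_KEY_STORE_PASSWORD", "SOLR_SSL_TRUST_STORE_PASSWORD"):
        if settings.get(key, "").lower() in PLACEHOLDERS:
            findings.append(f"{key} still has a placeholder value")
    if settings.get("SOLR_SSL_NEED_CLIENT_AUTH", "").lower() != "true":
        findings.append("SOLR_SSL_NEED_CLIENT_AUTH is not 'true': clients are not asked for certificates")
    for key in ("SOLR_SSL_KEY_STORE", "SOLR_SSL_TRUST_STORE"):
        path = settings.get(key)
        if not path:
            continue
        mode = mode_of(path)
        if mode is None:
            findings.append(f"{key} points to {path}, which does not exist")
        elif mode & 0o007:
            # The notes use 0640: group solr may read the store, nobody else.
            findings.append(f"{path} is readable by everyone (mode {mode:04o}); use 0640")
    return findings


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE_SOLR_IN_SH  # demo run against the constructed sample
    problems = audit_solr_tls(parse_solr_in_sh(text))
    for problem in problems:
        print("-", problem)
    print("OK" if not problems else f"{len(problems)} finding(s)")
    sys.exit(1 if problems else 0)
```

Run it as `python audit_solr_tls.py /etc/default/solr.in.sh` on the server (as a user that can stat the files in /etc/solr). Against the sample it flags the two placeholder passwords and the missing files; on a real host the file checks replace the missing-file notes with a permission verdict.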