Solr TLS/SSL key alias configuration (with patch to come)

classic Classic list List threaded Threaded
4 messages Options
Reply | Threaded
Open this post in threaded view
|

Solr TLS/SSL key alias configuration (with patch to come)

Bram Van Dam
Hey folks,

Context:
There's a jetty-ssl.xml config file which configures Jetty's
SslContextFactory using properties set in solr.in.sh, but it's
incomplete for some purposes.

Problem:
I've noticed that no "certAlias" property is present. This means that
when Jetty starts, it will pick an arbitrary (based on some internal
order, I guess?) key from the keystore to use. This is fine when you're
only using your keystore for Solr and it only contains one key, but it
makes life a lot more complicated in environments where keystores are
managed and distributed to servers automagically.

When you add a key to the keystore, you can assign an alias. Jetty can
then use the key with that alias by means of its certAlias config property.

The Solr documentation [1] confusingly assigns the alias "solr-ssl" to
the key, but as far as I can tell this alias isn't actually used or
referenced anywhere else.

Solution:
I'm currently dealing with a slightly more complicated TLS setup, so I
propose I patch jetty-ssl.xml, solr.in.sh|cmd and enabling-ssl.adoc to
(optionally) use the alias? Unless someone can think of a reason why I
shouldn't do this?

I'm a bit worried that adding certAlias to jetty-ssl.xml might break
existing setups which don't use an alias, but I'm guessing that only
keystores with more than one key will be affected?

 - Bram

[1] https://lucene.apache.org/solr/guide/7_5/enabling-ssl.html


---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|

Re: Solr TLS/SSL key alias configuration (with patch to come)

Erick Erickson
There's no reason I can imagine not to open a JIRA,
basically anyone willing to create a patch has my vote!

bq. I'm a bit worried that adding certAlias to jetty-ssl.xml might break
existing setups which don't use an alias.

Probably just add a note to the upgrade section of CHANGES.txt,
unless others disagree. I confess knowing very little about the
mechanics here.

BTW, don't know if you're familiar with asciidoc but in case not I
wanted to mention that there's an IntelliJ (and, I assume Eclipse)
plugin showing you the rendering, and you can also use Atom.

Best,
Erick
On Wed, Oct 31, 2018 at 7:41 AM Bram Van Dam <[hidden email]> wrote:

>
> Hey folks,
>
> Context:
> There's a jetty-ssl.xml config file which configures Jetty's
> SslContextFactory using properties set in solr.in.sh, but it's
> incomplete for some purposes.
>
> Problem:
> I've noticed that no "certAlias" property is present. This means that
> when Jetty starts, it will pick an arbitrary (based on some internal
> order, I guess?) key from the keystore to use. This is fine when you're
> only using your keystore for Solr and it only contains one key, but it
> makes life a lot more complicated in environments where keystores are
> managed and distributed to servers automagically.
>
> When you add a key to the keystore, you can assign an alias. Jetty can
> then use the key with that alias by means of its certAlias config property.
>
> The Solr documentation [1] confusingly assigns the alias "solr-ssl" to
> the key, but as far as I can tell this alias isn't actually used or
> referenced anywhere else.
>
> Solution:
> I'm currently dealing with a slightly more complicated TLS setup, so I
> propose I patch jetty-ssl.xml, solr.in.sh|cmd and enabling-ssl.adoc to
> (optionally) use the alias? Unless someone can think of a reason why I
> shouldn't do this?
>
> I'm a bit worried that adding certAlias to jetty-ssl.xml might break
> existing setups which don't use an alias, but I'm guessing that only
> keystores with more than one key will be affected?
>
>  - Bram
>
> [1] https://lucene.apache.org/solr/guide/7_5/enabling-ssl.html
>

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|

Re: Solr TLS/SSL key alias configuration (with patch to come)

Bram Van Dam
On 31/10/2018 15:51, Erick Erickson wrote:
> Probably just add a note to the upgrade section of CHANGES.txt,
> unless others disagree. I confess knowing very little about the
> mechanics here.

Thanks for the quick feedback. Will try to do this tomorrow.

> BTW, don't know if you're familiar with asciidoc but in case not I
> wanted to mention that there's an IntelliJ (and, I assume Eclipse)
> plugin showing you the rendering, and you can also use Atom.

vim has wonderful asciidoc support as well :-)

 - Bram

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|

Re: Solr TLS/SSL key alias configuration (with patch to come)

Bram Van Dam
In reply to this post by Erick Erickson
On 31/10/2018 15:51, Erick Erickson wrote:
> There's no reason I can imagine not to open a JIRA,
> basically anyone willing to create a patch has my vote!

Done: SOLR-12953 including a patch. Decided to do this on the 7_5
branch. Merges cleanly to master as well, but we're stickign to 7.5 for
the time being.

Thanks,

 - Bram

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]