Windows SSL.Keystore and Windows TrustStore requires an empty PKCS#12 Key Store


Herbert Hackelsberger
Hi,

I managed to get Windows-MY (SSL Personal Store) and Windows-ROOT (Root CA Store) with Solr 8.0.0 to work.
How?

I enabled the following in solr.in.cmd:

set SOLR_SSL_CHECK_PEER_NAME=true
set SOLR_SSL_ENABLED=true
set SOLR_SSL_KEY_STORE=NONE
set SOLR_SSL_KEY_STORE_PASSWORD=<snip>
set SOLR_SSL_TRUST_STORE=NONE
set SOLR_SSL_TRUST_STORE_PASSWORD=<snip>
set SOLR_SSL_NEED_CLIENT_AUTH=true
set SOLR_SSL_WANT_CLIENT_AUTH=false
set SOLR_SSL_KEY_STORE_TYPE=Windows-MY
set SOLR_SSL_TRUST_STORE_TYPE=Windows-ROOT

I also edited solr.cmd in the following way:
set "SOLR_SSL_OPTS= -Djavax.net.ssl.keyStoreProvider=SunMSCAPI -Djavax.net.ssl.trustStoreProvider=SunMSCAPI"

But there is one problem:
The Microsoft Key Store is not a file-based keystore.

What happens:
Solr logs a missing keystore file "NONE".

The official documentation at
https://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/JSSERefGuide.html
tells me:

* javax.net.ssl.keyStore system property.
Note that the value NONE may be specified. This setting is appropriate if the keystore is not file-based (for example, it resides in a hardware token).

The same is valid for trustStore.

So my workaround here is to place an empty PKCS#12 keystore file called "NONE" in the \server directory, where start.jar resides.
Solr 4.4 was happy with just an empty 0 byte NONE file.

It seems to me that currently only file-based key stores work without manual workarounds.
A proper solution would be very nice for others so it can be easily configured.

When I specify null, Solr requires the keystore file to be called null.
And if no password is specified at all, you won't get it to work.

The Solr Reference Guide also lacks information here.


The solution would be, in the code, to specify null when loading the keystore file, and null for the password as well.
I found that while searching:

https://stackoverflow.com/questions/13697934/windows-keystores-and-certificates/29534497


Other software also seems to have problems with this:
https://github.com/gradle/gradle/issues/6584


It would be great to see better integration of the Windows keystore in the future, as it was very difficult to analyze and find out when you start from zero.
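The null-stream, null-password loading described in the post above, as an added Java example (not Solr's code and not a proposed patch; the class and method names are my own, and the "NONE" path convention is taken from the JSSE Reference Guide linked above):

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.util.Collections;

/** Illustrative loader that handles both file-based and OS-backed stores. */
public final class StoreLoader {

    private StoreLoader() {}

    /** True when the configured store lives in the OS, not on disk. */
    static boolean isNonFileStore(String type, String path) {
        return "NONE".equalsIgnoreCase(path)
            || "Windows-MY".equalsIgnoreCase(type)
            || "Windows-ROOT".equalsIgnoreCase(type);
    }

    /**
     * @param type     e.g. "PKCS12", "Windows-MY", "Windows-ROOT"
     * @param path     file path, or "NONE" for a provider-backed store
     * @param password may be null; ignored by the SunMSCAPI stores
     */
    static KeyStore load(String type, String path, char[] password)
            throws GeneralSecurityException, IOException {
        KeyStore ks = KeyStore.getInstance(type);
        if (isNonFileStore(type, path)) {
            // No file and no password: SunMSCAPI reads the certificate
            // store through the Windows CryptoAPI, so nothing is opened
            // on disk and no dummy "NONE" file is needed.
            ks.load(null, null);
            return ks;
        }
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    public static void main(String[] args) throws Exception {
        // Requires a Windows JDK that registers the SunMSCAPI provider.
        KeyStore my = load("Windows-MY", "NONE", null);
        KeyStore root = load("Windows-ROOT", "NONE", null);
        System.out.println("Windows-MY entries:   " + my.size());
        System.out.println("Windows-ROOT entries: " + root.size());
        for (String alias : Collections.list(root.aliases())) {
            System.out.println("  " + alias);
        }
    }
}
```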


Re: Windows SSL.Keystore and Windows TrustStore requires an empty PKCS#12 Key Store

Jan Høydahl / Cominvent
Hi,

Thanks for your proposal. I think it warrants a new JIRA issue as a feature request.
Patches to both code and documentation are highly welcome!

--
Jan Høydahl, search solution architect
Cominvent AS - www.cominvent.com

> On 5 Apr 2019 at 10:53, Herbert Hackelsberger <[hidden email]> wrote: