Windows SSL.Keystore and Windows TrustStore requires an empty PKCS#12 Key Store
I managed to get Windows-MY (SSL Personal Store) and Windows-ROOT (Root CA Store) with Solr 8.0.0 to work.
I enabled the following in solr.in.cmd:
set SOLR_SSL_CHECK_PEER_NAME=true
set SOLR_SSL_ENABLED=true
set SOLR_SSL_KEY_STORE=NONE
set SOLR_SSL_KEY_STORE_PASSWORD=<snip>
set SOLR_SSL_TRUST_STORE=NONE
set SOLR_SSL_TRUST_STORE_PASSWORD=<snip>
set SOLR_SSL_NEED_CLIENT_AUTH=true
set SOLR_SSL_WANT_CLIENT_AUTH=false
set SOLR_SSL_KEY_STORE_TYPE=Windows-MY
set SOLR_SSL_TRUST_STORE_TYPE=Windows-ROOT
I also edited solr.cmd in the following way:
set "SOLR_SSL_OPTS= -Djavax.net.ssl.keyStoreProvider=SunMSCAPI -Djavax.net.ssl.trustStoreProvider=SunMSCAPI"
But there is one problem:
The Microsoft Key Store is not a file-based Keystore.
SOLR logs a missing KEYSTORE File "NONE"
Re: Windows SSL.Keystore and Windows TrustStore requires an empty PKCS#12 Key Store
Thanks for your proposal. I think it warrants a new JIRA issue as a feature request.
Patches to both code and documentation are highly welcome!
Jan Høydahl, search solution architect
Cominvent AS - www.cominvent.com
> On 5 Apr 2019, at 10:53, Herbert Hackelsberger <[hidden email]> wrote:
> I managed to get Windows-MY (SSL Personal Store) and Windows-ROOT (Root CA Store) with Solr 8.0.0 to work.
> I enabled the following in solr.in.cmd:
> set SOLR_SSL_CHECK_PEER_NAME=true
> set SOLR_SSL_ENABLED=true
> set SOLR_SSL_KEY_STORE=NONE
> set SOLR_SSL_KEY_STORE_PASSWORD=<snip>
> set SOLR_SSL_TRUST_STORE=NONE
> set SOLR_SSL_TRUST_STORE_PASSWORD=<snip>
> set SOLR_SSL_NEED_CLIENT_AUTH=true
> set SOLR_SSL_WANT_CLIENT_AUTH=false
> set SOLR_SSL_KEY_STORE_TYPE=Windows-MY
> set SOLR_SSL_TRUST_STORE_TYPE=Windows-ROOT
> I also edited solr.cmd in the following way:
> set "SOLR_SSL_OPTS= -Djavax.net.ssl.keyStoreProvider=SunMSCAPI -Djavax.net.ssl.trustStoreProvider=SunMSCAPI"
> But there is one problem:
> The Microsoft Key Store is not a file-based Keystore.
> What happens:
> SOLR logs a missing KEYSTORE File "NONE"
> The official documentation at
> https://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/JSSERefGuide.html tells me:
> * javax.net.ssl.keyStore system property.
> Note that the value NONE may be specified. This setting is appropriate if the keystore is not file-based (for example, it resides in a hardware token)
> The same is valid for trustStore.
> So my workaround here is to place an empty PKCS#12 keystore File called "NONE" in the \server directory, where start.jar resides.
> Solr 4.4 was happy with just an empty 0 byte NONE file.
> It seems to me that currently only file-based key stores work without manual workarounds.
> A proper solution would be very nice for others so it can be easily configured.
> When I specify null, Solr requires the keystore file to be called null.
> And if no password is specified at all, you won't get it to work.
> The Solr Reference Guide also lacks information here.
> The solution would be in the code to specify null when loading the keystore file, and password also null.
> I found that while searching:
> https://stackoverflow.com/questions/13697934/windows-keystores-and-certificates/29534497
> Other software also seems to have problems with this:
> https://github.com/gradle/gradle/issues/6584
> It would be great to see better integration of the Windows keystore in the future, as it was very difficult to analyze and find out when you start from zero.
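The fix the original poster asks for, as an added illustration that is my own code and not Solr's: a loader that treats the JSSE sentinel value "NONE" as "this store is not a file" and calls KeyStore.load(null, null) for it, while still opening the file and passing the password for a PKCS#12 or JKS store. The class name, method names and the defaults in main() are assumptions made for the example; the javax.net.ssl.* property names are the standard JSSE ones. On a non-Windows JVM, or without the SunMSCAPI provider, KeyStore.getInstance("Windows-MY") throws KeyStoreException, so the example only runs to completion on Windows.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.util.Collections;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/**
 * Example (not Solr code): load a file-based or a provider-backed keystore
 * (Windows-MY / Windows-ROOT via SunMSCAPI) and build an SSLContext from it.
 */
public final class SslStoreLoader {

    /** Value the JSSE reference guide documents for stores that are not files. */
    static final String NONE = "NONE";

    static boolean isFileless(String location) {
        return location == null || NONE.equals(location);
    }

    /**
     * For a file-based store open the file and pass the password.
     * For a fileless store pass null for both stream and password; passing the
     * string "NONE" to FileInputStream is exactly what produces the
     * missing-keystore-file error described in the post.
     */
    static KeyStore loadStore(String type, String location, char[] password)
            throws GeneralSecurityException, IOException {
        KeyStore ks = KeyStore.getInstance(type);
        if (isFileless(location)) {
            ks.load(null, null);
        } else {
            try (InputStream in = new FileInputStream(location)) {
                ks.load(in, password);
            }
        }
        return ks;
    }

    /** Builds a TLS context; keyPassword must be null for a SunMSCAPI store. */
    static SSLContext buildContext(KeyStore keyStore, char[] keyPassword, KeyStore trustStore)
            throws GeneralSecurityException {
        KeyManagerFactory kmf =
                KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keyStore, keyPassword);

        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Defaults mirror the poster's solr.in.cmd settings (assumed for the example);
        // override with -Djavax.net.ssl.keyStore=... etc. to test a PKCS#12 file.
        String ksType = System.getProperty("javax.net.ssl.keyStoreType", "Windows-MY");
        String ksPath = System.getProperty("javax.net.ssl.keyStore", NONE);
        String tsType = System.getProperty("javax.net.ssl.trustStoreType", "Windows-ROOT");
        String tsPath = System.getProperty("javax.net.ssl.trustStore", NONE);
        String ksPassProp = System.getProperty("javax.net.ssl.keyStorePassword");
        String tsPassProp = System.getProperty("javax.net.ssl.trustStorePassword");
        char[] ksPass = ksPassProp == null ? null : ksPassProp.toCharArray();
        char[] tsPass = tsPassProp == null ? null : tsPassProp.toCharArray();

        KeyStore keyStore = loadStore(ksType, ksPath, ksPass);
        KeyStore trustStore = loadStore(tsType, tsPath, tsPass);

        // An empty key store means no server certificate will be presented; make that visible.
        int keyEntries = Collections.list(keyStore.aliases()).size();
        int trustEntries = Collections.list(trustStore.aliases()).size();
        System.out.println(ksType + " entries: " + keyEntries + ", "
                + tsType + " entries: " + trustEntries);

        SSLContext ctx = buildContext(keyStore, isFileless(ksPath) ? null : ksPass, trustStore);
        System.out.println("SSLContext ready: " + ctx.getProtocol());
    }
}
```

Run it on the Windows host as a user whose Personal store holds the server certificate with its private key; with the defaults it loads Windows-MY and Windows-ROOT without touching the file system, and with -Djavax.net.ssl.keyStore=server.p12 -Djavax.net.ssl.keyStoreType=PKCS12 -Djavax.net.ssl.keyStorePassword=... it takes the file-based path instead. The entry counts are worth checking before going further: a zero-entry key store is the symptom of the empty-"NONE"-file workaround from the post being picked up as a real PKCS#12 store.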