
Configure FIPS mode in the Solr Search Engine

If you are using the Solr Search Engine, both the SM Server and SRC need to connect to the Solr Search Engine for knowledge management. For full FIPS compliance, you need to configure FIPS mode in the Solr Search Engine to enable FIPS validated TLS connections between the SM Server/SRC and the Solr Search Engine.

Enabling SSL in the Solr Search Engine

An option named SSL Enabled is available in the Knowledge Management Environment record (Knowledge Management > Administration > Environment).

Important If you are running Service Manager applications version 9.40 or 9.41, you need to load the QCCR1E128475_SM950_SM940.unl file into your system before you can use this option. This unload file is included in the Solr Search Engine installation package.

The SSL Enabled option is designed to enable SSL for the Solr Search Engine in both FIPS mode and non-FIPS mode:

  • When FIPS mode is enabled on the SM Server side (that is, fipsmode:2 is specified in the Server's sm.ini file): The SSL Enabled option is automatically selected and becomes read-only. The Solr Search Engine must use HTTPS connections in either FIPS mode or non-FIPS mode. However, the recommended best security practice is to run the Solr Search Engine in FIPS mode as well.
  • When FIPS mode is not enabled on the SM Server side (the SM Server's sm.ini file does not have the fipsmode parameter specified or have fipsmode:0 specified): If you select the SSL Enabled option, the Solr Search Engine requires HTTPS connections in non-FIPS mode and SSL must be enabled on the SM Server side; if you leave the SSL Enabled option unselected, the Solr Search Engine uses HTTP connections.
Whenever you change the state of this option, the system prompts you to log off Service Manager and then log in again so that the change takes effect.

Prerequisites

Before you proceed, make sure of the following:

  1. You have already configured the Solr Search Engine's JRE for FIPS mode. For details, see the Solr Search Engine section in Configure Java for FIPS mode.

  2. You have already generated a CA certificates file and a client keystore for each of the SRC host and Solr Search Engine host. For details, see Generate FIPS validated certificates for the SM Server and other components.

    • The CA certificates file: \certs\smcacerts.p12
    • The SRC keystore file: \key\sun-sun-<SRC host FQDN>.p12 (for example, sun-sun-srchost.mycompany.net.p12)
    • The Solr Search Engine keystore file: \key\sun-sun-<Solr Search Engine host FQDN>.p12 (for example, sun-sun-solrhost.mycompany.net.p12)

    Note This document assumes that your SRC keystore and Solr Search Engine keystore are issued by the same root CA.

  3. You have enabled FIPS mode in both the SM Server and SRC. For details, see Configure FIPS mode in the Server and Configure FIPS mode in Service Request Catalog (SRC).

Steps to configure FIPS mode in the Solr Search Engine

Follow these steps:

  1. Copy the CA certificates file and Solr Search Engine keystore file to a directory on the search engine host. For example:

    • The CA certificates file: C:/FIPS/certs/smcacerts.p12
    • The Solr Search Engine keystore: C:/FIPS/key/sun-sun-solrhost.mycompany.net.p12
  2. Add HTTPS support in the web container of the Solr Search Engine. To do this, follow these steps:

    1. Open the <Solr Search Engine installation directory>\tomcat\conf\server.xml file in a text editor.
    2. Enable the HTTPS connector.
    3. Configure the HTTPS port if the default one is already in use.
    4. Specify the keystoreFile and truststoreFile locations and their passwords.
    5. Specify the certificate type of the keystoreFile and truststoreFile as "pkcs12".
    6. Set the ciphers parameter to "TLS_RSA_WITH_AES_128_CBC_SHA".

      The following is an example:

      <Connector port="9443" protocol="org.apache.coyote.http11.Http11Protocol" maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
                 clientAuth="true" sslProtocol="TLS" keystoreFile="C:/FIPS/key/sun-sun-solrhost.mycompany.net.p12" keystorePass="clientkeystore" keystoreType="pkcs12"
                 truststoreFile="C:/FIPS/certs/smcacerts.p12" truststorePass="changeit" truststoreType="pkcs12" ciphers="TLS_RSA_WITH_AES_128_CBC_SHA" />

      Note You will need to specify this HTTPS port when configuring the search server later.

    7. Restart the Solr Search Engine.
  3. Log in to Service Manager as a system administrator, go to System Status and stop the KMUpdate background process.

    Note You need to stop this process before performing the Solr Search Engine configuration, and restart the process after the configuration is complete.

  4. Enable SSL connections for the Solr Search Engine. To do this, follow these steps:

    1. Navigate to Knowledge Management > Administration > Environment.
    2. Check that the SSL Enabled check box at the bottom of the page is selected and read-only (grayed out).

      Note When FIPS mode is enabled on the SM Server side (fipsmode:2 is specified in the sm.ini file), the Solr Search Engine is forced to use HTTPS connections.

  5. Make sure the Solr Search Engine is started.

  6. Configure the search server and specify the HTTPS port.

    The steps vary depending on whether your search server is already configured in the system. For more information about using the Solr Search Engine, see Install the Solr Search Engine.

    If your search server is not yet configured, follow these steps:

    1. From the System Navigator, navigate to Knowledge Management > Configuration > Configure Search Servers.
    2. Enter a descriptive name for the search server. For example, enter My Search Server.
    3. Click Add.

      An information dialog appears. Click OK to close the dialog.

      The search server configuration form opens.

    4. Complete the following fields:

      • Hostname: Enter the fully qualified domain name of the Solr Search Engine host.
      • Port: Enter the HTTP port of the search engine's embedded Tomcat.

      • Server Type: Select Master from the list.
      • HTTPS port: Enter the HTTPS port of the Tomcat (in this example, 9443), and then click Add.

      Caution Do not leave the Port field empty. When using HTTPS connections, the SM Server and the Solr Search Engine communicate with each other through the HTTPS protocol; however, when searching and indexing, the Solr search server receives requests from the HTTPS port but distributes the requests to the shards still through the HTTP protocol.

      The information you entered appears in the server information table. The following table shows an example.

      Primary Searcher   Hostname                 Port   Server Type   HTTPS port
      true               solrhost.mycompany.net   8080   master        9443
    5. From the System Navigator, navigate to System Status and restart the KMUpdate background process so that the process switches to the HTTPS port.

    6. Click Verify Server to verify the search server connection is successful.
    7. Continue to configure knowledgebases, and then perform a full reindex of all knowledgebases attached to the search server.

      The search server is now running in FIPS mode.

    If the search server is already configured, follow these steps:

    1. Stop the Solr Search Engine.
    2. From the System Navigator, navigate to Knowledge Management > Configuration > Configure Search Servers, and click Search.
    3. Select the search server, and click Delete Server to delete it.
    4. Follow the steps for adding a new search server as described above to add the search server back (including adding the HTTPS port).
    5. Restart the Solr Search Engine.

      The search server is now running in FIPS mode.

      Tip You do not need to perform a full reindex of the search server.
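
The following Python check audits the HTTPS connector edited in step 2 against the values this page specifies and returns the port to enter in step 6. It is an added example, not part of the product documentation; the function name audit_server_xml and the sample server.xml content are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Values from steps 2.5-2.6 and the example connector on this page.
REQUIRED = {"scheme": "https", "secure": "true", "clientAuth": "true",
            "keystoreType": "pkcs12", "truststoreType": "pkcs12",
            "ciphers": "TLS_RSA_WITH_AES_128_CBC_SHA"}
# Passwords printed in the page's example; treat them as placeholders to replace.
EXAMPLE_PASSWORDS = {"clientkeystore", "changeit"}

# Constructed sample: keystoreType left at JKS, an extra cipher, example password kept.
SAMPLE_BAD = """<Server><Service name="Catalina">
  <!-- <Connector port="8443" SSLEnabled="true" scheme="https" /> -->
  <Connector port="8080" protocol="HTTP/1.1" />
  <Connector port="9443" SSLEnabled="true" scheme="https" secure="true"
    clientAuth="true" keystoreFile="C:/FIPS/key/sun-sun-solrhost.mycompany.net.p12"
    keystorePass="clientkeystore" keystoreType="JKS"
    truststoreFile="C:/FIPS/certs/smcacerts.p12" truststorePass="set-locally"
    truststoreType="pkcs12"
    ciphers="TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA" />
</Service></Server>"""


def audit_server_xml(xml_text):
    """Return (https_port, findings) for the first SSL-enabled Connector."""
    root = ET.fromstring(xml_text)  # XML comments are skipped by the parser
    ssl = [c for c in root.iter("Connector")
           if c.get("SSLEnabled", "").lower() == "true"]
    if not ssl:
        return None, ["no enabled HTTPS connector (still commented out?)"]
    conn, findings = ssl[0], []
    for attr, want in REQUIRED.items():
        got = conn.get(attr)
        if got is None:
            findings.append(f"{attr} is missing, expected {want}")
        elif got.strip().lower() != want.lower():
            findings.append(f"{attr}={got!r}, expected {want}")
    for attr in ("keystoreFile", "truststoreFile", "keystorePass", "truststorePass"):
        if not conn.get(attr):
            findings.append(f"{attr} is not set")
        elif conn.get(attr) in EXAMPLE_PASSWORDS:
            findings.append(f"{attr} still uses the documentation example value")
    return conn.get("port"), findings


if __name__ == "__main__":
    port, findings = audit_server_xml(SAMPLE_BAD)
    print("HTTPS port to enter in step 6:", port)
    for finding in findings:
        print(" -", finding)
```

An empty findings list means the connector matches the settings in step 2; a returned port of None means the HTTPS connector was never enabled.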

Next step:

Configure FIPS mode in the Chat Server