
Enable SSL Connection for an External Standalone Solr Environment

  1. Prerequisite

    To use Solr standalone, make sure that cmdb.search.solr.standalone is set to true and that cmdb.search.solr.standalone.url points to your Solr node, for example: https://192.168.1.2:8983/solr. For details, see How to Set Up an External Standalone Solr Environment.

  2. Enable SSL for Solr Standalone

    1. On the machine where you installed Apache Solr, go to the <Solr_Install_Dir>/server/etc directory.
    2. Enter the following command to create a keystore:

      keytool -genkeypair -alias solr-ssl -keyalg RSA -keysize 2048 -keypass <your password> -storepass <your password> -validity 365 -keystore solr-ssl.keystore.jks -ext SAN=DNS:localhost,IP:XX.XX.XX.XX -dname "CN=XX.XX.XX.XX, OU=MicroFocus, O=MicroFocus, C=RO"
    3. Go to the <Solr_Install_Dir>/bin directory.
    4. Open solr.in.sh (on Linux) or solr.in.cmd (on Windows) in a text editor.
    5. Uncomment and edit the following lines so that they match your environment.

      SOLR_SSL_KEY_STORE=etc/solr-ssl.keystore.jks
      SOLR_SSL_KEY_STORE_PASSWORD=YourPassword
      SOLR_SSL_TRUST_STORE=etc/solr-ssl.keystore.jks
      SOLR_SSL_TRUST_STORE_PASSWORD=YourPassword
      SOLR_SSL_NEED_CLIENT_AUTH=false
      SOLR_SSL_WANT_CLIENT_AUTH=false
    6. Save and close the file.
    7. Restart Solr.

      To check that SSL is enabled, open the Solr admin page in a browser using the https protocol.

  3. Configure UCMDB to connect to Solr Standalone with SSL.

    To configure UCMDB to connect to Solr Standalone with SSL, import the certificate from solr-ssl.keystore.jks into the cacerts truststore located in <UCMDB_Server>/bin/jre/lib/security:

    1. Download and install KeyStore Explorer from http://keystore-explorer.org/downloads.html.
    2. Open solr-ssl.keystore.jks and export the certificate chain: right-click solr-ssl and select Export > Export Certificate Chain from the context menu.

    3. Click Browse and choose the target location where you want to export it, and then click Export.
    4. Import the solr-ssl.cer file into the cacerts truststore under the <UCMDB_Server>/bin/jre/lib/security folder.

    5. In the KeyStore Explorer, select File > Open, then go to <UCMDB_Server>/bin/jre/lib/security and open the cacerts file. The password is changeit. The list of certificates in the truststore is displayed.

    6. Click Import Trusted Certificate and select the file you exported previously, solr-ssl.cer.

      You should see the new certificate added into the list.

    7. Click Save.

      Now you have imported the certificate into the cacerts truststore.

    8. Restart UCMDB.

      Now UCMDB will connect to Solr using SSL.
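The export and import in step 3 can also be done on a server without a GUI by using keytool, which ships with the JRE. The script below is an added example, not part of the original documentation: the function names and the SOLR_KS_PASS and TRUST_PASS environment variables are assumptions, and the import is accepted only if the SHA-256 fingerprint in the truststore matches the one in the Solr keystore.

```shell
#!/usr/bin/env bash
# Added example: keytool (bundled with the JRE) in place of the GUI steps.
# Passwords come from environment variables via keytool's ":env" modifier,
# so they do not show up in the process list or in shell history.

# A SHA-256 fingerprint as keytool prints it: 32 colon-separated hex bytes.
FP_RE='([0-9A-F]{2}:){31}[0-9A-F]{2}'

# store_fingerprint KEYSTORE ALIAS PASS_ENV_VAR
# Prints the SHA-256 fingerprint of the alias's certificate, or nothing.
store_fingerprint() {
  keytool -exportcert -rfc -alias "$2" -keystore "$1" -storepass:env "$3" 2>/dev/null |
    keytool -printcert 2>/dev/null | grep -Eo "$FP_RE" | head -n 1
}

# trust_solr_cert SOLR_KEYSTORE ALIAS TRUSTSTORE
# Copies the certificate into the truststore and verifies it by fingerprint.
# Returns 0 only when the truststore entry matches the Solr keystore entry.
trust_solr_cert() {
  local want have cer rc
  want=$(store_fingerprint "$1" "$2" SOLR_KS_PASS)
  [ -n "$want" ] || { echo "cannot read alias $2 in $1" >&2; return 1; }

  have=$(store_fingerprint "$3" "$2" TRUST_PASS)
  if [ -n "$have" ] && [ "$have" != "$want" ]; then
    # Never silently replace an entry that holds a different certificate.
    echo "alias $2 already exists in $3 with another certificate" >&2
    return 1
  fi

  if [ -z "$have" ]; then
    cer=$(mktemp) || return 1
    if keytool -exportcert -rfc -alias "$2" -keystore "$1" \
               -storepass:env SOLR_KS_PASS -file "$cer" >/dev/null 2>&1 &&
       keytool -importcert -noprompt -alias "$2" -file "$cer" \
               -keystore "$3" -storepass:env TRUST_PASS >/dev/null 2>&1
    then rc=0; else rc=1; fi
    rm -f "$cer"
    [ "$rc" -eq 0 ] || { echo "keytool export/import failed" >&2; return 1; }
  fi

  [ "$(store_fingerprint "$3" "$2" TRUST_PASS)" = "$want" ]
}

# Usage (paths are placeholders):
#   export SOLR_KS_PASS='<keystore password>' TRUST_PASS=changeit
#   trust_solr_cert /path/to/solr-ssl.keystore.jks solr-ssl /path/to/cacerts
```

Restart UCMDB after the function returns 0, as in step 8.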

Note  

  • According to Apache Solr documentation, SSL connection is not supported for Solr Cloud.
  • For Solr on the same machine, the connection will remain HTTP since there is no communication across the network.