ImportantLucidworks recommends not virus scanning the fusion/data folder. Virus scanning can cause slow performance, and it can cause downtime if it quarantines an index file identified as a possible virus.
Fusion uses a number of security measures:
  • Authenticating UI users – Fusion authenticates users when they log in. Logging in creates a new Fusion session. Fusion also authenticates users when the Sessions REST API creates a session.
  • Authorizing UI users – Fusion authorizes users to use specific parts of the Fusion UI.
    UI users must also be authorized to make API requests, because the UI makes API requests.
  • Audit trail (log) with USERID generated for all successful and failed login attempts. Audit logs are sent to a Solr collection system logs. These logs are distinguished from other system logs in the collection by the following attribute:
    • logger_class_s:"com.lucidworks.cloud.gateway.audit"
  • Authenticating and authorizing users who make API requests
  • Password Encryption- Fusion uses 128-bit AES keys to encrypt passwords and “AES/CBC/PKCS7Padding” for the cipher. The ciphertext is also signed.
  • Using session cookies
  • Using an external authentication provider (optional) - A security realm can specify use of an external authentication provider, such as LDAP, JWT, or SAML.
  • Using SSL/TLS to ensure that data in flight between your application and Fusion is not observable (optional) - See SSL Security (Unix) or SSL Security (Windows).
  • Constraining the documents that are indexed (optional)
  • Trimming the documents that are returned by queries based on authorization (optional)
Fusion’s UI (which is accessed through the Fusion Proxy service) can run over SSL for secure communication with any HTTP client, using the Java Secure Socket Extension (JSSE) framework. You configure Fusion for SSL by configuring Fusion’s Proxy and UI services.
Fusion 4.0.2 or later is required to enable SSL security. Version 4.0.2 fixed a bug in the authentication proxy that incorrectly redirected some requests when SSL is enabled.

Required software

Configuring Fusion for SSL requires the following software:
  • Java Development Kit. To store certificates, you can use the Java keytool Key and Certificate Management utility which is a part of the JDK. The JDK is also a requirement for Fusion Server.
  • OpenSSL. You might need the openssl command line tool:
    • If you have the certificate chain and private key as separate files, then you can use the openssl command line tool to create a PKCS #12 file.
    • If you have an intermediate CA certificate, then you can use it and openssl to generate the certificate chain and private key files.

Load an SSL certificate into a Fusion keystore

The SSL protocol is based on public-key cryptography where encryption keys come in public key/private key pairs. An SSL certificate is used to verify the authenticity of a particular server. It contains the web site name, contact email address, company information and the public key used to encrypt the communication which is shared with the entities that communicate with the owner of the public/private key pair.The server has a locally-protected private key that is accessible via a JSEE keystore.The keystore maintains both the server certificate and the private key, so that when a server authenticates itself to the client, it uses the private key from its keystore for the initial SSL handshake.Load the certificate into a Fusion keystore. Perform the tasks in the appropriate section:
  • Self-signed certificate. If Fusion is behind a firewall, you can use a self-signed certificate for SSL communication with other hosts in your internal network. Create a keystore for the Fusion Proxy service and load the keystore with the self-signed PKCS #12 certificate.
  • Certificate signed by a certificate authority. In a production environment, SSL certificates typically originate with certificate signing requests (CSRs) and are signed by a trusted third-party Certificate Authority (CA). Create a keystore for the Fusion Proxy service and load the keystore with the PKCS #12 certificate from a CA.

Alternative 1: Self-signed certificate

If you are using a CSR-originated certificate from a trusted certificate authority, proceed to Alternative 2: CA-signed certificate.
If Fusion is behind a firewall, you can use a self-signed certificate for SSL communication with other hosts in your internal network. Create a keystore for the Fusion Proxy service and load the keystore with the self-signed PKCS #12 certificate.To store certificates, you can use the Java keytool Key and Certificate Management utility which is a part of the JDK.How to create a keystore and load a self-signed certificate
  1. Set environment variables: 
    export JAVA_HOME=JavaHomeDirectory
export FUSION_HOME=FusionHomeDirectory
    For example, in Fusion 4.1: 
    export JAVA_HOME=/usr/java/jdk1.8.0_171
export FUSION_HOME=/opt/lucidworks/fusion/4.1.2
    In Fusion 4.0.x: 
    export JAVA_HOME=/usr/java/jdk1.8.0_171
export FUSION_HOME=/opt/lucidworks/fusion/4.0.2
  2. Create the Fusion Proxy service keystore, generate the key pair and self-signed certificate, and load them into the keystore: 
    "$JAVA_HOME/bin/keytool" -genkeypair -keystore "$FUSION_HOME/apps/jetty/proxy/etc/keystore" -dname "CN=CommonName, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown" -keypass KeyPassword -storepass KeystorePassword -keyalg RSA -alias selfsigned -deststoretype pkcs12 -ext SAN=dns:ServerFqdn,ip:ServerIpAddress
    You must include the qualified domain name and/or the IP address of the Fusion server in the -ext SAN part of the command. Failure to do so results in SSL validation errors.
    Example command: 
    "$JAVA_HOME/bin/keytool" -genkeypair -keystore "$FUSION_HOME/apps/jetty/proxy/etc/keystore" -dname "CN=search.mycorp, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown" -keypass 59Winter.Is.Long45 -storepass 46I.Prefer.Vanilla24 -keyalg RSA -alias selfsigned -deststoretype pkcs12 -ext SAN=dns:search.mycorp,ip:192.168.1.40,dns:localhost
The resulting certificate enables validated SSL transport to these hosts:
https://search.mycorp:ProxyPort
https://192.168.1.40:ProxyPort
https://localhost:ProxyPort
Where ProxyPort is the Fusion Proxy port.

Alternative 2: CA-signed certificate

If Fusion is behind a firewall and you are using a self-signed certificate, skip this section. Perform the tasks in Alternative 1: Self-signed certificate.
In a production environment, SSL certificates typically originate with certificate signing requests (CSRs) and are signed by a trusted third-party Certificate Authority (CA).The steps here assume that you are the person who will be obtaining the SSL certificate chain and private key files. If you are not that person, contact your system administrator.

Preliminary steps

  1. Obtain a domain from a domain registrar.
  2. Change the A record of your domain to the public IP address of your web server instance.

Generate SSL certificate files

Use an SSL certificate provider to generate the certificate chain and private key files, or a PKCS #12 certificate, from a trusted CA:
  • Certificate chain and private key files. In this case, you will need to convert these files into a single certificate file in PKCS #12 format.
  • A PKCS #12 certificate. This must contain both the certificate chain and private key. In this case, no conversion is necessary.
How to obtain certificate files
  1. In most cases, you will need to temporarily open ports 80 and 443 in your firewall configuration. The SSL certificate provider must be able to make successful HTTP and HTTPS requests to your server through the Domain Name System (DNS).
  2. Use an SSL certificate provider to generate the certificate chain (fullchain.pem) and private key (privkey.pem) files, or the PKCS #12 certificate, from a trusted CA. Steps will vary based on the certificate provider. Contact your certificate provider for details.
  3. Close ports 80 and 443 in your firewall configuration.
  4. Change the A record of your domain to the public domain-name address of your web server instance.
Proceed to the next sections as follows:

Convert the certificate chain and private key files to a PKCS #12 certificate

If you have a PKCS #12 certificate, skip this section and proceed to the section Import the PKCS #12 certificate into the Fusion Proxy service keystore.
With the certificate chain and private key as separate files, use the openssl command line tool in OpenSSL to create a PKCS #12 certificate.
openssl pkcs12 -export -out /path/to/keystore.p12 -in /path/to/fullchain.pem -inkey /path/to/privkey.pem
Do not enter a blank password.

Create the Fusion Proxy service keystore and import the PKCS #12 certificate

Use the Java keytool Key and Certificate Management utility to create a keystore for the Fusion Proxy service ($FUSION_HOME/apps/jetty/proxy/etc/keystore) and import the PKCS #12 certificate file. Fusion uses this certificate to perform SSL.
  1. To create the keystore and import the PKCS #12 certificate:
  2. Use the keytool import command to create a JSSE keystore. 
    keytool -importkeystore -srckeystore /path/to/keystore.p12 -srcstoretype PKCS12 -destkeystore "$FUSION_HOME/apps/jetty/proxy/etc/keystore" -deststoretype PKCS12
  3. (Optional) If desired, delete the PKCS #12 certificate file that resides outside of the Fusion Proxy service keystore (the one you created from the certificate chain and private key files, or obtained from a trusted CA. 
    rm /path/to/keystore.p12

Enable HTTPS in the Fusion Proxy service

Before beginning these steps, load an SSL certificate into a Fusion keystore.How to enable HTTPS in the Fusion Proxy service:
  1. (Only for Fusion Server 4.0.x and 4.1.0) Prevent the start.jar program from downloading a default keystore file, which is not needed. Edit $FUSION_HOME/apps/jetty/home/modules/ssl.mod. Comment out the indicated line using #. Change: 
    [files]
https://raw.githubusercontent.com/eclipse/jetty.project/master/jetty-server/src/test/config/etc/keystore?id=${jetty.tag.version}|etc/keystore
    To: 
    [files]
# https://raw.githubusercontent.com/eclipse/jetty.project/master/jetty-server/src/test/config/etc/keystore?id=${jetty.tag.version}|etc/keystore
  2. Set environment variables: 
    export JAVA_HOME=JavaHomeDirectory
export FUSION_HOME=FusionHomeDirectory
    For example, in Fusion 4.1: 
    export JAVA_HOME=/usr/java/jdk1.8.0_171
export FUSION_HOME=/opt/lucidworks/fusion/4.1.2
    In Fusion 4.0: 
    export JAVA_HOME=/usr/java/jdk1.8.0_171
export FUSION_HOME=/opt/lucidworks/fusion/4.0.2
  3. Add HTTPS protocol support to the Jetty TLS (SSL) connector: 
    cd "$FUSION_HOME/apps/jetty/proxy/"
java -jar "$FUSION_HOME/apps/jetty/home/start.jar" --add-to-start=https
    Example output: 
    INFO: ssl             initialized (transitively) in ${jetty.base}/start.ini
INFO: https           initialized in ${jetty.base}/start.ini
INFO: Base directory was modified
  4. Get the obfuscated version of your keystore password: 
    java -cp "$FUSION_HOME/apps/jetty/home/lib/*" org.eclipse.jetty.util.security.Password PASSWORD
    Replace PASSWORD with the password you used for the keystore. If the password contains special characters, URL encode them. Example output: 
    2018-05-15 12:32:48.988:INFO::main: Logging initialized @133ms
password345XYZ
OBF:1vn21ugu1saj1v9i1v941sar1ugw1vo0
MD5:b91cd1a54781790beaa2baf741fa6789
  5. Edit the file $FUSION_HOME/apps/jetty/proxy/start.ini:
    1. Include obfuscated passwords by adding these properties to the end of the file: 
      * `jetty.sslContext.keyStorePassword`
* `jetty.sslContext.keyManagerPassword`
* `jetty.sslContext.trustStorePassword`
    2. Use the OBF-encrypted password from step 4 (including the OBF: string) as the value for all three of the properties.
      For example:       
      ## Keystore password
jetty.sslContext.keyStorePassword=OBF:2uha1vgt1jg01a4b1a4j1jda1vg11ugg

...

## KeyManager password
jetty.sslContext.keyManagerPassword=OBF:2uha1vgt1jg01a4b1a4j1jda1vg11ugg

## Truststore password
jetty.sslContext.trustStorePassword=OBF:2uha1vgt1jg01a4b1a4j1jda1vg11ugg
    3. Set the local SSL port by adding the jetty.ssl.port property to the end of the file, and providing the port number. For example: 
      ## Connector port to listen on
jetty.ssl.port=8443
    4. Save the file $FUSION_HOME/apps/jetty/proxy/start.ini.

Restart Fusion and test access through HTTPS

  1. Restart all Fusion services: 
    ./bin/fusion restart
    HTTPS should now be enabled in the Fusion Proxy service.
  2. Sign in to the Fusion UI. Specify the HTTPS URL scheme and SSL port, for example, https://search.mycorp:8443.

Disable HTTP access to the Fusion Proxy service

Disable HTTP access. You have a choice. Perform the tasks in the appropriate section:

Alternative 1: Disable HTTP access on the firewall or load balancer

Disable HTTP access to the Fusion Proxy service on the firewall or load balancer:
  1. Disallow all requests for port 8764 from the outside world. Only localhost should be able to communicate with Fusion on the non-SSL port 8764. Block all other requestors.
  2. If you are using a firewall or load balancer in front of Fusion, use it to redirect all HTTP requests to use HTTPS instead. For example, Apache would redirect all incoming HTTP traffic to HTTPS.

Alternative 2: Disable listening for HTTP requests in the Fusion Proxy service

Ideally, you should disable HTTP access using the firewall or load balancer. Follow the steps in this section only if disabling HTTP access on the firewall or load balancer is not feasible.
You can only use this alternative if your SSL certificate covers a hostname that can be accessed from the local host. For example, if your certificate only covers https://fusion.com, then your local machine must be able to access Fusion from that exact host. If necessary, change the hosts file so that this can work.How to disable HTTP
  1. Edit /opt/lucidworks/fusion/latest.x/apps/jetty/proxy/start.d/http.ini.
    1. Change this line: 
      --module=http
      To: 
      #--module=http
    2. Save the file.
  2. Edit the Fusion configuration file, /opt/lucidworks/fusion/latest.x/conf/fusion.cors (fusion.properties in Fusion 4.x).
    1. Ensure that the Agent JVM uses the Fusion Proxy service’s keystore by adding this to the end of the file: 
      agent.jvmOptions=-Djavax.net.ssl.trustStore="${FUSION_HOME}/apps/jetty/proxy/etc/keystore" -Djavax.net.ssl.trustStorePassword=PASSWORD -Djavax.net.ssl.keyStore="${FUSION_HOME}/apps/jetty/proxy/etc/keystore" -Djavax.net.ssl.keyStorePassword=PASSWORD
      Replace PASSWORD with your Fusion keystore password.
    2. Uncomment the default.address and change it to the hostname of the server that is validated by your SSL certificate.
      If the hostname saved in default.address is not validated by your SSL certificate, then the Fusion Proxy service will not start, because the agent’s liveness detector will not be able to access the HTTPS port to determine whether Fusion is running.
      If you self-signed the certificate, then the default.address must match the hostname you specified while signing the certificate. Failure to do this will result in the Fusion Proxy service not starting after you have disabled HTTP.
      For example, if your SSL certificate’s validated hostname is search.mycorp, then change: 
      #default.address = 127.0.0.1
      To: 
      default.address = search.mycorp
    3. Change the proxy.port to the SSL port you chose.
    4. Uncomment proxy.ssl and change its value to true. Change: 
      # proxy.ssl=false
      To: 
      proxy.ssl=true
Stopping and starting Fusion is needed for these changes to take effect. But there is a bit more to do concerning the Fusion Agent before restarting Fusion.

References and tutorials

Fusion’s UI (which is accessed through the Fusion Proxy service) can run over SSL for secure communication with any HTTP client, using the Java Secure Socket Extension (JSSE) framework. You configure Fusion for SSL by configuring Fusion’s Proxy and UI services.
Fusion 4.0.2 or later is required to enable SSL security. Version 4.0.2 fixed a bug in the authentication proxy that incorrectly redirected some requests when SSL is enabled.

Required software

Configuring Fusion for SSL requires the following software:
  • Java Development Kit. To store certificates, you can use the Java keytool Key and Certificate Management utility which is a part of the JDK. The JDK is also a requirement for Fusion Server.
  • OpenSSL. You might need the openssl command line tool:
    • If you have the certificate chain and private key as separate files, then you can use the openssl command line tool to create a PKCS #12 file.
    • If you have an intermediate CA certificate, then you can use it and openssl to generate the certificate chain and private key files.

Overview of procedure

How to configure Fusion for SSL:
  1. Load an SSL certificate into a Fusion keystore.
  2. Enable SSL in the Fusion Proxy service.
  3. Restart Fusion and test access through HTTPS.
  4. Disable HTTP access to the Fusion Proxy service.

Load an SSL certificate into a Fusion keystore

The SSL protocol is based on public-key cryptography where encryption keys come in public key/private key pairs. An SSL certificate is used to verify the authenticity of a particular server. It contains the web site name, contact email address, company information and the public key used to encrypt the communication which is shared with the entities that communicate with the owner of the public/private key pair.The server has a locally-protected private key that is accessible via a JSEE keystore.The keystore maintains both the server certificate and the private key, so that when a server authenticates itself to the client, it uses the private key from its keystore for the initial SSL handshake.Load the certificate into a Fusion keystore. Perform the tasks in the appropriate section:
  • Self-signed certificate. If Fusion is behind a firewall, you can use a self-signed certificate for SSL communication with other hosts in your internal network. Create a keystore for the Fusion Proxy service and load the keystore with the self-signed PKCS #12 certificate.
  • Certificate signed by a certificate authority. In a production environment, SSL certificates typically originate with certificate signing requests (CSRs) and are signed by a trusted third-party Certificate Authority (CA). Create a keystore for the Fusion Proxy service and load the keystore with the PKCS #12 certificate from a CA.

Alternative 1: Self-signed certificate

If you are using a CSR-originated certificate from a trusted certificate authority, proceed to Alternative 2: CA-signed certificate.
If Fusion is behind a firewall, you can use a self-signed certificate for SSL communication with other hosts in your internal network. Create a keystore for the Fusion Proxy service and load the keystore with the self-signed PKCS #12 certificate.To store certificates, you can use the Java keytool Key and Certificate Management utility which is a part of the JDK.How to create a keystore and load a self-signed certificate
  1. Set environment variables: 
    set JAVA_HOME=JavaHomeDirectory
set FUSION_HOME=FusionHomeDirectory
  2. Create the Fusion Proxy service keystore, generate the key pair and self-signed certificate, and load them into the keystore: 
    "%JAVA_HOME%\bin\keytool.exe" -genkeypair -keystore "%FUSION_HOME%\apps\jetty\proxy\etc\keystore" -dname "CN=CommonName, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown" -keypass KeyPassword -storepass KeystorePassword -keyalg RSA -alias selfsigned -deststoretype pkcs12 -ext SAN=dns:ServerFqdn,ip:ServerIpAddress
    You must include the qualified domain name and/or the IP address of the Fusion server in the -ext SAN part of the command. Failure to do so results in SSL validation errors.
    Example command: 
    "%JAVA_HOME%\bin\keytool.exe" -genkeypair -keystore "%FUSION_HOME%\apps\jetty\proxy\etc\keystore" -dname "CN=CommonName, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown" -keypass 59Winter.Is.Long45 -storepass 46I.Prefer.Vanilla24 -keyalg RSA -alias selfsigned -deststoretype pkcs12 -ext SAN=dns:search.mycorp,ip:192.168.1.40,dns:localhost
    The resulting certificate enables validated SSL transport to these hosts: 
https://search.mycorp:ProxyPort
https://192.168.1.40:ProxyPort
https://localhost:ProxyPort
Where ProxyPort is the Fusion Proxy port.

Alternative 2: CA-signed certificate

If Fusion is behind a firewall and you are using a self-signed certificate, skip this section. Perform the tasks in Alternative 1: Self-signed certificate.
In a production environment, SSL certificates typically originate with certificate signing requests (CSRs) and are signed by a trusted third-party Certificate Authority (CA).The steps here assume that you are the person who will be obtaining the SSL certificate chain and private key files. If you are not that person, contact your system administrator.

Preliminary steps

  1. Obtain a domain from a domain registrar.
  2. Change the A record of your domain to the public IP address of your web server instance.

Generate SSL certificate files

Use an SSL certificate provider to generate the certificate chain and private key files, or a PKCS #12 certificate, from a trusted CA:
  • Certificate chain and private key files. In this case, you will need to convert these files into a single certificate file in PKCS #12 format.
  • A PKCS #12 certificate that contains both the certificate chain and private key. In this case, no conversion is necessary.
How to obtain certificate files
  1. In most cases, you will need to temporarily open ports 80 and 443 in your firewall configuration. The SSL certificate provider must be able to make successful HTTP and HTTPS requests to your server through the Domain Name System (DNS).
  2. Use an SSL certificate provider to generate the certificate chain (fullchain.pem) and private key (privkey.pem) files, or the PKCS #12 certificate, from a trusted CA. Steps will vary based on the certificate provider. Contact your certificate provider for details.
  3. Close ports 80 and 443 in your firewall configuration.
  4. Change the A record of your domain to the public domain-name address of your web server instance.
Proceed to the next sections as follows:

Convert the certificate chain and private key files to a PKCS #12 certificate

If you have a PKCS #12 certificate, skip this section and proceed to the section Import the PKCS #12 certificate into the Fusion Proxy service keystore.
How to create a PKCS #12 certificateWith the certificate chain and private key as separate files, use the openssl command line tool in OpenSSL to create a PKCS #12 certificate.
openssl pkcs12 -export -out \path\to\keystore.p12 -in \path\to\fullchain.pem -inkey \path\to\privkey.pem
Do not enter a blank password.

Create the Fusion Proxy service keystore and import the PKCS #12 certificate

Use the Java keytool Key and Certificate Management utility to create a keystore for the Fusion Proxy service (%FUSION_HOME%\apps\jetty\proxy\etc\keystore) and import the PKCS #12 certificate file. Fusion uses this certificate to perform SSL.
If you are starting with a certificate file in PFX format (file extension .pfx), that format is now identical to PKCS #12 format.
  1. To create the keystore and import the PKCS #12 certificate: 
    "%JAVA_HOME%\bin\keytool.exe" -genkeypair -alias mykeystore -keyalg RSA -keysize 2048 -keystore keystore.jks

"%JAVA_HOME%\bin\keytool.exe" -importkeystore -srckeystore mycertificate.p12 -srcstoretype PKCS12 -destkeystore keystore.jks
  2. Use the keytool import command to create a JSSE keystore. 
    keytool -importkeystore -srckeystore \path\to\keystore.p12 -srcstoretype PKCS12 -destkeystore "%FUSION_HOME%\apps\jetty\proxy\etc\keystore" -deststoretype PKCS12
  3. (Optional) If desired, delete the PKCS #12 certificate file that resides outside of the Fusion Proxy service keystore (the one you created from the certificate chain and private key files, or obtained from a trusted CA. 
    del \path\to\keystore.p12

Enable HTTPS in the Fusion Proxy service

Before beginning these steps, load an SSL certificate into a Fusion keystore.How to enable HTTPS in the Fusion Proxy service:
  1. Set environment variables: 
    set JAVA_HOME=JavaHomeDirectory
set FUSION_HOME=FusionHomeDirectory
  2. Add HTTPS protocol support to the Jetty TLS (SSL) connector: 
    cd "%FUSION_HOME%\apps\jetty\proxy\"
java -jar "%FUSION_HOME%\apps\jetty\home\start.jar" --add-to-start=https
    Example output: 
    INFO: ssl             initialized (transitively) in ${jetty.base}/start.ini
INFO: https           initialized in ${jetty.base}/start.ini
INFO: Base directory was modified
  3. Get the obfuscated version of your keystore password: 
    java -cp "$FUSION_HOME/apps/jetty/home/lib/*" org.eclipse.jetty.util.security.Password PASSWORD
    Replace PASSWORD with the password you used for the keystore. If the password contains special characters, URL encode them. Example output: 
    2018-05-15 12:32:48.988:INFO::main: Logging initialized @133ms
password345XYZ
OBF:1vn21ugu1saj1v9i1v941sar1ugw1vo0
MD5:b91cd1a54781790beaa2baf741fa6789
  4. Edit the file %FUSION_HOME%\apps\jetty\proxy\start.ini:
    1. Include obfuscated passwords by adding these properties to the end of the file:
      • jetty.sslContext.keyStorePassword
      • jetty.sslContext.keyManagerPassword
      • jetty.sslContext.trustStorePassword
    2. Use the OBF-encrypted password from step 4 (including the OBF: string) as the value for all three of the properties.
      For example:       
      ## Keystore password
jetty.sslContext.keyStorePassword=OBF:2uha1vgt1jg01a4b1a4j1jda1vg11ugg

...

## KeyManager password
jetty.sslContext.keyManagerPassword=OBF:2uha1vgt1jg01a4b1a4j1jda1vg11ugg

## Truststore password
jetty.sslContext.trustStorePassword=OBF:2uha1vgt1jg01a4b1a4j1jda1vg11ugg
    3. Set the local SSL port by adding the jetty.ssl.port property to the end of the file, and providing the port number. For example: 
      ## Connector port to listen on
jetty.ssl.port=8443
    4. Save the file %FUSION_HOME%\apps\jetty\proxy\start.ini.

Restart Fusion and test access through HTTPS

  1. Restart all Fusion services: 
    bin\fusion.cmd restart
    HTTPS should now be enabled in the Fusion Proxy service.
  2. Sign in to the Fusion UI. Specify the HTTPS URL scheme and SSL port, for example, https://search.mycorp:8443.

Disable HTTP access to the Fusion Proxy service

Disable HTTP access. You have a choice. Perform the tasks in the appropriate section:

Alternative 1: Disable HTTP access on the firewall or load balancer

Disable HTTP access to the Fusion Proxy service on the firewall or load balancer:
  1. Disallow all requests for port 8764 from the outside world. Only localhost should be able to communicate with Fusion on the non-SSL port 8764. Block all other requestors.
  2. If you are using a firewall or load balancer in front of Fusion, use it to redirect all HTTP requests to use HTTPS instead. For example, Apache would redirect all incoming HTTP traffic to HTTPS.

Alternative 2: Disable listening for HTTP requests in the Fusion Proxy service

Ideally, you should disable HTTP access using the firewall or load balancer. Follow the steps in this section only if disabling HTTP access on the firewall or load balancer is not feasible.
You can only use this alternative if your SSL certificate covers a hostname that can be accessed from the local host. For example, if your certificate only covers https://fusion.com, then your local machine must be able to access Fusion from that exact host. If necessary, change the hosts file so that this can work.How to disable HTTP
  1. Edit \lucidworks\fusion\latest.x\apps\jetty\proxy\start.d\http.ini.
    1. Change this line: 
      --module=http
      To: 
      #--module=http
    2. Save the file.
  2. Edit the Fusion configuration file, \lucidworks\fusion\latest.x\conf\fusion.cors (fusion.properties in Fusion 4.x).
    1. Ensure that the Agent JVM uses the Fusion Proxy service’s keystore by adding this to the end of the file: 
      agent.jvmOptions=-Djavax.net.ssl.trustStore="%{FUSION_HOME}%\\apps\\jetty\\proxy\\etc\\keystore" -Djavax.net.ssl.trustStorePassword=PASSWORD -Djavax.net.ssl.keyStore="%{FUSION_HOME}%\\apps\\jetty\\proxy\\etc\\keystore" -Djavax.net.ssl.keyStorePassword=PASSWORD
      Replace PASSWORD with your Fusion keystore password.
    2. Uncomment the default.address and change it to the hostname of the server that is validated by your SSL certificate.
      If the hostname saved in default.address is not validated by your SSL certificate, then the Fusion Proxy service will not start, because the agent’s liveness detector will not be able to access the HTTPS port to determine whether Fusion is running.
      If you self-signed the certificate, then the default.address must match the hostname you specified while signing the certificate. Failure to do this will result in the Fusion Proxy service not starting after you have disabled HTTP.
      For example, if your SSL certificate’s validated hostname is search.mycorp, then change: 
      #default.address = 127.0.0.1
      To: 
      default.address = search.mycorp
    3. Change the proxy.port to the SSL port you chose. For example, change: 
      proxy.port = 8764
      To: 
      proxy.port = 8443
    4. Uncomment proxy.ssl and change its value to true. Change: 
      # proxy.ssl=false
      To: 
      proxy.ssl=true
Stop and start Fusion for these changes to take effect.

References and tutorials

Fusion user login

When logging into the Fusion UI, a user provides a username and password, as well as their assigned security realm. An administrator must specify these in Fusion (using the native security realm) or configure Fusion to use an external authentication provider (for example, LDAP or SAML). See Access control. Fusion uses roles defined by permissions to authorize Fusion UI access and perform tasks in Fusion, including searching. The recommended method to delegate permissions is as follows:
  • Assign each user to a role and create custom roles as needed.
  • Assign permissions on a per-app basis.

Manage users with security realms

Fusion uses security realms to authenticate users of the Fusion UI. Each user has an assigned security realm, which the user must select when logging in. If the user selects a different realm, authentication fails. A security realm also provides a list of roles as follows:
  • The list always includes the role(s) that are specified in the security realm.
  • (Optional) If an external directory service (such as LDAP) is used for authentication, the list can also contain roles that are mapped from the names of the directory-service groups. That is, you can configure a security realm to return group information for users from that same directory service.
  • (Optional) The security realm can reference one or more Fusion roles or, when using an external directory service provider, use group membership information from the provider to determine roles for users. Fusion maps the group names to role names and adds these roles to the user’s list of roles.
Fusion does not use permissions from LDAP to authorize UI access or API requests. It only obtains group names (optionally), which are used as role names or are mapped to role names. If an Active Directory Security Query Trimming Stage is used, then directory-service permissions are used for trimming. If a connector supports security trimming, then connector permissions are used for trimming.

Per-Request Authentication

Requests to the Fusion REST API must specify a security realm for per-request authentication, unless a session cookie is used (which contains information about the security realm). Fusion authorizes requested operations based on API permissions specified for the user and for the user’s role(s). Fusion considers the role(s) specified in the user definition and in the security realm. Fusion creates a list of roles when a session is created, that is, when a user logs in or when the Sessions REST API creates a session. Authorization based on permissions and its layering is at request time. You can define multiple security realms for a Fusion instance. A Fusion instance can manage multiple security realms, which allows users from different domains to have (different levels of) access to specific Fusion collections.