Connectors Security

This topic helps you set up transport layer security (TLS) between your Connectors-rpc server (using gRPC) and Connector JVM.

This is recommended in a production environment.

Install OpenSSL binaries

The gRPC framework makes TLS more efficient by using native openssl binaries while doing SSL. To take advantage of this efficiency, install OpenSSL for your operating system.

Install OpenSSL on Ubuntu or Debian

sudo apt-get install openssl

Install OpenSSL on CentOS, Redhat Linux, or Amazon EC2

sudo yum install openssl

Install OpenSSL on Windows

  1. Install OpenSSL, for example from https://slproweb.com/products/Win32OpenSSL.html.

  2. Add the installed binaries to your path.

Set up the certificates

In a production environment, use an SSL certificate from a trusted certificate authority. For testing purposes, you can use a self-signed certificate. Generate a self-signed certificate with the following steps.

Once you have the SSL certificates in the server.key and server.pem files, continue to the Specify rpc-system properties step.

Linux setup

Create a new folder, open a terminal, cd to the new folder, then run this bash script:

# Change these CNs to match your hosts in your environment if needed.
SERVER_CN=myhost
CLIENT_CN=myhost # Used when doing mutual TLS

echo Generate CA key:
openssl genrsa -passout pass:1111 -des3 -out ca.key 4096
echo Generate CA certificate:
# Generates ca.crt, the trustCertCollectionFile
openssl req -passin pass:1111 -new -x509 -days 365 -key ca.key -out ca.crt -subj "/CN=${SERVER_CN}"
echo Generate server key:
openssl genrsa -passout pass:1111 -des3 -out server.key 4096
echo Generate server signing request:
openssl req -passin pass:1111 -new -key server.key -out server.csr -subj "/CN=${SERVER_CN}"
echo Self-signed server certificate:
# Generates server.crt, the certChainFile for the server
openssl x509 -req -passin pass:1111 -days 365 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt
echo Remove passphrase from server key:
openssl rsa -passin pass:1111 -in server.key -out server.key
echo Generate client key
openssl genrsa -passout pass:1111 -des3 -out client.key 4096
echo Generate client signing request:
openssl req -passin pass:1111 -new -key client.key -out client.csr -subj "/CN=${CLIENT_CN}"
echo Self-signed client certificate:
# Generates client.crt, the clientCertChainFile for the client (needed for mutual TLS only)
openssl x509 -passin pass:1111 -req -days 365 -in client.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out client.crt
echo Remove passphrase from client key:
openssl rsa -passin pass:1111 -in client.key -out client.key
echo Converting the private keys to X.509:
# Generates client.pem, the clientPrivateKeyFile for the Client (needed for mutual TLS only)
openssl pkcs8 -topk8 -nocrypt -in client.key -out client.pem
# Generates server.pem, the privateKeyFile for the Server
openssl pkcs8 -topk8 -nocrypt -in server.key -out server.pem

Windows setup

The default installation directory is C:\OpenSSL-Win64

Create a new directory, open a cmd shell, cd to that directory, and run this batch:

@echo off
set OPENSSL_CONF=c:\OpenSSL-Win64\bin\openssl.cfg

# Change these CNs to match your hosts in your environment if needed.
set SERVER_CN=myhost
set CLIENT_CN=myhost # Used when doing mutual TLS

echo Generate CA key:
openssl genrsa -passout pass:1111 -des3 -out ca.key 4096
echo Generate CA certificate:
# Generates ca.crt, the trustCertCollectionFile
openssl req -passin pass:1111 -new -x509 -days 365 -key ca.key -out ca.crt -subj "/CN=%SERVER_CN%"
echo Generate server key:
openssl genrsa -passout pass:1111 -des3 -out server.key 4096
echo Generate server signing request:
openssl req -passin pass:1111 -new -key server.key -out server.csr -subj "/CN=${SERVER_CN}"
echo Self-signed server certificate:
# Generates server.crt, the certChainFile for the server
openssl x509 -req -passin pass:1111 -days 365 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt
echo Remove passphrase from server key:
openssl rsa -passin pass:1111 -in server.key -out server.key
echo Generate client key
openssl genrsa -passout pass:1111 -des3 -out client.key 4096
echo Generate client signing request:
openssl req -passin pass:1111 -new -key client.key -out client.csr -subj "/CN=%CLIENT_CN%"
echo Self-signed client certificate:
# Generates client.crt, the clientCertChainFile for the client (need for mutual TLS only)
openssl x509 -passin pass:1111 -req -days 365 -in client.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out client.crt
echo Remove passphrase from client key:
openssl rsa -passin pass:1111 -in client.key -out client.key
echo Converting the private keys to X.509:
# Generates client.pem, the clientPrivateKeyFile for the Client (needed for mutual TLS only)
openssl pkcs8 -topk8 -nocrypt -in client.key -out client.pem
# Generates server.pem, the privateKeyFile for the Server
openssl pkcs8 -topk8 -nocrypt -in server.key -out server.pem</td>

Specify connectors-rpc system properties to provide the certs

Now that we have the certs, we set them in the system properties.

Example with mutual TLS auth and private key passwords

-Dcom.lucidworks.apollo.app.hostname=myhost
-Dcom.lucidworks.fusion.tls.server.certChain=./sslcerts/server.crt
-Dcom.lucidworks.fusion.tls.server.privateKey=./sslcerts/server.pem
-Dcom.lucidworks.fusion.tls.server.privateKeyPassword=password123
-Dcom.lucidworks.fusion.tls.client.certChain=./sslcerts/client.crt
-Dcom.lucidworks.fusion.tls.requireMutualAuth=false

Example without TLS auth and no private key passwords

-Dcom.lucidworks.apollo.app.hostname=myhost
-Dcom.lucidworks.fusion.tls.server.certChain=./sslcerts/server.crt
-Dcom.lucidworks.fusion.tls.server.privateKey=./sslcerts/server.pem