Configure SSL for Solr embedded in Fusion
Prerequisite

Create or determine the fully qualified path for your Fusion directory, referred to as {FUSION_HOME} in this document. For example, c:/fusion/4.2/.
Configure SSL for Solr embedded in Fusion

- Navigate to the following directory:
  {FUSION_HOME}/apps/jetty/solr/etc

- Create the keystore. In a test environment you can generate a self-signed certificate with the command below; in a production environment, only use a certificate issued by a trusted Certificate Authority (CA) and import it into this keystore instead. Use the following example and enter information for your system:
  keytool -genkeypair -alias localhost -keyalg RSA -keysize 2048 -keypass secret -storepass secret -validity 365 -keystore keystore -ext SAN=DNS:localhost,IP:127.0.0.1 -dname "CN=localhost, OU=org unit, O=org, L=loc, ST=st, C=country"
  The password secret is a placeholder; choose your own. -storepass and -keypass are separate values: the store password goes into jetty.sslContext.keyStorePassword and the key password into jetty.sslContext.keyManagerPassword below. The SAN entry (and CN) must name the hostname that clients connect to, which is the value you later set as default.address; a mismatch makes every Fusion service reject the certificate.

- Navigate to the following directory:
  {FUSION_HOME}/apps/jetty/solr

- Enter the following command to enable the Jetty https module on the Solr Jetty instance:
  java -jar {FUSION_HOME}/apps/jetty/home/start.jar --add-to-start=https

- Navigate to the Fusion directory:
  cd {FUSION_HOME}

- Enter the following to create the obfuscated (OBF) form of the keystore password (replace secret with your password; the Password class prints its output, including the OBF: line, to stderr):
  java -cp ./apps/libs/jetty-util-9.3.8.v20160314.jar org.eclipse.jetty.util.security.Password secret
  OBF is reversible obfuscation, not encryption. It keeps the password out of casual view in start.ini but does not protect it from anyone who can read the file, so restrict read access to start.ini.

- Open the {FUSION_HOME}/apps/jetty/solr/start.ini file and set the following properties, using the OBF value from the previous step:
  jetty.sslContext.keyStorePassword=<OBF_PASSWORD>
  jetty.sslContext.keyManagerPassword=<OBF_PASSWORD>
  jetty.sslContext.trustStorePassword=<OBF_PASSWORD>

- Enter the following in the same file to set the Solr SSL port:
  jetty.ssl.port=<PORT_FOR_HTTPS>
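To show why the OBF: value in start.ini must be treated as a secret, here is an added example (not part of the Fusion documentation and not Jetty's own code) that re-implements Jetty's OBF scheme in POSIX shell in both directions: each character is paired with its mirror in the string, the pair is packed into a number and written as four base-36 digits, and the reverse unpacks it with no key involved. It assumes only printable ASCII passwords and uses the OBF value for the password secret quoted on this page as its check.

```shell
#!/bin/sh
# Jetty OBF: obfuscation, re-implemented to show it is reversible.
# Added example; not code from the Fusion docs or from Jetty itself.
JETTY_OBF_DIGITS=0123456789abcdefghijklmnopqrstuvwxyz

# jetty_obf PASSWORD -> OBF:... (the same value org.eclipse.jetty.util.security.Password prints)
jetty_obf() {
  s=$1; n=${#s}; out=""; i=1
  while [ "$i" -le "$n" ]; do
    # b1 = i-th byte, b2 = mirror byte from the end (Jetty pairs them)
    b1=$(printf '%d' "'$(printf '%s' "$s" | cut -c"$i")")
    b2=$(printf '%d' "'$(printf '%s' "$s" | cut -c"$((n - i + 1))")")
    i1=$(( 127 + b1 + b2 )); i2=$(( 127 + b1 - b2 ))
    i0=$(( i1 * 256 + i2 ))
    # render i0 in base 36, zero-padded to 4 digits
    x=""
    while [ "$i0" -gt 0 ]; do
      x="$(printf '%s' "$JETTY_OBF_DIGITS" | cut -c"$(( i0 % 36 + 1 ))")$x"
      i0=$(( i0 / 36 ))
    done
    while [ ${#x} -lt 4 ]; do x="0$x"; done
    out="$out$x"
    i=$(( i + 1 ))
  done
  printf 'OBF:%s' "$out"
}

# jetty_deobf OBF:... -> PASSWORD (no key needed: pure arithmetic)
jetty_deobf() {
  s=${1#OBF:}; out=""
  while [ -n "$s" ]; do
    t=$(printf '%s' "$s" | cut -c1-4)
    s=$(printf '%s' "$s" | cut -c5-)
    # parse the 4 base-36 digits
    i0=0; rest=$t
    while [ -n "$rest" ]; do
      ch=$(printf '%s' "$rest" | cut -c1)
      rest=$(printf '%s' "$rest" | cut -c2-)
      pre=${JETTY_OBF_DIGITS%%"$ch"*}
      i0=$(( i0 * 36 + ${#pre} ))
    done
    i1=$(( i0 / 256 )); i2=$(( i0 % 256 ))
    # (i1 + i2 - 254) / 2 recovers b1 exactly
    c=$(( (i1 + i2 - 254) / 2 ))
    out="$out$(printf "\\$(printf '%03o' "$c")")"
  done
  printf '%s' "$out"
}

# Demonstration with the value used in this procedure:
jetty_deobf OBF:1yta1t331v8w1v9q1t331ytc; echo
jetty_obf secret; echo
```

Anyone with read access to start.ini can run the second function on the three jetty.sslContext.* values, which is why file permissions, not the OBF: prefix, are what protect the keystore password.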
Disable HTTP for Solr

HTTP must be disabled for services such as connectors to work correctly with Solr.

Open the {FUSION_HOME}/apps/jetty/solr/start.d/http.ini file and enter a # to comment out the --module=http entry:
#--module=http
Edit the fusion.properties file

- Open the {FUSION_HOME}/conf/fusion.properties file.

- Enter the Solr keystore information in the Java Virtual Machine (JVM) options for all services. Repeat this for every <service>.jvmOptions entry in the file (solr, api, connectors-classic, connectors-rpc and proxy), appending to the options already present rather than replacing them. A service started without the trust store cannot validate Solr's certificate and its connections to Solr fail:
  <service>.jvmOptions=-Djavax.net.ssl.trustStore={FUSION_HOME}/apps/jetty/solr/etc/keystore -Djavax.net.ssl.trustStorePassword=secret -Djavax.net.ssl.keyStore={FUSION_HOME}/apps/jetty/solr/etc/keystore -Djavax.net.ssl.keyStorePassword=secret
  With a self-signed certificate the keystore doubles as the trust store, because the certificate is its own trust anchor. With a CA-issued certificate, point trustStore at a store that contains the CA chain instead. These passwords are stored in clear text, so restrict read access to fusion.properties.

- Uncomment the default.address field and enter the hostname of the server validated in the SSL certificate:
  default.address=localhost

- Enter the value designated in jetty.ssl.port=<PORT_FOR_HTTPS> in the solr.port field.

- Append the solr.ssl=true entry to the file.

- Save and close the file.
Start Zookeeper and Solr

- Enter the following command to start Zookeeper:
  ${FUSION_HOME}/bin/zookeeper start

- Enter the following command to start Solr:
  ${FUSION_HOME}/bin/solr start
Configure Solr cluster for https

Enter the following command to use Zookeeper to configure the Solr cluster for https instead of http. ${FUSION_VERSION} is your Fusion version (for example 4.2.6), which forms part of the ZooKeeper chroot path. Without this cluster property, Solr nodes keep registering http:// base URLs in ZooKeeper and inter-node requests go to the listener you just disabled:
${FUSION_HOME}/apps/solr-dist/server/scripts/cloud-scripts/zkcli.sh -zkhost localhost:9983/lwfusion/${FUSION_VERSION}/solr -cmd clusterprop -name urlScheme -val https
Solr SSL shell script

The solr_ssl.sh script contains all of the steps to configure SSL for Solr embedded in Fusion. To use the script, enter your system's values and information in the variables at the top of the file, and then execute the script. Compared with the manual steps, the script generates the OBF value from the password you set (rather than hardcoding the OBF form of secret), and it passes -storetype pkcs12 to keytool; keytool only honours -deststoretype for -importkeystore, so the original -deststoretype option was silently ignored by -genkeypair.

#!/usr/bin/env bash
# solr_ssl.sh: configure SSL for Solr embedded in Fusion.
# Update these variables as needed.
set -euo pipefail

FUSION_HOME="<your FUSION_HOME location>"
VALIDATED_ADDRESS="localhost"
SOLR_PORT="8493"
FUSION_VERSION="4.2.6"
KEYSTORE_PASS="secret"   # placeholder; choose your own
KEYSTORE="${FUSION_HOME}/apps/jetty/solr/etc/keystore"
START_INI="${FUSION_HOME}/apps/jetty/solr/start.ini"
PROPS="${FUSION_HOME}/conf/fusion.properties"

# Self-signed certificate for testing. In production, import a CA-issued
# certificate into ${KEYSTORE} instead of running this keytool command.
keytool -genkeypair -keystore "${KEYSTORE}" -storetype pkcs12 \
  -dname "CN=${VALIDATED_ADDRESS}, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown" \
  -keypass "${KEYSTORE_PASS}" -storepass "${KEYSTORE_PASS}" \
  -keyalg RSA -keysize 2048 -validity 365 -alias selfsigned \
  -ext "SAN=dns:${VALIDATED_ADDRESS},ip:127.0.0.1"

# enable ssl on solr
cd "${FUSION_HOME}/apps/jetty/solr"
java -jar "${FUSION_HOME}/apps/jetty/home/start.jar" --add-to-start=https

# Obfuscate the password the same way the manual step does. The Password
# class prints to stderr; OBF: is reversible obfuscation, not encryption.
OBF_PASS=$(java -cp "${FUSION_HOME}/apps/libs/jetty-util-9.3.8.v20160314.jar" \
  org.eclipse.jetty.util.security.Password "${KEYSTORE_PASS}" 2>&1 | grep '^OBF:')

# add the solr properties
{
  echo ""
  echo "jetty.ssl.port=${SOLR_PORT}"
  echo "jetty.sslContext.keyStorePassword=${OBF_PASS}"
  echo "jetty.sslContext.keyManagerPassword=${OBF_PASS}"
  echo "jetty.sslContext.trustStorePassword=${OBF_PASS}"
} >> "${START_INI}"

# set the keystore and truststore on the solr jvm, and the truststore on
# the other jvms. Note: these sed lines replace each service's whole
# jvmOptions value with the defaults shown here; merge in any custom
# options you already have before running the script.
KEYSTORE_ARG="-Djavax.net.ssl.trustStore=${KEYSTORE} -Djavax.net.ssl.trustStorePassword=${KEYSTORE_PASS} -Djavax.net.ssl.keyStore=${KEYSTORE} -Djavax.net.ssl.keyStorePassword=${KEYSTORE_PASS}"
sed -i -e "s%solr.jvmOptions.*%solr.jvmOptions=-Xmx2g -Xss256k ${KEYSTORE_ARG}%g" "${PROPS}"
sed -i -e "s%api.jvmOptions.*%api.jvmOptions=-Xmx1g -Xss256k -Dhttp.maxConnections=1000 ${KEYSTORE_ARG}%g" "${PROPS}"
sed -i -e "s%connectors-classic.jvmOptions.*%connectors-classic.jvmOptions=-Xmx1g -Xss256k ${KEYSTORE_ARG}%g" "${PROPS}"
sed -i -e "s%connectors-rpc.jvmOptions.*%connectors-rpc.jvmOptions=-Xmx1g -Xss256k -Xms512m ${KEYSTORE_ARG}%g" "${PROPS}"
sed -i -e "s%proxy.jvmOptions.*%proxy.jvmOptions=-Xmx512m ${KEYSTORE_ARG}%g" "${PROPS}"

# Change the solr port to the SSL port and enable SSL on the validated address.
# default.address is appended; for a Java properties file the last value wins.
sed -i -e "s%solr.port.*%solr.port=${SOLR_PORT}%g" "${PROPS}"
{
  echo ""
  echo "solr.ssl=true"
  echo "default.address = ${VALIDATED_ADDRESS}"
} >> "${PROPS}"

# Disable HTTP (overwrites start.d/http.ini)
echo "#--module=http" > "${FUSION_HOME}/apps/jetty/solr/start.d/http.ini"

# Start zookeeper and solr
"${FUSION_HOME}/bin/zookeeper" start
"${FUSION_HOME}/bin/solr" start

# Use zookeeper to configure the solr cluster to use HTTPS instead of HTTP
"${FUSION_HOME}/apps/solr-dist/server/scripts/cloud-scripts/zkcli.sh" \
  -zkhost "localhost:9983/lwfusion/${FUSION_VERSION}/solr" \
  -cmd clusterprop -name urlScheme -val https

# Ready to go at this point. Restart Fusion!
"${FUSION_HOME}/bin/fusion" restart
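Before restarting Fusion, it is worth checking that the edits above are consistent with each other, since the usual failure (a service that starts without the trust store, a plaintext password left in start.ini, or solr.port not matching jetty.ssl.port) only shows up as handshake errors in the logs after the restart. The following is an added example, not part of the Fusion documentation or product, that performs that offline check against a {FUSION_HOME} tree. The name check_fusion_ssl and the exact file layout it reads (start.ini, start.d/http.ini, conf/fusion.properties, as used in the steps above) are assumptions of this example.

```shell
#!/bin/sh
# check_fusion_ssl FUSION_HOME: offline consistency check of the SSL edits.
# Added example (hypothetical helper, not shipped with Fusion).
# Prints one FAIL line per problem to stderr; exit status 0 means all passed.
check_fusion_ssl() {
  fh=$1
  ini="$fh/apps/jetty/solr/start.ini"
  httpini="$fh/apps/jetty/solr/start.d/http.ini"
  props="$fh/conf/fusion.properties"
  errs=0
  fail() { echo "FAIL: $*" >&2; errs=$((errs + 1)); }

  # 1. Plain HTTP listener disabled: no active --module=http line.
  if grep -Eqs '^[[:space:]]*--module=http[[:space:]]*$' "$httpini"; then
    fail "$httpini still enables --module=http"
  fi

  # 2. https module enabled (written by --add-to-start=https).
  grep -qs '^--module=https' "$ini" "$fh/apps/jetty/solr/start.d"/*.ini \
    || fail "--module=https not found in start.ini or start.d/"

  # 3. jetty.ssl.port set in start.ini.
  sslport=$(sed -n 's/^jetty\.ssl\.port=//p' "$ini" 2>/dev/null | tail -n 1)
  [ -n "$sslport" ] || fail "jetty.ssl.port not set in $ini"

  # 4. All three password properties present and in OBF: form, not plaintext.
  for k in keyStorePassword keyManagerPassword trustStorePassword; do
    v=$(sed -n "s/^jetty\.sslContext\.$k=//p" "$ini" 2>/dev/null | tail -n 1)
    case $v in
      OBF:*) ;;
      "")    fail "jetty.sslContext.$k missing from $ini" ;;
      *)     fail "jetty.sslContext.$k is plaintext in $ini" ;;
    esac
  done

  # 5. fusion.properties: solr.port == jetty.ssl.port, solr.ssl=true,
  #    default.address set and not commented out.
  solrport=$(sed -n 's/^solr\.port[[:space:]]*=[[:space:]]*//p' "$props" 2>/dev/null | tail -n 1)
  [ "$solrport" = "$sslport" ] || fail "solr.port ($solrport) != jetty.ssl.port ($sslport)"
  grep -Eqs '^solr\.ssl[[:space:]]*=[[:space:]]*true[[:space:]]*$' "$props" \
    || fail "solr.ssl=true missing from $props"
  grep -Eqs '^default\.address[[:space:]]*=[[:space:]]*[^[:space:]]' "$props" \
    || fail "default.address not set (or still commented out) in $props"

  # 6. Every <service>.jvmOptions line carries the trust store; a service
  #    without it cannot validate Solr's certificate.
  missing=$(grep -E '^[A-Za-z-]+\.jvmOptions[[:space:]]*=' "$props" 2>/dev/null \
            | grep -v 'javax\.net\.ssl\.trustStore=' | sed 's/\..*//')
  [ -z "$missing" ] \
    || fail "jvmOptions without trustStore for: $(printf '%s' "$missing" | tr '\n' ' ')"

  # 7. The keyStore path handed to the solr JVM exists on disk.
  ks=$(sed -n 's/^solr\.jvmOptions.*-Djavax\.net\.ssl\.keyStore=\([^ ]*\).*/\1/p' "$props" 2>/dev/null | tail -n 1)
  [ -n "$ks" ] && [ -f "$ks" ] || fail "solr.jvmOptions keyStore missing or not a file: '$ks'"

  [ "$errs" -eq 0 ]
}

# Usage: sh check_fusion_ssl.sh /opt/fusion/4.2
if [ "$#" -gt 0 ]; then
  check_fusion_ssl "$1"
fi
```

The check reads only files, so it can run before the restart; the live confirmation afterwards is that Solr answers on jetty.ssl.port over TLS with a certificate whose SAN matches default.address, and that nothing is listening on the old HTTP port.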