Configuring TLS/SSL for Solr

Minimum Required Role: Configurator (also provided by Cluster Administrator, Full Administrator)

Before You Begin

  • The Solr service must be running.
  • Keystores for Solr must be readable by the solr user. This could be a copy of the Hadoop services' keystore with permissions 0440 and owned by the solr group.
  • Truststores must have permissions 0444 (that is, readable by all).
  • Specify absolute paths to the keystore and truststore files. These settings apply to all hosts on which daemon roles of the Solr service run. Therefore, the paths you choose must be valid on all hosts.
  • In case there is a DataNode and a Solr server running on the same host, they can use the same certificate.
For more information on obtaining signed certificates and creating keystores, see TLS/SSL Certificates Overview. You can also see the Enabling SSL section in the Apache Solr 4.10 Reference Guide (PDF).

Additional Considerations when Configuring TLS/SSL for Solr HA

To allow clients to talk to Solr servers (the target servers) through the load balancer using TLS/SSL, configure the load balancer to perform TLS/SSL pass-through. This allows clients to use the certificate provided by the target servers (so the load balancer will not need one). Consult your load balancer's documentation on how to configure this. Make sure to point the load balancer at the https://HOST:HTTPS_PORT addresses for your target servers. Clients can then connect to the load balancer at https://LOAD_BALANCER_HOST:PORT.

Configuring TLS/SSL for Solr Using Cloudera Manager

The steps for configuring and enabling Hadoop TLS/SSL for Search are as follows:
  1. Open the Cloudera Manager Admin Console and go to the Solr service.
  2. Click the Configuration tab.
  3. Select Scope > All.
  4. Select Category > All.
  5. In the Search field, type TLS/SSL to show the Solr TLS/SSL properties.
  6. Edit the following properties according to your cluster configuration.
    Solr TLS/SSL Properties
    Property Description
    Enable TLS/SSL for Solr Check this field to enable SSL for Solr.
    Solr TLS/SSL Server Keystore File Location The path to the TLS/SSL keystore file containing the server certificate and private key used for TLS/SSL. Used when Solr is acting as a TLS/SSL server. The keystore must be in JKS format.
    Solr TLS/SSL Server JKS Keystore File Password Password for the Solr JKS keystore.
    Solr TLS/SSL Certificate Trust Store File Required in case of self-signed or internal CA signed certificates. The location on disk of the truststore, in .jks format, used to confirm the authenticity of TLS/SSL servers that Solr might connect to. This is used when Solr is the client in a TLS/SSL connection. This truststore must contain the certificate(s) used to sign the service(s) being connected to. If this parameter is not provided, the default list of well-known certificate authorities is used instead.
    Solr TLS/SSL Certificate Trust Store Password The password for the Solr TLS/SSL Certificate Trust Store File. This password is not required to access the truststore: this field can be left blank. This password provides optional integrity checking of the file. The contents of truststores are certificates, and certificates are public information.
  7. Click Save Changes to commit the changes.
  8. Restart the service.

Additional Considerations When Using a Load Balancer TLS/SSL for Solr HA

To configure a load balancer:
  1. Go to the Solr service.
  2. Click the Configuration tab.
  3. Select Scope > Solr.
  4. Enter the hostname and port number of the load balancer in the Solr Load Balancer property in the format hostname:port number.
  5. Click Save Changes to commit the changes.
  6. Restart Solr and any dependent services or restart the entire cluster for this configuration to take effect.

Configuring TLS/SSL for Solr Using the Command Line

To configure the Search to use TLS/SSL:
  1. Use solrctl to modify the urlScheme setting to specify https. For example:
    solrctl --zk myZKEnsemble:2181/solr cluster --set-property urlScheme https
  2. Stop Solr by running
    sudo service solr-server stop
  3. Edit /etc/default/solr to include the following environment variable settings:
    SOLR_SSL_ENABLED=true
    SOLR_KEYSTORE_PATH=<absolute_path_to_keystore_file>
    SOLR_KEYSTORE_PASSWORD=<keystore_password>
    
    #Following required only in case of self-signed or internal CA signed certificates
    SOLR_TRUSTSTORE_PATH=<absolute_path_to_truststore_file>
    SOLR_TRUSTSTORE_PASSWORD=<truststore_password>
  4. Start Solr by running
    sudo service solr-server start

Configuring TLS/SSL for the Key-Value Store Indexer Using Cloudera Manager

The steps for configuring and enabling Hadoop TLS/SSL for the Keystore Indexer are as follows:
  1. Open the Cloudera Manager Admin Console and go to the Key-Value Store Indexer.
  2. Click the Configuration tab.
  3. Select Scope > All.
  4. Select Category > All.
  5. In the Search field, type TLS/SSL to show the Solr TLS/SSL properties.
  6. Edit the following TLS/SSL properties according to your cluster configuration.
    Key-Value Store TLS/SSL Properties
    Property Description
    HBase Indexer TLS/SSL Certificate Trust Store File The location on disk of the truststore, in .jks format, used to confirm the authenticity of TLS/SSL servers that HBase Indexer might connect to. This is used when HBase Indexer is the client in a TLS/SSL connection. This truststore must contain the certificate(s) used to sign the service(s) being connected to. If this parameter is not provided, the default list of well-known certificate authorities is used instead.
    HBase Indexer TLS/SSL Certificate Trust Store Password (Optional) The password for the HBase Indexer TLS/SSL Certificate Trust Store File. This password is not required to access the truststore: this field can be left blank. This password provides optional integrity checking of the file. The contents of truststores are certificates, and certificates are public information.
  7. Restart the service.

Configuring TLS/SSL for the Key-Value Store Indexer Using the Command Line

For every host running Key-Value Store Indexer server, specify Solr Trust Store details using the HBASE_INDEXER_OPTS environmental variable using following Java system properties:

  • -Djavax.net.ssl.trustStore=<absolute_path_to_truststore_file>
  • -Djavax.net.ssl.trustStorePassword=<truststore_password> (Optional)

Restart the Key-Value Store Indexer servers to apply these changes.

Configuring TLS/SSL for Flume Using Cloudera Manager

The steps for configuring and enabling Hadoop TLS/SSL for Flume are as follows:
  1. Open the Cloudera Manager Admin Console and go to Flume.
  2. Click the Configuration tab.
  3. Select Scope > All.
  4. Select Category > All.
  5. In the Search field, type TLS/SSL to show the properties.
  6. Edit the following SSL properties according to your cluster configuration.
    Key-Value Store SSL Properties
    Property Description
    Flume TLS/SSL Certificate Trust Store File The location on disk of the truststore, in .jks format, used to confirm the authenticity of TLS/SSL servers that Flume might connect to. This is used when Flume is the client in a TLS/SSL connection. This truststore must contain the certificate(s) used to sign the service(s) being connected to. If this parameter is not provided, the default list of well-known certificate authorities is used instead.
    Flume TLS/SSL Certificate Trust Store Password (Optional) The password for the Flume TLS/SSL Certificate Trust Store File. This password is not required to access the truststore: this field can be left blank. This password provides optional integrity checking of the file. The contents of truststores are certificates, and certificates are public information.
  7. Click Save Changes to commit the changes.
  8. Restart the service.

Configuring TLS/SSL for Flume Using the Command Line

For every host running Flume agent, specify Solr Trust Store details using the FLUME_AGENT_JAVA_OPTS environmental variable using following Java system properties:

  • -Djavax.net.ssl.trustStore=<absolute_path_to_truststore_file>
  • -Djavax.net.ssl.trustStorePassword=<truststore_password> (Optional)

Restart the Flume agents to apply these changes.