Solr Security
Perform these steps if your corporate policy requires you to run Solr within an HTTPS environment.
Procedure
- Ensure you have obtained the web server authentication certificate and required root certificates from the certificate authority.
- Import the certificate into your keystore. Ensure that you import the root certificate first.
- Configure Solr Jetty.
Copy the created keystore (assume solr-ssl.keystore.jks) to "<JETTY_HOME>/etc" ("[Contenta_Home]\tools\Solr\example\etc\").
- Comment out the non-SSL SelectChannelConnector block in "[Contenta_Home]\tools\Solr\example\etc\jetty.xml" using <!-- before and --> after tags.

    <!--
    <Call name="addConnector">
      <Arg>
        <New class="org.eclipse.jetty.server.nio.SelectChannelConnector">
          <Set name="host"><SystemProperty name="jetty.host" /></Set>
          <Set name="port"><SystemProperty name="jetty.port" default="8983"/></Set>
          <Set name="maxIdleTime">50000</Set>
          <Set name="Acceptors">2</Set>
          <Set name="statsOn">false</Set>
          <Set name="confidentialPort">8443</Set>
          <Set name="lowResourcesConnections">5000</Set>
          <Set name="lowResourcesMaxIdleTime">5000</Set>
        </New>
      </Arg>
    </Call>
    -->
- Uncomment the SslSelectChannelConnector block by removing the <!-- before and --> after tags, and change the keyStore value to point to the JKS keystore created in the previous step. The result should look as follows:

    Note: Do not copy/paste the following section into the jetty.xml; this section must already be present inside jetty.xml.

    Note: Do not use ports 443, 8443, or 80; instead, use a port near 8984 or 8986 (not 8990). Queries are not session based, so you do not need to change the maxIdleTime number.

    <Call name="addConnector">
      <Arg>
        <New class="org.eclipse.jetty.server.ssl.SslSelectChannelConnector">
          <Arg>
            <New class="org.eclipse.jetty.http.ssl.SslContextFactory">
              <Set name="keyStore"><SystemProperty name="jetty.home" default="."/>/etc/solr-ssl.keystore.jks</Set>
              <Set name="keyStorePassword">secret</Set>
              <Set name="needClientAuth"><SystemProperty name="jetty.ssl.clientAuth" default="false"/></Set>
            </New>
          </Arg>
          <Set name="port"><SystemProperty name="jetty.ssl.port" default="8984"/></Set>
          <Set name="maxIdleTime">30000</Set>
        </New>
      </Arg>
    </Call>

- To recognize the changes you make, restart the Solr service/daemon.
- Open a web browser to the Solr URL to verify that the connection is now ‘trusted.’
For example: https://<machine_name>:8984/solr/
- Once you have successfully tested the above URL, update the URL value for each collection for each database that will be using the above Solr configuration to build the indexes.
- Log in to Contenta as ‘sysadmin’ or a user with sysadmin privileges.
- Open AppData:
From Contenta Web, right-click sysadmin, and then click More. From the resulting pop-up menu, click Edit AppData.
-or-
From Contenta Explorer, click Tools > Options > Tool Preferences.
- In AppData, expand {Global}\Collections\URL. Click URL and then click Modify Value to set the URL value as the Solr address.
- On a system where the Contenta Crawler will be running, import the certificates (including root certificate) to the JSSE keystore of the JVM that is configured to run the Crawler.
The certificates will be stored to the default JVM keystore, which is JRE_HOME\lib\security\cacerts unless you have specified a different key store path during import.
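
An added check for the jetty.xml edits described above (example code written for this page, not part of the Contenta or Solr distribution): it parses the file and reports whether the non-SSL connector is still active, whether the SSL connector is enabled with the expected keystore, and whether the SSL port is one the procedure says to avoid. The function names and the sample XML are constructed for illustration; only the defaults written in the file are read, so a jetty.ssl.port system property set at startup is not seen.

```python
import xml.etree.ElementTree as ET

PLAIN = "org.eclipse.jetty.server.nio.SelectChannelConnector"
SSL = "org.eclipse.jetty.server.ssl.SslSelectChannelConnector"
FORBIDDEN_PORTS = {"80", "443", "8443", "8990"}  # ports the page says not to use

def resolve(set_elem):
    """Flatten a <Set>: literal text plus each <SystemProperty> default and its tail."""
    parts = [set_elem.text or ""]
    for child in set_elem:
        if child.tag == "SystemProperty":
            parts.append(child.get("default", ""))
        parts.append(child.tail or "")
    return "".join(parts).strip()

def audit_jetty_xml(xml_text, keystore_name="solr-ssl.keystore.jks"):
    """Return a list of findings; an empty list means the file matches the procedure."""
    root = ET.fromstring(xml_text)  # the default parser drops XML comments
    findings = []
    if any(n.get("class") == PLAIN for n in root.iter("New")):
        findings.append("non-SSL SelectChannelConnector is still active")
    ssl_nodes = [n for n in root.iter("New") if n.get("class") == SSL]
    if not ssl_nodes:
        findings.append("SslSelectChannelConnector is missing or still commented out")
    for node in ssl_nodes:
        # iter() also reaches the <Set> elements nested in SslContextFactory
        sets = {s.get("name"): resolve(s) for s in node.iter("Set")}
        if not sets.get("keyStore", "").endswith(keystore_name):
            findings.append("keyStore does not point to " + keystore_name)
        if sets.get("port") in FORBIDDEN_PORTS:
            findings.append("SSL port %s is one the procedure says to avoid" % sets["port"])
    return findings

# Constructed sample inputs (trimmed jetty.xml fragments, not a real deployment).
SSL_BLOCK = """<Call name="addConnector"><Arg>
 <New class="org.eclipse.jetty.server.ssl.SslSelectChannelConnector">
  <Arg><New class="org.eclipse.jetty.http.ssl.SslContextFactory">
   <Set name="keyStore"><SystemProperty name="jetty.home" default="."/>/etc/%s</Set>
  </New></Arg>
  <Set name="port"><SystemProperty name="jetty.ssl.port" default="%s"/></Set>
 </New></Arg></Call>"""
PLAIN_BLOCK = '<Call name="addConnector"><Arg><New class="%s"/></Arg></Call>' % PLAIN
GOOD = "<Configure><!-- %s -->%s</Configure>" % (PLAIN_BLOCK, SSL_BLOCK % ("solr-ssl.keystore.jks", "8984"))
BAD = "<Configure>%s%s</Configure>" % (PLAIN_BLOCK, SSL_BLOCK % ("other.jks", "8443"))

if __name__ == "__main__":
    for label, text in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, audit_jetty_xml(text) or "ok")
```

To check a real file, pass its contents to audit_jetty_xml() before restarting the Solr service/daemon.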