Solr Security

Perform these steps if your corporate policy requires you to run Solr within an HTTPS environment.

Procedure

  1. Ensure you have obtained the web server authentication certificate and required root certificates from the certificate authority.
  2. Import the certificate into your keystore. Ensure that you import the root certificate first.
    • Configure Solr Jetty.

      Copy the created keystore (assumed here to be solr-ssl.keystore.jks) to "<JETTY_HOME>/etc" ("[Contenta_Home]\tools\Solr\example\etc\").

    • Comment out the non-SSL SelectChannelConnector block in "[Contenta_Home]\tools\Solr\example\etc\jetty.xml" by placing <!-- before it and --> after it.

      <!--
      <Call name="addConnector">
        <Arg>
          <New class="org.eclipse.jetty.server.nio.SelectChannelConnector">
            <Set name="host"><SystemProperty name="jetty.host" /></Set>
            <Set name="port"><SystemProperty name="jetty.port" default="8983"/></Set>
            <Set name="maxIdleTime">50000</Set>
            <Set name="Acceptors">2</Set>
            <Set name="statsOn">false</Set>
            <Set name="confidentialPort">8443</Set>
            <Set name="lowResourcesConnections">5000</Set>
            <Set name="lowResourcesMaxIdleTime">5000</Set>
          </New>
        </Arg>
      </Call>
      -->
  3. Uncomment the SslSelectChannelConnector block by removing the <!-- before it and the --> after it, and change the keyStore value to point to the JKS keystore from the previous step. The result should look as follows:
    <Call name="addConnector">
      <Arg>
        <New class="org.eclipse.jetty.server.ssl.SslSelectChannelConnector">
          <Arg>
            <New class="org.eclipse.jetty.http.ssl.SslContextFactory">
              <Set name="keyStore"><SystemProperty name="jetty.home" default="."/>/etc/solr-ssl.keystore.jks</Set>
              <!-- must match the password of the keystore referenced above -->
              <Set name="keyStorePassword">secret</Set>
              <Set name="needClientAuth"><SystemProperty name="jetty.ssl.clientAuth" default="false"/></Set>
            </New>
          </Arg>
          <Set name="port"><SystemProperty name="jetty.ssl.port" default="8984"/></Set>
          <Set name="maxIdleTime">30000</Set>
        </New>
      </Arg>
    </Call>
  4. Restart the Solr service/daemon so that the changes take effect.
  5. Open a web browser to the Solr URL to verify that the connection is now ‘trusted.’

    For example: https://<machine_name>:8984/solr/

  6. Once you have successfully tested the above URL, update the URL value of each collection, for each database that will use the above Solr configuration to build its indexes.
    • Log in to Contenta as ‘sysadmin’ or a user with sysadmin privileges.
    • Open AppData:

    From Contenta Web, right-click sysadmin, and then click More. From the resulting pop-up menu, click Edit AppData.

    -or-

    From Contenta Explorer, click Tools > Options > Tool Preferences.

    • In AppData, expand {Global}\Collections\URL
    • Click URL and then click Modify Value to set the URL value as the Solr address.

  7. On each system where the Contenta Crawler will run, import the certificates (including the root certificate) into the JSSE keystore of the JVM that is configured to run the Crawler.

    The certificates are stored in the default JVM keystore, which is JRE_HOME\lib\security\cacerts, unless you specified a different keystore path during import.
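
The jetty.xml edits from steps 2 and 3 can be checked before Solr is restarted. The following is an added example, not part of the product documentation: it parses jetty.xml and reports whether the non-SSL connector is still active and whether the SSL connector points at the keystore. The function names and the abbreviated sample XML are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

PLAIN = "org.eclipse.jetty.server.nio.SelectChannelConnector"
SSL = "org.eclipse.jetty.server.ssl.SslSelectChannelConnector"

def set_value(node, name):
    """Text of <Set name=...> below node, falling back to a SystemProperty default."""
    for s in node.iter("Set"):
        if s.get("name") == name:
            text = "".join(s.itertext()).strip()
            prop = s.find("SystemProperty")
            return text or (prop.get("default") if prop is not None else None)
    return None

def audit_jetty_xml(xml_text, keystore_name="solr-ssl.keystore.jks"):
    """Return findings for the HTTPS procedure; an empty list means it was applied."""
    # The default ElementTree parser drops comments, so commented-out
    # connector blocks do not appear in the tree at all.
    root = ET.fromstring(xml_text)
    connectors = {n.get("class"): n for n in root.iter("New")}
    findings = []
    if PLAIN in connectors:
        findings.append("non-SSL SelectChannelConnector is still active")
    ssl = connectors.get(SSL)
    if ssl is None:
        return findings + ["SslSelectChannelConnector is not enabled"]
    keystore = set_value(ssl, "keyStore") or ""
    if not keystore.endswith("/etc/" + keystore_name):
        findings.append("keyStore does not point to etc/" + keystore_name)
    if not set_value(ssl, "keyStorePassword"):
        findings.append("keyStorePassword is empty")
    return findings

# Constructed samples (not a real jetty.xml): the page's two connector blocks, abbreviated.
PLAIN_BLOCK = f'<Call name="addConnector"><Arg><New class="{PLAIN}"><Set name="port">8983</Set></New></Arg></Call>'
SSL_BLOCK = f'''<Call name="addConnector"><Arg><New class="{SSL}">
  <Arg><New class="org.eclipse.jetty.http.ssl.SslContextFactory">
    <Set name="keyStore"><SystemProperty name="jetty.home" default="."/>/etc/solr-ssl.keystore.jks</Set>
    <Set name="keyStorePassword">secret</Set>
  </New></Arg>
  <Set name="port"><SystemProperty name="jetty.ssl.port" default="8984"/></Set>
</New></Arg></Call>'''
BEFORE = f"<Configure>{PLAIN_BLOCK}<!-- {SSL_BLOCK} --></Configure>"
AFTER = f"<Configure>{SSL_BLOCK}<!-- {PLAIN_BLOCK} --></Configure>"

if __name__ == "__main__":
    print("before:", audit_jetty_xml(BEFORE))
    print("after: ", audit_jetty_xml(AFTER))
```

To audit a real installation, pass the contents of the jetty.xml file from step 2 to audit_jetty_xml instead of the constructed samples.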