[ https://issues.apache.org/jira/browse/SOLR-7126?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Noble Paul updated SOLR-7126:
-----------------------------
Attachment: (was: SOLR-7126.patch)
> signing a jar and secure dynamic loading
> ----------------------------------------
>
> Key: SOLR-7126
> URL: https://issues.apache.org/jira/browse/SOLR-7126
> Project: Solr
> Issue Type: Sub-task
> Reporter: Noble Paul
> Assignee: Noble Paul
> Labels: security
> Attachments: SOLR-7126.patch
>
>
> We need to ensure that the jars loaded into Solr are trusted.
> We shall use simple PKI to protect the jars/config loaded into the system.
> The following are the steps involved for doing that.
> {noformat}
> #Step 1:
> # generate a 768-bit RSA private key, or whatever strength you would need
> $ openssl genrsa -out private_key.pem 768
> # convert private Key to PKCS#8 format (so that Java can read it)
> $ openssl pkcs8 -topk8 -inform PEM -outform DER -in private_key.pem -out private_key.der -nocrypt
> # store your private keys safely (with a password if possible)
> # output public key portion in DER format (so Java can read it)
> $ openssl rsa -in private_key.pem -pubout -outform DER -out public_key.der
> #Step 2:
> # copy the public keys (the .DER files) to all Solr nodes under SOLR_HOME/keys, or start all your
> # solr servers with -Dpublic.keys.dir=/location/of/keys (where keys are stored)
> # Please note that you can store multiple public keys in that directory and all are valid
> #Step 3:
> # start all your servers with -Denable.dynamic.loading=true
> #Step 4:
> # sign the SHA-1 digest of your jar with one of your private keys and get the base64 string of that signature
> $ openssl dgst -sha1 -sign private_key.pem myjar.jar | openssl enc -base64
> #Step 5:
> # load your jars into the blob store. Refer to SOLR-6787
> #Step 6:
> # use the command to add your jar to classpath as follows
> {noformat}
> {code}
> # "sig" is the output of step 4 with its base64 lines concatenated
> curl http://localhost:8983/solr/collection1/config -H 'Content-type:application/json' -d '{
>   "add-runtimelib" : {"name": "jarname", "version": 2,
>     "sig": "mW1Gwtz2QazjfVdrLFHfbGwcr8xzFYgUOLu68LHqWRDvLG0uLcy1McQ+AzVmeZFBf1yLPDEHBWJb5KXr8bdbHN/PYgUB1nsr9pk4EFyD9KfJ8TqeH/ijQ9waa/vjqyiKEI9U550EtSzruLVZ32wJ7smvV0fj2YYhrUaaPzOn9g0="}
> }'
> {code}
> If no keys are present, the jar is loaded without any checking.
> Before loading a jar from the blob store, each Solr node would check if there
> are keys present in the keys directory. If yes, each jar's signature will be
> verified with all the available public keys. If at least one succeeds, the
> jar is loaded into memory. If nothing succeeds, it will be rejected.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
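The verification policy the description lays out (read every public key in the keys directory, check the step-4 signature against each one, accept on the first success, reject when none succeeds, load unchecked when the directory is empty), as an added example in Java. It is not Solr's code and not the patch attached to this issue. The class name JarSignatureCheck, the 2048-bit key size, the jar bytes and the temporary directory standing in for SOLR_HOME/keys are all assumptions constructed for the example. What it takes from the description is the openssl pipeline: `openssl dgst -sha1 -sign` emits a PKCS#1 v1.5 signature over the SHA-1 DigestInfo of the jar, which the JDK verifies as `SHA1withRSA`, and `openssl rsa -pubout -outform DER` emits SubjectPublicKeyInfo, which `X509EncodedKeySpec` parses.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.*;
import java.security.*;
import java.security.spec.X509EncodedKeySpec;
import java.util.*;

// Added example, not Solr's code: the "any trusted key verifies" check from SOLR-7126.
public class JarSignatureCheck {

    // Loads every *.der file in keysDir as an RSA public key. "openssl rsa -pubout
    // -outform DER" writes SubjectPublicKeyInfo, which X509EncodedKeySpec parses.
    static List<PublicKey> loadPublicKeys(Path keysDir) throws IOException, GeneralSecurityException {
        List<PublicKey> keys = new ArrayList<>();
        if (!Files.isDirectory(keysDir)) {
            return keys;  // no keys directory at all
        }
        List<Path> files = new ArrayList<>();
        try (DirectoryStream<Path> ds = Files.newDirectoryStream(keysDir, "*.der")) {
            ds.forEach(files::add);
        }
        Collections.sort(files);  // deterministic order, so a rejection is reproducible across nodes
        KeyFactory kf = KeyFactory.getInstance("RSA");
        for (Path p : files) {
            keys.add(kf.generatePublic(new X509EncodedKeySpec(Files.readAllBytes(p))));
        }
        return keys;
    }

    // Equivalent of "openssl dgst -sha1 -sign private_key.pem myjar.jar | openssl enc -base64":
    // a PKCS#1 v1.5 signature over the SHA-1 DigestInfo, which the JCA names SHA1withRSA.
    static String sign(byte[] jarBytes, PrivateKey privateKey) throws GeneralSecurityException {
        Signature signer = Signature.getInstance("SHA1withRSA");
        signer.initSign(privateKey);
        signer.update(jarBytes);
        return Base64.getMimeEncoder().encodeToString(signer.sign());  // line-wrapped, like openssl enc -base64
    }

    // Step 6's "sig" value, tried against every key in the directory; true on the first success.
    static boolean verifiedByAnyKey(byte[] jarBytes, String sigBase64, List<PublicKey> keys)
            throws GeneralSecurityException {
        byte[] sig = Base64.getMimeDecoder().decode(sigBase64);  // accepts wrapped or concatenated base64
        for (PublicKey key : keys) {
            Signature verifier = Signature.getInstance("SHA1withRSA");
            verifier.initVerify(key);
            verifier.update(jarBytes);
            try {
                if (verifier.verify(sig)) {
                    return true;
                }
            } catch (SignatureException e) {
                // e.g. the signature length does not match this key's modulus; try the remaining keys
            }
        }
        return false;
    }

    // The loading policy as the description states it: no keys present means the jar is loaded
    // unchecked; otherwise the signature must verify under at least one key or the jar is rejected.
    static boolean shouldLoad(byte[] jarBytes, String sigBase64, List<PublicKey> keys)
            throws GeneralSecurityException {
        if (keys.isEmpty()) {
            return true;
        }
        return sigBase64 != null && verifiedByAnyKey(jarBytes, sigBase64, keys);
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);  // assumption: 2048 bits rather than the 768 used in the description
        KeyPair trusted = gen.generateKeyPair();    // stands in for private_key.pem / public_key.der
        KeyPair unrelated = gen.generateKeyPair();  // a key that never signed anything here

        // Constructed stand-in for myjar.jar; a real jar is signed the same way, byte for byte.
        byte[] jar = "constructed stand-in for the bytes of myjar.jar".getBytes(StandardCharsets.UTF_8);
        String sig = sign(jar, trusted.getPrivate());

        // Constructed keys directory standing in for SOLR_HOME/keys (or -Dpublic.keys.dir).
        Path keysDir = Files.createTempDirectory("solr-keys");
        Files.write(keysDir.resolve("other.der"), unrelated.getPublic().getEncoded());
        Files.write(keysDir.resolve("public_key.der"), trusted.getPublic().getEncoded());
        List<PublicKey> keys = loadPublicKeys(keysDir);  // sorted: other.der first, then public_key.der

        byte[] tampered = Arrays.copyOf(jar, jar.length);
        tampered[0] ^= 0x01;  // a single flipped bit in the jar must fail under every key

        System.out.println("genuine jar, both keys present:    " + shouldLoad(jar, sig, keys));
        System.out.println("tampered jar, both keys present:   " + shouldLoad(tampered, sig, keys));
        System.out.println("genuine jar, only unrelated key:   " + shouldLoad(jar, sig, keys.subList(0, 1)));
        System.out.println("genuine jar, no sig, keys present: " + shouldLoad(jar, null, keys));
        System.out.println("genuine jar, empty keys directory: " + shouldLoad(jar, sig, Collections.emptyList()));
    }
}
```

Compile and run with `javac JarSignatureCheck.java && java JarSignatureCheck`. Two properties of the policy are worth keeping in view when deploying it: the empty-directory branch is fail-open, so a node whose keys directory is missing or emptied loads any jar unchecked, which makes the directory's permissions part of the trust boundary; and the key strength in step 1 is the operator's choice. The example uses 2048 bits because a 768-bit RSA modulus has been publicly factored (2009) and SHA-1 collisions have been demonstrated (2017), so SHA1withRSA over a short modulus is a compatibility floor for this signature format, not a target.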