[ https://issues.apache.org/jira/browse/SOLR-15423?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17349047#comment-17349047 ]
Jan Høydahl commented on SOLR-15423:
------------------------------------

See PR for proposed implementation. I chose to not go with Java's keystore format, but instead support PEM, DER and PKCS#7 certs directly in the config, either as a file reference or as plain-text in the config. The certs will be used to trust https connections when looking up Well-Known URL as well as the JWKs endpoint(s).

See screenshot for refGuide doc:

!jwt-refguide.png!

> JWTAuthPlugin support for custom truststore
> -------------------------------------------
>
>                 Key: SOLR-15423
>                 URL: https://issues.apache.org/jira/browse/SOLR-15423
>             Project: Solr
>          Issue Type: Improvement
>      Security Level: Public(Default Security Level. Issues are Public)
>          Components: security
>            Reporter: Jan Høydahl
>            Assignee: Jan Høydahl
>            Priority: Major
>         Attachments: jwt-refguide.png
>
>          Time Spent: 10m
>  Remaining Estimate: 0h
>
> The JWT plugin performs outbound HTTPS traffic to Identity Provider (IdP) to fetch signing keys. If that IdP has a custom SSL certificate not signed by any of the root certs shipping with Java, then we need to add its certificate to Jetty/Java's TrustStore to tell Solr that it should trust the self-signed cert of the IdP.
>
> In the k8s world it is quite common to terminate SSL in a mesh network outside applications or in the ingress controller. This won't work with the use case discussed above, since Jetty's TrustStore is not enabled at all when Solr is running in non-SSL mode.
>
> The proposal is to let JWT manage its own TrustStore by configuration.

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
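The mechanism the comment describes (an auth plugin owning its own trust set, fed with PEM, DER or PKCS#7 certificates given either inline or as a file path, and using it only for the outbound Well-Known/JWKS fetch) can be reproduced in plain JDK APIs without any JKS or PKCS#12 file. The following is an added illustration, not the Solr PR's code: the class name, the `loadTrustEntry` convention (an entry containing `-----BEGIN` is treated as inline PEM, anything else as a file path) and the command-line layout are assumptions made for this example. `CertificateFactory.generateCertificates` is what lets one code path accept all three encodings.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/**
 * Example (hypothetical, not Solr's JWTAuthPlugin): build a private trust set for the
 * IdP lookups from configured certificates, independent of Jetty's or the JVM's truststore.
 */
public final class JwtTrustStoreExample {

    /** A configured trust entry is either inline PEM text or a path to a PEM/DER/PKCS#7 file. */
    static byte[] loadTrustEntry(String entry) throws IOException {
        if (entry.contains("-----BEGIN")) {
            return entry.getBytes(StandardCharsets.US_ASCII);   // plain-text cert in the config
        }
        return Files.readAllBytes(Path.of(entry));              // file reference
    }

    /** Parse PEM (single or chain), DER, or a PKCS#7 bundle into X.509 certificates. */
    static List<X509Certificate> parseCertificates(byte[] raw) throws GeneralSecurityException {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> out = new ArrayList<>();
        // generateCertificates detects PEM vs. DER and unpacks PKCS#7 "certs-only" bundles.
        for (Certificate c : cf.generateCertificates(new ByteArrayInputStream(raw))) {
            out.add((X509Certificate) c);
        }
        return out;
    }

    /** An SSLContext whose trust anchors are exactly the given certificates, nothing else. */
    static SSLContext sslContextTrusting(List<X509Certificate> trusted)
            throws GeneralSecurityException, IOException {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null);   // empty in-memory store; no keystore file is ever written or read
        int i = 0;
        for (X509Certificate cert : trusted) {
            cert.checkValidity();   // fail fast on an expired or not-yet-valid trust anchor
            ks.setCertificateEntry("jwt-trust-" + (i++), cert);
        }
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    /** Fetch the JWKS document over HTTPS using only the private trust set. */
    static String fetchJwks(SSLContext ctx, URI jwksUri) throws IOException, InterruptedException {
        HttpClient client = HttpClient.newBuilder().sslContext(ctx).build();
        HttpRequest req = HttpRequest.newBuilder(jwksUri).GET().build();
        HttpResponse<String> resp = client.send(req, HttpResponse.BodyHandlers.ofString());
        if (resp.statusCode() != 200) {
            throw new IOException("JWKS fetch failed: HTTP " + resp.statusCode());
        }
        return resp.body();
    }

    /** Usage: java JwtTrustStoreExample https://idp.example/.well-known/jwks.json <cert entry>... */
    public static void main(String[] args) throws Exception {
        if (args.length < 2) {
            System.err.println("usage: <jwks-url> <pem-text-or-cert-file>...");
            System.exit(2);
        }
        List<X509Certificate> anchors = new ArrayList<>();
        for (int i = 1; i < args.length; i++) {
            anchors.addAll(parseCertificates(loadTrustEntry(args[i])));
        }
        for (X509Certificate c : anchors) {
            System.out.println("trusting: " + c.getSubjectX500Principal());
        }
        System.out.println(fetchJwks(sslContextTrusting(anchors), URI.create(args[0])));
    }
}
```

Two points worth noting for anyone configuring such a plugin: the trust set built here replaces the JVM defaults rather than extending them, so an IdP whose certificate chains to a public CA would need that CA (or the leaf) listed as well, and an empty list rejects every connection rather than silently trusting everything. Hostname verification is still performed by `HttpClient`, so the configured certificate must match the host in the Well-Known or JWKS URL.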