Victoria,

On 4/26/22 16:17, Victoria Stuart (VictoriasJourney.com) wrote:
>
> [snip]
>
> [victoria@victoria etc]$ sudo systemctl restart httpd
> [sudo] password for victoria:

I think this httpd restart/status are not relevant, no?

> # ----------------------------------------
> # ADD CERTIFICATE TO JAVA TRUST STORE (cacerts):
> # ----------------------------------------------
> ## cacerts p/w generally defaults to: changeit
> [victoria@victoria etc]$ sudo keytool -import -trustcacerts -cacerts -storepass *** -noprompt -alias solr-ssl -file /mnt/Vancouver/apps/solr/solr-8.11.1/server/etc/solr-ssl-cert
> Certificate was added to keystore

I would highly recommend *against* modifying the platform's cacerts trust store. It should be possible to use a specific trust store for any client who needs to access your Solr server.

> # ============================================================================
> # 2. INDEX DOCUMENTS TO SSL-HARDENED SOLR
> # =======================================
>
> [snip]
>
> # ----------------------------------------
> # solr.in.sh :
> # ------------
> ## Note: basic authentication allows access to SSL-protected Solr from the console / command-line.
> SOLR_SSL_ENABLED=true
> SOLR_SSL_KEY_STORE=/mnt/Vancouver/apps/solr/solr-8.11.1/server/etc/solr-ssl.keystore.p12
> SOLR_SSL_KEY_STORE_PASSWORD=secret
> SOLR_SSL_KEY_STORE_TYPE=PKCS12
> SOLR_SSL_TRUST_STORE=/mnt/Vancouver/apps/solr/solr-8.11.1/server/etc/solr-ssl.keystore.p12
> SOLR_SSL_TRUST_STORE_PASSWORD=secret
> SOLR_SSL_TRUST_STORE_TYPE=PKCS12
> SOLR_AUTH_TYPE="basic"
> SOLR_AUTHENTICATION_OPTS="-Dbasicauth=pg-solr-admin:secret"
> SOLR_SSL_NEED_CLIENT_AUTH=false
> SOLR_SSL_WANT_CLIENT_AUTH=false

Hmm I could have sworn you were using mutual-TLS. Maybe not.

> # ----------------------------------------
> # SOLR INDEXING (old, for reference; note: http://...):
> # -----------------------------------------------------
> /usr/lib/jvm/java-8-openjdk/jre//bin/java \
>   -classpath /mnt/Vancouver/apps/solr/solr-8.7.0/dist/solr-core-8.7.0.jar \
>   -Dauto=yes -Dc=core0 -Ddata=files \
>   org.apache.solr.util.SimplePostTool \
>   /mnt/Vancouver/programming/datasci/solr/test/d1.html \
>   /mnt/Vancouver/programming/datasci/solr/test/d2.html \
>   /mnt/Vancouver/programming/datasci/solr/test/d3.html \
>   /mnt/Vancouver/programming/datasci/solr/test/d4.html

If you add:

-Djavax.net.ssl.trustStore=[path to trust store]
-Djavax.net.ssl.trustStorePassword=[password]
-Djavax.net.ssl.trustStoreType=[type]

... then you should not have to modify the platform's cacerts trust store.

> /usr/lib/jvm/java-18-openjdk/bin/java \
>   -classpath /mnt/Vancouver/apps/solr/solr-8.11.1/dist/solr-core-8.11.1.jar \
>   -Dbasicauth=pg-solr-admin:secret \
>   -Dsolr.default.confdir=/mnt/Vancouver/apps/solr/solr-8.11.1/server/solr/configsets/_default/conf/ \
>   -Djavax.net.ssl.keyStore=/mnt/Vancouver/apps/solr/solr-8.11.1/server/etc/solr-ssl.keystore.p12 \
>   -Djavax.net.ssl.keyStoreType=PKCS12 \
>   -Djavax.net.ssl.keyStorePassword=secret \
>   -Djavax.net.ssl.trustStore=/mnt/Vancouver/apps/solr/solr-8.11.1/server/etc/solr-ssl.keystore.p12 \
>   -Djavax.net.ssl.trustStoreType=PKCS12 \
>   -Djavax.net.ssl.trustStorePassword=secret \

Yes, just like the above.

-chris
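
The dedicated-trust-store approach recommended in this reply, as an added example that is not part of the original message or of Solr's own scripts: it builds a client-only PKCS12 store holding just the Solr certificate, removes the earlier cacerts entry, and runs java with the three `javax.net.ssl.trustStore*` properties. The function names, the `JAVA` override, the trust store file name and `$TS_PASS` are assumptions; the alias and paths in the usage comment are the ones quoted above.

```shell
#!/bin/sh
# Added example (not from the thread). Function names, the JAVA override, the
# trust store file name and $TS_PASS are assumptions made for illustration.

# Create a client-only PKCS12 trust store holding just the Solr certificate.
make_client_truststore() {            # cert_file store_file store_pass
    keytool -importcert -noprompt -alias solr-ssl -file "$1" \
        -keystore "$2" -storetype PKCS12 -storepass "$3"
}

# Undo an earlier import into the platform trust store (needs write access).
remove_from_cacerts() {               # cacerts_pass
    keytool -delete -cacerts -alias solr-ssl -storepass "$1"
}

# Reject the platform store and unreadable files before handing them to JSSE.
check_truststore() {                  # store_file
    case "${1##*/}" in
        cacerts) echo "refusing platform trust store: $1" >&2; return 1 ;;
    esac
    [ -r "$1" ] || { echo "trust store not readable: $1" >&2; return 1; }
}

# Run java with the three javax.net.ssl.trustStore* properties prepended.
# JAVA may be overridden (JAVA=echo prints the command line instead).
java_with_truststore() {              # store_file store_pass java_args...
    ts_store=$1; ts_pass=$2; shift 2
    check_truststore "$ts_store" || return 1
    "${JAVA:-java}" \
        "-Djavax.net.ssl.trustStore=$ts_store" \
        "-Djavax.net.ssl.trustStorePassword=$ts_pass" \
        "-Djavax.net.ssl.trustStoreType=PKCS12" "$@"
}

# Usage sketch, commented out so that sourcing this file runs nothing:
#   make_client_truststore \
#       /mnt/Vancouver/apps/solr/solr-8.11.1/server/etc/solr-ssl-cert \
#       "$HOME/solr-client-truststore.p12" "$TS_PASS"
#   java_with_truststore "$HOME/solr-client-truststore.p12" "$TS_PASS" \
#       -classpath /mnt/Vancouver/apps/solr/solr-8.11.1/dist/solr-core-8.11.1.jar \
#       ... org.apache.solr.util.SimplePostTool d1.html
```

A store built this way contains only the public certificate, whereas the `solr-ssl.keystore.p12` file named in `SOLR_SSL_KEY_STORE` is the server's keystore and so also holds its private key.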