Elasticsearch Security

Overview

drwxr-sr-x. 2 root elasticsearch    43 Sep  3 20:50 ssl
openssl req -x509 -newkey rsa:4096 -keyout es-key.pem -out es-cert.pem -days 365 -subj '/CN=*.test.local' -nodes
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true

Mutual TLS Authentication

NOTE: TLS/SSL functionality in Solr 8.5.x is not working (see the SOLR-14105 issue for details). Use Solr 8.4.x instead.

Mutual TLS is based on asymmetric (public-key) cryptography. Unlike ordinary TLS, where only the server presents a certificate, both the server and the clients present certificates and identify themselves by the Distinguished Name (DN) those certificates contain. Each side accepts the other only if the peer's certificate is present in its own trust store.

Keys and Certificates

Step 1: Generate server keys and certificates

Run Java keytool to generate a private/public key pair for the Solr nodes. In this example we use the same key pair for all Solr nodes, with a wildcard Common Name (CN). You can also generate an individual key pair for each node. Note that keytool's default certificate validity is only 90 days, so pass -validity explicitly.

keytool -genkeypair -alias "solr" -keystore "solr.jks" -dname "CN=*.test.local" -keyalg RSA -keysize 2048 -validity 365 -storepass "password" -keypass "password"

Export certificate.

keytool -exportcert -alias "solr" -keystore "solr.jks" -file "solr.cer" -storepass "password"

Step 2: Generate client keys and certificate

Run Java keytool to generate the client key pair and export its certificate. Use "CN=solr-admin"; this DN is the identity Solr will see for the Registry Manager client.

keytool -genkeypair -alias "solr-admin" -keystore "solr-admin.jks" -dname "CN=solr-admin" -keyalg RSA -keysize 2048 -validity 365 -storepass "password" -keypass "password"
keytool -exportcert -alias "solr-admin" -keystore "solr-admin.jks" -file "solr-admin.cer" -storepass "password"

Step 3: Create server trust store

Create the server trust store and import the Solr server and client certificates. Only clients whose certificate is in this store will be accepted; every additional client certificate has to be imported here (a CA-signed setup would avoid that, but is outside the scope of this page). The -noprompt flag suppresses the interactive "Trust this certificate?" question.

keytool -importcert -noprompt -alias "solr" -keystore "solr-trust.jks" -file "solr.cer" -storepass "password"
keytool -importcert -noprompt -alias "solr-admin" -keystore "solr-trust.jks" -file "solr-admin.cer" -storepass "password"

Step 4: Create client trust store

Create the client trust store and import the Solr server and client certificates. The same trust store can be used by all Solr clients. Although the server and client trust stores have the same content at this point, keep them in separate files: later you may add client certificates to the server store that clients have no reason to trust.

keytool -importcert -noprompt -alias "solr" -keystore "solr-admin-trust.jks" -file "solr.cer" -storepass "password"
keytool -importcert -noprompt -alias "solr-admin" -keystore "solr-admin-trust.jks" -file "solr-admin.cer" -storepass "password"
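The four steps above combined into one script that can be run unattended and then verified. This is an added example, not a script from the original page: it assumes the target directory and store password are passed as arguments, adds -validity (keytool defaults to 90 days), -keypass and -noprompt, adds a SAN entry matching the wildcard CN (host name verifiers check SAN before CN), and restricts file permissions on the two key stores, which hold the private keys.

```shell
#!/bin/sh
# Added example: builds the Solr server/client key stores and the two trust stores
# described in Steps 1-4. Directory and password are assumptions passed in by the caller.
set -e

# make_solr_stores DIR PASSWORD
# Creates solr.jks, solr-admin.jks, solr-trust.jks and solr-admin-trust.jks in DIR.
make_solr_stores() {
    dir=$1
    pass=$2
    mkdir -p "$dir"
    chmod 700 "$dir"
    (
        cd "$dir"

        # Step 1: server key pair shared by all nodes. Wildcard CN as on the page;
        # the SAN entry is added so clients that ignore the CN still match the host name.
        keytool -genkeypair -alias solr -keystore solr.jks \
            -dname "CN=*.test.local" -ext "SAN=dns:*.test.local" \
            -keyalg RSA -keysize 2048 -validity 365 \
            -storepass "$pass" -keypass "$pass"
        keytool -exportcert -alias solr -keystore solr.jks -file solr.cer -storepass "$pass"

        # Step 2: client key pair for the Registry Manager operator.
        keytool -genkeypair -alias solr-admin -keystore solr-admin.jks \
            -dname "CN=solr-admin" -keyalg RSA -keysize 2048 -validity 365 \
            -storepass "$pass" -keypass "$pass"
        keytool -exportcert -alias solr-admin -keystore solr-admin.jks -file solr-admin.cer -storepass "$pass"

        # Steps 3 and 4: separate trust stores for servers and clients; same content for now,
        # but kept apart so they can diverge later. -noprompt skips the interactive confirmation.
        for ts in solr-trust.jks solr-admin-trust.jks; do
            keytool -importcert -noprompt -alias solr -keystore "$ts" -file solr.cer -storepass "$pass"
            keytool -importcert -noprompt -alias solr-admin -keystore "$ts" -file solr-admin.cer -storepass "$pass"
        done

        # Only the key stores contain private keys: make them unreadable to other users.
        chmod 600 solr.jks solr-admin.jks
    )
}

# store_has_alias STORE PASSWORD ALIAS
# Returns 0 if ALIAS exists in STORE (keytool exits non-zero for an unknown alias).
store_has_alias() {
    keytool -list -keystore "$1" -storepass "$2" -alias "$3" >/dev/null 2>&1
}

# Usage: sh make-stores.sh /opt/solr/ssl 'password'
if [ $# -ge 2 ]; then
    make_solr_stores "$1" "$2"
    store_has_alias "$1/solr-trust.jks" "$2" solr-admin && echo "client cert trusted by server store"
fi
```

After running it, the server store (solr-trust.jks) should list both aliases while solr-admin.jks contains only the client key; the checks at the end of the script confirm that.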

Configure Solr

Step 1: Set "urlScheme" cluster property

Connect to ZooKeeper

/opt/zookeeper/bin/zkCli.sh -server zk1.test.local

and create the following znode. The /solr prefix is the ZooKeeper chroot of the Solr cluster; adjust it if yours differs, and use set instead of create if /solr/clusterprops.json already exists.

create /solr/clusterprops.json {"urlScheme":"https"}

You can also call the Solr API to set the "urlScheme" cluster property. This must be done while Solr is still reachable over plain HTTP, i.e. before the SSL settings below are applied.

curl "http://localhost:8983/solr/admin/collections?action=CLUSTERPROP&name=urlScheme&val=https"

Step 2: Copy key and trust store

In this example we will use the /opt/solr/ssl directory. You can choose another location; wherever the files go, solr.jks contains the node's private key and should be readable only by the account Solr runs as.

Copy solr.jks and solr-trust.jks to all Solr nodes.

Step 3: Edit Solr startup script

Add the following SSL parameters to /opt/solr/bin/solr.in.sh on each Solr node. SOLR_SSL_NEED_CLIENT_AUTH=true is what makes the TLS mutual: connections that do not present a certificate from the trust store are refused. The store passwords are stored in clear text here, so restrict read access to solr.in.sh as well.

SOLR_SSL_KEY_STORE=/opt/solr/ssl/solr.jks
SOLR_SSL_KEY_STORE_PASSWORD=password
SOLR_SSL_TRUST_STORE=/opt/solr/ssl/solr-trust.jks
SOLR_SSL_TRUST_STORE_PASSWORD=password
SOLR_SSL_NEED_CLIENT_AUTH=true

Also set the SOLR_HOST variable in /opt/solr/bin/solr.in.sh. The default value, "localhost", does not match the wildcard certificate and may cause SSL host name validation failures between nodes.

SOLR_HOST=solr1.test.local

Step 4: Restart Solr on each node

systemctl stop solr
systemctl start solr
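A check over solr.in.sh for the settings Steps 3 and 4 depend on, to run on each node before restarting. This is an added audit script, not part of the original page or of Solr. The two sample files it writes are constructed for illustration; SOLR_SSL_WANT_CLIENT_AUTH and SOLR_SSL_CHECK_PEER_NAME are Solr settings the page does not mention, included because they are the usual ways a mutual TLS setup gets weakened (a client certificate that is merely requested, and host name verification switched off).

```shell
#!/bin/sh
# Added example: audit the SSL settings in a solr.in.sh file.
# Sample configurations below are constructed, not taken from the original page.

# get_setting FILE VAR: value of the last uncommented VAR= assignment, quotes stripped
get_setting() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 | tr -d '"'
}

# check_solr_in_sh FILE: print one finding per line; return 1 if anything was found
check_solr_in_sh() {
    f=$1
    findings=0
    note() { echo "$f: $1"; findings=$((findings + 1)); }

    [ -n "$(get_setting "$f" SOLR_SSL_KEY_STORE)" ] \
        || note "SOLR_SSL_KEY_STORE unset: Solr would serve plain HTTP"
    [ -n "$(get_setting "$f" SOLR_SSL_TRUST_STORE)" ] \
        || note "SOLR_SSL_TRUST_STORE unset: client certificates cannot be validated"
    # WANT_CLIENT_AUTH only requests a certificate; NEED_CLIENT_AUTH rejects clients without one.
    [ "$(get_setting "$f" SOLR_SSL_NEED_CLIENT_AUTH)" = true ] \
        || note "SOLR_SSL_NEED_CLIENT_AUTH is not true: client certificates are optional, not mutual TLS"
    # Peer name checking is what ties a presented certificate to the host being contacted.
    [ "$(get_setting "$f" SOLR_SSL_CHECK_PEER_NAME)" != false ] \
        || note "SOLR_SSL_CHECK_PEER_NAME=false disables host name verification between nodes"
    case "$(get_setting "$f" SOLR_HOST)" in
        ""|localhost|127.0.0.1) note "SOLR_HOST unset or loopback: certificate host name will not match" ;;
    esac
    # Store passwords are plaintext in this file: group/other read bits (ls columns 5-10) must be clear.
    case "$(ls -ld "$f" | cut -c5-10)" in
        *r*) note "file is readable by group or others and contains key store passwords" ;;
    esac

    [ "$findings" -eq 0 ]
}

# write_samples DIR: one weak and one hardened configuration (constructed examples)
write_samples() {
    cat > "$1/weak.in.sh" <<'EOF'
SOLR_SSL_KEY_STORE=/opt/solr/ssl/solr.jks
SOLR_SSL_KEY_STORE_PASSWORD=password
SOLR_SSL_TRUST_STORE=/opt/solr/ssl/solr-trust.jks
SOLR_SSL_TRUST_STORE_PASSWORD=password
SOLR_SSL_WANT_CLIENT_AUTH=true
SOLR_SSL_CHECK_PEER_NAME=false
#SOLR_HOST=solr1.test.local
EOF
    chmod 644 "$1/weak.in.sh"
    cat > "$1/hardened.in.sh" <<'EOF'
SOLR_SSL_KEY_STORE=/opt/solr/ssl/solr.jks
SOLR_SSL_KEY_STORE_PASSWORD="password"
SOLR_SSL_TRUST_STORE=/opt/solr/ssl/solr-trust.jks
SOLR_SSL_TRUST_STORE_PASSWORD="password"
SOLR_SSL_NEED_CLIENT_AUTH=true
SOLR_SSL_WANT_CLIENT_AUTH=false
SOLR_SSL_CHECK_PEER_NAME=true
SOLR_HOST=solr1.test.local
EOF
    chmod 600 "$1/hardened.in.sh"
}

# Usage: sh audit-solr-ssl.sh [/opt/solr/bin/solr.in.sh]
# Without an argument the two constructed samples are audited instead.
if [ -n "${1:-}" ]; then
    check_solr_in_sh "$1"
else
    d=$(mktemp -d)
    write_samples "$d"
    check_solr_in_sh "$d/weak.in.sh"
    check_solr_in_sh "$d/hardened.in.sh" && echo "$d/hardened.in.sh: no findings"
    rm -r "$d"
fi
```

The weak sample produces four findings (no NEED_CLIENT_AUTH, peer name check disabled, SOLR_HOST commented out, world-readable file); the hardened one produces none and the function returns 0, so it can gate a restart in a deployment script.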

Configure Registry Manager

Step 1: Copy key and trust store

Copy solr-admin.jks and solr-admin-trust.jks (created in Keys and Certificates, Steps 2 and 4) to your home directory or another location readable only by the account that runs Registry Manager.

Step 2: Edit Registry Manager startup script

Add the SOLR_CLIENT_TLS_FLAGS variable to $REGISTRY_HOME/bin/registry-manager. Adjust the key and trust store paths and passwords to match where you copied the files. Note that values passed as -D system properties appear in the process command line and are visible to other local users via ps.

SOLR_CLIENT_TLS_FLAGS="
-Djavax.net.ssl.keyStore=/opt/solr/ssl/solr-admin.jks
-Djavax.net.ssl.keyStorePassword=password
-Djavax.net.ssl.trustStore=/opt/solr/ssl/solr-admin-trust.jks
-Djavax.net.ssl.trustStorePassword=password"

Replace the last line in $REGISTRY_HOME/bin/registry-manager,

"$JAVA" $ZK_CLIENT_TLS_FLAGS -jar "$TOOL_JAR" $@

with

"$JAVA" $ZK_CLIENT_TLS_FLAGS $SOLR_CLIENT_TLS_FLAGS -jar "$TOOL_JAR" $@