Configure TLS/SSL encryption for Solr
Although Cloudera recommends using AutoTLS, you also have the option to set up TLS manually for Cloudera Search.
- The Solr service must be running.
- Keystores for Solr must be readable by the solr user. This could be a copy of the Hadoop services' keystore with permissions 0440 and owned by the solr group.
- Truststores must have permissions 0444 (that is, readable by all).
- Specify absolute paths to the keystore and truststore files. These settings apply to all hosts on which daemon roles of the Solr service run. Therefore, the paths you choose must be valid on all hosts.
- If a DataNode and a Solr server run on the same host, they can use the same certificate.
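The file requirements in the list above can be checked on each Solr host before TLS is enabled. The script below is an added example, not part of the Cloudera documentation: the function names check_store and preflight are hypothetical, the paths in the usage comment are placeholders, and it assumes GNU or BusyBox stat.

```shell
#!/bin/sh
# Preflight check for Solr keystore/truststore files (added example).
# Usage on each Solr host (placeholder paths):
#   sh solr_tls_preflight.sh /path/to/solr-keystore.jks /path/to/truststore.jks solr

# check_store PATH WANT_MODE [WANT_GROUP]
# Returns 0 only if PATH is absolute, is a regular file, has exactly
# WANT_MODE (octal, no leading zero) and, when given, group WANT_GROUP.
check_store() {
    path=$1; want_mode=$2; want_group=${3:-}
    case $path in
        /*) ;;  # absolute, as the configuration requires
        *) echo "FAIL $path: not an absolute path" >&2; return 1 ;;
    esac
    if [ ! -f "$path" ]; then
        echo "FAIL $path: file not present on this host" >&2; return 1
    fi
    mode=$(stat -c '%a' "$path")    # e.g. 440
    group=$(stat -c '%G' "$path")   # owning group name
    if [ "$mode" != "$want_mode" ]; then
        echo "FAIL $path: mode $mode, expected $want_mode" >&2; return 1
    fi
    if [ -n "$want_group" ] && [ "$group" != "$want_group" ]; then
        echo "FAIL $path: group $group, expected $want_group" >&2; return 1
    fi
    echo "OK   $path (mode $mode, group $group)"
}

# preflight KEYSTORE TRUSTSTORE [GROUP]
# Keystore: 0440 and owned by GROUP (default solr). Truststore: 0444.
# Both files are always checked so every problem is reported in one run.
preflight() {
    rc=0
    check_store "$1" 440 "${3:-solr}" || rc=1
    check_store "$2" 444 || rc=1
    return $rc
}

# Run only when paths are supplied on the command line.
if [ "$#" -ge 2 ]; then
    preflight "$@"
fi
```

Because the configured paths apply to every host running a Solr daemon role, run the check on each of those hosts; a non-zero exit status means at least one file failed.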
For more information on obtaining signed certificates and creating keystores, see Encrypting Data in Transit. You can also view the upstream Solr documentation.
An additional consideration when configuring TLS/SSL for Solr HA is to allow clients to talk to Solr servers (the target servers) through the load balancer using TLS/SSL. To achieve this, you have to configure the load balancer for TLS/SSL pass-through, which means the load balancer does not perform encryption/decryption but simply passes traffic from clients and servers to the appropriate target host. See the documentation of your load balancer for details.