Configure TLS/SSL encryption for Solr

Although Cloudera recommends using AutoTLS, you also have the option to set up TLS manually for Cloudera Search.

Minimum required role: Configurator (Also provided by Cluster Administrator, Full Administrator)
  • The Solr service must be running.
  • Keystores for Solr must be readable by the solr user. This could be a copy of the Hadoop services' keystore with permissions 0440 and owned by the solr group.
  • Truststores must have permissions 0444 (that is, readable by all).
  • Specify absolute paths to the keystore and truststore files. These settings apply to all hosts on which daemon roles of the Solr service run. Therefore, the paths you choose must be valid on all hosts.
  • In case there is a DataNode and a Solr server running on the same host, they can use the same certificate.

For more information on obtaining signed certificates and creating keystores, see Encrypting Data in Transit. You can also view the upstream Solr documentation.

An additional consideration when configuring TLS/SSL for Solr HA is to allow clients to talk to Solr servers (the target servers) through the load balancer using TLS/SSL. To achieve this, you have to configure the load balancer for TLS/SSL pass-through, which means the load balancer does not perform encryption/decryption but simply passes traffic from clients and servers to the appropriate target host. See the documentation of your load balancer for details.

  1. Open the Cloudera Manager Admin Console and go to the Solr service.
  2. Click the Configuration tab.
  3. Select Scope > All.
  4. In the Search field, type TLS/SSL to show the Solr TLS/SSL properties.
  5. Edit the following properties according to your cluster configuration.
    Table 1. Solr TLS/SSL Properties
    Property Description
    Enable TLS/SSL for Solr Check this field to enable TLS for Solr.
    Solr TLS/SSL Server JKS Keystore File Location The path to the TLS/SSL keystore file containing the server certificate and private key used for TLS/SSL. Used when Solr is acting as a TLS/SSL server. The keystore must be in JKS format.
    Solr TLS/SSL Server JKS Keystore File Password Password for the Solr JKS keystore.
    Solr TLS/SSL Client Trust Store File Required in case of self-signed or internal CA signed certificates. The location on disk of the truststore, in .jks format, used to confirm the authenticity of TLS/SSL servers that Solr might connect to. This is used when Solr is the client in a TLS/SSL connection. This truststore must contain the certificate(s) used to sign the service(s) being connected to. If this parameter is not provided, the default list of well-known certificate authorities is used instead.
    Solr TLS/SSL Client Trust Store Password The password for the Solr TLS/SSL Certificate Trust Store File. This password is not required to access the truststore: this field can be left blank. This password provides optional integrity checking of the file. The contents of truststores are certificates, and certificates are public information.
  6. Enter a Reason for Change, and then click Save Changes to commit your changes.
  7. Launch the Stale Configuration wizard to restart the Solr service and any dependent services.
If Ranger authorization has been enabled for the Solr service, you need to update the Solr Collection URL (for a resource-based policy) or Solr URL (for a resource-based service) from http://host_ip:8983/solr to https://host_ip:8985/solr on the Ranger Admin Web UI.