Using --go-live with SSL or Kerberos

Establish trust between the indexer client and Solr server(s).

The go-live phase of the indexer jobs sends a MERGEINDEXES request from the indexer client (the node from which the MR job was submitted) to the live Solr servers. If the Solr server has SSL enabled, you need to ensure that the indexer client trusts the certificate presented by the Solr server(s), otherwise you get an SSLPeerUnverifiedException.

  1. Specify the location of the trust store by setting the following HADOOP_OPTS variable before launching the indexer job:
    HADOOP_OPTS="-Djavax.net.ssl.trustStore=/etc/cdep-ssl-conf/CA_STANDARD/truststore.jks "
  2. If the Solr servers have Kerberos authentication enabled, you need to ensure that the indexer client can authenticate via Kerberos to the Solr servers. For this, you need to create a Java Authentication and Authorization Service configuration (JAAS) file locally on the node where the indexing job is launched:
    • If you are authenticating using kinit to obtain credentials, you can configure the client to use your credential cache by creating a jaas.conf file with the following contents:
      Client {
       com.sun.security.auth.module.Krb5LoginModule required
       useKeyTab=false
       useTicketCache=true
       principal="<user>@EXAMPLE.COM";
       };
      Replace <user> with your username, and EXAMPLE.COM with your Kerberos realm.
    • If you want the client application to authenticate using a keytab, modify jaas-client.conf as follows:
      Client {
       com.sun.security.auth.module.Krb5LoginModule required
       useKeyTab=true
       keyTab="/path/to/user.keytab"
       storeKey=true
       useTicketCache=false
       principal="<user>@EXAMPLE.COM";
      };
      Replace /path/to/user.keytab with the keytab file you want to use and <user>@EXAMPLE.COM with the principal in the keytab. If you are using a service principal that includes the hostname, make sure that it is included in the jaas.conf file (for example, solr/solr01.example.com@EXAMPLE.COM).
  3. If you are using a ticket cache, you need to do a kinit to acquire a ticket for the configured principal before launching the indexer.
  4. Specify the authentication configuration in the HADOOP_OPTS environment variable:
    HADOOP_OPTS="-Djava.security.auth.login.config=jaas.conf -Djavax.net.ssl.trustStore=/etc/cdep-ssl-conf/CA_STANDARD/truststore.jks" \
    hadoop --config /etc/hadoop/conf \
    jar /opt/cloudera/parcels/CDH/lib/hbase-solr/tools/hbase-indexer-mr-*-job.jar \
    --conf /etc/hbase/conf/hbase-site.xml -Dmapreduce.map.java.opts="-Xmx512m" -Dmapreduce.reduce.java.opts="-Xmx512m" \
    --hbase-indexer-file /home/systest/hbasetest/morphline-hbase-mapper.xml \
    --zk-host 127.0.0.1/solr \
    --collection hbase-collection1 \
    --go-live --log4j src/test/resources/log4j.properties