Scenario:
Our organization wants to increase the security of the Solr instance when using the new Fulltext Service.
Solution:
To better secure your system when using the Fulltext Service, the Solr instance can be run with an SSL (Secure Sockets Layer) certificate. Follow the steps below to implement this:

1. First, enable Basic Authentication for Fulltext. Please see KBA-37185 on how this can be done.

2. Open a command line interface and navigate to the directory containing keytool.exe. Keytool is located in the bin directory of the JDK package; the path should be similar to C:\Program Files\DocuWare\Full-Text Server (x64)\OpenJDK\jdk-xxxxx\bin

3. Create a keystore by executing the following command in the opened CMD:
keytool -genkeypair -alias solr-ssl -keyalg RSA -keysize 2048 -keypass <your_password> -storepass <your_password> -validity 9999 -keystore solr-ssl.keystore.p12 -storetype PKCS12 -ext SAN=DNS:MACHINENAME -dname "CN=MACHINENAME, OU=Organizational Unit, O=Organization, L=Location, ST=State, C=Country"
In the command above, replace the keypass and storepass values (both should be at least 6 characters long) and replace MACHINENAME with the name of the machine. This command will create a file named solr-ssl.keystore.p12 in the same directory.
Here is an example using a localhost address:

keytool -genkeypair -alias solr-ssl -keyalg RSA -keysize 2048 -keypass secret -storepass secret -validity 9999 -keystore solr-ssl.keystore.p12 -storetype PKCS12 -ext SAN=DNS:localhost -dname "CN=localhost, OU=Organizational Unit, O=Organization, L=Location, ST=State, C=Country"

4. Copy the solr-ssl.keystore.p12 file to C:\Program Files\DocuWare\Full-Text Server (x64)\solr\server\etc

5. Open Windows Certificate Management and import the newly created certificate (solr-ssl.keystore.p12) into Trusted Root Certification Authorities.

6. Locate the solr.in.cmd file in the bin directory of Solr 8 (C:\Program Files\DocuWare\Full-Text Server (x64)\solr\bin)

7. Open the file in Notepad and edit the settings below by removing the leading "REM" from each line. Make sure each line begins with "set". Ensure the key and store passwords are the same as those in the certificate.
set SOLR_SSL_ENABLED=true
set SOLR_SSL_KEY_STORE=etc/solr-ssl.keystore.p12
set SOLR_SSL_KEY_STORE_PASSWORD=<your_password>
set SOLR_SSL_TRUST_STORE=etc/solr-ssl.keystore.p12
set SOLR_SSL_TRUST_STORE_PASSWORD=<your_password>
set SOLR_SSL_NEED_CLIENT_AUTH=false
set SOLR_SSL_CHECK_PEER_NAME=true 

Note on Client Authentication Settings: Enable either SOLR_SSL_NEED_CLIENT_AUTH or SOLR_SSL_WANT_CLIENT_AUTH but not both at the same time. They are mutually exclusive, and Jetty will select one of them, which may not be what you expect.

8. Save the changes to the solr.in.cmd file.

9. Restart Solr using DocuWare Service Control or Windows Services.

10. Navigate to https://MACHINENAME:9012/solrt which may display the message;
You have successfully added SSL to Fulltext Server!

11. Make sure the DocuWare Administration tool uses the correct URL for the Fulltext Connections.
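
A check that can be run on solr.in.cmd before restarting Solr, covering the step 7 settings and the client-authentication note. This is an added example, not part of the original article or of DocuWare's tooling; the function name, the finding messages and the sample file content are assumptions constructed for illustration.

```python
import re

# Settings that step 7 of the article says must be active in solr.in.cmd.
REQUIRED = ["SOLR_SSL_ENABLED", "SOLR_SSL_KEY_STORE", "SOLR_SSL_KEY_STORE_PASSWORD",
            "SOLR_SSL_TRUST_STORE", "SOLR_SSL_TRUST_STORE_PASSWORD",
            "SOLR_SSL_NEED_CLIENT_AUTH", "SOLR_SSL_CHECK_PEER_NAME"]
LINE = re.compile(r"^\s*(?P<rem>REM\s+)?(?P<set>set\s+)?(?P<name>SOLR_SSL_\w+)=(?P<value>.*?)\s*$", re.I)

def check_solr_in_cmd(text):
    """Return a list of findings for the SSL block of a solr.in.cmd file (hypothetical helper)."""
    active, findings = {}, []
    for n, raw in enumerate(text.splitlines(), 1):
        m = LINE.match(raw)
        if not m or m["rem"]:
            continue  # unrelated or still commented out; required ones are reported below
        name = m["name"].upper()
        if not m["set"]:
            findings.append(f"line {n}: {name} lacks the leading 'set'")
            continue
        active[name] = m["value"]
    for name in REQUIRED:
        if name not in active:
            findings.append(f"{name} is not set by an active line")
    if active.get("SOLR_SSL_ENABLED", "true").lower() != "true":
        findings.append("SOLR_SSL_ENABLED is not true")
    for name in ("SOLR_SSL_KEY_STORE_PASSWORD", "SOLR_SSL_TRUST_STORE_PASSWORD"):
        if active.get(name) in ("", "<your_password>"):
            findings.append(f"{name} is empty or still the placeholder")
    need = active.get("SOLR_SSL_NEED_CLIENT_AUTH", "").lower() == "true"
    want = active.get("SOLR_SSL_WANT_CLIENT_AUTH", "").lower() == "true"
    if need and want:
        findings.append("NEED_CLIENT_AUTH and WANT_CLIENT_AUTH are both true (mutually exclusive)")
    return findings

# Constructed sample: one line missing 'set', one still REM'd, both client-auth flags on.
SAMPLE_BAD = """\
set SOLR_SSL_ENABLED=true
SOLR_SSL_KEY_STORE=etc/solr-ssl.keystore.p12
set SOLR_SSL_KEY_STORE_PASSWORD=<your_password>
REM set SOLR_SSL_TRUST_STORE=etc/solr-ssl.keystore.p12
set SOLR_SSL_TRUST_STORE_PASSWORD=example-pass
set SOLR_SSL_NEED_CLIENT_AUTH=true
set SOLR_SSL_WANT_CLIENT_AUTH=true
set SOLR_SSL_CHECK_PEER_NAME=true
"""

if __name__ == "__main__":
    for finding in check_solr_in_cmd(SAMPLE_BAD):
        print(finding)
```

To check a real installation, pass the contents of the solr.in.cmd file from step 6 to the function instead of the sample.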

KBA is applicable to On-premise Organizations ONLY.
