Community Articles

Enable SSL for Ambari Infra Solr:

1) Create directory on Infra Solr node:

mkdir -p /etc/security/serverKeys
cd /etc/security/serverKeys

2) Create Infra Solr keystore:

keytool -genkeypair -alias solr-ssl -keyalg RSA -keysize 2048 -keypass bigdata -storepass bigdata -validity 9999 -keystore infra.solr.keyStore.jks -ext SAN=DNS:{solr-hostname},IP:{solr-host-ip-address} -dname "CN={solr-hostname}, OU=Ambari, O=InfraSolr, L=Location, ST=State, C=Country"

3) Update the keystore file infra.solr.keyStore.jks ownership:

chown infra-solr:hadoop infra.solr.keyStore.jks

4) Update below properties from Ambari under Ambari Infra Config Tab in Advanced infra-solr-env section:

infra_solr_ssl_enabled (Enable SSL to Infra Solr) - true
infra_solr_keystore_location (Infra Solr key store location) - /etc/security/serverKeys/infra.solr.keyStore.jks
infra_solr_keystore_type (Infra Solr key store type) - jks
infra_solr_keystore_password (Infra Solr key store password) - bigdata (Enter password given in -storepass argument while creating keystore)

Here, using the same keystore as truststore.
infra_solr_truststore_location (Infra Solr trust store location) - /etc/security/serverKeys/infra.solr.keyStore.jks
infra_solr_truststore_type (Infra Solr trust store type) - jks
infra_solr_truststore_password (Infra Solr truststore store password) - bigdata (Enter password given in -storepass argument while creating keystore)

5) (Optional, Ambari Infra Solr restart handles setting https urlScheme) Configure Infra Solr cluster properties in Zookeeper:

/usr/lib/ambari-infra-solr/server/scripts/cloud-scripts/zkcli.sh -zkhost {zookeeper-host}:2181/infra-solr -cmd clusterprop -name urlScheme -val https

6) Restart Ambari Infra Solr.

NOTE: For more detailed explanation on enabling solr in SSL refer: Enabling SSL

Configure Ranger and Ranger Plugins:

1) Create directory on Ranger node as well on Ranger Plugin node:

mkdir -p /etc/security/serverKeys
cd /etc/security/serverKeys

2) Create solr-trust.cer file. Need to export infra.solr.keyStore.jks certificate into it:

keytool -export -keystore infra.solr.keyStore.jks -alias solr-ssl -file solr-trust.cer -storepass bigdata

3) Import Infra Solr certificate into JDK cacerts:

keytool -import -file solr-trust.cer -alias solr-trust -keystore {java_home_path}/jre/lib/security/cacerts -storepass changeit

4) Create Ranger truststore file having Infra Solr certificate:

keytool -import -file solr-trust.cer -alias solr-ranger-trust -keystore rangertruststore -storepass changeit

5) Update the ownership of Ranger truststore file and also update below properties from Ambari under Ranger service config tab in Advanced ranger-admin-site section

chown ranger:hadoop rangertruststore

Properties:
ranger.truststore.file - /etc/security/serverKeys/rangertruststore
ranger.truststore.password - changeit (Enter the password given in -storepass argument while creating truststore)

6) For Ranger Plugin import Infra Solr certificate into JDK cacerts file on the node where Ranger Plugin is enabled:

keytool -import -file solr-trust.cer -alias solr-trust -keystore {java_home_path}/jre/lib/security/cacerts -storepass changeit

7) After updating properties Restart Ranger and Ranger Plugin supported Components.