If you didn’t know already, SOLR is the default search engine that comes with Sitecore 9, and presumably future versions. The reason for choosing SOLR is obvious: SOLR is scalable, while Lucene is not. SOLR is more fault-tolerant and can be load-balanced for failover, resulting in a more reliable environment. This also means that Sitecore developers are going to need to know more about managing SOLR. Fortunately, there is plenty of information out there to learn about SOLR, so we aren’t totally in the dark.
Security being an important factor in most infrastructures, securing the SOLR instance used with Sitecore is an important topic. The default installation of SOLR is open to anonymous visits, so I’m going to outline some steps that make it harder to get into the SOLR instance.
Some simple steps to take:
- As mentioned, by default the SOLR instance is open. The first thing you can do is lock it down by IP, so only your Sitecore instances (CM, CD, xConnect, etc.) can reach it. This is simple enough and can be done without much effort.
- Make sure the SOLR instance is internal (i.e. behind a firewall). SOLR instances for Sitecore do not need to be accessed by public visitors, so there is no need for them to be exposed outside your internal network.
- Add SSL to your SOLR instance. There are various ways to do this, and a lot of the documentation refers to using a self-signed cert. If you are running SOLR on Apache, you’ll need to generate the Java keystore from your real SSL certificate (make sure you have the .pfx file, which contains both the public and private keys). If you are running SOLR on Windows, you can use the .pfx file directly.
- Add Basic Authentication
The last step is the most involved and requires a small change in Sitecore as well. It enables basic authentication on SOLR, so Sitecore will need to authenticate to access SOLR. To do this, you’ll need to do the following.
Enable Basic Authentication
Add a new file, security.json, to your SOLR instance with the code below, and save it in [path to solr]\server\solr:
{
  "authentication": {
    "blockUnknown": true,
    "class": "solr.BasicAuthPlugin",
    "credentials": {
      "solr": "IV0EHq1OnNrj6gvRCwvFwTrZ1+z1oBbnQdiVC3otuq0= Ndd7LKvVBAaZIF0QAVi1ekCfAJXr1GGfLtRUXhgrF8c="
    }
  },
  "authorization": {
    "class": "solr.RuleBasedAuthorizationPlugin",
    "user-role": { "solr": "admin" },
    "permissions": [
      { "name": "security-edit", "role": "admin" }
    ]
  }
}
So what does this file do?
- Enables authentication and authorization
- A user called solr is created with the password SolrRocks. Note that it has to be added so that there is at least one user; you can change the password later.
- The user solr is assigned the role admin.
- The permission to edit security is now restricted to the role admin. All other resources are unprotected, and you should configure more rules to secure them.
You can be very granular with the security rules. I wasn’t able to find all the possible permissions, but there is a short list here.
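The security.json above ships the well-known solr/SolrRocks credential. The following is an added example (not code from the post or from Solr itself) that reproduces my reading of the BasicAuthPlugin hashing scheme from Solr’s Sha256AuthenticationProvider, base64(sha256(sha256(salt || password))) stored next to the base64 salt, so you can verify the entry above and generate a security.json with a password of your choosing before the instance is ever started:

```python
import base64
import hashlib
import hmac
import json
import os

# Credential format stored by solr.BasicAuthPlugin (assumed from Solr's
# Sha256AuthenticationProvider): "<b64 sha256(sha256(salt||pwd))> <b64 salt>".
# DEFAULT_ENTRY is the solr/SolrRocks pair from the security.json in the post.
DEFAULT_ENTRY = ("IV0EHq1OnNrj6gvRCwvFwTrZ1+z1oBbnQdiVC3otuq0= "
                 "Ndd7LKvVBAaZIF0QAVi1ekCfAJXr1GGfLtRUXhgrF8c=")


def solr_hash(password: str, salt: bytes) -> str:
    """Double SHA-256 over salt||password, base64-encoded."""
    inner = hashlib.sha256(salt + password.encode("utf-8")).digest()
    return base64.b64encode(hashlib.sha256(inner).digest()).decode("ascii")


def make_credential(password: str) -> str:
    """Fresh 32-byte salt plus hash, in the form security.json expects."""
    salt = os.urandom(32)
    return solr_hash(password, salt) + " " + base64.b64encode(salt).decode("ascii")


def verify_credential(password: str, stored: str) -> bool:
    """Check a password against a stored entry using a constant-time compare."""
    stored_hash, salt_b64 = stored.split(" ", 1)
    return hmac.compare_digest(solr_hash(password, base64.b64decode(salt_b64)), stored_hash)


def build_security_json(username: str, password: str) -> str:
    """Same structure as the post's security.json, but with your own password."""
    doc = {
        "authentication": {
            "blockUnknown": True,
            "class": "solr.BasicAuthPlugin",
            "credentials": {username: make_credential(password)},
        },
        "authorization": {
            "class": "solr.RuleBasedAuthorizationPlugin",
            "user-role": {username: "admin"},
            "permissions": [{"name": "security-edit", "role": "admin"}],
        },
    }
    return json.dumps(doc, indent=2)


if __name__ == "__main__":
    print("default entry matches SolrRocks:", verify_credential("SolrRocks", DEFAULT_ENTRY))
    print(build_security_json("solr", "MyNewPassword"))  # hypothetical password
```

Write the printed document to [path to solr]\server\solr\security.json instead of the sample, and the default password never exists on the instance.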
Make sure Basic Authentication works
Once you do the above, your SOLR instance should no longer be accessible without logging in. Restart the SOLR service and give it a try; you should see this screen:
If you use the solr/SolrRocks credentials, you should be able to get into your SOLR instance.
Configuring Sitecore to use the credentials
At this point, Sitecore can’t access the SOLR instance, so your instance is probably not working correctly. You’ll need to add the credentials to the configs:
\App_Config\Sitecore\ContentSearch\Sitecore.ContentSearch.Solr.DefaultIndexConfiguration.config
Comment this out:
<solrHttpWebRequestFactory type="HttpWebAdapters.HttpWebRequestFactory, SolrNet" />
And add this:
<solrHttpWebRequestFactory type="HttpWebAdapters.BasicAuthHttpWebRequestFactory, SolrNet">
  <param hint="username">solr</param>
  <param hint="password">SolrRocks</param>
</solrHttpWebRequestFactory>
…right before:
</indexConfigurations> </contentSearch>
Note: Don’t edit the config file directly (best practice, ya’know); make an include config patch file instead.
Manage Users
Now that Sitecore is able to authenticate to access SOLR, you should change the default password. The easiest way to do this is via the REST API that SOLR has, and the easiest way to access that is via curl. Once you have curl downloaded, open up the command prompt and fire off the command to change the password for the ‘solr’ user:
curl --user solr:SolrRocks https://localhost:8983/solr/admin/authentication -H "Content-type:application/json" -d "{ \"set-user\": {\"solr\" : \"MyNewPassword\"}}"
You can also add new users:
curl --user solr:Password.1 https://localhost:8983/solr/admin/authentication -H "Content-type:application/json" -d "{ \"set-user\": {\"newuser\" : \"newpassword\"}}"
Note that the --user argument of the request has to carry the current admin password for ‘solr’ if you changed it before running these commands.
If your request is successful, the security.json file in [path to solr]\server\solr should change: the hashed password stored in it will be different. You should be able to use the new credentials without restarting SOLR.