fcrepo-exts / fcrepo-camel-toolbox

A collection of ready-to-use messaging applications with fcrepo-camel
Apache License 2.0

FCREPO-2061. Add ssl authentication capability to the fcrepo-indexing-solr #92

Closed mohideen closed 8 years ago

mohideen commented 8 years ago

https://jira.duraspace.org/browse/FCREPO-2061

awoods commented 8 years ago

Please include an update to the README

acoburn commented 8 years ago

@mohideen Thanks for this!

I would actually suggest a somewhat different tack here -- and it will be really easy to implement. Basically, in this file: https://github.com/fcrepo4-exts/fcrepo-camel-toolbox/blob/master/fcrepo-indexing-solr/src/main/resources/OSGI-INF/blueprint/blueprint.xml

You should be able to add these two lines (outside the camelContext):

 <bean id="http" class="org.apache.camel.component.http4.HttpComponent"/>
 <bean id="https" class="org.apache.camel.component.http4.HttpComponent"/>

And then, you'd set the solr.baseUrl to http://localhost:8983/solr/collection1.

And that's all you need code-wise for this PR (plus a similar change to the /main/cfg/org.fcrepo.camel.indexing.solr.cfg file and something in the README).

Then, if you want to enable an SSL-enabled connection, you set the solr.baseUrl value to https://solr-cloud.umd.edu/solr/fedora (or whatever). Then, for the truststore piece to work properly, create a truststore with keytool, add the cert from your Solr cloud, and put the truststore somewhere on the server. Then, in Karaf, in $KARAF_HOME/etc/karaf-wrapper.conf, you'd tell karaf where to find the truststore:

wrapper.java.additional.<N>=-Djavax.net.ssl.trustStore=/etc/karaf/truststore.jks
wrapper.java.additional.<N>=-Djavax.net.ssl.trustStorePassword=<password>

(The <N> above would relate to particular numbers, say 9 or 10, depending on how many parameters you've added -- on my system, it's 10 and 11.)

This assumes your karaf has the service wrapper installed.

I think this would be the best way to handle this, as it provides the greatest amount of flexibility while keeping configuration-related things in the configuration areas.

acoburn commented 8 years ago

And one point of clarification: with the change suggested above, you would need to change these two lines: https://git.io/voHiy and https://git.io/voHiH to be simply:

.to("{{solr.baseUrl}}/update");

(since the http: or https: prefix will now be part of the configuration).

mohideen commented 8 years ago

@acoburn, I did remember testing the configuration using the wrapper configuration, but it did not seem to work. I will give it a try again.

Just to clarify, we have a solr server that is protected by SSLVerifyClient require apache configuration. The clients need to present a valid ssl certificate that is signed by the apache's configured CA. Usually, the clients use the ssl certificate from the keystore while negotiating with the server (solr server's apache). In contrast, I believe that the truststore is used when we need a client to accept a server's self-signed certificate in an HTTPS connection.

mohideen commented 8 years ago

@acoburn: Looks like there is a useSystemProperties option for the http4 endpoint, which defaults to false. The following documentation says that the keystore/truststore system properties will be used only when useSystemProperties is true. Reference: http://camel.apache.org/http4.html

I guess we can set this property in the blueprint (or from java code) and then we would be able to discard the code changes I have in the PR. I am not familiar with the syntax for setting this property in the blueprint. Do we need to add a child bean to the http4/https4 bean for the HttpEndpoint and then include this property in the child bean?

We did something similar for the fcrepo-java-client for it to use the system properties: https://git.io/voQp8

acoburn commented 8 years ago

@mohideen I think that setting useSystemProperties is the best approach here. The syntax would be:

.to("{{solr.baseUrl}}/update?useSystemProperties=true");
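
Added example, not part of this thread or of fcrepo-camel-toolbox: because the approach above depends on JVM system properties, this stand-alone Java check (the class name `TlsStoreCheck` is hypothetical) loads the stores named by the standard JSSE properties `javax.net.ssl.keyStore` and `javax.net.ssl.trustStore` and reports whether a private key is available to present as a client certificate. Run it with the same `-D` options that are passed to Karaf.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.util.Collections;

// Added diagnostic; TlsStoreCheck is a hypothetical name, not project code.
public class TlsStoreCheck {

    // Loads the store named by -Djavax.net.ssl.<prefix> and returns
    // {privateKeyEntries, trustedCertEntries}, or null if the property is unset.
    static int[] inspect(String prefix) throws Exception {
        String path = System.getProperty("javax.net.ssl." + prefix);
        if (path == null || path.isEmpty()) {
            return null;
        }
        String type = System.getProperty("javax.net.ssl." + prefix + "Type",
                KeyStore.getDefaultType());
        String pw = System.getProperty("javax.net.ssl." + prefix + "Password");
        KeyStore store = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(path)) {
            store.load(in, pw == null ? null : pw.toCharArray());
        }
        int keys = 0;
        int certs = 0;
        for (String alias : Collections.list(store.aliases())) {
            if (store.entryInstanceOf(alias, KeyStore.PrivateKeyEntry.class)) {
                keys++;
            } else if (store.isCertificateEntry(alias)) {
                certs++;
            }
        }
        return new int[] {keys, certs};
    }

    public static void main(String[] args) throws Exception {
        int[] ks = inspect("keyStore");
        int[] ts = inspect("trustStore");
        // A server that requires client certificates needs a private key here.
        boolean canAuth = ks != null && ks[0] > 0;
        System.out.println("keyStore:   " + (ks == null ? "unset"
                : ks[0] + " private key(s), " + ks[1] + " trusted cert(s)"));
        // When unset, JSSE falls back to the JRE's default CA store.
        System.out.println("trustStore: " + (ts == null ? "unset (JRE default CAs)"
                : ts[0] + " private key(s), " + ts[1] + " trusted cert(s)"));
        System.out.println(canAuth ? "OK: a client certificate can be presented"
                : "FAIL: no private key available for client certificate auth");
        if (!canAuth) System.exit(1);
    }
}
```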

mohideen commented 8 years ago

Superseded by #93