Configuring the TLS connections between Liberty and Solr and ZooKeeper

To secure the connection between the i2 Analyze application server, Solr, and ZooKeeper, you must change the configuration of all three components. The i2 Analyze configuration must define the keystore and truststore for Solr and ZooKeeper.

Before you begin

  • Ensure that you configured Liberty for TLS. For more information, see Configuring Liberty for TLS.

  • You must have the appropriate keystore set up for your Solr deployment.

  • You must have the appropriate keystore set up for your ZooKeeper deployment.

About this task

Liberty uses a Java truststore to verify the certificate from the Solr and ZooKeeper servers.

At this release, you delete and re-create the Solr collections during the configuration process. After you delete and re-create the Solr collections, the system must reindex all of your data. You should aim to configure Solr to use TLS before you ingest a large amount of data into your system. If you are configuring TLS in a production system with a large amount of data, contact i2 Support before you delete your Solr collections.

Steps

  1. Stop Liberty by running the following command on the Liberty server:

    setup -t stopLiberty

    Ensure that the Liberty instance is stopped. Otherwise, you encounter an error when you run the command after you complete the configuration changes.

  2. To delete the Solr collections, run the following command from the toolkit\scripts directory on the Liberty server:

    setup -t deleteSolrCollections --hostname liberty.hostname --all
  3. Stop ZooKeeper by running the following command on every server where ZooKeeper is running:

    setup -t stopZkHosts --hostname zookeeper.host-name

    Here, zookeeper.host-name is the hostname of the ZooKeeper server where you are running the command, and matches the value for the host-name attribute of a <zkhost> element in the topology.xml file.

  4. Ensure that the Liberty, Solr, and ZooKeeper keystores and truststores contain the certificate required to authenticate the other components.

  5. Modify the topology.xml file to specify TLS for its Solr connection.

    1. In an XML editor, open the toolkit\configuration\environment\topology.xml file.

    2. In the <solr-cluster> element for the Solr cluster that you want to connect to with TLS, add the secure-connection attribute with the value of true.

      For example:

      <solr-cluster id="is_cluster" zookeeper-id="zoo" secure-connection="true">
    3. Add the key-store and trust-store attributes to either the <solr-cluster> or the <solr-node> element.

      Add the attribute values as defined:

      key-store

      The path to the Solr keystore.

      trust-store

      The path to the Solr truststore.

      For example, add the attributes as highlighted in the <solr-cluster> element:

      <solr-cluster id="is_cluster" zookeeper-id="zoo" secure-connection="true"
        key-store="C:\i2\i2analyze\i2-solr-keystore.p12" trust-store="C:\i2\i2analyze\i2-solr-truststore.p12">

      Or add the attributes as highlighted in the <solr-node> element:

      <solr-node memory="2g" data-dir="C:\i2\i2analyze\data\solr" host-name="hostname" id="node1" port-number="8983"
        key-store="C:\i2\i2analyze\i2-solr-keystore.p12" trust-store="C:\i2\i2analyze\i2-solr-truststore.p12">

      Note: The host-name attribute value must match the common name that is associated with the certificate for Solr.

  6. Modify the topology.xml file to specify TLS for its ZooKeeper connection.

    1. In the <zookeeper> element for the ZooKeeper host that you want to connect to with TLS, add the secure-connection attribute with the value of true.

      For example:

      <zookeeper id="zoo" secure-connection="true">
    2. Add the key-store and trust-store attributes to either the <zookeeper> or to the <zkhost> element.

      Add the attribute values as defined:

      key-store

      The path to the ZooKeeper keystore.

      trust-store

      The path to the ZooKeeper truststore.

      • For example, add the attributes in the <zookeeper> element:

        <zookeeper id="zoo" secure-connection="true" key-store="C:\i2\i2analyze\i2-zookeeper-keystore.p12" trust-store="C:\i2\i2analyze\i2-zookeeper-truststore.p12">
      • For example, add the attributes in the <zkhost> element:

        <zkhost quorum-port-number="10483" leader-port-number="10983" data-dir="C:\i2\i2analyze\data\zookeeper" host-name="hostname" id="1" port-number="9983" key-store="C:\i2\i2analyze\i2-zookeeper-keystore.p12" trust-store="C:\i2\i2analyze\i2-zookeeper-truststore.p12">

      Note: The host-name attribute value must match the common name that is associated with the certificate for ZooKeeper.

  7. Specify the truststore and keystore passwords in the credentials file.

    1. In a text editor, open the toolkit\configuration\environment\credentials.properties file.

    2. Enter the passwords for the Solr keystore and truststore that you specified in the topology file.

      solr.truststore.password=password
      solr.keystore.password=password
    3. Enter the passwords for the ZooKeeper keystore and truststore that you specified in the topology file.

      zookeeper.truststore.password=password
      zookeeper.keystore.password=password
  8. Copy the toolkit\configuration directory from the Liberty server to the toolkit directory of the deployment toolkit on each server in your environment.

  9. Update the application with your configuration changes. Run the following commands from the toolkit\scripts directory on the Liberty server.

  10. Redeploy Liberty to update the application:

    setup -t deployLiberty
  11. Recreate the ZooKeeper host on each server where your ZooKeeper hosts are located:

    setup -t createZkHosts --hostname zookeeper.host-name

    Where zookeeper.host-name is the hostname of the ZooKeeper server where you are running the command, and matches the value for the host-name attribute of a <zkhost> element in the topology.xml file.

  12. Start ZooKeeper.

    To start ZooKeeper, run the following command on every server where your ZooKeeper hosts are located:

    setup -t startZkHosts --hostname zookeeper.host-name

    Where zookeeper.host-name is the hostname of the ZooKeeper server where you are running the command, and matches the value for the host-name attribute of a <zkhost> element in the topology.xml file.

  13. Upload the new Solr configuration to ZooKeeper:

    setup -t createAndUploadSolrConfig --hostname liberty.hostname

    Where liberty.hostname is the hostname of the Liberty server where you are running the command, and matches the value for the host-name attribute of the <application> element in the topology.xml file.

  14. Restart the Solr nodes.

    To restart the Solr nodes, run the following command on every server where Solr is running:

    setup -t restartSolrNodes --hostname solr.host-name

    Where solr.host-name is the hostname of the Solr server where you are running the command, and matches the value for the host-name attribute of a <solr-node> element in the topology.xml file.

  15. Create the Solr collections.

    Run the following command from the Liberty server:

    setup -t createSolrCollections --hostname liberty.hostname --all
  16. Start Liberty.

    To start Liberty, run the following command on each Liberty server:

    setup -t startLiberty
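
A pre-flight check for steps 5 to 7, as an added example that is not part of the i2 Analyze toolkit: it reads the contents of topology.xml and credentials.properties and reports every secured Solr or ZooKeeper component that lacks a key-store, a trust-store, or a password. The sample document, its nesting, the host names and the function names are assumptions; only the element, attribute and property names come from the steps above.

```python
import xml.etree.ElementTree as ET

# Constructed sample: element and attribute names are the ones used in steps 5-7;
# the <topology> wrapper, nesting and host names are assumptions for illustration.
SAMPLE_TOPOLOGY = r"""
<topology>
  <zookeeper id="zoo" secure-connection="true">
    <zkhost id="1" host-name="zk1.example.test" port-number="9983"
      key-store="C:\i2\zk-keystore.p12" trust-store="C:\i2\zk-truststore.p12"/>
    <zkhost id="2" host-name="zk2.example.test" port-number="9983"
      key-store="C:\i2\zk-keystore.p12"/>
  </zookeeper>
  <solr-cluster id="is_cluster" zookeeper-id="zoo" secure-connection="true"
    key-store="C:\i2\solr-keystore.p12" trust-store="C:\i2\solr-truststore.p12">
    <solr-node id="node1" host-name="solr1.example.test" port-number="8983"/>
  </solr-cluster>
  <solr-cluster id="plain_cluster" zookeeper-id="zoo"/>
</topology>
"""
SAMPLE_CREDENTIALS = "solr.truststore.password=example\nsolr.keystore.password=\n"

# parent element -> (child element, prefix of its credentials.properties keys)
PAIRS = {"solr-cluster": ("solr-node", "solr"), "zookeeper": ("zkhost", "zookeeper")}

def parse_properties(text):
    """Parse key=value lines, ignoring blank lines and # comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def check_tls_config(topology_xml, credentials_text):
    """List what is missing for every component with secure-connection="true"."""
    root, props, problems = ET.fromstring(topology_xml), parse_properties(credentials_text), []
    for parent_tag, (child_tag, prefix) in PAIRS.items():
        secured = [p for p in root.iter(parent_tag) if p.get("secure-connection") == "true"]
        for parent in secured:
            for child in parent.iter(child_tag):
                for attr in ("key-store", "trust-store"):
                    # The store path may be set on the parent or on the child.
                    if not (parent.get(attr) or child.get(attr)):
                        problems.append(f"{child_tag} {child.get('id')}: no {attr} on it or its {parent_tag}")
        for kind in ("keystore", "truststore"):
            if secured and not props.get(f"{prefix}.{kind}.password"):
                problems.append(f"credentials: {prefix}.{kind}.password missing or empty")
    return problems
```

Call check_tls_config with the text of both files before copying the configuration in step 8; an empty list means every secured component has its store paths and passwords defined.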