Configuring the TLS connections between Liberty and Solr and ZooKeeper
To secure the connection between the i2 Analyze application server, Solr, and ZooKeeper, you must change the configuration of all three components. The i2 Analyze configuration must define the keystore and truststore for Solr and ZooKeeper.
Before you begin
Ensure that you configured Liberty for TLS. For more information, see Configuring Liberty for TLS.
You must have the appropriate keystore set up for your Solr deployment.
You must have the appropriate keystore set up for your ZooKeeper deployment.
About this task
Liberty uses a Java truststore to verify the certificate from the Solr and ZooKeeper servers.
Steps
Stop Liberty by running the following command on the Liberty server:
setup -t stopLiberty
Ensure that the Liberty instance is stopped; otherwise you encounter an error when you run the deployment commands after you complete the configuration changes.
Stop ZooKeeper by running the following command on every server where ZooKeeper is running:
setup -t stopZkHosts --hostname zookeeper.host-name
Here, zookeeper.host-name is the hostname of the ZooKeeper server where you are running the command, and matches the value for the host-name attribute of a <zkhost> element in the topology.xml file.
Ensure that the Liberty, Solr, and ZooKeeper keystores and truststores contain the certificates required to authenticate the other components.
Modify the topology.xml file to specify TLS for its Solr connection.
In an XML editor, open the toolkit\configuration\environment\topology.xml file.
In the <solr-cluster> element for the Solr cluster that you want to connect to with TLS, add the secure-connection attribute with the value of true.
For example:
<solr-cluster id="is_cluster" zookeeper-id="zoo" secure-connection="true">
Add the key-store and trust-store attributes to either the <solr-cluster> or the <solr-node> element.
Add the attribute values as defined:
- key-store
The path to the Solr keystore.
- trust-store
The path to the Solr truststore.
For example, add the attributes as highlighted in the <solr-cluster> element:
<solr-cluster id="is_cluster" zookeeper-id="zoo" secure-connection="true" key-store="C:\i2\i2analyze\i2-solr-keystore.p12" trust-store="C:\i2\i2analyze\i2-solr-truststore.p12">
Or add the attributes as highlighted in the <solr-node> element:
<solr-node memory="2g" data-dir="C:\i2\i2analyze\data\solr" host-name="hostname" id="node1" port-number="8983" key-store="C:\i2\i2analyze\i2-solr-keystore.p12" trust-store="C:\i2\i2analyze\i2-solr-truststore.p12">
Note: The host-name attribute value must match the common name that is associated with the certificate for Solr.
Modify the topology.xml file to specify TLS for its ZooKeeper connection.
In the <zookeeper> element for the ZooKeeper host that you want to connect to with TLS, add the secure-connection attribute with the value of true.
For example:
<zookeeper id="zoo" secure-connection="true">
Add the key-store and trust-store attributes to either the <zookeeper> or to the <zkhost> element.
Add the attribute values as defined:
- key-store
The path to the ZooKeeper keystore.
- trust-store
The path to the ZooKeeper truststore.
For example, add the attributes in the <zookeeper> element:
<zookeeper id="zoo" secure-connection="true" key-store="C:\i2\i2analyze\i2-zookeeper-keystore.p12" trust-store="C:\i2\i2analyze\i2-zookeeper-truststore.p12">
Or add the attributes in the <zkhost> element:
<zkhost quorum-port-number="10483" leader-port-number="10983" data-dir="C:\i2\i2analyze\data\zookeeper" host-name="hostname" id="1" port-number="9983" key-store="C:\i2\i2analyze\i2-zookeeper-keystore.p12" trust-store="C:\i2\i2analyze\i2-zookeeper-truststore.p12">
Note: The host-name attribute value must match the common name that is associated with the certificate for ZooKeeper.
Specify the truststore and keystore passwords in the credentials file.
In a text editor, open the toolkit\configuration\environment\credentials.properties file.
Enter the passwords for the Solr keystore and truststore that you specified in the topology file.
solr.truststore.password=password
solr.keystore.password=password
Enter the passwords for the ZooKeeper keystore and truststore that you specified in the topology file.
zookeeper.truststore.password=password
zookeeper.keystore.password=password
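Before you copy the configuration to the other servers, it is worth checking that the topology and credentials edits above are consistent: every secure Solr node and ZooKeeper host must resolve a key-store and trust-store (on itself or on its parent element), every secure component needs non-empty passwords in credentials.properties, and no attribute value carries stray whitespace (a leading space in a port-number is an easy typo to make). The following script is an added example, not part of the i2 Analyze toolkit; it uses a constructed topology fragment and a constructed credentials file, and it searches for elements by tag name so the exact nesting of the real topology.xml does not matter.

```python
"""Consistency check for i2 Analyze TLS settings (added example, not toolkit code)."""
import xml.etree.ElementTree as ET

STORE_ATTRS = ("key-store", "trust-store")

# Constructed sample topology fragment modelled on the snippets in this page.
# It deliberately contains two defects: the Solr node has no trust-store
# (neither on the node nor on its cluster) and the zkhost port has a leading space.
SAMPLE_TOPOLOGY = r"""<topology>
  <zookeeper id="zoo" secure-connection="true"
             key-store="C:\i2\i2analyze\i2-zookeeper-keystore.p12"
             trust-store="C:\i2\i2analyze\i2-zookeeper-truststore.p12">
    <zkhost id="1" host-name="zk1.example.test" port-number=" 9983"/>
  </zookeeper>
  <solr-cluster id="is_cluster" zookeeper-id="zoo" secure-connection="true">
    <solr-node id="node1" host-name="solr1.example.test" port-number="8983"
               key-store="C:\i2\i2analyze\i2-solr-keystore.p12"/>
  </solr-cluster>
</topology>"""

# Constructed sample credentials file; the ZooKeeper keystore password is left empty.
SAMPLE_CREDENTIALS = """# constructed sample, not a real credentials.properties
solr.truststore.password=changeit
solr.keystore.password=changeit
zookeeper.truststore.password=changeit
zookeeper.keystore.password=
"""


def parse_properties(text):
    """Minimal Java .properties reader: key=value lines, '#' or '!' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def _effective(node, parent, attr):
    """Attribute on the node itself, else inherited from the enclosing element."""
    return node.get(attr) or parent.get(attr)


def check_topology(topology_xml, credentials_text):
    """Return a list of human-readable findings; an empty list means consistent."""
    findings = []
    root = ET.fromstring(topology_xml)
    props = parse_properties(credentials_text)

    # Surrounding whitespace in any attribute value is almost certainly a typo.
    for el in root.iter():
        for name, value in el.attrib.items():
            if value != value.strip():
                findings.append(
                    f"<{el.tag} id={el.get('id')!r}>: {name} has surrounding whitespace: {value!r}")

    # (container tag, child tag, credentials key prefix)
    for container, child, prefix in (("solr-cluster", "solr-node", "solr"),
                                     ("zookeeper", "zkhost", "zookeeper")):
        for parent in root.iter(container):
            if parent.get("secure-connection") != "true":
                continue
            for node in parent.iter(child):
                for attr in STORE_ATTRS:
                    if not _effective(node, parent, attr):
                        findings.append(
                            f"<{child} id={node.get('id')!r}>: no {attr} on the node or its <{container}>")
            for store in ("keystore", "truststore"):
                key = f"{prefix}.{store}.password"
                msg = f"credentials.properties: {key} is missing or empty"
                if not props.get(key) and msg not in findings:
                    findings.append(msg)
    return findings


if __name__ == "__main__":
    for finding in check_topology(SAMPLE_TOPOLOGY, SAMPLE_CREDENTIALS):
        print(finding)
```

Run it against the real toolkit\configuration\environment\topology.xml and credentials.properties by reading both files and passing their contents to check_topology; fix every finding before the copy step, because the toolkit commands that follow fail only after the files have been distributed.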
Copy the toolkit\configuration directory from the Liberty server to the toolkit directory of the deployment toolkit on each server in your environment.
Update the application with your configuration changes. Run the following commands from the toolkit\scripts directory on the Liberty server.
Redeploy Liberty to update the application:
setup -t deployLiberty
Recreate the ZooKeeper host on each server where your ZooKeeper hosts are located:
setup -t createZkHosts --hostname zookeeper.host-name
Where zookeeper.host-name is the hostname of the ZooKeeper server where you are running the command, and matches the value for the host-name attribute of a <zkhost> element in the topology.xml file.
Start ZooKeeper.
To start ZooKeeper, run the following command on every server where your ZooKeeper hosts are located:
setup -t startZkHosts --hostname zookeeper.host-name
Where zookeeper.host-name is the hostname of the ZooKeeper server where you are running the command, and matches the value for the host-name attribute of a <zkhost> element in the topology.xml file.
Upload the new Solr configuration to ZooKeeper:
setup -t createAndUploadSolrConfig --hostname liberty.hostname
Where liberty.hostname is the hostname of the Liberty server where you are running the command, and matches the value for the host-name attribute of the <application> element in the topology.xml file.
Restart the Solr nodes.
To restart the Solr nodes, run the following command on every server where Solr is running:
setup -t restartSolrNodes --hostname solr.host-name
Where solr.host-name is the hostname of the Solr server where you are running the command, and matches the value for the host-name attribute of a <solr-node> element in the topology.xml file.
Start Liberty.
To start Liberty, run the following command on each Liberty server:
setup -t startLiberty