Configuring the Guidewire Solr Extension for secure transport (HTTPS)

You can configure PolicyCenter and the Guidewire Solr Extension to use the Hypertext Transfer Protocol Secure (HTTPS) communication protocol to exchange data. By default, PolicyCenter and the Guidewire Solr Extension use the unsecured HTTP protocol to exchange data. HTTPS provides a more secure exchange of data than HTTP by authenticating the PolicyCenter and Guidewire Solr Extension web sites and associated web servers before connecting to exchange data. In addition, HTTPS provides bidirectional encryption of exchanged data.

The way you configure PolicyCenter and the Guidewire Solr Extension to use HTTPS depends on the way you configure the Guidewire Solr Extension for external operation:

HTTP
Configures a single instance of the Guidewire Solr Extension that runs externally from the application server in which PolicyCenter runs
Cloud
Configures a cluster of Guidewire Solr Extension instances, managed as a cluster, or ensemble, by Apache ZooKeeper

With secure transport enabled, HTTPS authentication and encryption apply to indexing, querying, administration, and the free-text batch load command.

HTTP Configuration for secure transport (HTTPS)

To configure PolicyCenter and a single instance of the Guidewire Solr Extension to use secure transport, set the securetransport parameter in solrserver-config.xml to true. The securetransport parameter is valid for servers of type http only.

The following example configures a single instance of the Guidewire Solr Extension for secure transport with the HTTPS communication protocol.

<solrserver name="https" type="http">
  <param name="host" value="localhost"/>
  <param name="port" value="8983"/>
  <param name="securetransport" value="true"/>
</solrserver>

PolicyCenter inserts a host property in solr.xml, in the following format, whenever you run the gwb packageSolr command:

<str name="host">${serverHost:127.0.0.1}</str>

Note: If you modify solr.xml manually for any reason, PolicyCenter no longer inserts a host property when you run the gwb packageSolr command.

The base configuration of PolicyCenter does not include solr.xml. To create a solr.xml file to edit in Studio or to retain changes that you make to solr.xml in GWSOLR_HOME/pc/solr, copy the file in GWSOLR_HOME/pc/solr. In Guidewire Studio, navigate in the Project window to configuration > config > solr, and then, from the menu, click Edit > Paste.

For remotely hosted instances, override the value in the JVM where Guidewire Solr Extension runs using the serverHost system property.

If HTTPS is configured for a port other than 8983, which is the standard port for the Guidewire Solr Extension, change the port definition in solr.xml. Change the port definition in solr.xml before you start instances of the Guidewire Solr Extension for the first time. Alternatively, start Guidewire Solr Extension with the solr -p #### option.

Run the gwb packageSolr command after you modify free-text search configuration files in Studio to produce an updated pc-solr.zip file to deploy to the Guidewire Solr home directory.

Cloud configuration for secure transport (HTTPS)

Configuring PolicyCenter and a cluster of Guidewire Solr Extension instances, managed as a cluster or ensemble by Apache ZooKeeper, for secure transport requires no changes to free-text search configuration files like solrserver-config.xml. Instead, PolicyCenter provides Guidewire versions of the ZooKeeper command line interface, as a shell script (gwzkcli.sh) and a batch file (gwzkcli.bat). These command files are located in the following deployment directory:

/opt/gwsolr/pc/bin

Use the gwzkcli -zkhost command to set the secure flag that enables the Guidewire Solr Extension instances for secure transport. Use the command after you deploy the Guidewire Solr Extension and the ZooKeeper software to hosts where you want them to run. Then, before you start the Guidewire Solr Extension on a host for the first time, run the gwzkcli -zkhost command as the following example shows:

  • On Unix
    gwzkcli -zkhost localhost:2181 -cmd put /pc/clusterprops.json '{"urlScheme":"https"}'
  • On Windows
    gwzkcli -zkhost localhost:2181 -cmd put /pc/clusterprops.json {\"urlScheme\":\"https\"}

If you started an instance of the Guidewire Solr Extension before running the preceding command, run the following commands to reset that instance:

gwzkcli -zkhost localhost:2181 -cmd clear /pc
gwzkcli -zkhost localhost:2181 -cmd put /pc/clusterprops.json {\"urlScheme\":\"https\"}

In addition, upload the document configuration again.

Public key certificates

You must configure both the application server in which PolicyCenter runs and the Java Virtual Machine (JVM) in which the Guidewire Solr Extension runs with public key certificates. The HTTPS protocol uses these certificates to authenticate PolicyCenter and the Guidewire Solr Extension instances when they open connections with each other.

Batch load command

When you configure the Guidewire Solr Extension for secure transport, you must also enable the batch load command to use secure transport. The batch load command runs on a host where you deployed the Guidewire Solr Extension. You must configure the Java VM on that host at startup with the location and password for the local trust store.

For example, you can add the following options to the Java command at the end of the shell script (batchload.sh) or batch file (batchload.bat) for the batch load command.

-Djavax.net.ssl.trustStore=pathToTrustStore -Djavax.net.ssl.trustStorePassword=password

For improved security, prompt the user for the trust store password instead of including it directly in the shell script or batch file.

You can locate and edit the shell script or batch file for the batch load command in the Project window in Studio by navigating to configuration > config > solr.
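
The following check is an added example, not Guidewire code. It audits the two settings this page describes: the securetransport parameter in solrserver-config.xml (HTTP configuration) and a trust store password written literally into the batch load script. The sample inputs are constructed, and the root element name, the type="cloud" value, and the function names are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample inputs. The root element name and type="cloud" are
# assumptions; the page shows only <solrserver type="http"> and its params.
SAMPLE_CONFIG = """<solrserver-config>
  <solrserver name="https" type="http">
    <param name="host" value="localhost"/>
    <param name="port" value="8983"/>
    <param name="securetransport" value="true"/>
  </solrserver>
  <solrserver name="plain" type="http">
    <param name="host" value="localhost"/>
    <param name="port" value="8984"/>
  </solrserver>
  <solrserver name="cluster" type="cloud">
    <param name="securetransport" value="true"/>
  </solrserver>
</solrserver-config>"""
SAMPLE_SCRIPT = ("java -Djavax.net.ssl.trustStore=/opt/gwsolr/trust.jks "
                 "-Djavax.net.ssl.trustStorePassword=example-secret BatchLoad\n")

PASSWORD_OPT = re.compile(r"-Djavax\.net\.ssl\.trustStorePassword=(\S+)")

def _local(tag):
    """Drop an XML namespace prefix, if the file declares one."""
    return tag.rsplit("}", 1)[-1]

def audit_solrserver_config(xml_text):
    """Return (server name, problem) pairs for securetransport settings."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        if _local(el.tag) != "solrserver":
            continue
        params = {p.get("name"): p.get("value") for p in el if _local(p.tag) == "param"}
        secure = params.get("securetransport")
        if el.get("type") == "http" and secure != "true":
            findings.append((el.get("name"), "exchanges data over plain HTTP"))
        elif el.get("type") != "http" and secure is not None:
            findings.append((el.get("name"), "securetransport is valid for type http only"))
    return findings

def hardcoded_truststore_passwords(script_text):
    """Return 1-based line numbers where the password is a literal, not $VAR or %VAR%."""
    hits = []
    for number, line in enumerate(script_text.splitlines(), 1):
        for match in PASSWORD_OPT.finditer(line):
            if not match.group(1).strip("\"'").startswith(("$", "%")):
                hits.append(number)
    return hits

if __name__ == "__main__":
    print(audit_solrserver_config(SAMPLE_CONFIG))
    print(hardcoded_truststore_passwords(SAMPLE_SCRIPT))
```

Even when the script prompts for the password, a value passed as a -D option remains visible in the process argument list to other local users while the batch load command runs.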