Securing Guidewire Solr Extension

Securing Guidewire Solr Extension both for the server and the client requires two key configurations. The first is the requirement of basic authentication. The second is the activation of SSL.

Requiring authentication in Guidewire Solr Extension

Guidewire recommends that you secure communications between PolicyCenter and the Solr application. To this end, you can configure both PolicyCenter and the Solr application for basic authentication. Note that if you do configure PolicyCenter or the Solr application for basic authentication, Guidewire recommends that you also configure the respective application to run with SSL activated. Otherwise, basic authentication will not provide effective security.

Configuring PolicyCenter to use basic authentication when communicating with Solr

To configure PolicyCenter to use basic authentication when communicating with Solr, one alternative is to store username and password properties in the solrserver-config.xml file. The following code example shows how to store these properties in an HTTP server environment:

<solrserver name="solr_instance_name" type="http">
  <param name="host" value="localhost"/>
  <param name="port" value="8983"/>
  <param name="securetransport" value="true"/>
  <param name="username" value="solr_user"/>
  <param name="password" value="the_password"/>
</solrserver>

If you are in a cloud server environment, substitute cloud for the type property assignment as in the following example:

<solrserver name="solr_cloud_name" type="cloud">
  <param name="zkhosts" value="localhost:2181/pc"/>
  <param name="username" value="solr_user"/>
  <param name="password" value="the_password"/>
</solrserver>

Note: Guidewire does not recommend using this alternative in production for security reasons. Clear text credentials can upload to a ZooKeeper installation in the cloud environment. ZooKeeper is accessible by HTTP and is not secure.

As an alternative to using clear text credentials, use the Credentials plugin. If you register this plugin, the Solr server manager inside the Guidewire Solr Extension will request credentials for the SOLR key. If the plugin returns credentials in response to such a request, the credential values will supersede any clear text credentials in the solrserver-config.xml file.

Configuring the Solr application for basic authentication

To configure the Solr application to use basic authentication, you must define credentials for it. Defining credentials for the Solr application requires producing a credentials hash. To create this hash, use the commands called createuser.bat and createuser.sh for a given username and password pair. These commands are in the /opt/gwsolr/pc/bin folder by default. An example of how to use a createuser command is as follows:

C:\opt\gwsolr\pc\bin>.\createuser
Usage: createuser -user username [-password password] [-solrhome solrhome_folder] [-debug]

In the createuser command, if you enter a username without a password, you will receive a prompt to create a password. Otherwise, you will receive the following instruction:

Add the following entry to the authentication section of $SOLR_HOME/security.json.
"credentials": {
  "solr": "LkbT+UV72dlWq8zT/e9hyGFIIZSocHwQtK/h1P/4N2g= gN6KFzYNlIv0wgIyQvHUx+yX8phzY6OivyRGnpyp2to="
}
Be sure to enable the SOLR_AUTH* properties in bin/solr.in.cmd or bin/solr.in.sh.

If you include the solrhome option in the createuser command and no security.json file exists at the solrhome location, the file will be created with default content. This default content will include the generated password hash.

Configuring Guidewire Solr Extension to run with SSL activated

You can configure both the Guidewire Solr Extension server and Guidewire Solr Extension clients to run with SSL activated. Note that if you do configure the server or clients in this way, Guidewire recommends that you also configure the respective server or clients for basic authentication. Otherwise, running the respective server or clients with SSL activated will not provide effective security.

Configuring Guidewire Solr Extension server to run with SSL activated

Single HTTP server configuration

In a single HTTP server configuration, set the securetransport property to true in the corresponding solrserver element of the solrserver-config.xml file. The following code example shows this configuration:

<solrserver name="solr_ssltest_instance" type="solrhost">
  <param name="host" value="localhost"/>
  <param name="port" value="8983"/>
  <param name="securetransport" value="true"/>
</solrserver>

In addition, configure the appropriate certificates in accordance with instructions for the underlying Java Virtual Machine (JVM) or application server.

Cloud server configuration

In a cloud server configuration, set the security flag that enables Guidewire Solr Extension instances for secure transport. To set the flag, run the gwzkcli - zkhost command as the following Windows example shows:

gwzkcli -zkhostlocalhost:2181 -cmd put /pc/clusterprops.json {"urlScheme":"https"}

Note: In configuring the security for Guidewire Solr Extension batch load, follow the same instructions as for the corresponding Guidewire Solr Extension server type. In addition, configure a public certificate for the JVM running batch load in accordance with standard JVM properties. These property settings will be in either the batchload.bat file or the batchload.sh file.

Configuring Guidewire Solr Extension clients to run with SSL activated

In both standalone and cloud client configurations, configure security certificates and other environment variables. These settings include the SOLR_HOME variable. Configure the security certificates and environment variables in solr.in.cmd or solr.in.sh in accordance with Apache instructions.