Secure Apache Solr Communications

This best practice addresses the need to secure connections between WebFOCUS and Apache Solr to ensure the confidentiality, authenticity, and integrity of all communications. It also addresses the need to ensure that indexing and search operations affect only those content resources and domains to which the user issuing the indexing operation or search query has been granted access. It can be applied by a WebFOCUS administrator and requires the support of an Apache Solr administrator.

Overview

In the standard configuration of WebFOCUS, search queries and indexing operations are sent to an Apache Solr server. Solr is a Java-based, open-source search server built on the Apache Lucene information retrieval library.

Apache Solr is independent of the applications it supports. It runs in an external environment and can support search queries from multiple users, whose access privileges can vary from unrestricted access to tightly restricted access within a single application. The same Apache Solr server can also support search and index operations from multiple applications that are not at all associated with WebFOCUS. In this multi-user, multi-tenant environment, administrators have an obligation to ensure that the results of search and index operations are available only to the application and user from which they originated.

Communications between WebFOCUS and Apache Solr take the form of HTTP requests whose URLs carry the query or indexing parameters, with results returned as JSON documents or, depending on the response format requested, as delimited text.

An Apache Solr server is included in the on-premises product installation by default. An Apache Solr server is also available to cloud installations, but it is not hosted within the same environment, so a cloud installation must connect to a remote server and apply all of the protections that securing such a connection requires.

Because queries and index operations must leave the security boundary of the WebFOCUS environment to reach the Apache Solr application, they are exposed to man-in-the-middle attacks: an attacker on the path can read or alter the requests and the results, and can use the connection as an entry point for manipulating the systems on either end.

Communications between WebFOCUS and Apache Solr can be left unrestricted, but given the exposure described above, WebFOCUS requires the use of Basic Authentication in the Apache Solr configuration for all customers using the cloud installation and recommends it for customers using an on-premises installation.

WebFOCUS supports Solr Basic Authentication by providing settings on the Search Settings page that hold the credentials issued to you by your Apache Solr administrator. It also lets you specify a target URL that uses the HTTPS protocol, so that the connection is protected by TLS (SSL) encryption. Basic Authentication on its own does not hide the credentials: the user name and password travel in the Authorization header of every request, only base64-encoded, so without HTTPS anyone on the path can read and reuse them. Use the two together. Finally, WebFOCUS keeps your query and index operations apart from those of other users of the Solr server by letting you create a unique name for your index collection and establish it in both WebFOCUS and Apache Solr. Note that a unique collection name separates your index from others on a shared server; it is not by itself an access control, which is why Basic Authentication is required alongside it.

Note that, in addition to Basic Authentication, Apache Solr also supports Authorization, Audit Logging, and IP Access control within its Security configuration. The use of these additional features is beyond the scope of WebFOCUS requirements, and other than establishing the use of Basic Authentication and the HTTPS protocol, WebFOCUS does not contain configuration settings that support these additional security features in Apache Solr. If your organization requires you to support these additional features, contact your organization’s Apache Solr administrator to learn more.

Best Practice

We recommend that you configure Apache Solr to use Basic Authentication by taking the following steps.

  1. Work with your Apache Solr administrator to enable and configure Basic Authentication on the Solr server, or, if you manage both applications, configure it yourself.
  2. Add the following Basic Authentication values to the WebFOCUS Configuration:
    1. Add a User ID to the User Name for Basic Authentication (IBI_SEARCH_USERNAME) setting.
    2. Replace the default Password provided in the Password for Basic Authentication (IBI_SEARCH_PASSWORD) setting with a unique password for your organization.
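The following Python script is an added illustration and is not part of the WebFOCUS or Apache Solr products. It generates the authentication section of a Solr security.json that enables Basic Authentication for the user that WebFOCUS will present, in the credential format that Solr's BasicAuthPlugin stores (a base64 SHA-256 hash computed over a random 32-byte salt prepended to the password, hashed a second time, followed by the base64 salt), so that the output can be installed in Solr as is. The user name webfocus, the password, and the realm text are placeholders chosen for the example.

```python
import base64
import hashlib
import hmac
import json
import os
from typing import Dict, Optional


def solr_password_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Return a credential in the form Solr's BasicAuthPlugin stores:
    "<base64(sha256(sha256(salt + password)))> <base64(salt)>".

    Solr's Sha256AuthenticationProvider prepends a 32-byte salt to the
    UTF-8 password, hashes with SHA-256, then hashes that digest once more.
    A fresh random salt is drawn when none is supplied.
    """
    if salt is None:
        salt = os.urandom(32)
    first = hashlib.sha256(salt + password.encode("utf-8")).digest()
    second = hashlib.sha256(first).digest()
    return (base64.b64encode(second).decode("ascii") + " "
            + base64.b64encode(salt).decode("ascii"))


def verify_solr_password(password: str, credential: str) -> bool:
    """Check a cleartext password against a stored "<hash> <salt>" credential,
    for example to confirm that the value entered in IBI_SEARCH_PASSWORD
    matches what Solr holds."""
    try:
        _, stored_salt = credential.split(" ")
        salt = base64.b64decode(stored_salt, validate=True)
    except (ValueError, TypeError):
        return False
    recomputed = solr_password_hash(password, salt)
    # constant-time comparison avoids leaking how many leading bytes matched
    return hmac.compare_digest(recomputed, credential)


def build_security_json(users: Dict[str, str], realm: str = "WebFOCUS search") -> dict:
    """Build the authentication section of security.json.

    blockUnknown=True makes Solr reject every request that carries no
    credentials instead of letting it through as an anonymous user, which
    is what closes the shared-server exposure described above.
    """
    return {
        "authentication": {
            "class": "solr.BasicAuthPlugin",
            "blockUnknown": True,
            "realm": realm,
            "credentials": {name: solr_password_hash(pwd) for name, pwd in users.items()},
        }
    }


if __name__ == "__main__":
    # placeholder user name and password for this example; use your own values
    config = build_security_json({"webfocus": "change-this-password"})
    print(json.dumps(config, indent=2))
```

Run the script, save the output as security.json, and install the file where your Solr deployment reads it (the Solr home directory for a standalone server, or uploaded to ZooKeeper for SolrCloud; see the Basic Authentication Plugin topic in the Apache Solr Reference Guide). Keep blockUnknown set to true as shown, so that requests without credentials are rejected rather than treated as anonymous. The same user name and password are the values to enter in the IBI_SEARCH_USERNAME and IBI_SEARCH_PASSWORD settings. You can confirm that the hash format matches your Solr version by running verify_solr_password against the example credential string published in that Reference Guide topic.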

When Solr Basic Authentication is in use, a unique search collection is also required. Therefore, we recommend that you:

  1. Replace ibi-protected, the default value that appears in the Collection Name (IBI_SEARCH_COLLECTION) setting, with a collection name that is unique to your organization.
  2. Create a collection with that same unique name in Apache Solr through the Solr Collections API, so that WebFOCUS and Solr refer to the same index.

    For more information, see the Collections/Core Admin topic and the Collections API topic in the Apache Solr Reference Guide.

We also recommend that you require TLS for all communications between the WebFOCUS Client and the Solr server. Note that an HTTP Strict Transport Security (HSTS) policy is a response header honored by browsers; it does not govern the server-to-server connection from WebFOCUS to Solr, so that connection is secured by requiring TLS on the Solr side and configuring an HTTPS URL in WebFOCUS, as follows.

  1. Ensure that the Apache Solr configuration also requires the use of SSL/TLS communications.
  2. Create a Self-Signed Certificate and assign it to your configuration of WebFOCUS. A self-signed certificate is suitable for testing; for production use, prefer one issued by a certificate authority that your clients already trust. Whatever certificate the Solr server presents must also be trusted by WebFOCUS: a Java client such as the WebFOCUS Client typically validates the server certificate against the truststore of its Java runtime, so a self-signed Solr certificate must be imported there. Do not work around a failed validation by disabling certificate checking, because that removes the protection against the man-in-the-middle attacks described above.
    1. If you are using Apache Tomcat as your web server, follow the procedures in the Configuring ibi WebFOCUS for SSL topics, which are located in the ibi™ WebFOCUS® Security and Administration technical content.
    2. If you are using a web server from a different vendor, follow the instructions describing how to configure SSL/TLS for that server provided by your vendor.
  3. Assign a URL that includes the HTTPS protocol to the Solr URL (IBI_INFOSEARCH_SOLR_URL) setting.
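The following Python script is an added illustration, not part of WebFOCUS or Apache Solr, that ties the collection and HTTPS procedures above together. It checks the four Search Settings values those procedures establish, reporting the weak values (an http:// URL, empty credentials, the default ibi-protected collection name) beside their corrected form, and, when pointed at a live server, confirms that Solr rejects an unauthenticated request with HTTP 401 and accepts the same request with the configured Basic Authentication credentials, with TLS certificate verification left on. The host name solr.example.org, the user name and password, the collection name acme-search, and the assumption that IBI_INFOSEARCH_SOLR_URL ends in the /solr base path are placeholders for the example.

```python
import base64
import ssl
import urllib.error
import urllib.request
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Default value of the IBI_SEARCH_COLLECTION setting, which must be replaced.
DEFAULT_COLLECTION = "ibi-protected"


def check_search_settings(solr_url: str, username: str, password: str,
                          collection: str) -> List[str]:
    """Return one finding per Search Settings value that breaks the best
    practice. An empty list means the settings comply."""
    findings: List[str] = []
    parts = urlsplit(solr_url)
    if parts.scheme != "https":
        findings.append("IBI_INFOSEARCH_SOLR_URL must start with https://; Basic "
                        "Authentication only base64-encodes the password, so over "
                        "plain http it is readable by anyone on the path")
    if not parts.netloc:
        findings.append("IBI_INFOSEARCH_SOLR_URL has no host name")
    if not username or not password:
        findings.append("IBI_SEARCH_USERNAME and IBI_SEARCH_PASSWORD must both be set")
    if collection == DEFAULT_COLLECTION:
        findings.append(f"IBI_SEARCH_COLLECTION still uses the default '{DEFAULT_COLLECTION}'; "
                        "use a name unique to your organization")
    return findings


def basic_auth_header(username: str, password: str) -> str:
    """Build the Authorization header value that Basic Authentication sends."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def probe_solr(solr_url: str, username: str, password: str, collection: str,
               cafile: Optional[str] = None, timeout: float = 10.0) -> Dict[str, object]:
    """Live check against a running Solr server (network access required).

    Sends the same trivial select query twice, once without credentials and
    once with them. Solr with blockUnknown=true must answer 401 to the first
    and 200 to the second. Certificate verification stays on: to trust a
    self-signed Solr certificate, pass its PEM file as cafile rather than
    turning verification off.
    """
    if urlsplit(solr_url).scheme != "https":
        raise ValueError("refusing to send Basic Authentication credentials over plain http")
    context = ssl.create_default_context(cafile=cafile)
    # assumes solr_url is the Solr base path, e.g. https://host:8983/solr
    url = f"{solr_url.rstrip('/')}/{collection}/select?q=*:*&rows=0&wt=json"

    def status_for(headers: Dict[str, str]) -> int:
        request = urllib.request.Request(url, headers=headers)
        try:
            with urllib.request.urlopen(request, timeout=timeout, context=context) as response:
                return response.status
        except urllib.error.HTTPError as err:
            return err.code

    anonymous = status_for({})
    authenticated = status_for({"Authorization": basic_auth_header(username, password)})
    return {
        "anonymous_status": anonymous,
        "authenticated_status": authenticated,
        "anonymous_rejected": anonymous == 401,
        "authenticated_ok": authenticated == 200,
    }


if __name__ == "__main__":
    # placeholder values for this example; substitute your own settings
    settings = dict(solr_url="https://solr.example.org:8983/solr",
                    username="webfocus", password="change-this-password",
                    collection="acme-search")
    for finding in check_search_settings(**settings) or ["settings comply with the best practice"]:
        print(finding)
    # Against a live server with a self-signed certificate saved as PEM:
    # print(probe_solr(**settings, cafile="/path/to/solr-cert.pem"))
```

A result of anonymous_rejected being False means Solr is still answering requests that carry no credentials, so blockUnknown is not in effect and the collection is reachable by anyone who can reach the server. A certificate verification error from probe_solr is the signal that the Solr certificate is not yet trusted by the client; fix it with cafile or the truststore, not by relaxing verification.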

Additional Resources

For more information, see Configuring Solr Basic Authentication in the ibi™ WebFOCUS® Security and Administration technical content.

For more information about Apache Solr Security, see the Securing Solr section of the Apache Solr Reference Guide for the version of Apache Solr installed in your organization.