I'm trying to get Solr 8.11.1 working on Red Hat Enterprise Linux release 8.5 (Ootpa). The environment has FIPS enabled and I can't get Solr to start. I've followed Solr's install guide (https://solr.apache.org/guide/8_11/taking-solr-to-production.html) and then I tried following Solr's guide (https://solr.apache.org/guide/8_11/enabling-ssl.html) to enable SSL, but I'm unable to run the keytool command they provide:
```
keytool -genkeypair -alias solr-ssl -keyalg RSA -keysize 2048 -keypass secret -storepass secret -validity 9999 -keystore solr-ssl.keystore.p12 -storetype PKCS12 -ext SAN=DNS:localhost,IP:XXX.XXX.X.X,IP:127.0.0.1 -dname "CN=localhost, OU=Organizational Unit, O=Organization, L=Location, ST=State, C=Country"
```

When I try to run that command, I get the following error:

```
keytool error: java.security.KeyStoreException: Key protection algorithm not found: java.lang.NullPointerException
```

I was able to successfully get the same version of Solr working using the same steps from https://solr.apache.org/guide/8_11/taking-solr-to-production.html on two other RHEL 8 machines, but they did not have FIPS on them. So I'm fairly certain that FIPS is the issue here, but I don't have much experience working with it, so I don't know how to properly start Solr within a FIPS environment. I've tried searching online, but have not come across anything on how to get Solr to run on a FIPS enabled machine. Any help would be much appreciated!

RyanWorks
  • You aren't alone. 8.11.1. Having the same thing on a STIG'd RHEL. My problem goes even further with the "CoreContainer is either not initialized or shutting down". If I find anything I'll let you know. – Steven Linn Mar 09 '22 at 15:53

1 Answer

After much research, I was able to get it to run in a STIG'd RHEL with this in /etc/default/solr.in.sh.

```
SOLR_OPTS="$SOLR_OPTS -Dcom.redhat.fips=false"
```

I'm not sure what this affects but since the underlying FS is FIPS and I have a PKCS12 SSL cert it all works fine, including SSL connections.

There are open issues with Solr about FIPS mode not working, but no resolution has been posted anywhere.

Steven Linn
  • Nice! Unfortunately, disabling FIPS within Solr is not an option for me. However, I did try disabling it just out of curiosity and found out that Solr still won't start. I'm using only the default values in the solr.in.sh file with the addition of SOLR_OPTS="$SOLR_OPTS -Dcom.redhat.fips=false" but it still won't start. I just get a 503 error when I try to hit the Solr Admin page (http://localhost:8983/solr/) – RyanWorks Mar 09 '22 at 23:28
  • Try taking your pk12 cert and running this on it: `keytool -v -importkeystore -srckeystore solr-ssl.keystore.p12 -srcstoretype PKCS12 -destkeystore solr-ssl.keystore.jks -deststoretype JKS` in a non-FIPS environment, then copy it over and use the key as a JKS store. `SOLR_SSL_KEY_STORE_TYPE=JKS` and `SOLR_SSL_TRUST_STORE_TYPE=JKS` – Steven Linn Mar 09 '22 at 23:49
  • So my team and I FINALLY got it working after trying numerous ways. So I thought I'd go ahead and share this info in hopes that the next person will find this info useful to them. https://stackoverflow.com/questions/70962385/solr-8-not-working-when-trying-to-start-solr-java-lang-illegalstateexception – RyanWorks May 12 '22 at 22:41
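
A compliance check for the workaround in this answer, added here as an example and not part of the original thread: it reads a Solr include file and reports whether the JVM is started with `-Dcom.redhat.fips=false`, or configured with a JKS keystore, on a host whose kernel FIPS flag is set. The function names, the sample file, and treating a JKS store as a finding are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit a Solr include file for settings that take the JVM
# out of the host's FIPS policy. Function names are hypothetical.

# last_match <file> <sed BRE with one group>: last uncommented match wins,
# because later assignments in a shell include file override earlier ones.
last_match() {
  grep -v '^[[:space:]]*#' "$1" | sed -n "s/.*$2.*/\1/p" | tail -n 1
}

# jvm_fips_setting <file>: value given to -Dcom.redhat.fips, or "unset".
jvm_fips_setting() {
  v=$(last_match "$1" '-Dcom\.redhat\.fips=\([A-Za-z]*\)' | tr 'A-Z' 'a-z')
  echo "${v:-unset}"
}

# audit_solr_fips <file> [host_fips]: returns 1 when there is a finding.
# host_fips defaults to the kernel flag; pass 0 or 1 to audit a copied file.
audit_solr_fips() {
  host=${2:-$(cat /proc/sys/crypto/fips_enabled 2>/dev/null || echo 0)}
  jvm=$(jvm_fips_setting "$1")
  ks=$(last_match "$1" 'SOLR_SSL_KEY_STORE_TYPE="*\([A-Za-z0-9]*\)')
  rc=0
  echo "host_fips=$host jvm_com.redhat.fips=$jvm keystore_type=${ks:-unset}"
  if [ "$host" = 1 ] && [ "$jvm" = false ]; then
    echo "FINDING: FIPS host, but Solr's JVM is started with -Dcom.redhat.fips=false"
    rc=1
  fi
  # Assumption of this example: a JKS store on a FIPS host deserves review.
  if [ "$host" = 1 ] && [ "$ks" = JKS ]; then
    echo "FINDING: JKS keystore configured on a FIPS host; check it against policy"
    rc=1
  fi
  return $rc
}

# Constructed sample mirroring the settings discussed in this thread.
sample=$(mktemp)
printf '%s\n' '#SOLR_OPTS="$SOLR_OPTS -Dcom.redhat.fips=true"' \
  'SOLR_OPTS="$SOLR_OPTS -Dcom.redhat.fips=false"' \
  'SOLR_SSL_KEY_STORE_TYPE=JKS' > "$sample"
audit_solr_fips "$sample" 1 || echo "audit exit status: $?"
```

Run it against `/etc/default/solr.in.sh` with no second argument to compare the file with the local kernel FIPS flag.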