Enable mutual TLS authentication for Solr

Abstract

How to enable Solr client certificate authentication.

You can configure Sitecore to use an X509 client authentication certificate to authenticate with Solr. Sitecore then includes the certificate in every request it sends to Solr.

To enable Solr client certificate authentication:

  1. Obtain a valid certificate that can be authenticated by Solr.

  2. Install the certificate on the server where you deploy the Solr instance.

  3. Add this connection string to ConnectionStrings.config on all Sitecore instances where you use Solr:

    <add name="solr.search.client.certificate" connectionString="Thumbprint={Thumbprint of the client certificate here};StoreName={Certificate store where the certificate has been installed};StoreLocation={Store location};ValidOnly={true to allow only valid certificates to be returned from the search; otherwise, false}" />

    Note

    Replace the curly brackets ({   }) and the content between them with the values from the certificate you installed.
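
A pre-flight check for step 3, as an added example that is not part of the Sitecore documentation: it confirms the client certificate is in the store with its private key and prints the finished connection string. The thumbprint, store name and store location are constructed placeholder values.

```powershell
# Added example, not Sitecore code. The three values below are constructed
# placeholders; replace them with the values for the certificate you installed.
$thumbprintInput = '00 11 22 33 44 55 66 77 88 99 AA BB CC DD EE FF 00 11 22 33'
$storeName       = 'My'
$storeLocation   = 'LocalMachine'

# Thumbprints copied from the certificate dialog often carry spaces or invisible
# characters; keep only the hex digits so the store lookup matches.
$thumbprint = ($thumbprintInput -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
if ($thumbprint.Length -ne 40) {
    throw "Expected a 40-character SHA-1 thumbprint, got $($thumbprint.Length) characters."
}

# Look the certificate up in the store named in the connection string.
$cert = Get-ChildItem -Path "Cert:\$storeLocation\$storeName" |
    Where-Object { $_.Thumbprint -eq $thumbprint }
if (-not $cert) {
    throw "No certificate with thumbprint $thumbprint in $storeLocation\$storeName."
}

# A client authentication certificate cannot be used without its private key.
if (-not $cert.HasPrivateKey) {
    throw 'The certificate has no private key in this store.'
}

# Check the validity period, then basic chain validation. A certificate that
# fails these checks may be filtered out when ValidOnly is set to true.
$now = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    throw "The certificate is not valid on $now (valid $($cert.NotBefore) to $($cert.NotAfter))."
}
if (-not $cert.Verify()) {
    Write-Warning 'Chain validation failed; review the issuing CA trust before using ValidOnly=true.'
}

# Emit the entry for ConnectionStrings.config.
'<add name="solr.search.client.certificate" connectionString="Thumbprint={0};StoreName={1};StoreLocation={2};ValidOnly=true" />' -f $thumbprint, $storeName, $storeLocation
```

Run it on each Sitecore instance under an account that can read the chosen store.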

You can add configuration that makes Sitecore validate a Solr certificate when it communicates with Solr. Sitecore does this by comparing thumbprints.

To make Sitecore validate a Solr certificate when it communicates with Solr:

  1. Obtain certificate thumbprint(s) from the Solr server(s).

  2. Add the following connection string to ConnectionStrings.config on all Sitecore instances that use Solr:

    <add name="solr.search.server.certificate" connectionString="ValidCertificates={Solr certificate thumbprint}" />

    Note

    Replace the curly brackets ({   }) and the content between them with the Solr certificate thumbprint value. Use the pipe character (|) as a separator if you provide multiple values.