[SC-23] Ensure all inter-component traffic within Solr is sent over TLS #4119
Comments
Full disclosure: This is not an easy issue. There are known issues as to why we couldn't get EFS encrypted-in-transit and to support HTTPS from the Solr node itself would require installing either self-signed certificates or some other solution which is further customization to the design (not to mention the implementation details themselves).
We don't know if this is possible to be implemented; may have to look into getting acceptance of current.
have things changed? is this easy now?
So, I remembered that I looked at that page and that I tried to use the
There was some issue with connectivity. Either AWS didn't like the hack with efs-utils trying to initiate the connection after the Solr container was already running and since it couldn't establish the connection, Solr just made a temporary directory for its data. The primary issue was that the connection was not being established TLS and there were no errors, no warnings, no indications about which part of the connection was failing. Not being able to debug it, I had given up. We can try again, but I stand by the fact that it is not worth the effort to investigate this. We had even submitted an issue with AWS Support and there wasn't any specific help that they could provide because they thought it was an application/infrastructure-specific issue that they were not knowledgeable enough to diagnose.
Next step looks like discuss with our ISSO.
Discussed with ISSO on 2/14/23. He will raise with ISSM.
ISSO advises we start work on AOR, https://docs.google.com/document/d/18AvgMBln6fKgoznb3BWTvu2JHO7iISyf/edit?usp=sharing&ouid=113511966954817069922&rtpof=true&sd=true
Draft sent to ISSO
Met with ISSM 8/9, this is pending CISO's return from leave in a few weeks
@nickumia-reisys can you dump the support ticket to a PDF as I don't have access to view it. Thank you
@rpalmer-gsa Here is the doc version of the support ticket. P.S. I tried my best to paste it in a readable structure. (additional discussion)
Met with ISSM 1/22, he will follow up on AOR status
Not carried over as a new POA&M
User Story
In order to increase our security posture, the Data.gov Solr Team wants to secure all communication channels within our Solr deployment.
Acceptance Criteria
[ACs should be clearly demoable/verifiable whenever possible. Try specifying them using BDD.]
GIVEN communication between Solr and the LB is encrypted
WHEN I look at the Solr service
THEN I see it listening only on port 443
GIVEN communication between Solr and the Admin Init app is encrypted
WHEN I look at the logs of the Admin Init app
THEN I see it talking to Solr over https
GIVEN communication between Solr and EFS is encrypted
WHEN I look at the Solr service
THEN I see it talking to EFS in an encrypted way
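The three acceptance criteria above are each verifiable from host-level evidence: the listening sockets of the Solr service, the Admin Init app's logs, and the mount table of the Solr host. The script below is an added example, not code from the data.gov Solr project or this issue, that turns each criterion into a pass/fail check over constructed sample input. It assumes a Solr hostname of `solr.internal`, a mount point of `/var/solr`, log lines that embed the full request URL, and the efs-utils behaviour that a `-o tls` mount is proxied through a local stunnel and therefore appears in `/proc/mounts` with `127.0.0.1` as its source, whereas a plaintext NFS mount shows the EFS DNS name or a VPC address.

```python
"""Added example (not from the data.gov Solr issue): checks that model the
three acceptance criteria for inter-component TLS against constructed data."""
import re

# --- AC1: Solr listens only on 443 ---------------------------------------
# Constructed sample lines in the shape of `ss -ltn` output (hypothetical).
SOLR_SOCKETS_GOOD = [
    "LISTEN 0 128 0.0.0.0:443 0.0.0.0:*",
    "LISTEN 0 128 [::]:443 [::]:*",
]
# Same host, but the default Solr HTTP port is still exposed: must fail.
SOLR_SOCKETS_BAD = SOLR_SOCKETS_GOOD + ["LISTEN 0 128 0.0.0.0:8983 0.0.0.0:*"]

_SOCK_RE = re.compile(r"^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s")


def listening_ports(lines):
    """Return the set of TCP ports that have a LISTEN socket."""
    ports = set()
    for line in lines:
        m = _SOCK_RE.match(line.strip())
        if m:
            ports.add(int(m.group(2)))
    return ports


def listens_only_on(lines, port=443):
    """AC1 passes only if `port` is the single listening port."""
    return listening_ports(lines) == {port}


# --- AC2: Admin Init talks to Solr over https ----------------------------
# Constructed sample log lines for the Admin Init app (format is assumed).
ADMIN_INIT_LOG = [
    "2023-02-14T10:00:01Z INFO create core POST https://solr.internal:443/solr/admin/cores",
    "2023-02-14T10:00:02Z INFO healthcheck GET https://solr.internal:443/solr/admin/ping",
]
ADMIN_INIT_LOG_BAD = ADMIN_INIT_LOG + [
    "2023-02-14T10:00:03Z INFO healthcheck GET http://solr.internal:8983/solr/admin/ping",
]

_URL_RE = re.compile(r"\bhttps?://[^\s\"'>]+")


def plaintext_solr_urls(lines, solr_host="solr.internal"):
    """AC2: return every plaintext (http://) Solr URL found in the logs.

    An empty list means every logged Solr request used https.
    """
    bad = []
    for line in lines:
        for url in _URL_RE.findall(line):
            if url.startswith("http://") and solr_host in url:
                bad.append(url)
    return bad


# --- AC3: the EFS mount is encrypted in transit --------------------------
# Constructed /proc/mounts lines. With `mount -t efs -o tls`, efs-utils
# terminates NFS in a local stunnel, so the source is 127.0.0.1 (assumed
# efs-utils behaviour). A plain mount names the EFS endpoint directly.
PROC_MOUNTS_TLS = [
    "127.0.0.1:/ /var/solr nfs4 rw,relatime,vers=4.1,port=20049,addr=127.0.0.1 0 0",
]
PROC_MOUNTS_PLAIN = [
    "fs-EXAMPLE.efs.us-east-1.amazonaws.com:/ /var/solr nfs4 rw,relatime,vers=4.1,port=2049,addr=10.0.1.5 0 0",
]


def efs_mount_is_tls(mount_lines, mount_point="/var/solr"):
    """AC3: True only if the Solr data mount is NFSv4 proxied via localhost.

    Returns False when the mount is absent, which is the silent failure the
    issue thread describes: Solr falls back to a local temporary directory.
    """
    for line in mount_lines:
        fields = line.split()
        if len(fields) < 3 or fields[1] != mount_point:
            continue
        source, fstype = fields[0], fields[2]
        return fstype == "nfs4" and source.startswith("127.0.0.1:")
    return False


def check_all(sockets, admin_log, mounts):
    """Run the three acceptance checks and return a name -> bool mapping."""
    return {
        "solr_listens_only_443": listens_only_on(sockets),
        "admin_init_uses_https": not plaintext_solr_urls(admin_log),
        "efs_mount_is_tls": efs_mount_is_tls(mounts),
    }


if __name__ == "__main__":
    for name, ok in check_all(SOLR_SOCKETS_GOOD, ADMIN_INIT_LOG, PROC_MOUNTS_TLS).items():
        print(f"{name}: {'PASS' if ok else 'FAIL'}")
```

On a real host the three inputs would come from `ss -ltn`, the Admin Init container logs, and `/proc/mounts`; the checks deliberately fail closed, so a missing EFS mount or an extra listening port counts as a failure rather than an unknown.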
Background
[Any helpful contextual notes or links to artifacts/evidence, if needed]
Related tickets:
Security Considerations (required)
TODO
Sketch
[Notes or a checklist reflecting our understanding of the selected approach]