Securing the Solr administrative console

Protect access to the full-text search service by securing the Solr administrative console.

About this task

The Solr administrative console, which is hosted by the IBM® WebSphere® Application Server administrative console, is not protected by default. If you deploy the Solr server outside your firewall and you do not secure access to the console before you begin indexing the HCL Compass database, then anyone who knows the console URL can search the full-text search index without authenticating. For example, in this scenario, a user who knows the Solr console URL might search the index for a social security number, and the search results might return a list of HCL Compass record DBIDs that contain the social security number. While the user cannot access the HCL Compass database by using the DBIDs returned in the search results, the user now knows that the social security number exists in the database.

If you have deployed the Solr server outside your firewall, follow the steps outlined in this topic to secure the WebSphere Application Server profile for HCL Compass full-text search and prevent unauthorized access to the search index.

Procedure

  1. Start the WebSphere Application Server administrative console on the server where you have HCL Compass full-text search installed. For example, in HCL Compass, to secure the Solr administrative console for the default profile cqsearchprofile, enter the following address in your web browser:
    http://localhost:12080/cqweb
    Important: If you have deployed full-text search on more than one HCL Compass database, each database will have its own profile and each will be on a different port. You must secure the Solr administrative console on each port.
  2. Log on to the WebSphere Application Server administrative console. By default, restricted access to the console is disabled, so you might be able to log on by entering the administrative user ID and clicking Log in. If restricted access is enabled, then you are prompted to enter the administrative password. See the WebSphere Application Server help on enabling security for details.

    The Welcome dialog box opens.

  3. Expand the Servers section and select Application servers. The Application servers pane opens.
  4. Select server1. The Configuration page opens.
  5. In the Container Settings section, expand Web Container Settings and select Web container transport chains. The Web container transport chains page opens.
  6. Click WCInboundDefault.
  7. In the Transport Channels section of the WCInboundDefault page, select TCP inbound channel (TCP 2).
  8. Define the transport chain by using the Address exclude list, Address include list, Host name exclude list and Host name include list fields, as appropriate, to specify the host addresses and names to include and exclude.

    For example, consider the following entries on the WCInboundDefault configuration page:

    Address include list
    192.168.1.2,192.168.2.*
    Host name include list
    *.mydomain.sample

    In this example, the host IP address 192.168.1.2 and the hosts that are returned by the expression 192.168.2.* are included in the transport chain. Also included are the hosts that are returned by the expression *.mydomain.sample.

    See the WebSphere Application Server help on TCP transport channel settings for configuration information.

  9. Click Apply and then click Save to save these changes to the master configuration.
  10. Restart the WebSphere Application Server profile.
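
Before applying the lists from step 8, it can help to check which clients a set of entries would admit. The following Python sketch is an added example, not HCL or IBM code. It models the four list fields under two assumptions that you should confirm in the WebSphere Application Server help: an exclude match always wins, and a non-empty include list rejects every client that it does not match. The function names and sample clients are constructed for illustration.

```python
import ipaddress
from fnmatch import fnmatchcase

def _split(field):
    """Split a comma-separated list field into trimmed, lowercased patterns."""
    return [e.strip().lower() for e in field.split(",") if e.strip()]

def _matches(value, patterns):
    """True if value matches any pattern ('*' is the wildcard)."""
    return any(fnmatchcase(value.lower(), p) for p in patterns)

def is_allowed(ip, host, addr_include="", addr_exclude="",
               host_include="", host_exclude=""):
    """Model the four list fields; the precedence here is an assumption."""
    ipaddress.ip_address(ip)  # raises ValueError on a malformed test address
    if _matches(ip, _split(addr_exclude)) or _matches(host, _split(host_exclude)):
        return False          # assumed: an exclude match always wins
    inc_addr, inc_host = _split(addr_include), _split(host_include)
    if not inc_addr and not inc_host:
        return True           # no include lists: nothing else is filtered
    return _matches(ip, inc_addr) or _matches(host, inc_host)

def review(clients, **lists):
    """Return {label: allowed} for (label, ip, host) tuples."""
    return {label: is_allowed(ip, host, **lists) for label, ip, host in clients}

# Constructed sample clients (documentation address ranges and made-up names).
SAMPLE_CLIENTS = [
    ("indexing host", "192.168.1.2", "cq1.corp.example"),
    ("subnet peer", "192.168.2.40", "node40.corp.example"),
    ("domain member", "10.0.0.7", "web1.mydomain.sample"),
    ("internet client", "203.0.113.9", "client.example.net"),
    ("look-alike domain", "198.51.100.4", "notmydomain.sample"),
]

if __name__ == "__main__":
    result = review(SAMPLE_CLIENTS,
                    addr_include="192.168.1.2,192.168.2.*",
                    host_include="*.mydomain.sample")
    for label, allowed in result.items():
        print(f"{label:18} {'ALLOW' if allowed else 'DENY'}")
```

Run the same review against the lists for each profile port, because every HCL Compass database profile has its own transport chain.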