Securing the Solr administrative console

Protect access to the full-text search service by securing the Solr administrative console.

About this task

The Solr administrative console, which is hosted by the IBM WebSphere Application Server administrative console, is not protected by default. If you deploy the Solr server outside your firewall and you do not secure access to the console before you begin indexing the IBM Rational ClearQuest database, then anyone who knows the console URL can search the full-text search index without authenticating. For example, in this scenario, a user who knows the Solr console URL might search the index for a social security number, and the search results might return a list of ClearQuest record DBIDs that contain the social security number. While the user cannot access the ClearQuest database by using the DBIDs returned in the search results, the user now knows that the social security number exists in the database.

If you have deployed the Solr server outside your firewall, follow the steps outlined in this topic to secure the WebSphere Application Server profile for ClearQuest full-text search and prevent unauthorized access to the search index.

Procedure

  1. Start the Solr administrative console on the server where you have ClearQuest full-text search installed. For example, to secure the Solr administrative console for the default profile cqsearchprofile, enter the following address in your web browser:
    http://localhost:14060/ibm/console

    If you have enabled full-text search on two or more ClearQuest databases, each database will have its own profile and each will be on a different port. You must secure the Solr administrative console for each profile.

  2. Log on to the console. By default, restricted access to the console is disabled, so you might be able to log on by entering the administrative user ID and clicking Log in. If restricted access is enabled, then you are prompted to enter the administrative password. See the WebSphere Application Server help on Enabling security for details.

    The Welcome dialog box opens.

  3. Expand the Servers section and select Application servers. The Application servers pane opens.
  4. Select server1. The Configuration page opens.
  5. In the Container Settings section, expand Web Container Settings and select Web container transport chains. The Web container transport chains page opens.
  6. Click WCInboundDefault.
  7. In the Transport Channels section of the WCInboundDefault page, select TCP inbound channel (TCP 2).
  8. Define the transport chain by using the Address exclude list, Address include list, Host name exclude list and Host name include list fields, as appropriate, to specify the host addresses and names to include and exclude.

    For example, consider the following entries on the WCInboundDefault configuration page:

    Address include list
    192.168.1.2,192.168.2.*

    Host name include list
    *.mydomain.sample

    In this example, the host IP address 192.168.1.2 and the hosts matched by the pattern 192.168.2.* are included in the transport chain. Also included are the hosts matched by the pattern *.mydomain.sample.

    See the WebSphere Application Server help on TCP transport channel settings for configuration information.

    Attention: Security needs vary. At a minimum, include all Change Management Server (CM Server) hosts that serve ClearQuest Web so that end users can access the user database and associated full-text search service. Failure to do this will affect the full-text search query results.

    Hosts might include CM Servers at IBM Rational ClearQuest MultiSite locations when using a single full-text search service for a family, or a set of load-balanced CM Servers.

  9. Click Apply and then click Save to save these changes to the master configuration.
  10. Restart the WebSphere Application Server profile.
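The following Python script is an added illustration, not IBM or WebSphere code, of how the four fields in step 8 classify a connecting client. It reuses the sample entries from the example above and a few constructed client addresses and host names. It assumes (this is not verified against the WebSphere implementation) that a match on either exclude list rejects the client outright, that a client must match at least one include entry (address or host name) when any include list is non-empty, and that an empty set of include lists admits every non-excluded client; confirm the exact precedence rules in the TCP transport channel settings help.

```python
from fnmatch import fnmatchcase

# Sample lists taken from the configuration example in step 8.
ADDRESS_INCLUDE = ["192.168.1.2", "192.168.2.*"]
ADDRESS_EXCLUDE = []
HOSTNAME_INCLUDE = ["*.mydomain.sample"]
HOSTNAME_EXCLUDE = []


def parse_list(field_text):
    """Split a comma-separated console field such as '192.168.1.2,192.168.2.*'."""
    return [item.strip() for item in field_text.split(",") if item.strip()]


def _matches(value, patterns):
    """True if value matches any '*' wildcard pattern in the list (case-insensitive)."""
    value = value.lower()
    return any(fnmatchcase(value, p.strip().lower()) for p in patterns if p.strip())


def client_allowed(ip, hostname,
                   addr_include=ADDRESS_INCLUDE, addr_exclude=ADDRESS_EXCLUDE,
                   host_include=HOSTNAME_INCLUDE, host_exclude=HOSTNAME_EXCLUDE):
    """Decide whether a connecting client would be accepted by the transport chain.

    ASSUMPTION (not checked against WebSphere itself): an exclude match on the
    address or the host name rejects the client; when any include list is
    non-empty the client must match some include entry (address or host name);
    with no include entries at all every non-excluded client is accepted.
    """
    if _matches(ip, addr_exclude) or _matches(hostname, host_exclude):
        return False
    include_entries = [p for p in addr_include + host_include if p.strip()]
    if not include_entries:
        return True
    return _matches(ip, addr_include) or _matches(hostname, host_include)


def audit(clients, **lists):
    """Return {(ip, hostname): allowed} for a set of connection attempts."""
    return {(ip, host): client_allowed(ip, host, **lists) for ip, host in clients}


if __name__ == "__main__":
    # Constructed clients: two CM Server hosts, one host on another network that
    # only matches by name, and one host that matches nothing.
    sample_clients = [
        ("192.168.1.2", "cmserver1.mydomain.sample"),
        ("192.168.2.40", "cmserver2.otherdomain.sample"),
        ("10.20.30.40", "cmserver3.mydomain.sample"),
        ("203.0.113.7", "scanner.example"),
    ]
    for (ip, host), allowed in audit(sample_clients).items():
        print(f"{ip:15} {host:32} {'allowed' if allowed else 'rejected'}")
```

Before clicking Save in step 9, a useful check is to run every CM Server host that serves ClearQuest Web through `client_allowed` with the lists you intend to enter; a host that comes back rejected is one whose users will lose full-text search results after the restart in step 10.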
