When you use SunJSSE FIPS 140 compliant mode in OpenJDK 11, Jetty's KeyManagerFactory is obstructed when the keystore required for running the cb-solr service in FIPS mode is created with fully qualified domain names (FQDNs) instead of IP addresses. This issue is addressed in OpenJDK 17.

For the cb-solr service to run correctly in FIPS mode on RHEL 8, you must update OpenJDK to the latest available stable version (version 17 as of the time of this publication).

Note: If you have a cluster deployment, perform the following steps on all nodes.

Procedure

  1. Install OpenJDK 17 by running the following command:
    yum install java-17-openjdk-headless
  2. Confirm that the jre-17 folder exists in /usr/lib/jvm.
  3. Back up the existing solr.in.sh configuration file by running the following command:
    cp /etc/cb/solr/solr.in.sh /etc/cb/solr/solr.in.sh.bak
  4. In the /etc/cb/solr/solr.in.sh file, update SOLR_JAVA_HOME to point to OpenJDK 17.
    Replace SOLR_JAVA_HOME=${CbJavaHome:-/usr/lib/jvm/jre-11/} with SOLR_JAVA_HOME="/usr/lib/jvm/jre-17/".
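
Steps 2 through 4 can be scripted for repeat use across nodes. The following is an added example, not part of the original procedure or the product's own tooling: the function name and its two optional arguments are hypothetical, and the defaults are the paths given in the steps above. It assumes GNU sed, as shipped on RHEL 8, and a single SOLR_JAVA_HOME line in the file.

```shell
# Added example: steps 2-4 as one idempotent function.
# update_solr_java_home and its arguments are hypothetical names;
# the defaults are the paths from the procedure.
update_solr_java_home() {
    local conf="${1:-/etc/cb/solr/solr.in.sh}"
    local jre="${2:-/usr/lib/jvm/jre-17/}"
    local count

    # Step 2: stop if the OpenJDK 17 runtime directory is missing.
    if [ ! -d "$jre" ]; then
        echo "error: $jre not found; install java-17-openjdk-headless first" >&2
        return 1
    fi
    if [ ! -f "$conf" ]; then
        echo "error: $conf not found" >&2
        return 1
    fi

    # Nothing to do if an earlier run already applied the change.
    if grep -qxF "SOLR_JAVA_HOME=\"$jre\"" "$conf"; then
        echo "SOLR_JAVA_HOME already points to $jre"
        return 0
    fi

    # Require exactly one active setting; anything else needs a manual edit.
    count=$(grep -c '^SOLR_JAVA_HOME=' "$conf" || true)
    if [ "$count" -ne 1 ]; then
        echo "error: expected 1 SOLR_JAVA_HOME line in $conf, found $count" >&2
        return 1
    fi

    # Step 3: back up, but never overwrite an existing backup,
    # because it holds the original OpenJDK 11 setting.
    if [ ! -e "$conf.bak" ]; then
        cp -p "$conf" "$conf.bak" || return 1
    fi

    # Step 4: replace the whole line ('|' delimiter because the value has slashes).
    sed -i "s|^SOLR_JAVA_HOME=.*|SOLR_JAVA_HOME=\"$jre\"|" "$conf" || return 1

    # Verify that the new value is what the file now contains.
    grep -qxF "SOLR_JAVA_HOME=\"$jre\"" "$conf"
}
```

Call `update_solr_java_home` with no arguments as root on each node; a non-zero return means the file was left for manual review.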

What to do next

See Enable FIPS in Solr.