When I use the provided Apache SOLR startup script (version 6.6.0), the script creates and then executes a java command line that has two sets of SSL properties who's related elements are set to the same values. One set has names like javax.net.ssl.* while the other set has names like solr.jetty.*. For example:

java -server ... 
    -Dsolr.jetty.keystore.password=secret ...
    -Djavax.net.ssl.keyStorePassword=secret ...
    ... -jar start.jar --module=https

Our security team does not allow passwords to be passed along on the command line or in environment variables but will allow them to be placed in a file provided the file has restricted access permissions. I noticed that there is a jetty-ssl.xml file in the solr/server/etc directory that can be used to provide default values to all the solr.jetty.* properties including solr.jetty.keystore.password. When I remove all the javax.net.ssl.keyStorePassword and solr.jetty.keystore.password properties from the java command line and update the jetty-ssl.xml file with my keystore password, SOLR appears to start with the default keystore password contained in that file. I can then connect with my browser to https://localhost:8983/solr/# and access the SOLR Admin page just fine.

Are the javax.net.ssl.* properties used at all in the SOLR standalone or SOLR cloud products? Are they used behind the scenes outside of the browser to SOLR server connections to connect to other processes like zookeeper? The only reference to them I can see to them in the source code is in the solr embedded code that is part of the solrj client.

Yes, both the solr.jetty server side and javax.net.ssl.* client side properties are used by SOLR. For certain operations, like collection creation, SOLR appears to connect to itself and when it does so it tries to connect via SSL with the javax.net.ssl.* property values.

As far as avoiding passing the properties on the command line or in an environment variable, the solution I came up with is to create a javaagent class that only has a premain method. In this premain method, which runs before main in start.jar, I read a properties file containing the "secret" SSL properties, like javax.net.ssl.keyStorePassword. The agent then adds that key/value to the Java System properties.

Thus when main starts all the SSL properties are known and have not been exposed to the command line or in environment variables. Clearly one must limit ownership and permissions on the properties file in order to maintain security. The following can be added to the SOLR java command line to make sure the agent runs and has access to the properties file as an argument:

java -javaagent:ssl-agent.jar=/path/to/ssl/properties/file ... -jar start.jar ... 

See here for info on writing java agents.