Alfresco MTLS Configuration Deep Dive

cancel
Showing results for 
Search instead for 
Did you mean: 

Alfresco MTLS Configuration Deep Dive

2 0 772

solr_certificates.png

 

When setting MTLS configuration between SOLR and Repository, some steps need to be done:

  1. Generate certificates for Repository (ssl.repo) and SOLR (ssl.repo.client) using a CA (alfresco.ca)
  2. Configure Tomcat Repository in order to manage incoming HTTPs requests from SOLR
  3. Configure Alfresco Repository WAR in order to build request to Jetty SOLR
  4. Configure Jetty SOLR in order to manage incoming HTTPs requests from Repository
  5. Configure SOLR WAR in order to build requests to Tomcat Repository

1. Generating certificates

Several certificates are required:

  • alfresco.ca is the public certificate of the CA used to generate ssl.repo and ssl.repo.client certificates
  • ssl.repo is the certificate (private and public) to be used for the Repository
  • ssl.repo.client is the certificate (private and public) to be used for SOLR

Keystore (private keys) and Truststore (public keys) files are required for the Repository and SOLR. Supported formats for these stores are JKS, JCEKS and PKCS12. The contents for every store are described below:

  • Repository Keystore (ssl.keystore) contains ssl.repo private key.
  • Repository Truststore (ssl.truststore) contains alfresco.ca and ssl.repo.client public keys.
  • SOLR Keystore (ssl.repo.client.keystore) contains ssl.repo.client private key.
  • SOLR Truststore (ssl.repo.client.truststore) contains alfresco.ca, ssl.repo and ssl.repo.client public keys.

These files can be generated manually but it's easier to use the Alfresco SSL Generator Tool.

2. Configuring Tomcat Repository

Tomcat Repository is handling secure tracking requests from SOLR WAR, so a new Tomcat Connector must be added to /usr/local/tomcat/conf/server.xml file.

<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
    connectionTimeout="20000"
    SSLEnabled="true" maxThreads="150" scheme="https"
    keystoreFile="/usr/local/tomcat/alf_data/keystore/ssl.keystore"
    keystorePass="kT9X6oe68t" keystoreType="JCEKS" secure="true"
    truststoreFile="/usr/local/tomcat/alf_data/keystore/ssl.truststore"
    truststorePass="kT9X6oe68t" truststoreType="JCEKS" clientAuth="want" sslProtocol="TLS">
</Connector>

3. Configuring Alfresco Repository WAR

Alfresco Repository WAR requires to be configured in order to build secure requests to Jetty SOLR when performing searching operations. Add following settings to /usr/local/tomcat/shared/classes/alfresco-global.properties file.

solr.port.ssl=8983
solr.secureComms=https

dir.keystore=/usr/local/tomcat/alf_data/keystore
alfresco.encryption.ssl.keystore.type=JCEKS
alfresco.encryption.ssl.truststore.type=JCEKS

Inside dir.keystore folder following files are required: ssl.keystore, ssl.truststore, ssl-keystore-password.properties, ssl-truststore-password.properties.

4. Configuring Jetty SOLR

Jetty SOLR is handling secure searching operations from the Repository. Following configuration is required to be added to SOLR starting script solr.in.sh (Linux) or solr.in.cmd (Windows) under folder /opt/alfresco-search-services/

SOLR_SSL_TRUST_STORE=/opt/alfresco-search-services/keystore/ssl.repo.client.truststore
SOLR_SSL_TRUST_STORE_PASSWORD=kT9X6oe68t
SOLR_SSL_TRUST_STORE_TYPE=JCEKS
SOLR_SSL_KEY_STORE=/opt/alfresco-search-services/keystore/ssl.repo.client.keystore
SOLR_SSL_KEY_STORE_PASSWORD=kT9X6oe68t
SOLR_SSL_KEY_STORE_TYPE=JCEKS
SOLR_SSL_NEED_CLIENT_AUTH=true
SOLR_OPTS="$SOLR_OPTS -Dsolr.allow.unsafe.resourceloading=true -Dsolr.ssl.checkPeerName=false -Dsolr.data.dir.root=$DIST_DIR/data -Dsolr.solr.model.dir=$DIST_DIR/data/alfrescoModels"

5. Configuring SOLR WAR

SOLR WAR requires to be configured in order to build secure requests to Tomcat Repository when performing tracking operations. Following lines must be added to both SOLR cores (alfresco and archive) in the following locations:

  • /opt/alfresco-search-services/solrhome/alfresco/conf/solrcore.properties
  • /opt/alfresco-search-services/solrhome/archive/conf/solrcore.properties
alfresco.secureComms=https
alfresco.port.ssl=8443

alfresco.encryption.ssl.truststore.location=/opt/alfresco-search-services/keystore/ssl.repo.client.truststore
alfresco.encryption.ssl.keystore.provider=JCEKS
alfresco.encryption.ssl.truststore.type=
alfresco.encryption.ssl.keystore.location=/opt/alfresco-search-services/keystore/ssl.repo.client.keystore
alfresco.encryption.ssl.truststore.provider=JCEKS
alfresco.encryption.ssl.truststore.passwordFileLocation=/opt/alfresco-search-services/keystore/ssl-truststore-passwords.properties
alfresco.encryption.ssl.keystore.type=
alfresco.encryption.ssl.keystore.passwordFileLocation=/opt/alfresco-search-services/keystore/ssl-keystore-passwords.properties

Troubleshooting

If you are experimenting problems when searching from Alfresco or Share web applications, check steps 3 and 4.

If you are experimenting problems when indexing / tracking from SOLR web applications, check steps 2 and 5.

About the Author
Angel Borroy is Senior Software Engineer in Alfresco. Over the last 15 years, he has been working as a software architect on Java, BPM, document management and electronic signatures. He has been working with Alfresco during the last years to customize several implementations in large organizations and to provide add-ons to the Community based on Record Management and Electronic Signature. He writes (sometimes) on his personal blog http://angelborroy.wordpress.com. He is (proud) member of the Order of the Bee. Angel Borroy is Engineer at Alfresco.