Securing Alfresco with 5 simple steps

cancel
Showing results for 
Search instead for 
Did you mean: 

Securing Alfresco with 5 simple steps

angelborroy
Alfresco Employee
4 2 3,415

Official documentation includes a number of measures that can be taken in order to improve default security provided by the platform:
https://docs.alfresco.com/content-services/latest/admin/securing-install/

In this blog post, 5 simple stepts related to that information are covered:

  1. Password storage
  2. Web Proxy
  3. TLS for Web Proxy
  4. mTLs for Alfresco-Solr communication
  5. ActiveMQ credentials

 

 

security-architecture.png

 

 

Alfresco Docker Installer

Alfresco Docker Installer, available in https://github.com/alfresco/alfresco-docker-installer, may be used to generate a reference Docker Compose deployment including all the steps described below.

Use following settings to create that kind of configuration.

 

$ yo alfresco-docker-installer

? Which ACS version do you want to use? 7.1
? How may GB RAM are available for Alfresco (16 is minimum required)? 16
? Do you want to use HTTPs for Web Proxy? Yes
? What is the name of your server? localhost
? Choose the password for your admin user: hyland
? What HTTPs port do you want to use (all the services are using the same port)? 443
? Do you want to use FTP (port 2121)? No
? Do you want to use MariaDB instead of PostgreSQL? No
? Are you using different languages (this is the most common scenario)? Yes
? Would you like to use HTTP, HTTPs or Shared Secret for Alfresco-SOLR communication? https
? Do you want to use credentials for Events service (ActiveMQ)? Yes
? Choose the USERNAME for your ActiveMQ user: alfresco
? Choose the PASSWORD for your ActiveMQ user: hyland
? Do you want to create an internal SMTP server? No
? Do you want to create an internal LDAP server? No
? Select the addons to be installed:
? Are you using a Windows host to run Docker? No
? Do you want to use a start script? No


You will get some warnings related to keystores and certificates that will be covered later in this blog post.

 

---------------------------------------------------------------
WARNING: You selected HTTPs for the NGINX Web Proxy.
Default certificates localhost.cer and localhost.key have been
provided in config/cert folder.
You may replace these certificates by your own.
---------------------------------------------------------------

---------------------------------------------------------------
WARNING: You selected HTTPs communication for Alfresco-Solr.
Default keystores have been provided in keystores folder.
You may replace these certificates by your own.
Check https://github.com/Alfresco/alfresco-ssl-generator
---------------------------------------------------------------

 

All required resources are created in your local computer, including configuration for ACS, configuration for NGINX and required keystores, truststores and digital certificates.

create .env
create docker-compose.yml
create alfresco/Dockerfile
create alfresco/modules/amps/empty
create alfresco/modules/jars/empty
create share/Dockerfile
create share/web-extension/share-config-custom-dev.xml
create share/modules/amps/empty
create share/modules/jars/empty
create search/Dockerfile
create config/nginx.conf
create config/nginx.htpasswd
create config/cert/localhost.cer
create config/cert/localhost.key
create keystores/alfresco/keystore
create keystores/alfresco/ssl.keystore
create keystores/alfresco/ssl.truststore
create keystores/client/browser.p12
create keystores/solr/ssl-repo-client.keystore
create keystores/solr/ssl-repo-client.truststore


1. Password storage

By default, Alfresco stores user passwords in the database using MD4 hashing. This only applies to deployments using NTML authentication subsystem, that is the one provided by default. Since this algorithm may be enough for many use cases, a safer one can be specified by using following settings in alfresco-global.properties file (or in the alfresco service section in docker-compose.yml)

system.preferred.password.encoding=bcrypt10

This bcrypt10 setting is using a Blowfish based algorithm with salt. Despite this digest is harder to attack than MD4, salting provides the ability to store different digest for the same user password. That increments security measures against unauthorized database access.

In addition, when using new Alfresco deployments, default admin password may be changed by using a new MD4 string (hyland in the following sample) in alfresco-global.properties file (or in the alfresco service section in docker-compose.yml)

alfresco_user_store.adminpassword=967f366ac4f37d059231c40edc8c0f72


2. Web Proxy

Instead of exposing directly every service, a proxy configuration provides a single entry point for every external request. That makes easier to implement security measures and protections on your platform.

Different approaches can be followed in order to implement this recommendation, but in this Docker deployment NGINX Web Proxy is used.

Alfresco services (alfresco, share, content-app) are not exposing ports in Docker Compose and only the proxy service is exposing HTTPs default port (443). So every request to the platform is using this single entry point. Required configuration for NGINX is available in config/nginx.conf file

 

# Alfresco Content Application Proxy
location / {
  proxy_pass http://content-app:8080;
}

# Repository Proxy
location /alfresco/ {
  proxy_pass http://alfresco:8080;
}

# Api-Explorer Proxy
location /api-explorer/ {
  proxy_pass http://alfresco:8080;
}

# Share Proxy
location /share/ {
  proxy_pass http://share:8080;
}

 

Note that mTLS configuration is used for Alfresco-Solr communication, so SOLR SSL port is exposed as 8983 with mTLS to provide access to SOLR Web Console.


3. TLS for Web Proxy

A third step would be to add TLS protocol for the Web Proxy, to enable HTTPs communications with ACS applications and services. Using this approach enables encryption, that means privacy, in every operation. Remember that is recommended to use TLSv1.2 or TLSv1.3 protocol versions for this configuration, relying on digital certificates using at least 2048 bits for the RSA key.

This configuration is provided for NGINX in config/nginx.conf file

 

listen *:443 ssl;

ssl_certificate /etc/nginx/localhost.cer;
ssl_certificate_key /etc/nginx/localhost.key;
ssl_prefer_server_ciphers on;
ssl_protocols TLSv1.2 TLSv1.3;

 

In addition, server certificate is available in config/cert folder (both public and private key) and this is the origin of the first warning:

---------------------------------------------------------------
WARNING: You selected HTTPs for the NGINX Web Proxy.
Default certificates localhost.cer and localhost.key have been
provided in config/cert folder.
You may replace these certificates by your own.
---------------------------------------------------------------

Remember to use your own certificate (RSA 2048 bits is recommended) when using this approach for real word deployments.


4. mTLS for Alfresco-Solr communication

Alfresco and SOLR communication is not authenticated when using plain HTTP protocol. The fourth step includes a safer configuration for this communication, that may be based in Shared Secret HTTP Header or Mutual TLS. We are covering the Mutual TLS configuration, that is based in TLS v1.2 using digital certificates of 2048 bits RSA keys. Remember that Mutual TLS requires server and client certificates to ensure authentication between the parties.

Default Alfresco and Solr certificates are provided in keystores folder, hence the warning coming from the Alfresco Docker Installer.

---------------------------------------------------------------
WARNING: You selected HTTPs communication for Alfresco-Solr.
Default keystores have been provided in keystores folder.
You may replace these certificates by your own.
Check https://github.com/Alfresco/alfresco-ssl-generator
---------------------------------------------------------------

Remember to create your own set of keystores and truststores (by using https://github.com/Alfresco/alfresco-ssl-generator or some other PKI software) when using this approach for real word deployments.


5. ActiveMQ credentials

This service is used for asynchronous messages production and consumption. Alfresco Repository is producing messages every time a document is created or updated, while Alfresco Event API (the Out Of Process SDK) is consuming these messages. Using credentials authentication protects unauthorized access to this resource.

Username and password can be added to activemq service by using following environment variables in docker-compose.yml file

 

activemq:
  image: alfresco/alfresco-activemq:${ACTIVEMQ_TAG}
  environment:
    ACTIVEMQ_ADMIN_LOGIN: "alfresco"
    ACTIVEMQ_ADMIN_PASSWORD: "hyland"

In addition, repository service needs to be aware of this credentials by using following properties in alfresco-global.properties file (or in the alfresco service section in docker-compose.yml)

messaging.broker.username=alfresco
messaging.broker.password=hyland

When using Alfresco Java Events SDK (Out Of Process - https://github.com/Alfresco/alfresco-java-sdk) you need to add credentials to application.properties file

spring.activemq.username=alfresco
spring.activemq.password=hyland


If you want to see all that live on a video, check it out in:

 

About the Author
Angel Borroy is Hyland Developer Evangelist. Over the last 15 years, he has been working as a software architect on Java, BPM, document management and electronic signatures. He has been working with Alfresco during the last years to customize several implementations in large organizations and to provide add-ons to the Community based on Record Management and Electronic Signature. He writes (sometimes) on his personal blog http://angelborroy.wordpress.com. He is (proud) member of the Order of the Bee.
2 Comments