Shared Secret Communication Mode for Repository and SOLR

cancel
Showing results for 
Search instead for 
Did you mean: 

Shared Secret Communication Mode for Repository and SOLR

angelborroy
Alfresco Employee
1 13 11.9K

ACS 7.1 includes a new mode for Alfresco/SOLR Communication named secret.

This is an additional mode to the existent ones (http and mtls) that provides an intermmediate level of security to protect this communications from unauthorized access.

Communication between Repository and SOLR happens using plain HTTP protocol with a Shared Secret in HTTP Header.

Configuration for Alfresco Repository

Recommended settings for alfresco-global.properties or Java Environment variables.

solr.host=solr6
solr.port=8983
solr.secureComms=secret
solr.sharedSecret=secret

You may use a more complex secret word than "secret" for your "solr.sharedSecret" property.

Configuration for Search Services

Recommended settings for solrcore.properties (remember to add these settings to both cores: alfresco and archive)

alfresco.host=alfresco
alfresco.port=8080
alfresco.secureComms=secret
alfresco.secureComms.secret=secret

You must use the same secret word configured in repository property ("solr.sharedSecret") as "alfresco.secureComms.secret" value.

This mode doesn't include authentication by default, but it will require to add the shared secret word ("secret" in the abova sample) in HTTP Header requests using by default X-Alfresco-Search-Secret property.

Accessing SOLR Web Console requires using a Browser plugin to add this header to the HTTP Request.

Additional information

More information about Alfresco/SOLR Communication modes is available in:

Deployment source code for the different modes is available in https://github.com/AlfrescoLabs/alfresco-solr-comm

About the Author
Angel Borroy is Hyland Developer Evangelist. Over the last 15 years, he has been working as a software architect on Java, BPM, document management and electronic signatures. He has been working with Alfresco during the last years to customize several implementations in large organizations and to provide add-ons to the Community based on Record Management and Electronic Signature. He writes (sometimes) on his personal blog http://angelborroy.wordpress.com. He is (proud) member of the Order of the Bee.
13 Comments
upforsin
Senior Member

Hello @angelborroy and thank you for the new feature.

I've been testing it out with Alfresco Community 7.1 and I can tell it works pretty well when "alfresco.secureComms.secret" is passed via a console argument ( -Dalfresco.secureComms.secret=xxx) but is not detected when specified in the solrcore.proprties (alfresco.secureComms.secret=xxx)

Caused by: java.lang.RuntimeException: Missing value for alfresco.secureComms.secret configuration property

Do you have any idea if I am doing sth wrong or is it a bug?

angelborroy
Alfresco Employee

Are you including the property in both solrcore.properties files for alfresco and archive cores?

upforsin
Senior Member

@angelborroy  I include it both in the rerank and noRerank templates. Before alfresco and archive cores are created.

angelborroy
Alfresco Employee

You're right @upforsin 

I was able to reproduce it locally and getting the same error.

I've opened an issue to fix that.

Thanks!

Phfirst
Active Member

Hello Community,

I'm a beginner working on deploying alfresco 7.2 using Docker Compose.

I'm a bit stuck at starting the Solr service in the browser with the url  http://localhost:8083/solr. Research says to use a plugin for secret communication mode (witch is default on Alfresco 7.2).

I would like to know if it has a specific plugin that needs to be added; if not, which one do you recommend on Ubuntu using firefox browser. Or is there any other way to solve this probem?

This is what the http://localhost:8083/solr page displays:

HTTP ERROR 403

Problem accessing /solr/. Reason:

Authentication failure: "secret" method has been selected, use the right request header with the secret word

Thanks!

 

angelborroy
Alfresco Employee
Phfirst
Active Member

Thank you for the suggestion!

I hadn't used this plugin defore, now I added it. But I haven't found a solution.

Here is what gives the interface of this plugin:

Capture d’écran du 2022-05-13 17-39-01.png

I remember that I had tried Authentificator, Http Evrywhere plugin but no solution as it should been in the 10th minute of your video :

https://www.youtube.com/watch?v=RQLQFNBAVWE 

 

Phfirst
Active Member

Please, could anyone find a solution for my problem?

angelborroy
Alfresco Employee
Phfirst
Active Member

BIg thank you sir @angelborroy.

Solr starts normally now as expected whith that plugin.

visagu55
Member II

Hello, thanks for the good explanation, I'm having some troubles to use this secret communication mode using the pysolr client, is there any recommendation you can provide?

cesarista
Customer

Hi Angel:

A quick question. Is this valid for ACS 6.2 ? If not, may you use  ACS 6.2 and ASS 2.0.3 with solr.secureComms=none ? 

Regards and thanks in advance.

--C-

NickLee
Member II

I was experiencing the same issue, solved it by adding this extension on my browser https://chrome.google.com/webstore/detail/modheader/idgpnmonknjnojddfkpgkljpfnnfcklj?hl=en.

I also added the header

X-Alfresco-Search-Secret

The secret can be found on the docker-compose.yml file

alf.png

This is how I added the header

pf2.png