Upgrading to ACS 7.2

angelborroy · ‎4 Apr 2022

In this blog post we deal with the most important configuration change introduced with the release of ACS 7.2. Since the plain HTTP communication mode between Alfresco Repository and Search Services is deprecated, you may need to adjust your configuration to use one of the supported communication modes: Mutual TLS or Secret Header.

A regular Alfresco deployment includes a set of services that provide all the required functionality for the ACS stack. This blog post focus on the communication mode between the Alfresco Repository and the Search Services, which is based on Solr 6.

There are three different communication modes available:

'none' uses the plain HTTP protocol without authentication, so you need to protect this communication with an external configuration, such as NGINX Web Proxy configuration, to prevent external access to Repository and Solr 6 endpoints.
'https' uses the Mutual TLS protocol, where you need to create a set of keystore and truststore files, including digital certificates, that ensure authentication between the two services
'secret' uses a common secret word in a special HTTP header, so that communication is not using authentication but is protected by the configuration of this secret word in Alfresco and Search Services

The modes "none" and "https" are available for ACS 6.x as well as for ACS 7.0 and 7.1. As of ACS 7.2, only the modes "secret" and "https" are available.

Screenshot 2022-04-04 at 14.34.56.png

Call to Action

If you have previously used 'https', no configuration changes are required.
If you previously used 'none' and want to use Mutual TLS ('https') as part of the upgrade, keystore and truststore files must be created and configured: https://docs.alfresco.com/search-services/latest/install/options/#install-with-mutual-tls
If you previously used "none" and want to use Secret Header ("secret") as part of the upgrade, you must select a secret word and configure it in Repository and Search Services: https://docs.alfresco.com/search-services/latest/install/options/#install-without-mutual-tls-http-wi...

Notes on Secret mode configuration

When applying configuration to Search Services, using environment variables (for ZIP Distribution deployment and also for Docker / Helm deployment) is required.

 -Dalfresco.secureComms=secret
 -Dalfresco.secureComms.secret=password

When using SOLR command line tools, it's required to use alternatively HTTP REST API invocations. For instance, the replacement for bin/solr status is:

$ curl --location --request POST 'http://localhost:8983/solr/admin/cores?action=STATUS&wt=json' \
--header 'X-Alfresco-Search-Secret: secret'

Additional details

Additional details on the configuration and a sample upgrading process is described in the following video recording.

mohitashah1 · ‎13 Apr 2022

Greetings Angel,

I'm not entirely sure, if I can post this question on this Blog Post. If it is inappropriate - please delete it Sir.

I tried upgrading from Alfresco v 7.1.x to Alfresco 7.2 by simply replacing the Alfresco v 7.1.x war files with the Alfresco 7.2 war files in the tomcat\webapps folder.

I get the following Exception:

Caused by: java.lang.ClassNotFoundException: net.sf.ehcache.CacheManager
at org.apache.catalina.loader.WebappClassLoaderBase.loadClass(WebappClassLoaderBase.java:1407)
at org.apache.catalina.loader.WebappClassLoaderBase.loadClass(WebappClassLoaderBase.java:1215)
at java.base/java.lang.Class.forName0(Native Method)
at java.base/java.lang.Class.forName(Class.java:398)
at java.base/sun.reflect.generics.factory.CoreReflectionFactory.makeNamedType(CoreReflectionFactory.java:114)
... 63 more

Any thoughts/suggestions on this issue ?

Regards,

-Mohit

angelborroy · ‎13 Apr 2022

That is not the recommended / tested approach for upgrading.

You can understand this process in the official documentation: https://docs.alfresco.com/content-services/latest/upgrade/

sufo · ‎17 May 2022

If you are trying to run 7,2 Community with secureComms=secret via Helm, you probably will find out that solr won't work and will log error about ssl keystore similar to this: https://hub.alfresco.com/t5/alfresco-content-services-forum/solr-error-failed-to-initialize-keystore...

Just change this line:
https://github.com/Alfresco/acs-deployment/blob/f41e950ac0862cc62e49dc0dabbc98a924d0b634/helm/alfres...
to:

    {{ printf "-Dalfresco.secureComms=secret -Dalfresco.secureComms.secret=%s " (include "tracking-shared-secret" .) | b64enc | indent 2 }}

And try again.

Happy helming

aitseitz · ‎19 May 2022

Helpful Information from the Video regarding the shared secret communcation method between Solr and Alfresco Repository:

I use the Browser Extension "ModHeader" for Chromium
https://docs.modheader.com/
https://chrome.google.com/webstore/detail/modheader/idgpnmonknjnojddfkpgkljpfnnfcklj?hl=de
to test the solr commmuncation method with the shared secret.

In addition the url shown in @angelborroy video
http://localhost:8080/alfresco/s/api/solr/transactions
is very helpful to test if you're configured shared secret works to access alfresco repository. Activate the ModHeader with the corresponding solr shared secret

you've configured in the alfresco-global.properties.

For Solr distributuin zip installation, I'm passing the shared secret in via solr.in.sh as SOLR_OPTS:

# Solr Communication Method via Secret
# https://docs.alfresco.com/search-services/latest/install/options/#install-without-mutual-tls-http-with-secret-word-in-request-header
SOLR_OPTS="$SOLR_OPTS -Dalfresco.secureComms=secret -Dalfresco.secureComms.secret=mysolrsecret"

which in my opinion is a better approach then passing it into as JAVA_OPTS into the systemd unit file.

Abhinav18 · ‎7 Jul 2022

Hi Angel,

If we upgrade to version 7.2 is there a way to revert back to the previous version.

Please let me know what you think and if there are any guidelines we should follow if it is possible.

Regards,

Abhinav

Upgrading to ACS 7.2

Upgrading to ACS 7.2

We use cookies on this site to enhance your user experience