ACS 23.2.1 Enterprise keystore issues

mparsons · ‎19 Jun 2024

I'm having trouble configuring the keystores properly due to the inconsitent documentation. I am completely new to ACS and tasked with installing it on Windows.

Documentation says:

1. For catalina.bat, configure the below; however when I look at the keystore-passwords.properties file, it says that is deprecated. Also, is the standard keystore type JCEKS or PCKS12?

Alfresco Docs - Install on Tomcat
set “JAVA_TOOL_OPTIONS=-Dencryption.keystore.type=JCEKS -Dencryption.cipherAlgorithm=DESede/CBC/PKCS5Padding -Dencryption.keyAlgorithm=DESede -Dencryption.keystore.location=<TOMCAT_HOME>/alf_data/keystore/metadata-keystore/keystore -Dmetadata-keystore.password=mp6yc0UD9e -Dmetadata-keystore.aliases=metadata -Dmetadata-keystore.metadata.password=oKIWzVdEdA -Dmetadata-keystore.metadata.algorithm=DESede”

2. When configuring the Tomcat server.xml file for the 8443 connector, it keeps throwing errors stating:

WARNING [main] org.apache.tomcat.util.digester.SetPropertiesRule.begin Match [Server/Service/Connector] failed to set property [clientAuth] to [true]
[main] org.apache.tomcat.util.digester.SetPropertiesRule.begin Match [Server/Service/Connector/SSLHostConfig/Certificate] failed to set property [certificatekeystoreFile] to [D:\alfresco-content-services\alf_data\keystore\ssl.keystore]
[main] org.apache.tomcat.util.digester.SetPropertiesRule.begin Match [Server/Service/Connector/SSLHostConfig/Certificate] failed to set property [certificatekeystorePass] to [password]
WARNING [main] org.apache.tomcat.util.digester.SetPropertiesRule.begin Match [Server/Service/Connector/SSLHostConfig/Certificate] failed to set property [certificatetruststoreFile] to [D:\alfresco-content-services\alf_data\keystore\ssl.truststore]
WARNING [main] org.apache.tomcat.util.digester.SetPropertiesRule.begin Match [Server/Service/Connector/SSLHostConfig/Certificate] failed to set property [certificatetruststorePass] to [password]
WARNING [main] org.apache.tomcat.util.digester.SetPropertiesRule.begin Match [Server/Service/Connector/SSLHostConfig/Certificate] failed to set property [certificateTruststoreType] to [PKCS12]

This is my config for the connector:

angelborroy · ‎20 Jun 2024

In addition to documentation, this may help you to understand the task:

https://hub.alfresco.com/t5/news-announcements/tech-talk-live-157-slides-and-recording/ba-p/321141/j...

https://github.com/aborroy/alfresco-mtls-debugging-kit

Hyland Developer Evangelist

mparsons · ‎20 Jun 2024

Thanks I have watched the talk which provides some better detail. However, I noticed you are using Docker and step-ca in your demo; is the Alfresco-SSL-generator tool not supported? You also mention using the community.sh script to generate certificates, but that doesn't apppear to be available in the Windows folder.

mparsons · ‎20 Jun 2024

Also, can you let me know what file the configuration in catalina.bat should be configured for? Is it intended to point to the file "keystore" that is generated in the \ssl-tool-win\keystores\alfresco dir using the Alfresco SSL tool, or the ssl.keystore or ssl.truststore file? If it is the keystore file, is it in JCEKS format and what are the passwords? Alfresco fails to start with the error "Failed to create key: metadata in key store: Location: D:/alfresco-content-services/alf_data/keystore/keystore".

Documentation says to configure:

set “JAVA_TOOL_OPTIONS=

-Dencryption.keystore.type=JCEKS

-Dencryption.cipherAlgorithm=DESede/CBC/PKCS5Padding

-Dencryption.keyAlgorithm=DESede

-Dencryption.keystore.location=<TOMCAT_HOME>/alf_data/keystore/metadata-keystore/keystore

-Dmetadata-keystore.password=mp6yc0UD9e

-Dmetadata-keystore.aliases=metadata

-Dmetadata-keystore.metadata.password=oKIWzVdEdA

-Dmetadata-keystore.metadata.algorithm=DESede”