I'm having trouble configuring the keystores properly due to the inconsistent documentation. I am completely new to ACS and tasked with installing it on Windows.
Documentation says:
1. For catalina.bat, configure the below; however, when I look at the keystore-passwords.properties file, it says that is deprecated. Also, is the standard keystore type JCEKS or PKCS12?
Alfresco Docs - Install on Tomcat
set "JAVA_TOOL_OPTIONS=-Dencryption.keystore.type=JCEKS -Dencryption.cipherAlgorithm=DESede/CBC/PKCS5Padding -Dencryption.keyAlgorithm=DESede -Dencryption.keystore.location=<TOMCAT_HOME>/alf_data/keystore/metadata-keystore/keystore -Dmetadata-keystore.password=mp6yc0UD9e -Dmetadata-keystore.aliases=metadata -Dmetadata-keystore.metadata.password=oKIWzVdEdA -Dmetadata-keystore.metadata.algorithm=DESede"
2. When configuring the Tomcat server.xml file for the 8443 connector, it keeps throwing errors stating:
WARNING [main] org.apache.tomcat.util.digester.SetPropertiesRule.begin Match [Server/Service/Connector] failed to set property [clientAuth] to [true]
[main] org.apache.tomcat.util.digester.SetPropertiesRule.begin Match [Server/Service/Connector/SSLHostConfig/Certificate] failed to set property [certificatekeystoreFile] to [D:\alfresco-content-services\alf_data\keystore\ssl.keystore]
[main] org.apache.tomcat.util.digester.SetPropertiesRule.begin Match [Server/Service/Connector/SSLHostConfig/Certificate] failed to set property [certificatekeystorePass] to [password]
WARNING [main] org.apache.tomcat.util.digester.SetPropertiesRule.begin Match [Server/Service/Connector/SSLHostConfig/Certificate] failed to set property [certificatetruststoreFile] to [D:\alfresco-content-services\alf_data\keystore\ssl.truststore]
WARNING [main] org.apache.tomcat.util.digester.SetPropertiesRule.begin Match [Server/Service/Connector/SSLHostConfig/Certificate] failed to set property [certificatetruststorePass] to [password]
WARNING [main] org.apache.tomcat.util.digester.SetPropertiesRule.begin Match [Server/Service/Connector/SSLHostConfig/Certificate] failed to set property [certificateTruststoreType] to [PKCS12]
This is my config for the connector:
<Connector port="8443" protocol="HTTP/1.1"
           connectionTimeout="20000"
           maxHttpHeaderSize="32768"
           SSLEnabled="true" scheme="https" secure="true"
           clientAuth="true">
  <SSLHostConfig sslProtocol="TLSv1.2">
    <Certificate
      certificatekeystoreFile="D:\alfresco-content-services\alf_data\keystore\ssl.keystore"
      certificatekeystorePass="keypassword"
      certificateKeystoreType="JCEKS"
      certificatetruststoreFile="D:\alfresco-content-services\alf_data\keystore\ssl.truststore"
      certificatetruststorePass="trustpw"
      certificateTruststoreType="JCEKS"
    />
  </SSLHostConfig>
</Connector>
In addition to documentation, this may help you to understand the task:
https://github.com/aborroy/alfresco-mtls-debugging-kit
Thanks, I have watched the talk, which provides some better detail. However, I noticed you are using Docker and step-ca in your demo; is the Alfresco-SSL-generator tool not supported? You also mention using the community.sh script to generate certificates, but that doesn't appear to be available in the Windows folder.
Also, can you let me know what file the configuration in catalina.bat should be configured for? Is it intended to point to the file "keystore" that is generated in the \ssl-tool-win\keystores\alfresco dir using the Alfresco SSL tool, or the ssl.keystore or ssl.truststore file? If it is the keystore file, is it in JCEKS format and what are the passwords? Alfresco fails to start with the error "Failed to create key: metadata in key store: Location: D:/alfresco-content-services/alf_data/keystore/keystore".
Documentation says to configure:
set "JAVA_TOOL_OPTIONS=
-Dencryption.keystore.type=JCEKS
-Dencryption.cipherAlgorithm=DESede/CBC/PKCS5Padding
-Dencryption.keyAlgorithm=DESede
-Dencryption.keystore.location=<TOMCAT_HOME>/alf_data/keystore/metadata-keystore/keystore
-Dmetadata-keystore.password=mp6yc0UD9e
-Dmetadata-keystore.aliases=metadata
-Dmetadata-keystore.metadata.password=oKIWzVdEdA
-Dmetadata-keystore.metadata.algorithm=DESede"
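The following PowerShell script is an added example for both questions in this thread; it is not code from the original posts, from Alfresco, from Tomcat or from the linked debugging kit. It (1) creates and verifies the metadata keystore that `-Dencryption.keystore.location` must point at (a JCEKS store with a single DESede secret key under the alias `metadata`, which is a different file from `ssl.keystore` and `ssl.truststore`), (2) writes the matching `JAVA_TOOL_OPTIONS` line with straight quotes, and (3) replaces the 8443 connector with one whose attribute names Tomcat 8.5/9 accepts: `certificateKeystoreFile`/`certificateKeystorePassword` are case-sensitive and belong on `<Certificate>`, the truststore settings are `truststoreFile`/`truststorePassword`/`truststoreType` on `<SSLHostConfig>`, and client-certificate authentication is `certificateVerification="required"` on `<SSLHostConfig>` rather than `clientAuth` on the `<Connector>`. Everything marked "assumption" (install root, Tomcat location, the SSL keystore passwords, the helper file name) is a placeholder to replace; the metadata passwords are the placeholder values from the documentation quoted above and should be changed for a real deployment.

```powershell
# Added example, not code from Alfresco, Tomcat, or the alfresco-mtls-debugging-kit.
# Assumptions (change them): install root D:\alfresco-content-services, Tomcat under
# <root>\tomcat, ssl.keystore / ssl.truststore from the SSL tool already copied into
# <root>\alf_data\keystore, and keytool from the JDK that runs Tomcat on PATH.
$ErrorActionPreference = 'Stop'

$AlfHome      = 'D:\alfresco-content-services'           # assumption
$TomcatHome   = Join-Path $AlfHome 'tomcat'               # assumption
$KeystoreDir  = Join-Path $AlfHome 'alf_data\keystore'
$MetaDir      = Join-Path $KeystoreDir 'metadata-keystore'
$MetaStore    = Join-Path $MetaDir 'keystore'             # -Dencryption.keystore.location
$StorePass    = 'mp6yc0UD9e'    # -Dmetadata-keystore.password (doc placeholder, change it)
$KeyPass      = 'oKIWzVdEdA'    # -Dmetadata-keystore.metadata.password (doc placeholder)
$SslStorePass = 'keypassword'   # password given to the SSL tool for ssl.keystore (assumption)
$TrustPass    = 'trustpw'       # password given to the SSL tool for ssl.truststore (assumption)

# --- 1. Metadata keystore: a JCEKS store holding ONE DESede secret key, alias "metadata".
# "Failed to create key: metadata in key store" is what Alfresco reports when the alias,
# the store password or the key password do not match the -Dmetadata-keystore.* properties.
New-Item -ItemType Directory -Force -Path $MetaDir | Out-Null
if (-not (Test-Path $MetaStore)) {
    & keytool -genseckey -alias metadata -keyalg DESede `
        -keystore $MetaStore -storetype JCEKS `
        -storepass $StorePass -keypass $KeyPass
    if ($LASTEXITCODE -ne 0) { throw "keytool -genseckey failed (exit $LASTEXITCODE)" }
}

# Verify what Alfresco will see: store type JCEKS and a SecretKeyEntry named "metadata".
# (The patterns match the English-language keytool output.)
$listing = (& keytool -list -keystore $MetaStore -storetype JCEKS -storepass $StorePass) -join "`n"
if ($listing -notmatch 'Keystore type: JCEKS' -or $listing -notmatch '(?m)^metadata,.*SecretKeyEntry') {
    throw "Metadata keystore is not what Alfresco expects:`n$listing"
}

# --- 2. JVM options for catalina.bat: one line, straight quotes, forward slashes in the path.
# Written to a helper .bat (name is an assumption) that you 'call' from catalina.bat/setenv.bat.
$javaToolOptions = @(
    '-Dencryption.keystore.type=JCEKS'
    '-Dencryption.cipherAlgorithm=DESede/CBC/PKCS5Padding'
    '-Dencryption.keyAlgorithm=DESede'
    "-Dencryption.keystore.location=$($MetaStore -replace '\\', '/')"
    "-Dmetadata-keystore.password=$StorePass"
    '-Dmetadata-keystore.aliases=metadata'
    "-Dmetadata-keystore.metadata.password=$KeyPass"
    '-Dmetadata-keystore.metadata.algorithm=DESede'
) -join ' '
$helperBat = Join-Path $TomcatHome 'bin\setenv-alfresco.bat'
Set-Content -Path $helperBat -Value "set `"JAVA_TOOL_OPTIONS=$javaToolOptions`""

# --- 3. Tomcat 8.5/9 connector with the attribute names the digester actually knows:
# case-sensitive *Keystore* names on <Certificate>, truststore* on <SSLHostConfig>, and
# mutual TLS via certificateVerification="required" instead of the old clientAuth.
$connectorXml = @"
<Connector port="8443" protocol="HTTP/1.1"
           connectionTimeout="20000" maxHttpHeaderSize="32768"
           SSLEnabled="true" scheme="https" secure="true">
  <SSLHostConfig protocols="TLSv1.2" certificateVerification="required"
                 truststoreFile="$KeystoreDir\ssl.truststore"
                 truststorePassword="$TrustPass"
                 truststoreType="JCEKS">
    <Certificate certificateKeystoreFile="$KeystoreDir\ssl.keystore"
                 certificateKeystorePassword="$SslStorePass"
                 certificateKeystoreType="JCEKS" />
  </SSLHostConfig>
</Connector>
"@

$serverXml = Join-Path $TomcatHome 'conf\server.xml'
Copy-Item $serverXml "$serverXml.bak" -Force                 # keep a backup before editing
[xml]$doc = Get-Content -Raw $serverXml
$new = $doc.ImportNode(([xml]$connectorXml).DocumentElement, $true)
$old = $doc.SelectSingleNode("//Connector[@port='8443']")
if ($old) { $old.ParentNode.ReplaceChild($new, $old) | Out-Null }
else      { $doc.SelectSingleNode('//Service').AppendChild($new) | Out-Null }
$doc.Save($serverXml)

Write-Host "Metadata keystore verified, $helperBat written, 8443 connector replaced. Restart Tomcat."
```

Run it from an elevated PowerShell prompt with the JDK that Tomcat uses first on PATH, then restart Tomcat and confirm that the `failed to set property` warnings are gone from `catalina.out`/the console. Because the metadata key is a secret key, keep the store and key passwords out of the copy of `catalina.bat` you check into any repository and restrict NTFS permissions on `metadata-keystore\keystore` to the account that runs Tomcat.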