ACS 23.2.1 Enterprise keystore issues

mparsons
Member II


I'm having trouble configuring the keystores properly due to the inconsistent documentation.  I am completely new to ACS and tasked with installing it on Windows.

Documentation says:

1. For catalina.bat, configure the below; however, when I look at the keystore-passwords.properties file, it says that is deprecated.  Also, is the standard keystore type JCEKS or PKCS12?

 Alfresco Docs - Install on Tomcat
set "JAVA_TOOL_OPTIONS=-Dencryption.keystore.type=JCEKS -Dencryption.cipherAlgorithm=DESede/CBC/PKCS5Padding -Dencryption.keyAlgorithm=DESede -Dencryption.keystore.location=<TOMCAT_HOME>/alf_data/keystore/metadata-keystore/keystore -Dmetadata-keystore.password=mp6yc0UD9e -Dmetadata-keystore.aliases=metadata -Dmetadata-keystore.metadata.password=oKIWzVdEdA -Dmetadata-keystore.metadata.algorithm=DESede"

2. When configuring the Tomcat server.xml file for the 8443 connector, it keeps throwing errors stating:

WARNING [main] org.apache.tomcat.util.digester.SetPropertiesRule.begin Match [Server/Service/Connector] failed to set property [clientAuth] to [true]
[main] org.apache.tomcat.util.digester.SetPropertiesRule.begin Match [Server/Service/Connector/SSLHostConfig/Certificate] failed to set property [certificatekeystoreFile] to [D:\alfresco-content-services\alf_data\keystore\ssl.keystore]
[main] org.apache.tomcat.util.digester.SetPropertiesRule.begin Match [Server/Service/Connector/SSLHostConfig/Certificate] failed to set property [certificatekeystorePass] to [password]
WARNING [main] org.apache.tomcat.util.digester.SetPropertiesRule.begin Match [Server/Service/Connector/SSLHostConfig/Certificate] failed to set property [certificatetruststoreFile] to [D:\alfresco-content-services\alf_data\keystore\ssl.truststore]
WARNING [main] org.apache.tomcat.util.digester.SetPropertiesRule.begin Match [Server/Service/Connector/SSLHostConfig/Certificate] failed to set property [certificatetruststorePass] to [password]
WARNING [main] org.apache.tomcat.util.digester.SetPropertiesRule.begin Match [Server/Service/Connector/SSLHostConfig/Certificate] failed to set property [certificateTruststoreType] to [PKCS12]

This is my config for the connector:

<Connector port="8443" protocol="HTTP/1.1"
           connectionTimeout="20000"
           maxHttpHeaderSize="32768"
           SSLEnabled="true" scheme="https" secure="true"
           clientAuth="true">
  <SSLHostConfig sslProtocol="TLSv1.2">
    <Certificate
      certificatekeystoreFile="D:\alfresco-content-services\alf_data\keystore\ssl.keystore"
      certificatekeystorePass="keypassword"
      certificateKeystoreType="JCEKS"
      certificatetruststoreFile="D:\alfresco-content-services\alf_data\keystore\ssl.truststore"
      certificatetruststorePass="trustpw"
      certificateTruststoreType="JCEKS"
    />
  </SSLHostConfig>
</Connector>
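
The connector below is an added example (not part of the original post or of Alfresco's documentation) showing the SSLHostConfig-style attribute names that Tomcat's digester actually recognises, which is what the "failed to set property" warnings are about. It keeps the post's paths, JCEKS store types and placeholder passwords (`keypassword`, `trustpw`); those are assumptions to replace with the real values. Three things differ from the posted config: client certificate verification is set with `certificateVerification` on `<SSLHostConfig>` rather than `clientAuth` on `<Connector>`; the truststore attributes (`truststoreFile`, `truststorePassword`, `truststoreType`) belong on `<SSLHostConfig>`, not `<Certificate>`; and the `<Certificate>` attribute names are case sensitive (`certificateKeystoreFile`, `certificateKeystorePassword`), so `certificatekeystoreFile` and `certificatekeystorePass` are silently ignored.

```xml
<!-- Added example, not the original post's config. Paths, store types and
     passwords are the post's placeholders; replace them with your own. -->
<Connector port="8443" protocol="HTTP/1.1"
           connectionTimeout="20000"
           maxHttpHeaderSize="32768"
           SSLEnabled="true" scheme="https" secure="true">
  <!-- "required" = mutual TLS: every client of 8443 must present a certificate
       that chains to something in the truststore. Use "optional" while testing
       if you need to reach the port from a browser without a client cert. -->
  <SSLHostConfig sslProtocol="TLSv1.2"
                 protocols="TLSv1.2"
                 certificateVerification="required"
                 truststoreFile="D:\alfresco-content-services\alf_data\keystore\ssl.truststore"
                 truststorePassword="trustpw"
                 truststoreType="JCEKS">
    <!-- Attribute names are case sensitive: certificateKeystoreFile, not
         certificatekeystoreFile; certificateKeystorePassword, not ...Pass. -->
    <Certificate certificateKeystoreFile="D:\alfresco-content-services\alf_data\keystore\ssl.keystore"
                 certificateKeystorePassword="keypassword"
                 certificateKeystoreType="JCEKS" />
  </SSLHostConfig>
</Connector>
```

If `ssl.keystore` holds more than one key entry, add `certificateKeyAlias="..."` on `<Certificate>` so Tomcat does not pick the wrong one; and after restarting, the absence of any `SetPropertiesRule ... failed to set property` line for this connector in the Tomcat log is the check that every attribute was accepted.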

3 Replies
angelborroy
Alfresco Employee

Re: ACS 23.2.1 Enterprise keystore issues

In addition to documentation, this may help you to understand the task:

https://hub.alfresco.com/t5/news-announcements/tech-talk-live-157-slides-and-recording/ba-p/321141/j...

https://github.com/aborroy/alfresco-mtls-debugging-kit

 

Hyland Developer Evangelist
mparsons
Member II

Re: ACS 23.2.1 Enterprise keystore issues

Thanks, I have watched the talk, which provides some better detail.  However, I noticed you are using Docker and step-ca in your demo; is the Alfresco-SSL-generator tool not supported?  You also mention using the community.sh script to generate certificates, but that doesn't appear to be available in the Windows folder.

mparsons
Member II

Re: ACS 23.2.1 Enterprise keystore issues

Also, can you let me know what file the configuration in catalina.bat should be configured for?  Is it intended to point to the file "keystore" that is generated in the \ssl-tool-win\keystores\alfresco dir using the Alfresco SSL tool, or the ssl.keystore or ssl.truststore file?  If it is the keystore file, is it in JCEKS format and what are the passwords?  Alfresco fails to start with the error "Failed to create key: metadata in key store: Location: D:/alfresco-content-services/alf_data/keystore/keystore".

Documentation says to configure:

set "JAVA_TOOL_OPTIONS=-Dencryption.keystore.type=JCEKS -Dencryption.cipherAlgorithm=DESede/CBC/PKCS5Padding -Dencryption.keyAlgorithm=DESede -Dencryption.keystore.location=<TOMCAT_HOME>/alf_data/keystore/metadata-keystore/keystore -Dmetadata-keystore.password=mp6yc0UD9e -Dmetadata-keystore.aliases=metadata -Dmetadata-keystore.metadata.password=oKIWzVdEdA -Dmetadata-keystore.metadata.algorithm=DESede"
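
The metadata keystore the `-Dencryption.*` and `-Dmetadata-keystore.*` properties describe is a separate file from `ssl.keystore` and `ssl.truststore`: it holds one DESede secret key under the alias `metadata`, and a secret key can only live in a JCEKS (or PKCS12) store, not in JKS, which is why the type in catalina.bat is JCEKS. The script below is an added example (not from the original post, the Alfresco docs or the SSL generator) that creates that file with the JDK's `keytool`, checks that the entry and passwords line up, and prints the matching `set "JAVA_TOOL_OPTIONS=..."` line. It assumes `keytool` is on `PATH`, that `TOMCAT_HOME` is `D:\alfresco-content-services` as in the post, and it reuses the documentation's sample passwords only as placeholders.

```powershell
# Added example, not code from the original post or from Alfresco.
# Assumes keytool (from the JDK) is on PATH and TOMCAT_HOME is the path below.
$tomcatHome  = 'D:\alfresco-content-services'
$keystoreDir = Join-Path $tomcatHome 'alf_data\keystore\metadata-keystore'
$keystore    = Join-Path $keystoreDir 'keystore'

# Placeholders copied from the docs' example: replace them. Anything passed as a
# -D option is readable by anyone who can list the Tomcat process's command line.
$storePass = 'mp6yc0UD9e'
$keyPass   = 'oKIWzVdEdA'

New-Item -ItemType Directory -Force -Path $keystoreDir | Out-Null

# Create the DESede secret key under alias "metadata". -storetype JCEKS is what
# makes a SecretKeyEntry possible; a JKS store would reject -genseckey.
if (-not (Test-Path $keystore)) {
    & keytool -genseckey -alias metadata -keyalg DESede -keysize 168 `
        -keystore $keystore -storetype JCEKS `
        -storepass $storePass -keypass $keyPass
    if ($LASTEXITCODE -ne 0) { throw 'keytool -genseckey failed' }
}

# Check: listing with the store password must succeed and must show the
# "metadata" alias as a SecretKeyEntry. If this fails (wrong file, wrong store
# type, wrong password, no such alias), Alfresco cannot load the key either.
$listing = (& keytool -list -keystore $keystore -storetype JCEKS -storepass $storePass 2>&1) | Out-String
if ($LASTEXITCODE -ne 0) { throw "keytool -list failed: $listing" }
if ($listing -notmatch 'metadata.*SecretKeyEntry') {
    throw "Keystore $keystore has no 'metadata' SecretKeyEntry"
}

# Emit the catalina.bat line that matches what was just created. Use straight
# quotes in the .bat file; the curly quotes that come from pasting a web page
# are not understood by cmd's "set".
$jvmOpts = @(
    '-Dencryption.keystore.type=JCEKS',
    '-Dencryption.cipherAlgorithm=DESede/CBC/PKCS5Padding',
    '-Dencryption.keyAlgorithm=DESede',
    "-Dencryption.keystore.location=$keystore",
    "-Dmetadata-keystore.password=$storePass",
    '-Dmetadata-keystore.aliases=metadata',
    "-Dmetadata-keystore.metadata.password=$keyPass",
    '-Dmetadata-keystore.metadata.algorithm=DESede'
) -join ' '
Write-Output "set `"JAVA_TOOL_OPTIONS=$jvmOpts`""
```

Run it once as the account that will own the Alfresco installation, then paste the printed `set` line into catalina.bat. The point of the `keytool -list` check is that `encryption.keystore.location` has to name this secret-key file, whatever directory it ends up in; the `ssl.keystore` and `ssl.truststore` files from the SSL generator contain certificates and TLS private keys, not a `metadata` secret key, and they are only referenced from server.xml.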