Setting up Solr with mutual TLS ACS 7.2 and Search Service 2.0.

asirika
Partner


Overview 

In this post I will be highlighting the steps to set up Solr (Alfresco Search Services) with mutual TLS, so that the repository and Solr each authenticate the other with a certificate rather than trusting whatever connects on the port.

Prerequisites

  1. Set up Alfresco Content Services 7.2 following the installation guide available here: https://docs.alfresco.com/content-services/latest/install/zip/
  2. Make sure the keystore and keystore-password.properties files are placed in the relevant locations and are configured in JAVA_TOOL_OPTIONS accordingly. The keystore passwords below are the example values used throughout this post; replace them with your own.
    export  JAVA_TOOL_OPTIONS="-Dencryption.keystore.type=JCEKS -Dencryption.cipherAlgorithm=DESede/CBC/PKCS5Padding 
    -Dencryption.keyAlgorithm=DESede -Dencryption.keystore.location=/opt/alfresco-content-service7.2/alf_data/keystore/keystore
    -Dmetadata-keystore.password=mp6yc0UD9e -Dmetadata-keystore.aliases=metadata -Dmetadata-keystore.metadata.password=oKIWzVdEdA
    -Dmetadata-keystore.metadata.algorithm=DESede"
  3. Start Alfresco and make sure Alfresco is up and running without issues.

Install Search Services with mutual TLS

  1. To secure access to Search Services, you must create a new set of keystores and keys. In this example I have used generate_keystores.sh to generate the certificates. For secure key generation in a production environment refer to: https://docs.alfresco.com/search-services/latest/config/keys/#generate-secure-keys-for-ssl-communica...
  2. Download and unzip alfresco-search-services-2.0.x.zip.
  3. Create a new keystore directory under alfresco-search-services/solrhome.
  4. Copy the generated ssl.repo.client.keystore and ssl.repo.client.truststore to the alfresco-search-services/solrhome/keystore directory.
  5. Set the properties below in alfresco-search-services/solr.in.sh. The file is sourced by bin/solr, so there must be no whitespace around '=' (a line such as `SOLR_SSL_TRUST_STORE_PASSWORD= value` assigns an empty password and then tries to run `value` as a command). SOLR_SSL_NEED_CLIENT_AUTH=true is what makes the client certificate mandatory; with only WANT_CLIENT_AUTH=true Solr would request a certificate but still serve clients that present none.
    SOLR_SSL_KEY_STORE=/opt/alfresco-content-service7.2/alfresco-search-services/solrhome/keystore/ssl.repo.client.keystore
    SOLR_SSL_KEY_STORE_PASSWORD=PASSWORD-CHANGEME
    SOLR_SSL_KEY_STORE_TYPE=JCEKS
    SOLR_SSL_TRUST_STORE=/opt/alfresco-content-service7.2/alfresco-search-services/solrhome/keystore/ssl.repo.client.truststore
    SOLR_SSL_TRUST_STORE_PASSWORD=PASSWORD-CHANGEME
    SOLR_SSL_TRUST_STORE_TYPE=JCEKS
    SOLR_SSL_NEED_CLIENT_AUTH=true
    SOLR_SSL_WANT_CLIENT_AUTH=false

    SOLR_PORT=8983
    SOLR_SOLR_HOST=localhost
    SOLR_ALFRESCO_HOST=localhost
  6. Before creating the alfresco and archive cores, set alfresco.secureComms=https in alfresco-search-services/solrhome/templates/noRerank/conf/solrcore.properties. If the alfresco and archive cores already exist, ensure that alfresco.secureComms is set to https in both:
    alfresco-search-services/solrhome/alfresco/solrcore.properties
    alfresco-search-services/solrhome/archive/solrcore.properties
  7. Start Search Services with the command below, substituting your own store and key passwords (no whitespace after the '=' of each -D option, otherwise the JVM sees an empty value). Refer: https://docs.alfresco.com/search-services/latest/install/options/#install-with-mutual-tls
     Note that -Dsolr.ssl.checkPeerName=false turns off hostname verification of the peer certificate; the peer is still authenticated against the truststore, which here contains only the CA and certificates generated for this deployment, so do not reuse the option with a broader truststore.
     ./solr/bin/solr start -a "-Dcreate.alfresco.defaults=alfresco,archive
    -Dsolr.ssl.checkPeerName=false -Dsolr.allow.unsafe.resourceloading=true
    -Dssl-keystore.password=PASSWORD -Dssl-keystore.aliases=ssl-alfresco-ca,ssl-repo-client
    -Dssl-keystore.ssl-alfresco-ca.password=PASSWORD -Dssl-keystore.ssl-repo-client.password=PASSWORD
    -Dssl-truststore.password=PASSWORD -Dssl-truststore.aliases=ssl-alfresco-ca,ssl-repo,ssl-repo-client
    -Dssl-truststore.ssl-alfresco-ca.password=PASSWORD -Dssl-truststore.ssl-repo.password=PASSWORD
    -Dssl-truststore.ssl-repo-client.password=PASSWORD" -f
                                
  8. The first start fails with an error like the one below, because each core looks for the keystores in its own directory. Copy ssl.repo.client.keystore and ssl.repo.client.truststore into alfresco-search-services/solrhome/alfresco and alfresco-search-services/solrhome/archive as well:
    Caused by: java.io.FileNotFoundException: Caused by Can't find resource 'ssl.repo.client.keystore' in classpath or '/opt/alfresco-content-service7.2/alfresco-search-services/solrhome/alfresco'
  9. Restart Search Services with the command below (the same options as in step 7, minus -Dcreate.alfresco.defaults, since the cores now exist):
    ./solr/bin/solr start -a "-Dsolr.ssl.checkPeerName=false -Dsolr.allow.unsafe.resourceloading=true
    -Dssl-keystore.password=PASSWORD -Dssl-keystore.aliases=ssl-alfresco-ca,ssl-repo-client
    -Dssl-keystore.ssl-alfresco-ca.password=PASSWORD -Dssl-keystore.ssl-repo-client.password=PASSWORD
    -Dssl-truststore.password=PASSWORD -Dssl-truststore.aliases=ssl-alfresco-ca,ssl-repo,ssl-repo-client
    -Dssl-truststore.ssl-alfresco-ca.password=PASSWORD -Dssl-truststore.ssl-repo.password=PASSWORD
    -Dssl-truststore.ssl-repo-client.password=PASSWORD" -f
  10. Copy ssl.keystore and ssl.truststore into the keystore directory of Alfresco Content Services (alf_data/keystore in this example).
  11. Set the following properties in the <TOMCAT_HOME>/shared/classes/alfresco-global.properties file:
    index.subsystem.name=solr6
    solr.secureComms=https
    solr.port=8983
    solr.port.ssl=8983
     
  12. For the Tomcat SSL Connector, update the following in <TOMCAT_HOME>/conf/server.xml. Replace the example password kT9X6oe68t with the one used when the keystores were generated. clientAuth="want" makes Tomcat request the Solr client certificate without refusing connections that lack one at the TLS layer; with solr.secureComms=https the repository's Solr API endpoints additionally check for a valid client certificate, so keep the two settings together.
    <Connector port="8443" protocol="HTTP/1.1"
         SSLEnabled="true" maxThreads="150" scheme="https"
         keystoreFile="/opt/alfresco-content-service7.2/alf_data/keystore/ssl.keystore"
         keystorePass="kT9X6oe68t" keystoreType="JCEKS"
         secure="true" connectionTimeout="240000"
         truststoreFile="/opt/alfresco-content-service7.2/alf_data/keystore/ssl.truststore"
         truststorePass="kT9X6oe68t" truststoreType="JCEKS"
         clientAuth="want" sslProtocol="TLS" />
  13. Modify JAVA_TOOL_OPTIONS and append -Dssl-keystore.password=PASSWORD (again with no whitespace after '='). The full command is below.
    export JAVA_TOOL_OPTIONS="-Dencryption.keystore.type=JCEKS -Dencryption.cipherAlgorithm=DESede/CBC/PKCS5Padding -Dencryption.keyAlgorithm=DESede
    -Dencryption.keystore.location=/opt/alfresco-content-service7.2/alf_data/keystore/keystore
    -Dmetadata-keystore.password=mp6yc0UD9e -Dmetadata-keystore.aliases=metadata -Dmetadata-keystore.metadata.password=oKIWzVdEdA
    -Dmetadata-keystore.metadata.algorithm=DESede
    -Dssl-keystore.password=PASSWORD"
  14. Restart Alfresco.

Once all the above steps are performed, the indexes will be created in Search Services and you will be able to search through ACS.
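The steps above end with "search works", which does not by itself prove that the client certificate is being enforced. The script below is an added example, not part of the original post or of the Alfresco/Solr distributions: `lint` reads solr.in.sh and catches the mistakes that silently weaken this setup (whitespace after '=', a placeholder password left in place, client auth merely wanted instead of needed, an unset store path), and `probe` exports the ssl-repo-client identity from the JCEKS keystore and checks that Solr refuses a TLS client with no certificate but answers one that presents it. The keystore path, the use of one password for the store and the ssl-repo-client key, the alias names (taken from the start command in step 7), the cores STATUS URL and the requirement for keytool, openssl and curl are all assumptions of this example.

```shell
#!/usr/bin/env bash
# verify_solr_mtls.sh -- added example, not part of the original post or of the
# Alfresco/Solr distributions. Usage:
#   verify_solr_mtls.sh lint  <path-to-solr.in.sh>
#   verify_solr_mtls.sh probe
# Assumptions (override via the environment): keystore path, one password for
# the store and the ssl-repo-client key, alias names from the post's start
# command (ssl-alfresco-ca, ssl-repo-client), and the cores STATUS endpoint.
set -eu

KS="${KS:-/opt/alfresco-content-service7.2/alfresco-search-services/solrhome/keystore/ssl.repo.client.keystore}"
KS_PASS="${KS_PASS:-PASSWORD-CHANGEME}"
SOLR_URL="${SOLR_URL:-https://localhost:8983/solr/admin/cores?action=STATUS&wt=json}"

# solr.in.sh is sourced by bin/solr, so 'VAR= value' assigns an empty string and
# then runs 'value' as a command. Also flag a placeholder password, unset store
# paths (missing files too when CHECK_FILES=1) and client auth that is only
# wanted rather than needed.
lint_solr_in_sh() {
  local file="$1" rc=0 var path
  if grep -Eq '^[[:space:]]*SOLR_SSL_[A-Z_]*=[[:space:]]' "$file"; then
    echo "FAIL: whitespace after '=' in a SOLR_SSL_* assignment" >&2; rc=1
  fi
  if grep -q 'CHANGEME' "$file"; then
    echo "FAIL: placeholder password still present" >&2; rc=1
  fi
  if ! grep -Eq '^[[:space:]]*SOLR_SSL_NEED_CLIENT_AUTH=true' "$file"; then
    echo "FAIL: SOLR_SSL_NEED_CLIENT_AUTH is not true; client certificates would be optional" >&2; rc=1
  fi
  for var in SOLR_SSL_KEY_STORE SOLR_SSL_TRUST_STORE; do
    path=$(sed -n "s/^[[:space:]]*$var=//p" "$file" | tail -n 1)
    if [ -z "$path" ]; then
      echo "FAIL: $var is not set" >&2; rc=1
    elif [ "${CHECK_FILES:-0}" = 1 ] && [ ! -f "$path" ]; then
      echo "FAIL: $var points to a missing file: $path" >&2; rc=1
    fi
  done
  return "$rc"
}

# Convert the JCEKS client identity to PEM for curl, and export the CA from the
# same keystore so the server certificate is verified against it rather than
# skipped with --insecure. Prints the working directory holding the files.
export_client_pem() {
  local work; work=$(mktemp -d)
  keytool -importkeystore -noprompt \
    -srckeystore "$KS" -srcstoretype JCEKS -srcstorepass "$KS_PASS" \
    -srcalias ssl-repo-client -srckeypass "$KS_PASS" \
    -destkeystore "$work/client.p12" -deststoretype PKCS12 -deststorepass "$KS_PASS" >/dev/null 2>&1
  openssl pkcs12 -in "$work/client.p12" -passin "pass:$KS_PASS" -nodes -out "$work/client.pem" 2>/dev/null
  keytool -exportcert -rfc -keystore "$KS" -storetype JCEKS -storepass "$KS_PASS" \
    -alias ssl-alfresco-ca -file "$work/ca.pem" >/dev/null 2>&1
  echo "$work"
}

probe_mtls() {
  local work rc=0 code
  work=$(export_client_pem)
  # 1. No client certificate: the handshake must be refused (curl exits 35, or 56
  #    when the server sends the alert after the TLS 1.3 handshake). Exit 51/60
  #    means the CA or hostname check failed first, which says nothing about
  #    client auth, so it is reported as its own failure.
  set +e
  curl -s -o /dev/null --cacert "$work/ca.pem" "$SOLR_URL"; rc=$?
  set -e
  case "$rc" in
    0)     echo "FAIL: Solr answered a client that presented no certificate" >&2; rm -rf "$work"; return 1 ;;
    51|60) echo "FAIL: server certificate not trusted or name mismatch; fix that before reading this result" >&2; rm -rf "$work"; return 1 ;;
  esac
  # 2. With the ssl-repo-client identity the cores endpoint must answer 200.
  code=$(curl -s -o /dev/null -w '%{http_code}' --cacert "$work/ca.pem" \
           --cert "$work/client.pem" "$SOLR_URL" || true)
  rm -rf "$work"
  [ "$code" = "200" ] || { echo "FAIL: expected HTTP 200 with the client certificate, got '$code'" >&2; return 1; }
  echo "OK: Solr refuses anonymous TLS clients and accepts ssl-repo-client"
}

case "${1:-}" in
  lint)  lint_solr_in_sh "$2" ;;
  probe) probe_mtls ;;
esac
```

Run `lint` against alfresco-search-services/solr.in.sh after step 5 (with `CHECK_FILES=1` once the keystores are in place) and `probe` after step 9, with `KS_PASS` set to the real store password. A probe that fails with exit 51/60 on the first request means the Solr certificate is not chained to the CA in the keystore or its name does not match the URL host; that is a separate problem from client authentication and is hidden if the check is weakened with `curl -k`.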

References

https://docs.alfresco.com/content-services/latest/install/zip/tomcat/
https://docs.alfresco.com/search-services/latest/config/security/#repository-ssl-keystores
https://docs.alfresco.com/search-services/latest/install/options/
https://docs.alfresco.com/content-services/latest/admin/security/#managealfkeystores