Change Alfresco to use SSL and 'Share' stops authenticating!

cancel
Showing results for 
Search instead for 
Did you mean: 
Highlighted
webberj
Active Member

Change Alfresco to use SSL and 'Share' stops authenticating!

Hi,

Sorry to ask a question that has been discussed a few times before, but I cannot find a solution to this issue that works for me!

I have created a new server (CentOS release 6.2) for Alfresco and downloaded and installed the latest released version of Alfresco Community (4.2.c), using the standard installer (from http://www.alfresco.com/products/community).

We would like to use SSL over port 8443, instead of non-SSL over port 8080.  I have made LOTS of amendments to the standard configuration files (detailed below). 

It was relatively straight forward to get the "Alfresco Explorer" working correctly using SSL, but I have had NO success in changing the configuration to enable Alfresco Share to authenticate.

When I attempt to log on to the Alfresco share (https://alfresco.nbi.ac.uk:8443/share), I see an error message that states:  "The remote server may be unavailable or your authentication details have not been recognized."  The authentication is working correctly for Alfresco Explorer (https://alfresco.nbi.ac.uk:8443/alfresco), but not for share.

I also see the following message in the (alfresco)/tomcat/logs/catalina.out:
"2013-07-11 17:11:42,098  INFO  [web.site.EditionInterceptor] [http-bio-8443-exec-12] Unable to retrieve License information from Alfresco: 500"

Please can someone advice whether it is possible to get Share working over SSL?

I have made the following configuration amendments, but to no avail so far!

———————
   In <alfresco>/tomcat/shared/classes/alfresco-global.properties change the following:
      alfresco.context=alfresco
      alfresco.host=alfresco.nbi.ac.uk
      alfresco.port=8443
      alfresco.protocol=https

      share.context=share
      share.host=alfresco.nbi.ac.uk
      share.port=8443
      share.protocol=https

      and add      web.application.context.url=https://127.0.0.1:8443/alfresco

———————

   Update <alfresco>/tomcat/conf/web.xml
      Add the following lines at the end of the file (before the </web-app> )

      <!– Added to attempt to stop http and force https instead                 –>
      <security-constraint>
         <web-resource-collection>
            <web-resource-name>Protected Context</web-resource-name>
            <url-pattern>/*</url-pattern>
         </web-resource-collection>

         <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
         </user-data-constraint>
      </security-constraint>

———————

   Update /opt/alfresco/tomcat/shared/classes/alfresco/web-extension/share-config-custom.xml
         Change the "endpoint URLs" from
         <endpoint-url>http://localhost:8080/alfresco/s</endpoint-url   
      to
         <endpoint-url>https://localhost:8443/alfresco</endpoint-url
      (by removing the /s, changing http to https and changing 8080 to 8443)

      Add:     <repository-url>https://localhost:8443/alfresco</repository-url>
      Update the alfresco endpoint to be : <endpoint-url>https://localhost:8443/alfresco/wcs</endpoint-url>
      (by adding the "wcs"
      And add  <external-auth>true</external-auth> to the alfresco endpoint

———————

   Update /opt/alfresco-4.2.c/tomcat/webapps/share/WEB-INF/classes/alfresco/share-cmis-config.xml
      Change parameter key value from
         value="http://localhost:8080/alfresco/cmisatom"
      to
         value="https://localhost:8443/alfresco/cmisatom'/>

———————

   Update /opt/alfresco-4.2.c/tomcat/webapps/share/WEB-INF/classes/alfresco/share-documentlibrary-config.xml
      Change   <repository-url>http://localhost:8080/alfresco</repository-url>
      to   <repository-url>https://localhost:8443/alfresco</repository-url>

———————

   Update /opt/alfresco/tomcat/webapps/alfresco/WEB-INF/classes/alfresco/web-client-config.xml
      Change   <scheme>http</scheme>
      to   <scheme>https</scheme>

      Change   <port>8080</port>
      to   <port>8443</port>

———————

Any advice that anyone can give to help me configure this would be very gratefully received!

Thanks
John
14 Replies
mitpatoliya
Established Member II

Re: Change Alfresco to use SSL and 'Share' stops authenticating!

you can place all your configs of share-cmis-config.xml share-documentlibrary-config.xml
in to share-config-custom.xml as it will override all this file.

Please do that change and then post your share-config-custom.xml config
webberj
Active Member

Re: Change Alfresco to use SSL and 'Share' stops authenticating!

Thank you for your quick response.

As suggested, I have combined the configuration files:  "share-cmis-config.xml" and "share-documentlibrary-config.xml" into the existing share-config-custom.xml file by adding the lines at the end!

Please see attached a copy of my new share-config-custom.xml file (renamed to .txt so that I could attach it to this page).

Thanks
John
webberj
Active Member

Re: Change Alfresco to use SSL and 'Share' stops authenticating!

I am not sure my file attached correctly, so here it is again!

Are you able to see the file now?  I have definitely attached it, but am not sure that I can see it… where does the file get attached to this page?
rjohnson
Established Member

Re: Change Alfresco to use SSL and 'Share' stops authenticating!

You seem to be having trouble. I have Share working on several sites via https without changing / adding anything in share-custom-config.xml, but I did it using Apache, mod_jk and mod_ssl.

Should you want to do it that way, below are my notes on how I did it on Ubuntu 12.04 and Alfresco 4.2c (I have also done it on Alfresco 4.0a on Ubuntu 10.04 and if memory serves it was an identical procedure.

<blockquote>
<strong>Install Apache</strong>


Apache is not technically a pre-requisite, but in order to route https requests to Alfresco without needing to specify a port number and without needing to use iptables then it helps.
sudo apt-get install apache2

and now we need to map the https to Alfresco, so first check if mod_jk and mod_ssl are installed and enabled. Please note, it is very unlikely that mod_ssl would not be installed, if you think it isn't, double check. To check for the modules do this:

/etc/apache2/mods-enabled

ls -l | grep “jk.load”
ls -l | grep “ssl.load”

If either of the 2 commands return nothing, go to

/etc/apache2/mod-available

and repeat the command. If you still get nothing you will need to install the modules, if they now return a result you will merely need to configure them.
mod_jk
If jk.load is not installed then at the command line type

sudo apt-get install libapache2-mod-jk

and to enable it type

sudo a2enmod jk
mod_ssl
So to enable ssl type

sudo a2enmod ssl

<strong>Create SSL certificates and keys</strong>


In production you will be installing purchased SSL certificates but you need to do what follows to enable everything for the production certificates and to have a system that replicates a production environment.

You can create the certificate files anywhere you like but they must eventually be copied into a directory that the apache server can see. For this section let us create the files in /tmp

cd /tmp
To generate the keys for the Certificate Signing Request (CSR)
openssl genrsa -des3 -out server.key 1024

This will ask you for a passphrase, this is not important but use something you can remember because you will need it in the next command.
Create the insecure key
openssl rsa -in server.key -out server.key.insecure

You will need to enter the passphrase that you used in the first step.

mv server.key server.key.secure
mv server.key.insecure server.key
Create the CSR
openssl req -new -key server.key -out server.csr
Answer the questions asked. The data is not important, but be sensible, its visible.
Create a self-signed certificate
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
Installing a certificate
In Ubuntu certificates are stored in /etc/ssl/certs and keys are stored in /etc/ssl/private so from the directory in which you created the certificates:-

sudo cp *.crt /etc/ssl/certs
sudo cp *.key /etc/ssl/private
Connect Apache to Alfresco
Configure Apache
You now need to tell Apache to intercept calls to https services and redirect them. This is done using the 000-default files. You also need to adjust ssl to cater for certain browsers using the ssl.conf file.
000-default
cd /etc/apache2/sites-enabled
sudo vi 000-default

Open this file and append the lines below after all the existing content


<VirtualHost *:443>
          ServerName {servername}
          SSLEngine On
          SSLCertificateFile /etc/ssl/certs/server.crt
          SSLCertificateKeyFile /etc/ssl/private/server.key
          <Location />
              SSLRequireSSL On
              SSLVerifyClient optional
              SSLRenegBufferSize 104860000
              SSLVerifyDepth 1
              SSLOptions +StdEnvVars +StrictRequire
          </Location>
          # Send everything for the context / to worker named worker1 via ajp13
          JkMount /* ajp13_worker
</VirtualHost>



<strong>httpd.conf</strong>


Whilst not absolutely necessary it is tidy to define the host name for your server. Should you not do this, apache will try a reverse DNS lookup to determine the host name. This reverse lookup will work for any public IP address you register against a domain name on the internet but in testing or in closed networks that do not have a local DNS it will not work and so it is neat to define the server name. To do this


cd /etc/apache2
sudo vi httpd.conf
Add the line

ServerName {your-server-name}


Save and restart Apache


<strong>Configure SSL</strong>


ssl.conf
cd /etc/apache2/mods-enabled
sudo vi ssl.conf

Open this file and either append the line below after all the existing content but before the </IfModule> line, or, if it exists (and in 12.04 it does exist) remove the # from the beginning of the line.


SSLInsecureRenegotiation on


Please note that this reads worse than it is and in any case is required for Internet Explorer 8 and other browsers to function. This is nothing to do with security in our application or server, but to do with the implementation of SSL renegotiation in major browsers.


Restart apache
sudo /etc/init.d/apache2 restart


<strong>The result</strong>


https://{hostname}/share will now get you to the login page (once Alfresco is installed). Note that if you try and go to https://{hostname} you will end up at the Tomcat Welcome page.

</blockquote>
webberj
Active Member

Re: Change Alfresco to use SSL and 'Share' stops authenticating!

Hi,

Thank you for your response and for the instructions.

I have seen other instructions for implementing Alfresco using Apache, mod_jk and mod_ssl as well, so this might be something that we need to do.

However, we were hoping to configure Alfresco Share without needing to use Apache.  As the Alfresco Implementation is build on Tomcat, we were hesitant to implement a second Web server (Apache) in front of another web server (Tomcat) unless it is absolutely necessary.  We are therefore looking to see if what we are trying to achieve is possible with just Tomcat.

Thanks
John
webberj
Active Member

Re: Change Alfresco to use SSL and 'Share' stops authenticating!

Having been digging further, I have traced this issue down to one section of code in one configuration file!

I have trawled through all of the configuration files to identify the ones where a specific port (8080) is defined.  I have changed all of these ports from 8080 to 8443, and changed any associated http to https as well.

The ONE file that causes the authentication of Alfresco Share to break is the:  /opt/alfresco/tomcat/shared/classes/alfresco/web-extension/share-config-custom.xml.

I have amended MOST of the entries in the file, to change: 
—–
<endpoint-url>http://localhost:8080/alfresco/s</endpoint-url>

to
<endpoint-url>https://localhost:8443/alfresco/s</endpoint-url>
——

The one section which breaks Alfresco Share Authentication is:

         <endpoint>
            <id>alfresco</id>
            <name>Alfresco - user access</name>
            <description>Access to Alfresco Repository WebScripts that require user authentication</description>
            <connector-id>alfresco</connector-id>
            <endpoint-url>http://localhost:8080/alfresco/s</endpoint-url>
            <identity>user</identity>
         </endpoint>

If I amend this code to point to HTTPS and port 8443 the user authentication for Alfresco Share no longer works!

Please can someone help me as to how I can amend this code to use SSL over port 8443 instead of non-SSL over port 8080.

Thanks
John
eswbitto
Active Member

Re: Change Alfresco to use SSL and 'Share' stops authenticating!

I have tried following the instructions from HERE

I couldn't get it to work for me so I just did the apache and the mod_jk route. Tackling alfresco's community version for ssl authentication vs just having apache do it was the difference of a couple of weeks vs an hour of my time.

Just something to think about it.
yuhuayang
Member II

Re: Change Alfresco to use SSL and 'Share' stops authenticating!

Hello,

I am having this exact same problem. Alfresco Explorer works completely fine while share is broken. I do not wish to use the apache mod_jk solution. Can someone help and shed some light on why this is happening?

Thanks
yuhuayang
Member II

Re: Change Alfresco to use SSL and 'Share' stops authenticating!

OK I solved my own problem. I had to import more certificates into /java/jre/lib/security/cacerts and also this link helps alot: http://ecmstuff.blogspot.com/2011/06/configuring-alfresco-for-sso-with-cas.html

there is no need to modify the share-config-custom.xml at all