https://connect.hyland.com/t5/alfresco-archive/alfresco-5-0-gt-201605-sorl4-ssl-403-errors/m-p/307632#M260762 <HTML><HEAD></HEAD><BODY><SPAN>Hi all,</SPAN><BR /><BR /><SPAN>We have upgraded from Alfresco 5.0 community edition to Alfresco201605. Everything, except secure communication with Solr4, is working. There appears to be a problem with X509 filter in solr4. The browsers and clients do not appear to send the client certs as far as we can tell.</SPAN><BR /><BR /><SPAN>I have done the following:</SPAN><BR /><BR /><SPAN>1) Copied our existing and working ssl.keystore and ssl.truststore to alf_data/keystore along with password property files</SPAN><BR /><SPAN>2) Copied our existing and working ssl.rep.client.keystore, ssl.repo.client.truststore to our two cores, archive and workspace along with password property files,</SPAN><BR /><SPAN>3) Ensured /etc/tomcat/tomcat-users.xml has the correct users entries for client certs</SPAN><BR /><SPAN>4) When starting tomcat we get 403 solr errors - as below</SPAN><BR /><SPAN>5) We have tried running the generate_keystore.sh script, modified with our setting, and get the same error result.</SPAN><BR /><SPAN>5) We imported he browser.p12 certificate into firefox and chromium and visited the :8443/solr4. We get the untrusted cert warning, which we accept, but then we get a 403 error from the X509 filter <img id="smileysad" class="emoticon emoticon-smileysad" src="https://connect.hyland.com/i/smilies/16x16_smiley-sad.png" alt="Smiley Sad" title="Smiley Sad" /></SPAN><BR /><SPAN>6) If I create a test war file, assign the "repository" and "repoclient" role to the war and add a security constraint for client certs to web.xml we get prompted to accept our client cert when we visit the test site and we successfully gain access. Thereafter we are able to access the solr4 admin page successfully.</SPAN><BR /><BR /><SPAN>I have browsed the AlfrescoX509ServletFilter and X509ServletFilterBase code at: </SPAN><A href="https://github.com/Alfresco/community-edition/blob/70f90384d2745fbc0c1d1be2aaa01cab40c47f34/projects/web-client/source/java/org/alfresco/web/app/servlet/AlfrescoX509ServletFilter.java" rel="nofollow noopener noreferrer">https://github.com/Alfresco/community-edition/blob/70f90384d2745fbc0c1d1be2aaa01cab40c47f34/projects/web-client/source/java/org/alfresco/web/app/servlet/AlfrescoX509ServletFilter.java</A><SPAN> as far as I can see X509ServletFilterBase simply retrieves a request attribute javax.servlet.request.X509Certificate to get the cert in the code. So it seems that the client is unaware that it needs to send the cert? Just guessing here - but this is as far as our investigation has taken us.</SPAN><BR /><BR /><SPAN>Any ideas? </SPAN><BR /><BR /><SPAN>Java<img id="smileysurprised" class="emoticon emoticon-smileysurprised" src="https://connect.hyland.com/i/smilies/16x16_smiley-surprised.png" alt="Smiley Surprised" title="Smiley Surprised" />penjdk version "1.8.0_91"</SPAN><BR /><SPAN>Tomcat: 7.0.68-1</SPAN><BR /><BR /><BR /><SPAN>&lt;blockcode&gt;ERROR [solr.tracker.AbstractTracker] [SolrTrackerScheduler_Worker-10] Model tracking failed</SPAN><BR /><SPAN> org.alfresco.error.AlfrescoRuntimeException: 07200907 GetModelsDiff return status is 403</SPAN><BR /><SPAN>&nbsp;&nbsp;&nbsp;at org.alfresco.solr.client.SOLRAPIClient.getModelsDiff(SOLRAPIClient.java:1157)</SPAN><BR /><SPAN>&nbsp;&nbsp;&nbsp;at org.alfresco.solr.tracker.ModelTracker.trackModelsImpl(ModelTracker.java:249)</SPAN><BR /><SPAN>&nbsp;&nbsp;&nbsp;at org.alfresco.solr.tracker.ModelTracker.trackModels(ModelTracker.java:207)</SPAN><BR /><SPAN>&nbsp;&nbsp;&nbsp;at org.alfresco.solr.tracker.ModelTracker.ensureFirstModelSync(ModelTracker.java:229)</SPAN><BR /><SPAN>&nbsp;&nbsp;&nbsp;at org.alfresco.solr.component.EnsureModelsComponent.prepare(EnsureModelsComponent.java:80)</SPAN><BR /><SPAN>&nbsp;&nbsp;&nbsp;at org.apache.solr.handler.component.AlfrescoSearchHandler.handleRequestBody(AlfrescoSearchHandler.java:283)</SPAN><BR /><SPAN>&nbsp;&nbsp;&nbsp;at org.apache.solr.handler.RequestHandlerBase.handleRequest(RequestHandlerBase.java:135)</SPAN><BR /><SPAN>&nbsp;&nbsp;&nbsp;at org.alfresco.solr.Cloud.getResponse(Cloud.java:159)</SPAN><BR /><SPAN>&nbsp;&nbsp;&nbsp;at org.alfresco.solr.Cloud.getSolrDocumentList(Cloud.java:143)</SPAN><BR /><SPAN>&nbsp;&nbsp;&nbsp;at org.alfresco.solr.SolrInformationServer.getDocsWithUncleanContent(SolrInformationServer.java:715)</SPAN><BR /><SPAN>&nbsp;&nbsp;&nbsp;at org.alfresco.solr.tracker.ContentTracker.doTrack(ContentTracker.java:74)</SPAN><BR /><SPAN>&nbsp;&nbsp;&nbsp;at org.alfresco.solr.tracker.AbstractTracker.track(AbstractTracker.java:185)</SPAN><BR /><SPAN>&nbsp;&nbsp;&nbsp;at org.alfresco.solr.tracker.TrackerJob.execute(TrackerJob.java:47)</SPAN><BR /><SPAN>&nbsp;&nbsp;&nbsp;at org.quartz.core.JobRunShell.run(JobRunShell.java:216)</SPAN><BR /><SPAN>&nbsp;&nbsp;&nbsp;at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:563)</SPAN><BR /><SPAN>&lt;/blockcode&gt;</SPAN></BODY></HTML> Sat, 20 Aug 2016 20:55:52 GMT mxc 2016-08-20T20:55:52Z https://connect.hyland.com/t5/alfresco-archive/alfresco-5-0-gt-201605-sorl4-ssl-403-errors/m-p/307632#M260762 Hi all,We have upgraded from Alfresco 5.0 community edition to Alfresco201605. Everything, except secure communication with Solr4, is working. There appears to be a problem with X509 filter in solr4. The browsers and clients do not appear to send the client certs as far as we can tell.I have done th Sat, 20 Aug 2016 20:55:52 GMT https://connect.hyland.com/t5/alfresco-archive/alfresco-5-0-gt-201605-sorl4-ssl-403-errors/m-p/307632#M260762 mxc 2016-08-20T20:55:52Z https://connect.hyland.com/t5/alfresco-archive/alfresco-5-0-gt-201605-sorl4-ssl-403-errors/m-p/307633#M260763 <HTML><HEAD></HEAD><BODY><SPAN>Found the problem. It seems the syntax for the coyote connector in server.xml has changed. Needed to add 'allowUnsafeLegacyRenegotiation="true"' to the declaration so the full connector stanza looks like this:</SPAN><BR /><SPAN>&lt;blockcode&gt;</SPAN><BR /><SPAN>&nbsp;&nbsp; &lt;Connector port="8443" URIEncoding="UTF-8" protocol="org.apache.coyote.http11.Http11Protocol" SSLEnabled="true"</SPAN><BR /><SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; maxThreads="150" scheme="https" keystoreFile="/usr/local/alfresco/alf_data/keystore/ssl.keystore" keystorePass="kT9X6oe68t" keystoreType="JCEKS"</SPAN><BR /><SPAN> secure="true" connectionTimeout="240000" truststoreFile="/usr/lcoal/alfresco/alf_data/keystore/ssl.truststore" truststorePass="kT9X6oe68t" truststoreType="JCEKS"</SPAN><BR /><SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; clientAuth="want" sslProtocol="TLS" allowUnsafeLegacyRenegotiation="true" maxHttpHeaderSize="32768" maxSavePostSize="-1" /&gt;&nbsp; </SPAN><BR /><SPAN>&lt;/blockcode&gt;</SPAN></BODY></HTML> Sun, 21 Aug 2016 10:49:00 GMT https://connect.hyland.com/t5/alfresco-archive/alfresco-5-0-gt-201605-sorl4-ssl-403-errors/m-p/307633#M260763 mxc 2016-08-21T10:49:00Z