Hi all,
We have upgraded from Alfresco 5.0 community edition to Alfresco201605. Everything, except secure communication with Solr4, is working. There appears to be a problem with X509 filter in solr4. The browsers and clients do not appear to send the client certs as far as we can tell.
I have done the following:
1) Copied our existing and working ssl.keystore and ssl.truststore to alf_data/keystore along with password property files
2) Copied our existing and working ssl.rep.client.keystore, ssl.repo.client.truststore to our two cores, archive and workspace along with password property files,
3) Ensured /etc/tomcat/tomcat-users.xml has the correct users entries for client certs
4) When starting tomcat we get 403 solr errors - as below
5) We have tried running the generate_keystore.sh script, modified with our setting, and get the same error result.
5) We imported he browser.p12 certificate into firefox and chromium and visited the :8443/solr4. We get the untrusted cert warning, which we accept, but then we get a 403 error from the X509 filter
6) If I create a test war file, assign the "repository" and "repoclient" role to the war and add a security constraint for client certs to web.xml we get prompted to accept our client cert when we visit the test site and we successfully gain access. Thereafter we are able to access the solr4 admin page successfully.
I have browsed the AlfrescoX509ServletFilter and X509ServletFilterBase code at: https://github.com/Alfresco/community-edition/blob/70f90384d2745fbc0c1d1be2aaa01cab40c47f34/projects... as far as I can see X509ServletFilterBase simply retrieves a request attribute javax.servlet.request.X509Certificate to get the cert in the code. So it seems that the client is unaware that it needs to send the cert? Just guessing here - but this is as far as our investigation has taken us.
Any ideas?
Java
penjdk version "1.8.0_91"
Tomcat: 7.0.68-1
<blockcode>ERROR [solr.tracker.AbstractTracker] [SolrTrackerScheduler_Worker-10] Model tracking failed
org.alfresco.error.AlfrescoRuntimeException: 07200907 GetModelsDiff return status is 403
at org.alfresco.solr.client.SOLRAPIClient.getModelsDiff(SOLRAPIClient.java:1157)
at org.alfresco.solr.tracker.ModelTracker.trackModelsImpl(ModelTracker.java:249)
at org.alfresco.solr.tracker.ModelTracker.trackModels(ModelTracker.java:207)
at org.alfresco.solr.tracker.ModelTracker.ensureFirstModelSync(ModelTracker.java:229)
at org.alfresco.solr.component.EnsureModelsComponent.prepare(EnsureModelsComponent.java:80)
at org.apache.solr.handler.component.AlfrescoSearchHandler.handleRequestBody(AlfrescoSearchHandler.java:283)
at org.apache.solr.handler.RequestHandlerBase.handleRequest(RequestHandlerBase.java:135)
at org.alfresco.solr.Cloud.getResponse(Cloud.java:159)
at org.alfresco.solr.Cloud.getSolrDocumentList(Cloud.java:143)
at org.alfresco.solr.SolrInformationServer.getDocsWithUncleanContent(SolrInformationServer.java:715)
at org.alfresco.solr.tracker.ContentTracker.doTrack(ContentTracker.java:74)
at org.alfresco.solr.tracker.AbstractTracker.track(AbstractTracker.java:185)
at org.alfresco.solr.tracker.TrackerJob.execute(TrackerJob.java:47)
at org.quartz.core.JobRunShell.run(JobRunShell.java:216)
at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:563)
</blockcode>
We have upgraded from Alfresco 5.0 community edition to Alfresco201605. Everything, except secure communication with Solr4, is working. There appears to be a problem with X509 filter in solr4. The browsers and clients do not appear to send the client certs as far as we can tell.
I have done the following:
1) Copied our existing and working ssl.keystore and ssl.truststore to alf_data/keystore along with password property files
2) Copied our existing and working ssl.rep.client.keystore, ssl.repo.client.truststore to our two cores, archive and workspace along with password property files,
3) Ensured /etc/tomcat/tomcat-users.xml has the correct users entries for client certs
4) When starting tomcat we get 403 solr errors - as below
5) We have tried running the generate_keystore.sh script, modified with our setting, and get the same error result.
5) We imported he browser.p12 certificate into firefox and chromium and visited the :8443/solr4. We get the untrusted cert warning, which we accept, but then we get a 403 error from the X509 filter
6) If I create a test war file, assign the "repository" and "repoclient" role to the war and add a security constraint for client certs to web.xml we get prompted to accept our client cert when we visit the test site and we successfully gain access. Thereafter we are able to access the solr4 admin page successfully.
I have browsed the AlfrescoX509ServletFilter and X509ServletFilterBase code at: https://github.com/Alfresco/community-edition/blob/70f90384d2745fbc0c1d1be2aaa01cab40c47f34/projects... as far as I can see X509ServletFilterBase simply retrieves a request attribute javax.servlet.request.X509Certificate to get the cert in the code. So it seems that the client is unaware that it needs to send the cert? Just guessing here - but this is as far as our investigation has taken us.
Any ideas?
Java
penjdk version "1.8.0_91"Tomcat: 7.0.68-1
<blockcode>ERROR [solr.tracker.AbstractTracker] [SolrTrackerScheduler_Worker-10] Model tracking failed
org.alfresco.error.AlfrescoRuntimeException: 07200907 GetModelsDiff return status is 403
at org.alfresco.solr.client.SOLRAPIClient.getModelsDiff(SOLRAPIClient.java:1157)
at org.alfresco.solr.tracker.ModelTracker.trackModelsImpl(ModelTracker.java:249)
at org.alfresco.solr.tracker.ModelTracker.trackModels(ModelTracker.java:207)
at org.alfresco.solr.tracker.ModelTracker.ensureFirstModelSync(ModelTracker.java:229)
at org.alfresco.solr.component.EnsureModelsComponent.prepare(EnsureModelsComponent.java:80)
at org.apache.solr.handler.component.AlfrescoSearchHandler.handleRequestBody(AlfrescoSearchHandler.java:283)
at org.apache.solr.handler.RequestHandlerBase.handleRequest(RequestHandlerBase.java:135)
at org.alfresco.solr.Cloud.getResponse(Cloud.java:159)
at org.alfresco.solr.Cloud.getSolrDocumentList(Cloud.java:143)
at org.alfresco.solr.SolrInformationServer.getDocsWithUncleanContent(SolrInformationServer.java:715)
at org.alfresco.solr.tracker.ContentTracker.doTrack(ContentTracker.java:74)
at org.alfresco.solr.tracker.AbstractTracker.track(AbstractTracker.java:185)
at org.alfresco.solr.tracker.TrackerJob.execute(TrackerJob.java:47)
at org.quartz.core.JobRunShell.run(JobRunShell.java:216)
at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:563)
</blockcode>
