
Change Alfresco to use SSL and 'Share' stops authenticating!

webberj
Champ on-the-rise
Hi,

Sorry to ask a question that has been discussed a few times before, but I cannot find a solution to this issue that works for me!

I have created a new server (CentOS release 6.2) for Alfresco and downloaded and installed the latest released version of Alfresco Community (4.2.c), using the standard installer (from http://www.alfresco.com/products/community).

We would like to use SSL over port 8443, instead of non-SSL over port 8080.  I have made LOTS of amendments to the standard configuration files (detailed below). 

It was relatively straightforward to get the "Alfresco Explorer" working correctly using SSL, but I have had NO success in changing the configuration to enable Alfresco Share to authenticate.

When I attempt to log on to the Alfresco share (https://alfresco.nbi.ac.uk:8443/share), I see an error message that states:  "The remote server may be unavailable or your authentication details have not been recognized."  The authentication is working correctly for Alfresco Explorer (https://alfresco.nbi.ac.uk:8443/alfresco), but not for share.

I also see the following message in the (alfresco)/tomcat/logs/catalina.out:
"2013-07-11 17:11:42,098  INFO  [web.site.EditionInterceptor] [http-bio-8443-exec-12] Unable to retrieve License information from Alfresco: 500"

Please can someone advise whether it is possible to get Share working over SSL?

I have made the following configuration amendments, but to no avail so far!

———————
   In <alfresco>/tomcat/shared/classes/alfresco-global.properties change the following:
      alfresco.context=alfresco
      alfresco.host=alfresco.nbi.ac.uk
      alfresco.port=8443
      alfresco.protocol=https

      share.context=share
      share.host=alfresco.nbi.ac.uk
      share.port=8443
      share.protocol=https

      and add   web.application.context.url=https://127.0.0.1:8443/alfresco

———————

   Update <alfresco>/tomcat/conf/web.xml
      Add the following lines at the end of the file (before the </web-app> )

      <!-- Added to attempt to stop http and force https instead -->
      <security-constraint>
         <web-resource-collection>
            <web-resource-name>Protected Context</web-resource-name>
            <url-pattern>/*</url-pattern>
         </web-resource-collection>

         <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
         </user-data-constraint>
      </security-constraint>

———————

   Update /opt/alfresco/tomcat/shared/classes/alfresco/web-extension/share-config-custom.xml
         Change the "endpoint URLs" from
         <endpoint-url>http://localhost:8080/alfresco/s</endpoint-url>
      to
         <endpoint-url>https://localhost:8443/alfresco</endpoint-url>
      (by removing the /s, changing http to https and changing 8080 to 8443)

      Add:     <repository-url>https://localhost:8443/alfresco</repository-url>
      Update the alfresco endpoint to be: <endpoint-url>https://localhost:8443/alfresco/wcs</endpoint-url>
      (by adding the "wcs")
      And add  <external-auth>true</external-auth> to the alfresco endpoint

———————

   Update /opt/alfresco-4.2.c/tomcat/webapps/share/WEB-INF/classes/alfresco/share-cmis-config.xml
      Change the parameter key value from
         value="http://localhost:8080/alfresco/cmisatom"
      to
         value="https://localhost:8443/alfresco/cmisatom"

———————

   Update /opt/alfresco-4.2.c/tomcat/webapps/share/WEB-INF/classes/alfresco/share-documentlibrary-config.xml
      Change   <repository-url>http://localhost:8080/alfresco</repository-url>
      to   <repository-url>https://localhost:8443/alfresco</repository-url>

———————

   Update /opt/alfresco/tomcat/webapps/alfresco/WEB-INF/classes/alfresco/web-client-config.xml
      Change   <scheme>http</scheme>
      to   <scheme>https</scheme>

      Change   <port>8080</port>
      to   <port>8443</port>

———————

Any advice that anyone can give to help me configure this would be very gratefully received!

Thanks
John

mitpatoliya
Star Collaborator
You can place all your configs of share-cmis-config.xml and share-documentlibrary-config.xml
into share-config-custom.xml, as it will override all of these files.

Please do that change and then post your share-config-custom.xml config

Thank you for your quick response.

As suggested, I have combined the configuration files:  "share-cmis-config.xml" and "share-documentlibrary-config.xml" into the existing share-config-custom.xml file by adding the lines at the end!

Please see attached a copy of my new share-config-custom.xml file (renamed to .txt so that I could attach it to this page).

Thanks
John

webberj
Champ on-the-rise
I am not sure my file attached correctly, so here it is again!

Are you able to see the file now?  I have definitely attached it, but am not sure that I can see it… where does the file get attached to this page?

rjohnson
Star Contributor
You seem to be having trouble. I have Share working on several sites via https without changing / adding anything in share-config-custom.xml, but I did it using Apache, mod_jk and mod_ssl.

Should you want to do it that way, below are my notes on how I did it on Ubuntu 12.04 and Alfresco 4.2c (I have also done it on Alfresco 4.0a on Ubuntu 10.04 and, if memory serves, it was an identical procedure).

<blockquote>
<strong>Install Apache</strong>


Apache is not technically a pre-requisite, but in order to route https requests to Alfresco without needing to specify a port number and without needing to use iptables then it helps.
sudo apt-get install apache2

and now we need to map the https to Alfresco, so first check if mod_jk and mod_ssl are installed and enabled. Please note, it is very unlikely that mod_ssl would not be installed, if you think it isn't, double check. To check for the modules do this:

/etc/apache2/mods-enabled

ls -l | grep "jk.load"
ls -l | grep "ssl.load"

If either of the 2 commands returns nothing, go to

/etc/apache2/mods-available

and repeat the command. If you still get nothing you will need to install the modules; if they now return a result you will merely need to configure them.
mod_jk
If jk.load is not installed then at the command line type

sudo apt-get install libapache2-mod-jk

and to enable it type

sudo a2enmod jk
mod_ssl
So to enable ssl type

sudo a2enmod ssl

<strong>Create SSL certificates and keys</strong>


In production you will be installing purchased SSL certificates but you need to do what follows to enable everything for the production certificates and to have a system that replicates a production environment.

You can create the certificate files anywhere you like but they must eventually be copied into a directory that the apache server can see. For this section let us create the files in /tmp

cd /tmp
To generate the keys for the Certificate Signing Request (CSR)
openssl genrsa -des3 -out server.key 1024

This will ask you for a passphrase, this is not important but use something you can remember because you will need it in the next command.
Create the insecure key
openssl rsa -in server.key -out server.key.insecure

You will need to enter the passphrase that you used in the first step.

mv server.key server.key.secure
mv server.key.insecure server.key
Create the CSR
openssl req -new -key server.key -out server.csr
Answer the questions asked. The data is not important, but be sensible, it's visible.
Create a self-signed certificate
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
Installing a certificate
In Ubuntu certificates are stored in /etc/ssl/certs and keys are stored in /etc/ssl/private so from the directory in which you created the certificates:-

sudo cp *.crt /etc/ssl/certs
sudo cp *.key /etc/ssl/private
Connect Apache to Alfresco
Configure Apache
You now need to tell Apache to intercept calls to https services and redirect them. This is done using the 000-default files. You also need to adjust ssl to cater for certain browsers using the ssl.conf file.
000-default
cd /etc/apache2/sites-enabled
sudo vi 000-default

Open this file and append the lines below after all the existing content


<VirtualHost *:443>
          ServerName {servername}
          SSLEngine On
          SSLCertificateFile /etc/ssl/certs/server.crt
          SSLCertificateKeyFile /etc/ssl/private/server.key
          <Location />
              SSLRequireSSL On
              SSLVerifyClient optional
              SSLRenegBufferSize 104860000
              SSLVerifyDepth 1
              SSLOptions +StdEnvVars +StrictRequire
          </Location>
          # Send everything for the context / to worker named worker1 via ajp13
          JkMount /* ajp13_worker
</VirtualHost>



<strong>httpd.conf</strong>


Whilst not absolutely necessary it is tidy to define the host name for your server. Should you not do this, apache will try a reverse DNS lookup to determine the host name. This reverse lookup will work for any public IP address you register against a domain name on the internet but in testing or in closed networks that do not have a local DNS it will not work and so it is neat to define the server name. To do this


cd /etc/apache2
sudo vi httpd.conf
Add the line

ServerName {your-server-name}


Save and restart Apache


<strong>Configure SSL</strong>


ssl.conf
cd /etc/apache2/mods-enabled
sudo vi ssl.conf

Open this file and either append the line below after all the existing content but before the </IfModule> line, or, if it exists (and in 12.04 it does exist) remove the # from the beginning of the line.


SSLInsecureRenegotiation on


Please note that this reads worse than it is and in any case is required for Internet Explorer 8 and other browsers to function. This is nothing to do with security in our application or server, but to do with the implementation of SSL renegotiation in major browsers.


Restart apache
sudo /etc/init.d/apache2 restart


<strong>The result</strong>


https://{hostname}/share will now get you to the login page (once Alfresco is installed). Note that if you try and go to https://{hostname} you will end up at the Tomcat Welcome page.

</blockquote>

webberj
Champ on-the-rise
Hi,

Thank you for your response and for the instructions.

I have seen other instructions for implementing Alfresco using Apache, mod_jk and mod_ssl as well, so this might be something that we need to do.

However, we were hoping to configure Alfresco Share without needing to use Apache.  As the Alfresco implementation is built on Tomcat, we were hesitant to implement a second web server (Apache) in front of another web server (Tomcat) unless it is absolutely necessary.  We are therefore looking to see if what we are trying to achieve is possible with just Tomcat.

Thanks
John

jasswalkjr
Champ in-the-making
Hello webberj:  Did you ever solve this problem?  I would like to do the same thing right now.

pacco_robin
Champ in-the-making
Dear Bob,

Thanks for your private messages and thanks for this explanation. It really helped and now I have it up and running using Apache and https.

Regards,

Frank

A tip for someone who wants to do this and use public certificates. Instead of creating self-signed certificates do this:

cd /tmp
sudo openssl req -nodes -newkey rsa:2048 -keyout [servername_domainname_extension].key -out [servername_domainname_extension].csr
Answer the questions. Leave password and optional company name blank.

Now secure the key file.
sudo chmod 600 [servername_domainname_extension].key

Get the csr signature.
sudo cat [servername_domainname_extension].csr

Get your certificate with your csr information
Move the certificate to /tmp

then copy the key and certificate
sudo cp [servername_domainname_extension].key /etc/ssl/private
sudo cp [servername_domainname_extension].crt /etc/ssl/certs

Make sure you also get a root certificate and an intermediate certificate.
Move them to /etc/ssl/certs
sudo cp [root certificate].crt /etc/ssl/certs
sudo cp [intermediate certificate].crt /etc/ssl/certs

Now move forward in Bob's explanation connecting Apache to Alfresco.
Do not forget to add 2 lines to 000-default after SSLCertificateKeyFile
SSLCertificateChainFile /etc/ssl/certs/[root certificate].crt
SSLCertificateChainFile /etc/ssl/certs/[intermediate certificate].crt
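
As an added example (not code from rjohnson's or pacco_robin's posts), here is a POSIX shell version of the key/CSR/certificate steps from both posts, with a throwaway test CA standing in for the purchased certificate so it runs offline, plus two checks worth running before restarting Apache: that the private key really matches the certificate, and that the certificate verifies against one combined chain file (Apache honours only the last SSLCertificateChainFile directive, so root and intermediate belong in a single file). The directory, host name and CA name are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread. Builds the key/CSR/certificate
# material the two posts describe, with a throwaway test CA standing in for
# the commercial CA so that the chain checks can run offline.
set -eu

# make_server_material DIR HOST: writes ca.key/ca.crt (test CA), server.key,
# server.csr, server.crt (signed by the test CA) and chain.crt into DIR.
make_server_material() {
    dir=$1; host=$2
    mkdir -p "$dir"
    # Test CA (constructed; stands in for the root + intermediate you download).
    openssl req -x509 -nodes -newkey rsa:2048 -days 30 \
        -subj "/CN=Test CA (constructed)" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    # Server key + CSR: unencrypted (-nodes) and 2048-bit, as in the second post.
    openssl req -nodes -newkey rsa:2048 -subj "/CN=$host" \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
    chmod 600 "$dir/server.key" "$dir/ca.key"   # keys are never world-readable
    # The CA signs the CSR; in production this is the step the vendor performs.
    openssl x509 -req -days 30 -in "$dir/server.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/server.crt" 2>/dev/null
    # Apache keeps only the last SSLCertificateChainFile, so every CA cert goes
    # into ONE file, intermediate first, root last; here there is just the test CA.
    cat "$dir/ca.crt" > "$dir/chain.crt"
}

# key_matches_cert KEY CERT: succeeds only when the certificate was issued for
# this private key (same RSA modulus); a mismatch makes Apache refuse to start.
key_matches_cert() {
    k=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null) || return 1
    c=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null) || return 1
    [ "$k" = "$c" ]
}

# chain_verifies CERT CHAINFILE: succeeds when CERT chains up to the CA
# certificates in CHAINFILE, which is what a browser will check.
chain_verifies() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}
```

Point SSLCertificateFile at server.crt, SSLCertificateKeyFile at server.key and a single SSLCertificateChainFile at chain.crt.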

tybion
Champ in-the-making
Thank you rjohnson - brilliantly simple - it works nicely for me - Ubuntu 14.04 and Alfresco 5.0.d.

webberj
Champ on-the-rise
Having dug further, I have traced this issue down to one section of code in one configuration file!

I have trawled through all of the configuration files to identify the ones where a specific port (8080) is defined.  I have changed all of these ports from 8080 to 8443, and changed any associated http to https as well.

The ONE file that causes the authentication of Alfresco Share to break is the:  /opt/alfresco/tomcat/shared/classes/alfresco/web-extension/share-config-custom.xml.

I have amended MOST of the entries in the file, to change: 
—–
<endpoint-url>http://localhost:8080/alfresco/s</endpoint-url>

to
<endpoint-url>https://localhost:8443/alfresco/s</endpoint-url>
——

The one section which breaks Alfresco Share Authentication is:

         <endpoint>
            <id>alfresco</id>
            <name>Alfresco - user access</name>
            <description>Access to Alfresco Repository WebScripts that require user authentication</description>
            <connector-id>alfresco</connector-id>
            <endpoint-url>http://localhost:8080/alfresco/s</endpoint-url>
            <identity>user</identity>
         </endpoint>

If I amend this code to point to HTTPS and port 8443 the user authentication for Alfresco Share no longer works!

Please can someone help me as to how I can amend this code to use SSL over port 8443 instead of non-SSL over port 8080.

Thanks
John