
Setup https and ports

vgusev2007
Champ in-the-making
Hi everyone!
I plan to set up Alfresco One 4.2.1 as an ECM system for my small company. So, I have tested it in Alfresco CE 4.2e, and it works (SSO, WebDAV, CIFS, and so on).

Now, I want to ask you about configuring secure access to our Alfresco via the web. I want to buy an SSL cert (DV level).

Can you suggest the best way to do it?

So, I have two variants:

1. Set up a reverse proxy for https (Linux+Apache), and redirect my users from http to https
2. Set up Alfresco's Tomcat to use https only…

Which is the good way for me?

I prefer the first variant because it's the easy way, but I'm not sure Alfresco will work well with it… (for example: SSO, direct document links, WebDAV and so on…).

What do you think about it? I'm new to web and Alfresco…

Can you tell me about a step-by-step guide for it?

And the second question is about the ports for the Alfresco setup.

What is the best setting during setup? Is it 8080 and 8443 plus a non-standard CIFS port, or 80 and 443? In the "top" command on my Linux I see root privileges for java, regardless of ports 8080 and 8443 or 80 and 443…

What if I set up Alfresco with ports 8080 and 8443, and set up Apache as a reverse proxy on the same host: from 443 (https) to 8080 (default web port of Alfresco)?

Thanks a lot for your help.
11 REPLIES 11

eswbitto
Confirmed Champ
I can give you some setup instructions on how to set up Alfresco+Apache. I've tried numerous times to get it to work with Tomcat and never could get the SSL to work. If you do enough research you will find all the same material I'm about to post in other threads as well. I can't take the credit for any of what I'm about to give. Keep in mind that these instructions were made for CentOS and they may differ slightly on your Ubuntu. Only you can really determine that.

First things first if this is a vanilla install then you can add all of the items below in no particular order. Also, you want to purchase a valid SSL cert from a certificate authority. Example:
http://www.digicert.com/ppc/?gclid=COPigMfav70CFcRefgodMigAng

Edit your alfresco-global.properties file and add or edit the following:


### Sharepoint ###
vti.server.external.host=myhostname.net
vti.server.external.port=1111
vti.server.external.protocol=https

Note: Port 1111 is used for this example. It's not one that I use officially, but for the purpose of this guide I'm referencing it. Also, I didn't want to use the standard port number 7070 for security reasons. So feel free to use 7070 or whatever other port you want to use.

Prerequisites:
You need to install mod_jk, httpd-devel
Optional: php-pear, php-devel, pecl install apc
Download the ajp tomcat connector: tomcat-connectors-1.2.37-src.tar.gz (there might be an updated version)
Place the tar file contents in /usr/src/
cd /usr/src/tomcat-connectors-1.2.37-src/native
./configure --with-apxs=/usr/sbin/apxs && make && make install
cp ./apache-2.0/mod_jk.so /usr/lib64/httpd/modules/
———————————————–
Create the following file:
/opt/alfresco/tomcat/conf/Catalina/localhost/ROOT.xml

<?xml version="1.0" encoding="UTF-8"?>
<Context path="" docBase="share.war">
</Context>

——————————————————
Next we need to set up a connector for Apache. It's possible this is *already done* on your Tomcat install by default; if not, add the following in the Catalina
Service section in /path to your install/alfresco/tomcat/conf/server.xml:

<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />

————————————————
Need to define a worker file.
I used /opt/alfresco/tomcat/conf/workers.properties as configuration file:

worker.list=tomcat
worker.tomcat.port=8009
worker.tomcat.host=localhost
worker.tomcat.type=ajp13
worker.tomcat.lbfactor=1

The name tomcat is arbitrary, so you can replace all occurrences with whatever you like.
—————————————————
Create a config file in /etc/httpd/conf.d/
I named it alfresco.conf


LoadModule jk_module modules/mod_jk.so
JkWorkersFile /path to your install/alfresco/tomcat/conf/workers.properties


In Apache add this to the end of your config.

<VirtualHost *:443>
  ServerName mydomain.net
 
  SSLEngine on
  SSLCertificateKeyFile /path to my file.key
  SSLCertificateFile /path to my file.crt
  SSLCACertificateFile /path to my CAfile.crt

  #ProxyPass /paste http://localhost/paste/
  #ProxyPassReverse /paste http://localhost/paste/

  RequestHeader set X-Forwarded-Proto "https"
  ProxyPass / http://myhostname:8080/
  ProxyPassReverse / http://myhostname:8080/


  ProxyTimeout 300
  SSLProxyEngine on

  <Proxy *>
    allow from all
  </Proxy>

</VirtualHost>



<VirtualHost *:1111>
  ServerName mydomain.net

  SSLEngine on
  SSLCertificateKeyFile /path to my file.key
  SSLCertificateFile /path to my file.crt
  SSLCACertificateFile /path to my CA file.crt

  RequestHeader set X-Forwarded-Proto "https"
  ProxyPass / ajp://127.0.0.1:7070/
  ProxyPassReverse / ajp://127.0.0.1:7070/
  ProxyTimeout 300
  SSLProxyEngine on

  <Proxy *>
    Allow from all
  </Proxy>

</VirtualHost>


Now for an SSL connection on your SharePoint do the following:
Download the file jetty-ajp-6.1.14.jar from http://repo1.maven.org/maven2/org/mortbay/jetty/jetty-ajp/6.1.14/ (this might be an outdated version of the file.)

Place the jar file in webapps/alfresco/WEB-INF/lib

Locate the following file: //alfresco/tomcat/webapps/alfresco/WEB-INF/classes/alfresco/module/org.alfresco.module.vti/context/vti.context.xml

Search for the

<bean id="vtiServerConnector" class="org.mortbay.jetty.bio.SocketConnector">

Comment it out
Put the following below it:

<bean id="vtiServerConnector" class="org.mortbay.jetty.ajp.Ajp13SocketConnector">
      <property name="port">
           <value>${vti.server.port}</value>
      </property>
      <property name="headerBufferSize">
           <value>8192</value>
      </property>
  </bean>


You may need to edit your ssl.conf file and enter Listen 1111 or whatever port number you decide to use if not the default 7070.
Restart alfresco service and you should be good to go.

NOW I stress that you may still have an SSL issue because the guys at Alfresco included a picture file that downloads on the sign-in page from their website. This "kinda" breaks a true SSL connection. I had to disable that in order for everything to end up the way that I wanted it to. Hope this helps. Sorry I can't help you with the Tomcat portion, but there are a lot of smart peeps in this forum that can help with that if you decide to go that route.
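
An added example (not part of the original post or of Alfresco's code) for the back-end side of this setup: once Apache terminates TLS on 443, Tomcat's plain HTTP (8080) and AJP (8009) connectors only need to be reachable from the proxy, so this Python check lists cleartext connectors in server.xml that are not bound to loopback. It assumes a connector without an `address` attribute listens on all interfaces, as on the older Tomcat releases discussed here; the sample server.xml and the function names are constructed for illustration.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample: the AJP connector line from the guide plus typical
# HTTP/TLS connectors (not taken from a real install).
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" scheme="https" />
    <Connector port="8010" protocol="AJP/1.3" address="127.0.0.1" />
  </Service>
</Server>
"""

def is_loopback(address):
    """True only when the connector is explicitly bound to a loopback address."""
    if address is None:
        return False  # assumption: no address attribute means all interfaces
    if address == "localhost":
        return True
    try:
        return ipaddress.ip_address(address).is_loopback
    except ValueError:
        return False  # unresolved hostname: treat as externally reachable

def audit_connectors(server_xml):
    """Return (port, protocol, reason) for each cleartext connector not on loopback."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        protocol = conn.get("protocol", "HTTP/1.1")
        uses_tls = conn.get("SSLEnabled", "false").lower() == "true"
        if uses_tls or is_loopback(conn.get("address")):
            continue
        if "ajp" in protocol.lower():
            reason = "AJP has no TLS and trusts whatever connects to it"
        else:
            reason = "plain HTTP is reachable without going through the TLS proxy"
        findings.append((int(conn.get("port", "0")), protocol, reason))
    return findings

if __name__ == "__main__":
    for port, protocol, reason in audit_connectors(SAMPLE_SERVER_XML):
        print(f"port {port} ({protocol}): {reason}")
```

Connectors it reports can be given `address="127.0.0.1"` or blocked at the host firewall so that only the Apache proxy on the same host reaches them.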

vgusev2007
Champ in-the-making
Excellent guide! Thanks a lot! I'll try to do it step-by-step. I'll write here if I have a problem.

Really BIG thanks for your guide.

I have printed it out on paper.

firetux
Champ in-the-making
Thank you ESWBitto for this guide!

We use Alfresco Community 5.0.c and configured it as you have written above. But we have to use mod_ajp instead of mod_jk. This shouldn't be a problem.

The document opens in Word or Excel, but the apache error log prints the following error.

==> /var/log/apache2/alfresco-sp_error.log <==
[Thu Feb 26 13:39:38 2015] [error] ajp_read_header: ajp_ilink_receive failed
[Thu Feb 26 13:39:38 2015] [error] (120006)APR does not understand this error code: proxy: read response failed from 127.0.0.1:7171 (127.0.0.1)

After editing, I'm not able to save the change; Word raises an error and the same error appears in the Apache error log again.

Don't worry about the port. We changed the vti.server.port to 7171 and the vti.server.external.port to 7070.

Do you have an idea?

Regards
Philipp

eswbitto
Confirmed Champ
Hello firetux,

Sorry it has been a while since I have visited the forums. A couple of things you should know. I'm currently using 4.2.f. I haven't tested the SSL connection with 5.0.c, but I know that "hacking" (as mr. rogers puts it) is a lot harder to do in this version. I think alfresco wants you to only put your modifications in a single place such as the /install/alfresco/tomcat/shared place. The biggest thing I think is to make sure that alfresco recognizes the ajp connector and that apache and alfresco can talk to each other. If you have the firewall enabled on the server maybe turn it off and test to see if you have a rule blocking it.

I'll keep a closer eye on this thread from now on. Hope this helps in some way.

Hi there,

I tried the setting above on the 5.0.c installation. However I'm getting Connection refused:
2015-06-03 11:34:15,024  ERROR [solr.tracker.AbstractTracker] [SolrTrackerScheduler_Worker-3] Tracking failed
java.net.ConnectException: Connection refused


Do you have another solution for this problem? Because I can see that some time has passed since the last post.

Regards,
Boris

Hello again,

After some further test I managed to start the SW.
I had some different error messages and I just found this topic of yours:
https://forums.alfresco.com/forum/installation-upgrades-configuration-integration/authentication-lda...
I added the text from the file to my share-config-custom.xml and now I'm able to access Alfresco via https.
However, I still have a lot of errors in the catalina.out log. Would you mind taking a look at them? I attached a file here with them.

Regards!

eswbitto
Confirmed Champ
Hey Boris,

Those instructions were for 4.2.x. I haven't begun testing with 5.0.x yet. In the near future I'll be upgrading and going through that process myself.

Hey,

I understood that the Alfresco version is older, but I had to do it.
However, I had some difficulties, but the end result is that Alfresco started after a long period of testing how to get it to work on https.

Did you restrict the http traffic from outside somehow, or did you leave it as well?

Cheers, mate!

eswbitto
Confirmed Champ
Hello Boris,

We have a requirement that users be able to access Alfresco both inside and outside of our network. So for our firewall all the ports that Alfresco requires are open (externally). Internally, not that big of a deal.