Tomcat SSL Help Plz [Solved]

102020
Champ on-the-rise
Greetz!

So I've been working on getting my 3dp CA installed but running into problems. I know a lot of people are using mod_jk and fronting with Apache; I don't want to do that, it seems really unnecessary.

After looking at server.xml for Tomcat, I see that Alfresco is using ssl.keystore and ssl.truststore. I've also been reading about the cacerts file located in alfresco\java\jre\lib\security

Basically I have what is called a class 4 ssl certificate (extended class 3).
From my CA (startcom) they give me:
ca.pem
sub.class4.server.ca.pem

or they can give me the same thing in .crt format (or .der format, I think it is?).
I've been able to install with the .crt, but get error: ERR_SSL_VERSION_OR_CIPHER_MISMATCH

I also have a .p12 file, .crt and .key file (which is what I made the .p12 from).

How exactly did Alfresco change this from a stock Tomcat config? What is the proper procedure? I've seen tons of posts, some kinda work, some don't, and my CA gives me this to follow:
https://forum.startcom.org/viewtopic.php?f=15&t=1390


All help greatly appreciated, as this part seems to not be greatly documented in regards to importing your 3dp CA.

102020
Champ on-the-rise
OK, so here are the commands and such you need to run; we used StartCom SSL for our 3DP SSL.

keytool -genkey -alias myServer.FQDN.com -dname "cn=myServer.FQDN.com, o=FQDN, o=.com" -keystore c:\Alfresco\alf_data\keystore\keystore.jks -keysize 2048 -keyalg RSA

keytool -certreq -alias myServer.FQDN.com -file myServer.FQDN.com.csr -keystore c:\Alfresco\alf_data\keystore\keystore.jks

>Copy the contents of the CSR, paste into StartCom, which generates the CRT; download the CRT. At the same time download the intermediate and root certs.

keytool -import -trustcacerts -alias startcom.ca -file c:\Alfresco\alf_data\keystore\ca.crt -keystore c:\Alfresco\java\jre\lib\security\cacerts

keytool -import -trustcacerts -alias startcom.ca.sub -file c:\Alfresco\alf_data\keystore\sub.class3.server.ca.crt -keystore c:\Alfresco\java\jre\lib\security\cacerts

>Restart Alfresco

keytool -importcert -alias myServer.FQDN.com -file c:\Alfresco\alf_data\keystore\myServer.FQDN.com.signed.crt -trustcacerts -keystore c:\Alfresco\alf_data\keystore\keystore.jks

>Edit c:\Alfresco\tomcat\conf\server.xml

Find:
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol" SSLEnabled="true"
               maxThreads="150" scheme="https" keystoreFile="C:\Alfresco/alf_data/keystore/ssl.keystore" keystorePass="kT9X6oe68t" keystoreType="JCEKS"
               secure="true" connectionTimeout="240000" truststoreFile="C:\Alfresco/alf_data/keystore/ssl.truststore" truststorePass="kT9X6oe68t" truststoreType="JCEKS"
               clientAuth="false" sslProtocol="TLS" allowUnsafeLegacyRenegotiation="true" maxSavePostSize="-1" />


Replace with:
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol" SSLEnabled="true"
               maxThreads="150" scheme="https" keystoreFile="C:\Alfresco/alf_data/keystore/keystore.jks" keystorePass="kT9X6oe68t" keystoreType="JKS"
               secure="true" connectionTimeout="240000" clientAuth="false" sslProtocol="TLS" allowUnsafeLegacyRenegotiation="true" maxSavePostSize="-1" />


This will get SSL on port 8443 (or whatever you set your SSL port as) to use a fully signed certificate. You can also go into your alfresco-global.properties and add the following to use the same certificate for SharePoint SSL over port 7070:

### Sharepoint ###
vti.server.external.host=myServer.FQDN.com
vti.server.external.port=7070
vti.server.external.protocol=https
vti.server.ssl.keystore=C:/Alfresco/keys/keystore.jks
vti.server.ssl.password=kT9X6oe68t


Just a note: the vti.server.ssl.password value is the default keystore password.
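After the importcert step, `keytool -list -v -keystore keystore.jks` should show the server alias as a PrivateKeyEntry whose chain includes the intermediate; if the signed certificate was imported under a different alias than the one created by -genkey, it lands as a trustedCertEntry with no private key, Tomcat has nothing to serve, and the browser reports a handshake failure such as the ERR_SSL_VERSION_OR_CIPHER_MISMATCH quoted above. The following script is an added check, not part of the thread or of Alfresco; it parses a constructed, abbreviated sample of that keytool output and reports such problems.

```python
import re

# Constructed, abbreviated sample of `keytool -list -v` output: one alias with a
# PrivateKeyEntry and chain, one where only the signed cert was imported.
SAMPLE = """Alias name: myserver.fqdn.com
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=myServer.FQDN.com, O=FQDN, O=.com
Issuer: CN=Example Class 3 Server CA, O=Example CA

Alias name: certonly.fqdn.com
Entry type: trustedCertEntry

Owner: CN=certonly.fqdn.com, O=FQDN, O=.com
Issuer: CN=Example Class 3 Server CA, O=Example CA
"""

def parse_keytool_list(text):
    """Map alias -> {type, chain_len, owner} from `keytool -list -v` output."""
    entries = {}
    for block in re.split(r"\n(?=Alias name: )", text):
        alias = re.match(r"Alias name: (\S+)", block)
        if not alias:
            continue
        etype = re.search(r"^Entry type: (\S+)", block, re.M)
        clen = re.search(r"^Certificate chain length: (\d+)", block, re.M)
        owner = re.search(r"^Owner: (.+)$", block, re.M)  # first Owner = leaf cert
        entries[alias.group(1)] = {
            "type": etype.group(1) if etype else "unknown",
            "chain_len": int(clen.group(1)) if clen else (1 if owner else 0),
            "owner": owner.group(1).strip() if owner else "",
        }
    return entries

def check_server_entry(entries, alias, fqdn):
    """Return problems that would stop Tomcat serving `fqdn` from `alias`."""
    e = entries.get(alias.lower())  # keytool stores aliases lower-cased
    if e is None:
        return [f"alias {alias} not found in keystore"]
    problems = []
    if e["type"] != "PrivateKeyEntry":
        problems.append(f"{alias}: {e['type']} has no private key; import the signed cert under the -genkey alias")
    if e["chain_len"] < 2:
        problems.append(f"{alias}: chain length {e['chain_len']}; intermediate CA missing")
    cn = re.search(r"CN=([^,]+)", e["owner"])
    if not cn or cn.group(1).strip().lower() != fqdn.lower():
        problems.append(f"{alias}: CN {cn.group(1) if cn else '?'} does not match {fqdn}")
    return problems
```

On a real install, feed it the output of `keytool -list -v -keystore c:\Alfresco\alf_data\keystore\keystore.jks` and pass the alias you used with -genkey.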

I have followed your instructions and modified them accordingly to work on the OS that I'm using.

My topic is here: http://forums.alfresco.com/forum/installation-upgrades-configuration-integration/integration-other-s...

I followed your instructions from here:
http://forums.alfresco.com/forum/installation-upgrades-configuration-integration/installation-upgrad...

So I skipped over the first part and went down to the https part and followed the instructions for a self-signed cert. I didn't do the part above where you add to the alfresco-global.properties file. I don't know if it is crucial to have that step or not. When I make the changes and restart Alfresco I can't reach https://my.fqdn.addy:8443/share nor http://my.fqdn.addy:8080/share. Neither one works... in fact, it breaks. I end up having to completely erase the whole install and re-install.
So I tried modifying the share-config-custom.xml like the original instructions said to do. That doesn't do anything either.

Is there any off chance you could point me in the right direction of what I need to do? Right now I'm working on using Apache (httpd) to handle the SSL and not worry about the Tomcat version that Alfresco uses. I'd rather not do it that way, but I'm running out of options to try.


Bitto