Official documentation includes a number of measures that can be taken to improve the default security provided by the platform:
https://docs.alfresco.com/content-services/latest/admin/securing-install/
In this blog post, 5 simple steps related to that information are covered:
Alfresco Docker Installer
Alfresco Docker Installer, available in https://github.com/alfresco/alfresco-docker-installer, may be used to generate a reference Docker Compose deployment that includes all the steps described below.
Use the following settings to create that kind of configuration.
$ yo alfresco-docker-installer
? Which ACS version do you want to use? 7.1
? How may GB RAM are available for Alfresco (16 is minimum required)? 16
? Do you want to use HTTPs for Web Proxy? Yes
? What is the name of your server? localhost
? Choose the password for your admin user: hyland
? What HTTPs port do you want to use (all the services are using the same port)? 443
? Do you want to use FTP (port 2121)? No
? Do you want to use MariaDB instead of PostgreSQL? No
? Are you using different languages (this is the most common scenario)? Yes
? Would you like to use HTTP, HTTPs or Shared Secret for Alfresco-SOLR communication? https
? Do you want to use credentials for Events service (ActiveMQ)? Yes
? Choose the USERNAME for your ActiveMQ user: alfresco
? Choose the PASSWORD for your ActiveMQ user: hyland
? Do you want to create an internal SMTP server? No
? Do you want to create an internal LDAP server? No
? Select the addons to be installed:
? Are you using a Windows host to run Docker? No
? Do you want to use a start script? No
You will get some warnings related to keystores and certificates that will be covered later in this blog post.
---------------------------------------------------------------
WARNING: You selected HTTPs for the NGINX Web Proxy.
Default certificates localhost.cer and localhost.key have been provided in config/cert folder.
You may replace these certificates by your own.
---------------------------------------------------------------
---------------------------------------------------------------
WARNING: You selected HTTPs communication for Alfresco-Solr.
Default keystores have been provided in keystores folder.
You may replace these certificates by your own.
Check https://github.com/Alfresco/alfresco-ssl-generator
---------------------------------------------------------------
All required resources are created on your local computer, including configuration for ACS, configuration for NGINX and the required keystores, truststores and digital certificates.
create .env
create docker-compose.yml
create alfresco/Dockerfile
create alfresco/modules/amps/empty
create alfresco/modules/jars/empty
create share/Dockerfile
create share/web-extension/share-config-custom-dev.xml
create share/modules/amps/empty
create share/modules/jars/empty
create search/Dockerfile
create config/nginx.conf
create config/nginx.htpasswd
create config/cert/localhost.cer
create config/cert/localhost.key
create keystores/alfresco/keystore
create keystores/alfresco/ssl.keystore
create keystores/alfresco/ssl.truststore
create keystores/client/browser.p12
create keystores/solr/ssl-repo-client.keystore
create keystores/solr/ssl-repo-client.truststore
1. Password storage
By default, Alfresco stores user passwords in the database as MD4 digests. This applies to deployments using the NTLM (alfrescoNtlm) authentication subsystem, which is the one enabled by default. MD4 is a fast, unsalted hash: although it may be accepted in some environments, a safer algorithm can be selected with the following setting in the alfresco-global.properties file (or in the alfresco service section in docker-compose.yml). Note that NTLM challenge/response authentication itself is computed from the MD4 digest, so this change is only an option where NTLM SSO is not in use.
system.preferred.password.encoding=bcrypt10
The bcrypt10 setting uses bcrypt, a Blowfish-based and deliberately slow hash, with a cost factor of 10 and a random salt per password. Besides being far more expensive to brute-force than MD4, salting means that the same password produces a different digest for every user, so an attacker who obtains a copy of the database cannot use precomputed tables or crack many accounts with a single guess.
In addition, on a new Alfresco deployment the default admin password can be set by providing its MD4 digest (the digest of hyland in the following sample) in the alfresco-global.properties file (or in the alfresco service section in docker-compose.yml). This property is only read when the repository is bootstrapped for the first time, so it does not change the password of an existing installation.
alfresco_user_store.adminpassword=967f366ac4f37d059231c40edc8c0f72
2. Web Proxy
Instead of exposing every service directly, a proxy configuration provides a single entry point for every external request. That makes it easier to implement security measures and protections on your platform.
Different approaches can be followed to implement this recommendation, but in this Docker deployment the NGINX Web Proxy is used.
Alfresco services (alfresco, share, content-app) do not expose ports in Docker Compose; only the proxy service exposes the HTTPs default port (443), so every request to the platform goes through this single entry point. The required configuration for NGINX is available in the config/nginx.conf file
# Alfresco Content Application Proxy
location / {
    proxy_pass http://content-app:8080;
}
# Repository Proxy
location /alfresco/ {
    proxy_pass http://alfresco:8080;
}
# Api-Explorer Proxy
location /api-explorer/ {
    proxy_pass http://alfresco:8080;
}
# Share Proxy
location /share/ {
    proxy_pass http://share:8080;
}
Note that mutual TLS is configured for Alfresco-Solr communication, so the Solr SSL port 8983 is the one exposed, with mTLS, to give access to the Solr Web Console; a browser needs the client certificate from keystores/client/browser.p12 to reach it.
3. TLS for Web Proxy
A third step is to enable TLS on the Web Proxy, so that every request to ACS applications and services travels over HTTPs and is encrypted in transit. Use only TLSv1.2 or TLSv1.3 for this configuration, with a certificate whose RSA key is at least 2048 bits.
This configuration is provided for NGINX in config/nginx.conf file
listen *:443 ssl;
ssl_certificate /etc/nginx/localhost.cer;
ssl_certificate_key /etc/nginx/localhost.key;
ssl_prefer_server_ciphers on;
ssl_protocols TLSv1.2 TLSv1.3;
In addition, the server certificate (public certificate and private key) is in the config/cert folder, and this is the origin of the first warning:
---------------------------------------------------------------
WARNING: You selected HTTPs for the NGINX Web Proxy.
Default certificates localhost.cer and localhost.key have been provided in config/cert folder.
You may replace these certificates by your own.
---------------------------------------------------------------
Remember to use your own certificate, issued by a CA your clients trust (RSA 2048 bits or more is recommended), for real world deployments, and keep the private key out of version control: the default localhost.key is published with the installer, so it protects nothing.
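Putting steps 2 and 3 together, this is a complete NGINX server block for the proxy. It is an added example, not the installer's config/nginx.conf: the locations and TLS settings are the ones shown above, while the HTTP to HTTPs redirect, the HSTS header, the cipher list and the X-Forwarded-* headers (which let the backends build https links when they redirect) are additions of mine; certificate paths and the localhost server name follow the installer defaults.

```nginx
# Added example: full proxy server block (not the installer's nginx.conf)

# Anything arriving on plain HTTP is sent to the single HTTPs entry point
server {
    listen *:80;
    server_name localhost;
    return 301 https://$host$request_uri;
}

server {
    listen *:443 ssl;
    server_name localhost;

    ssl_certificate     /etc/nginx/localhost.cer;
    ssl_certificate_key /etc/nginx/localhost.key;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    # AEAD suites with forward secrecy only (TLSv1.3 suites are built in)
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;

    # Browsers remember to use HTTPs for this host (two years)
    add_header Strict-Transport-Security "max-age=63072000" always;

    # Backends only ever see http://; tell them the original host and scheme
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;

    # Alfresco Content Application Proxy
    location / {
        proxy_pass http://content-app:8080;
    }
    # Repository Proxy
    location /alfresco/ {
        proxy_pass http://alfresco:8080;
    }
    # Api-Explorer Proxy
    location /api-explorer/ {
        proxy_pass http://alfresco:8080;
    }
    # Share Proxy
    location /share/ {
        proxy_pass http://share:8080;
    }
}
```

Only add the HSTS header once the certificate is one your users' browsers trust; with the self-signed localhost.cer it would lock clients out of the site for the max-age period.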
4. mTLS for Alfresco-Solr communication
Alfresco and Solr communication is not authenticated when using plain HTTP. The fourth step is a safer configuration for this channel, based on either a Shared Secret HTTP header or Mutual TLS. We cover Mutual TLS, which uses TLS v1.2 with 2048-bit RSA certificates. Mutual TLS requires both a server and a client certificate, so each party authenticates the other; the repository and Solr each act as client and server of the other, which is why both sides have a keystore and a truststore.
Default Alfresco and Solr certificates are provided in the keystores folder, hence the warning from the Alfresco Docker Installer.
---------------------------------------------------------------
WARNING: You selected HTTPs communication for Alfresco-Solr.
Default keystores have been provided in keystores folder.
You may replace these certificates by your own.
Check https://github.com/Alfresco/alfresco-ssl-generator
---------------------------------------------------------------
Remember to create your own set of keystores and truststores (by using https://github.com/Alfresco/alfresco-ssl-generator or some other PKI software) for real world deployments. The default keystores ship in a public repository, so anyone can present the default client certificate to your Solr port and mTLS would not reject them.
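To show what a private PKI for this channel contains, here is an added example (not the Alfresco SSL generator) that builds it with openssl only: a demo CA issues one certificate each for the repository and for Solr, every certificate carries both serverAuth and clientAuth usages because each side plays both roles, and each identity is bundled as a PKCS12 file that Java can load as a keystore, with ca.crt being what goes into each truststore. The directory layout, the service names alfresco and solr6, the file names and the keystore password changeit are assumptions of this demo.

```shell
#!/bin/sh
# Added example (not the Alfresco SSL generator): minimal private PKI for
# Alfresco-Solr mutual TLS using openssl only. Names and paths are assumptions.
set -eu

# make_ca DIR: CA key and self-signed CA certificate (the truststore content)
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/CN=Alfresco demo CA" \
    -keyout "$1/ca.key" -out "$1/ca.crt" >/dev/null 2>&1
}

# issue_cert DIR NAME HOSTNAME: key, CSR, CA-signed cert and PKCS12 bundle
issue_cert() {
  dir="$1"; name="$2"; host="$3"
  openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=$host" \
    -keyout "$dir/$name.key" -out "$dir/$name.csr" >/dev/null 2>&1
  # Repository and Solr each act as TLS server and TLS client of the other,
  # so the certificate carries both EKUs and a SAN matching the service name.
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth,clientAuth\n' \
    "$host" > "$dir/$name.ext"
  openssl x509 -req -sha256 -days 365 -in "$dir/$name.csr" \
    -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
    -extfile "$dir/$name.ext" -out "$dir/$name.crt" >/dev/null 2>&1
  # Key + certificate + CA in one PKCS12 file, loadable as a Java keystore
  openssl pkcs12 -export -in "$dir/$name.crt" -inkey "$dir/$name.key" \
    -certfile "$dir/ca.crt" -name "$name" -passout pass:changeit \
    -out "$dir/$name.p12" >/dev/null 2>&1
}

# verify_chain DIR CERT: succeeds only if CERT was issued by the demo CA,
# which is the check each peer performs on the other during the handshake
verify_chain() {
  openssl verify -CAfile "$1/ca.crt" "$2" >/dev/null 2>&1
}

# build_mtls_pki DIR: the CA plus one identity for the repository and for Solr
build_mtls_pki() {
  mkdir -p "$1"
  make_ca "$1"
  issue_cert "$1" repo alfresco   # repository container hostname (assumed)
  issue_cert "$1" solr solr6      # Solr container hostname (assumed)
}

if [ "$#" -eq 1 ]; then
  build_mtls_pki "$1"
  verify_chain "$1" "$1/repo.crt" && verify_chain "$1" "$1/solr.crt" \
    && echo "repo.p12 and solr.p12 ready in $1 (truststore material: ca.crt)"
fi
```

Run it as `sh mtls-pki.sh ./keystores-new`. The point of the verify_chain check is the one that matters in production: a certificate signed by any other CA, including the installer's default CA, must fail it, which is only true once your truststores contain your own ca.crt and nothing else.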
5. ActiveMQ credentials
This service is used for asynchronous message production and consumption. The Alfresco Repository produces a message every time a document is created or updated, while the Alfresco Event API (the Out Of Process SDK) consumes them. Requiring credentials prevents unauthorized access to this resource.
Username and password can be added to the activemq service with the following environment variables in the docker-compose.yml file (for real deployments, keep the values in the .env file or a secrets mechanism rather than hard-coding them, and choose something other than the sample hyland)
activemq:
  image: alfresco/alfresco-activemq:${ACTIVEMQ_TAG}
  environment:
    ACTIVEMQ_ADMIN_LOGIN: "alfresco"
    ACTIVEMQ_ADMIN_PASSWORD: "hyland"
In addition, the repository service needs to know these credentials, by using the following properties in the alfresco-global.properties file (or in the alfresco service section in docker-compose.yml)
messaging.broker.username=alfresco
messaging.broker.password=hyland
When using the Alfresco Java Events SDK (Out Of Process - https://github.com/Alfresco/alfresco-java-sdk) you need to add the same credentials to its application.properties file
spring.activemq.username=alfresco
spring.activemq.password=hyland
If you want to see all that live on a video, check it out in:
One more thing
Additionally, you may be interested in securing the communication between the Repository and Local Transformers using the following steps: