06-19-2024 01:15 PM
I'm having trouble configuring the keystores properly due to the inconsistent documentation. I am completely new to ACS and tasked with installing it on Windows.
Documentation says:
1. For catalina.bat, configure the below; however, when I look at the keystore-passwords.properties file, it says that is deprecated. Also, is the standard keystore type JCEKS or PKCS12?
Alfresco Docs - Install on Tomcat
set "JAVA_TOOL_OPTIONS=-Dencryption.keystore.type=JCEKS -Dencryption.cipherAlgorithm=DESede/CBC/PKCS5Padding -Dencryption.keyAlgorithm=DESede -Dencryption.keystore.location=<TOMCAT_HOME>/alf_data/keystore/metadata-keystore/keystore -Dmetadata-keystore.password=mp6yc0UD9e -Dmetadata-keystore.aliases=metadata -Dmetadata-keystore.metadata.password=oKIWzVdEdA -Dmetadata-keystore.metadata.algorithm=DESede"
2. When configuring the Tomcat server.xml file for the 8443 connector, it keeps throwing errors stating:
WARNING [main] org.apache.tomcat.util.digester.SetPropertiesRule.begin Match [Server/Service/Connector] failed to set property [clientAuth] to [true]
[main] org.apache.tomcat.util.digester.SetPropertiesRule.begin Match [Server/Service/Connector/SSLHostConfig/Certificate] failed to set property [certificatekeystoreFile] to [D:\alfresco-content-services\alf_data\keystore\ssl.keystore]
[main] org.apache.tomcat.util.digester.SetPropertiesRule.begin Match [Server/Service/Connector/SSLHostConfig/Certificate] failed to set property [certificatekeystorePass] to [password]
WARNING [main] org.apache.tomcat.util.digester.SetPropertiesRule.begin Match [Server/Service/Connector/SSLHostConfig/Certificate] failed to set property [certificatetruststoreFile] to [D:\alfresco-content-services\alf_data\keystore\ssl.truststore]
WARNING [main] org.apache.tomcat.util.digester.SetPropertiesRule.begin Match [Server/Service/Connector/SSLHostConfig/Certificate] failed to set property [certificatetruststorePass] to [password]
WARNING [main] org.apache.tomcat.util.digester.SetPropertiesRule.begin Match [Server/Service/Connector/SSLHostConfig/Certificate] failed to set property [certificateTruststoreType] to [PKCS12]
This is my config for the connector:
<Connector port="8443" protocol="HTTP/1.1"
           connectionTimeout="20000"
           maxHttpHeaderSize="32768"
           SSLEnabled="true" scheme="https" secure="true"
           clientAuth="true">
    <SSLHostConfig sslProtocol="TLSv1.2">
        <Certificate
            certificatekeystoreFile="D:\alfresco-content-services\alf_data\keystore\ssl.keystore"
            certificatekeystorePass="keypassword"
            certificateKeystoreType="JCEKS"
            certificatetruststoreFile="D:\alfresco-content-services\alf_data\keystore\ssl.truststore"
            certificatetruststorePass="trustpw"
            certificateTruststoreType="JCEKS"
        />
    </SSLHostConfig>
</Connector>
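An added example, not part of the original post and not Alfresco or Tomcat code: a Python check that parses a connector like the one above and reports each attribute Tomcat's digester will not recognise, together with the documented `SSLHostConfig` or `Certificate` attribute it corresponds to. The attribute tables are a subset of the Tomcat 8.5+ configuration reference; `lint_connector`, `KNOWN`, `MOVED` and the sample paths and passwords are names and values chosen here.

```python
import xml.etree.ElementTree as ET

# Subset of the attributes Tomcat 8.5+ documents for its TLS elements.
KNOWN = {
    "SSLHostConfig": {"hostName", "protocols", "sslProtocol", "ciphers",
                      "certificateVerification", "truststoreFile",
                      "truststorePassword", "truststoreType"},
    "Certificate": {"certificateKeystoreFile", "certificateKeystorePassword",
                    "certificateKeystoreType", "certificateKeyAlias",
                    "certificateKeyPassword", "type"},
}
# Names used in the post (lower-cased) -> element and attribute holding that setting.
MOVED = {
    "clientauth": ("SSLHostConfig", "certificateVerification"),
    "certificatekeystorepass": ("Certificate", "certificateKeystorePassword"),
    "certificatetruststorefile": ("SSLHostConfig", "truststoreFile"),
    "certificatetruststorepass": ("SSLHostConfig", "truststorePassword"),
    "certificatetruststoretype": ("SSLHostConfig", "truststoreType"),
}

def lint_connector(xml_text):
    """Return (element, attribute, suggested (element, attribute) or None) tuples."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        known = KNOWN.get(elem.tag, set())
        for name in [n for n in elem.attrib if n not in known]:
            low = name.lower()
            if low in MOVED:
                findings.append((elem.tag, name, MOVED[low]))
            elif known:  # TLS element with an unknown name: try a case-only repair
                fixed = next((k for k in known if k.lower() == low), None)
                findings.append((elem.tag, name, (elem.tag, fixed) if fixed else None))
    return findings

# Connector shaped like the one in the post; paths and passwords are constructed.
SAMPLE = r"""<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
    scheme="https" secure="true" clientAuth="true">
  <SSLHostConfig sslProtocol="TLSv1.2">
    <Certificate certificatekeystoreFile="D:\example\ssl.keystore"
        certificatekeystorePass="CONSTRUCTED" certificateKeystoreType="JCEKS"
        certificatetruststoreFile="D:\example\ssl.truststore"
        certificatetruststorePass="CONSTRUCTED" certificateTruststoreType="JCEKS"/>
  </SSLHostConfig>
</Connector>"""

if __name__ == "__main__":
    for tag, attr, target in lint_connector(SAMPLE):
        hint = f"use {target[1]} on <{target[0]}>" if target else "not a documented attribute"
        print(f"<{tag}> {attr}: {hint}")
```

The six findings line up with the six "failed to set property" messages in the log above. When moving `clientAuth="true"`, the equivalent `certificateVerification` value is `required`.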
06-20-2024 02:18 AM
In addition to documentation, this may help you to understand the task:
https://github.com/aborroy/alfresco-mtls-debugging-kit
06-20-2024 11:06 AM
Thanks, I have watched the talk, which provides some better detail. However, I noticed you are using Docker and step-ca in your demo; is the Alfresco-SSL-generator tool not supported? You also mention using the community.sh script to generate certificates, but that doesn't appear to be available in the Windows folder.
06-20-2024 02:27 PM
Also, can you let me know what file the configuration in catalina.bat should be configured for? Is it intended to point to the file "keystore" that is generated in the \ssl-tool-win\keystores\alfresco dir using the Alfresco SSL tool, or the ssl.keystore or ssl.truststore file? If it is the keystore file, is it in JCEKS format and what are the passwords? Alfresco fails to start with the error "Failed to create key: metadata in key store: Location: D:/alfresco-content-services/alf_data/keystore/keystore".
Documentation says to configure:
set "JAVA_TOOL_OPTIONS=
-Dencryption.keystore.type=JCEKS
-Dencryption.cipherAlgorithm=DESede/CBC/PKCS5Padding
-Dencryption.keyAlgorithm=DESede
-Dencryption.keystore.location=<TOMCAT_HOME>/alf_data/keystore/metadata-keystore/keystore
-Dmetadata-keystore.password=mp6yc0UD9e
-Dmetadata-keystore.aliases=metadata
-Dmetadata-keystore.metadata.password=oKIWzVdEdA
-Dmetadata-keystore.metadata.algorithm=DESede"